Commit Graph

196 Commits (34a4f74d16f72915634bca8dc65958c6670d7210)

Author SHA1 Message Date
Oliver Günther a6b4372b09 Always preprocess URLs with CGI.unescape 9 years ago
Oliver Günther fcd450af3f Fix redirect vulnerability 9 years ago
Oliver Günther 6eeea9d1da Avoid mutator sort on relations 9 years ago
Jens Ulferts 6e01b27f18 rename service's method to be in accordance with proc 9 years ago
Jens Ulferts c471080e08 set locale before API v3 request 9 years ago
Markus Kahl dd496297fd don't use random language as user's language 9 years ago
Oliver Günther 7ebac37c14 Repository Management - Refactoring and Preparation 9 years ago
Alex Coles 0ad3cfb4b2 Prefer do…end for controller respond_to blocks 9 years ago
Markus Kahl bcd981df5c consider X-Authentication-Scheme; opt scoped realm 10 years ago
Markus Kahl d854df5175 suppress browser prompt on authenticate failure 10 years ago
Alex Coles e02eb0181d Migrate AR finder/query methods in controllers 10 years ago
Alex Coles ec1bb39f9b Fix syntax (w/Rubocop) in (Rails) controllers 10 years ago
Alex Coles 57618b25ec Replace dynamic finder usages with #find_by, etc. 10 years ago
Alex Coles bc5abb34ab Remove explicit require_dependency of Principal 10 years ago
Markus Kahl 560d970b0f in-regex comments 10 years ago
Markus Kahl 4abd716dd6 more comments 10 years ago
Markus Kahl 52fe1da137 don't redirect back to logout 10 years ago
Alex Coles e0191e759c Update year in copyright header to 2015 10 years ago
Alex Coles 3629ded2ae Handle ActionController::ParameterMissing globally 10 years ago
Alex Coles bb0e6e6aa5 Fix syntax (w/Rubocop) in (Rails) controllers 10 years ago
Alex Coles 336446c59d Use 1.9+ Hash syntax in (Rails) controllers 10 years ago
Richard 72b6e26461 Twist redirect to back url method to work with JSON params. 10 years ago
Martin Linkhorst 8877883c63 given openproject runs in a subdirectory we cannot allow redirecting to a different subdirectory. also tries to catch shenanigans to circumvent the check like ".." in the path. 10 years ago
Marek Takac 2269f9a8ee Fixed authorization service calls 10 years ago
Martin Linkhorst 1f36d43b70 there was a wrong parenthesis: the last match needs to be ANDed with all the prior checks. instead of changing it, refactored the code to be more clear. still allows redirects to different sub-uris. 11 years ago
Philipp Tessenow d8cb82a2e8 explicitly allow home path in back_url 11 years ago
Philipp Tessenow 0cdbaf39f6 fix protocol-relative redirection test 11 years ago
jplang 1db8642ac6 [security] fixed back url verification 11 years ago
Marek Takac 1ca62def08 Used named params in AuthorizationService constructor 11 years ago
Marek Takac bb8aa422b1 Refactored Authorization service 11 years ago
Marek Takac ac2c89c0d7 Initial foundations for API v3 11 years ago
Michael Frister 98f81665db CSRF Protection: Prevent login CSRF 11 years ago
Michael Frister ed7ffdc616 CSRF Protection: Don't attempt to catch unused InvalidAuthenticityToken 11 years ago
Michael Frister c2fdfd0f1d Fix API requests without CSRF token being rejected 11 years ago
Philipp Tessenow d3e6a5b284 better handle handle_unverified_request 11 years ago
Philipp Tessenow 3c5fb24d8c rubocopify most parts of the application controller 11 years ago
Toshi MARUYAMA 5233d6d0f0 remove Rails2 Ruby1.9 utf8nize! 11 years ago
Toshi MARUYAMA 4775f66e77 fix non-ascii attachment file name get corrupted in IE11 (#16711) 11 years ago
Richard aad7606340 Encoding filter operator values to avoid url escaping browser bullshit. 11 years ago
Richard 2f11241407 WIP. using the url params to keep state but having a nightmare with url escaping:/ 11 years ago
Jean-Philippe Lang b8ffa31e1a Potential data leak in "Invalid form authenticity token" error screen (#16511). 11 years ago
Martin Linkhorst a83af510cb given openproject runs in a subdirectory we cannot allow redirecting to a different subdirectory. also tries to catch shenanigans to circumvent the check like ".." in the path. 11 years ago
Martin Linkhorst dbc75d4263 there was a wrong parenthesis: the last match needs to be ANDed with all the prior checks. instead of changing it, refactored the code to be more clear. still allows redirects to different sub-uris. 11 years ago
Philipp Tessenow b0285751a6 explicitly allow home path in back_url 11 years ago
Philipp Tessenow 7808e82cf1 fix protocol-relative redirection test 11 years ago
jplang 7bb076fa48 [security] fixed back url verification 11 years ago
Johannes Wollert 8b096975fe updates copyright headers 11 years ago
Martin Linkhorst 6f21ef73ad move application controller load hook to the end of the class definition. find explanation why inside. 11 years ago
Markus Kahl 4d41bff3a0 make API sessions not expire 11 years ago
Philipp Tessenow f099413192 introduce render_400 (bad request) method in application controller 11 years ago