Commit Graph

165 Commits (ad3e22de338ce5e4e8a6dd844c15c5ea3e7e5a86)

Author SHA1 Message Date
Martin Linkhorst 8877883c63 given openproject runs in a subdirectory we cannot allow redirecting to a different subdirectory. also tries to catch shenanigans to circumvent the check like ".." in the path. 10 years ago
Marek Takac 2269f9a8ee Fixed authorization service calls 10 years ago
Martin Linkhorst 1f36d43b70 there was a wrong parenthesis: the last match needs to be ANDed with all the prior checks. instead of changing it, refactored the code to be more clear. still allows redirects to different sub-uris. 11 years ago
Philipp Tessenow d8cb82a2e8 explicitly allow home path in back_url 11 years ago
Philipp Tessenow 0cdbaf39f6 fix protocol-relative redirection test 11 years ago
jplang 1db8642ac6 [security] fixed back url verification 11 years ago
Marek Takac 1ca62def08 Used named params in AuthorizationService constructor 11 years ago
Marek Takac bb8aa422b1 Refactored Authorization service 11 years ago
Marek Takac ac2c89c0d7 Initial foundations for API v3 11 years ago
Michael Frister 98f81665db CSRF Protection: Prevent login CSRF 11 years ago
Michael Frister ed7ffdc616 CSRF Protection: Don't attempt to catch unused InvalidAuthenticityToken 11 years ago
Michael Frister c2fdfd0f1d Fix API requests without CSRF token being rejected 11 years ago
Philipp Tessenow d3e6a5b284 better handle handle_unverified_request 11 years ago
Philipp Tessenow 3c5fb24d8c rubocopify most parts of the application controller 11 years ago
Toshi MARUYAMA 5233d6d0f0 remove Rails2 Ruby1.9 utf8nize! 11 years ago
Toshi MARUYAMA 4775f66e77 fix non-ascii attachment file name get corrupted in IE11 (#16711) 11 years ago
Richard aad7606340 Encoding filter operator values to avoid url escaping browser bullshit. 11 years ago
Richard 2f11241407 WIP. using the url params to keep state but having a nightmare with url escaping:/ 11 years ago
Jean-Philippe Lang b8ffa31e1a Potential data leak in "Invalid form authenticity token" error screen (#16511). 11 years ago
Martin Linkhorst a83af510cb given openproject runs in a subdirectory we cannot allow redirecting to a different subdirectory. also tries to catch shenanigans to circumvent the check like ".." in the path. 11 years ago
Martin Linkhorst dbc75d4263 there was a wrong parenthesis: the last match needs to be ANDed with all the prior checks. instead of changing it, refactored the code to be more clear. still allows redirects to different sub-uris. 11 years ago
Philipp Tessenow b0285751a6 explicitly allow home path in back_url 11 years ago
Philipp Tessenow 7808e82cf1 fix protocol-relative redirection test 11 years ago
jplang 7bb076fa48 [security] fixed back url verification 11 years ago
Johannes Wollert 8b096975fe updates copyright headers 11 years ago
Martin Linkhorst 6f21ef73ad move application controller load hook to the end of the class definition. find explanation why inside. 11 years ago
Markus Kahl 4d41bff3a0 make API sessions not expire 11 years ago
Philipp Tessenow f099413192 introduce render_400 (bad request) method in application controller 11 years ago
Hagen Schink dba223e029 Fixes specs by renaming event properties 11 years ago
Philipp Tessenow 7282104f00 remove forgotten debug statement 11 years ago
Philipp Tessenow 8a25a1c0a1 add option to disable browser cache for security reasons. 11 years ago
Hagen Schink 61682ae789 Fixes event sorting 11 years ago
Philipp Tessenow 444546e2e8 use \A and \z instead of ^ and $ in ruby regexes 11 years ago
Jens Ulferts b346e6a242 moves find_issue into v1/issues_controller - only used there 11 years ago
Michael Frister 626848551b Rename Redmine::Configuration to OpenProject::Configuration 11 years ago
Hagen Schink e164c4345e Renames variables 11 years ago
Sebastian Schuster e4ec72f2c5 Readded find_issues as some subclasses still depend on it 11 years ago
Sebastian Schuster 8842f75b1e Added before filter for bulk destroy in work packages controller 11 years ago
Philipp Tessenow a1e67dd460 new copyright header #1903 11 years ago
Jens Ulferts 1b9edac314 removes issue views/actions/routes no longer required 11 years ago
Christian Ratz 43bc798abb changed feed setting to enabled instead of disabled 11 years ago
Christian Ratz 8f1b73b473 better naming of before filter 11 years ago
Christian Ratz b86f8d65d7 [#1850] Disable atom feeds via setting 11 years ago
Nils Kenneweg e1341b3a31 renamed header. 11 years ago
Nils Kenneweg 543c77232a improved layout passthrough 11 years ago
Nils Kenneweg 8d129f9d9a url rewriting. iframe destruction on close. 11 years ago
Nils Kenneweg f94dab0f6f bugfix 11 years ago
Nils Kenneweg f877b2c1b6 bugfix. url rewriting. 11 years ago
Nils Kenneweg 1a29603db0 fixed logout dialog test. 11 years ago
Nils Kenneweg 9279b55ebd modal with less knowledge. more generalization. 11 years ago
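Several of the commit messages above (8877883c63 / a83af510cb, 1f36d43b70, d8cb82a2e8, 0cdbaf39f6, 1db8642ac6 and 444546e2e8) describe the same hardening of back_url verification: a redirect target must be a relative path that stays inside the sub-URI the application is mounted under, the home path is explicitly allowed, ".." tricks and protocol-relative URLs are rejected, and the regexes are anchored with \A and \z rather than ^ and $. The Ruby below is an added example that puts those rules together; it is not OpenProject's code, and the module name BackUrl, the method safe? and the keyword relative_url_root are assumptions made for illustration.

```ruby
# Added example, not OpenProject's code: a back_url validator for an application
# mounted under a sub-URI, following the rules the commit messages describe.
# BackUrl, safe? and relative_url_root are hypothetical names.
require 'uri'

module BackUrl
  module_function

  # Returns true only when back_url is a relative path inside the mount point
  # (relative_url_root), so redirecting to it cannot leave the application.
  def safe?(back_url, relative_url_root: '/')
    return false if back_url.nil? || back_url.empty?
    # Whitespace, control characters and backslashes never belong in a path;
    # browsers treat "/\evil.example" like "//evil.example".
    return false if back_url.match?(/[\s\\]/)
    # Protocol-relative URLs ("//evil.example/") are external redirects.
    return false if back_url.start_with?('//')

    begin
      uri = URI.parse(back_url)
    rescue URI::InvalidURIError
      return false
    end
    # Any scheme, host or userinfo means an absolute URL: "http://", "javascript:", "//".
    return false if uri.scheme || uri.host || uri.userinfo

    path = uri.path.to_s
    return false unless path.start_with?('/')

    # Decode percent-encoded dots before looking for traversal so "%2e%2e" is caught too.
    decoded = path.gsub(/%2e/i, '.')
    return false if decoded.split('/').any? { |seg| seg == '.' || seg == '..' }

    root = relative_url_root.chomp('/')
    return true if root.empty? # mounted at "/": every relative path stays inside

    # Anchor with \A and \z, not ^ and $ (those match per line). The path must be
    # the home path itself or continue with "<root>/"; "/openproject-evil/" must not pass.
    path.match?(/\A#{Regexp.escape(root)}(\/|\z)/)
  end
end
```

The mount-point comparison deliberately requires a "/" after the root (or the end of the string): a plain prefix check would accept "/openproject-evil/x" for a root of "/openproject", which is the "different sub-uris" problem the earlier commit message mentions.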