Since Spring's default remember-me technique is
terrible security-wise (`user:timstamp:md5(use:timestamp:password:key)`),
we should at least use a random key, instead of a fixed one,
otherwise, and attacker able to capture the cookies
might be able to trivially bruteforce offline
the password of the associated user.
The inline javascript used with the cancel buttons
was only used to change the location.
Instead of doing this, it's easier to wrap
the button in a tag.
This is related to #909.
- Fix a stupid self-XSS. I doubt that there are ways to
use it against other users, but well, better safe than sorry
- Replace the javascript-on-focus hacks with the `autofocus` attribute
Previously, lost passwords were generated via
org.apache.commons.lang.RandomStringUtils,
which is using java.util.Random internally.
This PRNG is has a 48-bit seed, that can easily be bruteforced
if an attacker is able to get the PRNG's output, for example
but resetting their own account multiple times,
leading to trivial privileges escalation attacks.
This commit makes use of java.security.SecureRandom
instead.
I threw airsonic at IntelliJ's IDEA analysis,
and asked it to flag what could be modernized
for Java > 5.
- foreach instead of for…
- I added some null-deref checks
- Integer.ValueOf, since Integer(…) is deprecated
- Contextual try
- Objects.equals instead of handcrafted comparisons
- StringBuilder instead of StringBuffer
- Removal of outdated/wrong javadoc comments
This commit should fix the following javascript crash that
may occur if the localstorage isn't available/supported by the browser:
```
more.view:140 Uncaught TypeError: Cannot read property 'playCountValue' of null
at loadShuffleForm (more.view:140)
at HTMLDocument.<anonymous> (more.view:181)
at n (jquery-1.7.1.min.js:2)
at Object.fireWith (jquery-1.7.1.min.js:2)
at Function.ready (jquery-1.7.1.min.js:2)
at HTMLDocument.B (jquery-1.7.1.min.js:2)
```
Signed-off-by: jvoisin <julien.voisin@dustri.org>
pngfix.js is used for compatibility's reason
with IE 5 and 6. I think that now that we're in 2019,
we can get rid of it.
Signed-off-by: jvoisin <julien.voisin@dustri.org>
MomentJS was only used in a single javascript function,
to do Seconds → (Minutes, Seconds). This commit
replaces this with a hand-rolled version, and removes
MomentJS.
Signed-off-by: jvoisin <julien.voisin@dustri.org>
The FILES DEFRAG / FILES LOG SIZE properties are kept when upgrading to
2.x; it's enough that they were set once on 1.8. For new installations
the migration will still run with the correct SQL statements.
This will only affect the (embedded/legacy) HSQLDB driver. Even though
cff97ea9 should prevent the db log from getting uncontrollably large,
the 'Clean-up database' and 'Scan' actions will additionally force a
checkpoint to ensure this happens on big operations.