The inline javascript used with the cancel buttons
was only used to change the location.
Instead of doing this, it's easier to wrap
the button in a tag.
This is related to #909.
- Fix a stupid self-XSS. I doubt that there are ways to
use it against other users, but well, better safe than sorry
- Replace the javascript-on-focus hacks with the `autofocus` attribute
Previously, lost passwords were generated via
org.apache.commons.lang.RandomStringUtils,
which is using java.util.Random internally.
This PRNG is has a 48-bit seed, that can easily be bruteforced
if an attacker is able to get the PRNG's output, for example
but resetting their own account multiple times,
leading to trivial privileges escalation attacks.
This commit makes use of java.security.SecureRandom
instead.
I tested this locally, it's working on my machine™
Nothing fancy, no new privileges, private stuff (/tmp, …),
no exotic devices/access/…, …
Signed-off-by: jvoisin <julien.voisin@dustri.org>
Signed-off-by: Andrew DeMaria <lostonamountain@gmail.com>
- Remove `sudo` since it's deprecated,
along with the useless `apt update` call
- Remove the manual maven installation since
it's already present on the travis image
by default
This should reduce a bit the time taken for a whole CI run.
I threw airsonic at IntelliJ's IDEA analysis,
and asked it to flag what could be modernized
for Java > 5.
- foreach instead of for…
- I added some null-deref checks
- Integer.ValueOf, since Integer(…) is deprecated
- Contextual try
- Objects.equals instead of handcrafted comparisons
- StringBuilder instead of StringBuffer
- Removal of outdated/wrong javadoc comments