jvoisin
b663a2fb90
Fix a stored XSS
6 years ago
jvoisin
348c698e35
Remove the /db page
...
This page wasn't linked anywhere, and was
allowing an administrator to issue arbitrary sql
comments, and was vulnerable to reflected XSS.
We should get rid of it. If you really want to issue
SQL commands, just ssh to your instance and do it from here.
6 years ago
jvoisin
d3970a5c62
Fix various minor issues found by LGTM
...
- Unnecessary boxing
- Integer overflow
- Path traversal via zip
- Dangerous synchronization pattern
6 years ago
Andrew DeMaria
a911ebab80
Merge remote-tracking branch 'origin/pr/1027'
6 years ago
Andrew DeMaria
2162250101
Revert "Minor frameset-related factorization"
...
This reverts commit e69287cfe6
.
Signed-off-by: Andrew DeMaria <lostonamountain@gmail.com>
6 years ago
Andrew DeMaria
a14c8549fa
Merge remote-tracking branch 'origin/pr/963'
6 years ago
Andrew DeMaria
a3e59e9724
Fix file encoding
...
Signed-off-by: Andrew DeMaria <lostonamountain@gmail.com>
6 years ago
Andrew DeMaria
e5c36d9854
Fix variable name
...
Signed-off-by: Andrew DeMaria <lostonamountain@gmail.com>
6 years ago
Andrew DeMaria
d8a5d1afad
Merge remote-tracking branch 'origin/pr/1034'
6 years ago
Andrew DeMaria
afc2f58ac5
Merge remote-tracking branch 'origin/pr/1036'
6 years ago
Andrew DeMaria
ab07462530
Update tomcat to 8.5.40
...
Signed-off-by: Andrew DeMaria <lostonamountain@gmail.com>
6 years ago
François-Xavier Thomas
820a4faec2
Avoid logging sensitive URL parameters in the Subsonic API
...
In case of exceptions, Airsonic logs the full URL that triggered it
since 417583cc
, including possibly sensitive query parameters such as
the authentication password/tokens passed to the Subsonic API.
This replaces the value set for this parameter in the URL by the
"<hidden>" string.
6 years ago
jvoisin
41408bc2c3
Replace the double-mustache anti-pattern
...
Because Double Brace Initialization (DBI) creates an anonymous class with a
reference to the instance of the owning object, its use can lead to memory
leaks if the anonymous inner class is returned and held by other objects. Even
when there's no leak, DBI is so obscure that it's bound to confuse most
maintainers.
6 years ago
jvoisin
c6825cf0d7
Minor refactorization of two methods in AbstractDao
6 years ago
Andrew DeMaria
1463f75b06
Merge remote-tracking branch 'origin/pr/961'
6 years ago
Andrew DeMaria
693336af83
Merge remote-tracking branch 'origin/pr/967'
6 years ago
Andrew DeMaria
e2e1554e93
Merge remote-tracking branch 'origin/pr/968'
6 years ago
Andrew DeMaria
cddc2b2fa7
Merge remote-tracking branch 'origin/pr/983'
6 years ago
Andrew DeMaria
d03b4dd963
Merge remote-tracking branch 'origin/pr/984'
6 years ago
Andrew DeMaria
2030caa219
Merge remote-tracking branch 'origin/pr/994'
6 years ago
Andrew DeMaria
1bd70263bd
Merge remote-tracking branch 'origin/pr/989'
6 years ago
Andrew DeMaria
24f5c2d8f5
Merge remote-tracking branch 'origin/pr/1005'
6 years ago
Andrew DeMaria
3f9c525933
Merge remote-tracking branch 'origin/pr/1007'
6 years ago
Andrew DeMaria
50964fa378
Merge remote-tracking branch 'origin/pr/1002'
6 years ago
Andrew DeMaria
326583839e
Merge remote-tracking branch 'origin/pr/982'
6 years ago
Andrew DeMaria
a2b423aa82
Merge remote-tracking branch 'origin/pr/1020'
6 years ago
Andrew DeMaria
f5250e36f1
Merge remote-tracking branch 'origin/pr/1021'
6 years ago
Andrew DeMaria
fdfa244ad4
Merge remote-tracking branch 'origin/pr/1022'
6 years ago
Andrew DeMaria
fe08dd1c94
Merge remote-tracking branch 'origin/pr/1023'
6 years ago
Andrew DeMaria
969394a1c9
Merge remote-tracking branch 'origin/pr/1006'
6 years ago
jvoisin
a21188a064
Add a permission check for the podcast folder
...
This should make podcast-related stacktraces a bit
more obvious to debug for users.
6 years ago
jvoisin
716fd3635c
Remove a useless test page
6 years ago
jvoisin
e2683024af
Factorize a bit the checkbox-related CSS
...
Since the `border: 0;` property is applied
to every checkbox, there is no need for a class.
This is also a good opportunity to use ternaries
for the `checked` attribute, instead of clumsy `if`.
6 years ago
jvoisin
cf1f86f226
Move some video-cast-related inline js to an external file
6 years ago
jvoisin
af4165310f
Fix yet an other XSS
6 years ago
tesshucom
f54e72026f
version upgrade of spring-boot-dependencies,spring-boot-maven-plugin
...
- Safety version for CVE-2019-3795
- Match the new jetty ecj version because the version of ecj used by
tomcat and jetty is different.
6 years ago
jvoisin
e69287cfe6
Minor frameset-related factorization
6 years ago
Andrew DeMaria
10e90beb30
Refactor stream integration test
...
Signed-off-by: Andrew DeMaria <lostonamountain@gmail.com>
6 years ago
jvoisin
17f1d45e08
Remove mentions of subsonic premium
6 years ago
jvoisin
90cb02105e
Add a noopener and noreferrer to external urls
...
- noreferrer is used to prevent the browser from sending the referrer
to the visited site
- noopener fixes a fun class of bug: https://mathiasbynens.github.io/rel-noopener/
6 years ago
jvoisin
a200dd0c37
Don't autocomplete the password field
...
I guess that this is a bit silly in 2019,
but since people tend to use weird browsers in weird
places, disabling autocompletion here might prevent
the password from ending up in some local cache.
6 years ago
jvoisin
9dea3e9051
Add a CONTRIBUTING.md file
6 years ago
jvoisin
ec4b969e2c
Replace latin encoding with utf-8
6 years ago
jvoisin
5acabcae19
Remove resource bundles for messages as well
6 years ago
jo
eea9416fbe
[skip ci] Update stale labels
6 years ago
Andrew DeMaria
c3a1980ca2
Merge remote-tracking branch 'airsonic/pr/964'
6 years ago
Andrew DeMaria
15c6a8861b
Fix formatting on external player for firefox
...
Signed-off-by: Andrew DeMaria <lostonamountain@gmail.com>
6 years ago
Andrew DeMaria
b128479972
Merge remote-tracking branch 'airsonic/pr/962'
6 years ago
Andrew DeMaria
4b2cf99adf
Merge remote-tracking branch 'airsonic/pr/951'
6 years ago
Andrew DeMaria
8e0d49834c
Merge remote-tracking branch 'airsonic/pr/929'
6 years ago