Since Spring's default remember-me technique is
terrible security-wise (`user:timstamp:md5(use:timestamp:password:key)`),
we should at least use a random key, instead of a fixed one,
otherwise, and attacker able to capture the cookies
might be able to trivially bruteforce offline
the password of the associated user.
The inline javascript used with the cancel buttons
was only used to change the location.
Instead of doing this, it's easier to wrap
the button in a tag.
This is related to #909.
I've tested this on mp3, ogg and flac, everything
is working.
Apart from fixing a decent amount of bugs
(https://github.com/mediaelement/mediaelement/releases),
this has the nice side effect of removing a copy
of jquery 1.9.1.
- Fix a stupid self-XSS. I doubt that there are ways to
use it against other users, but well, better safe than sorry
- Replace the javascript-on-focus hacks with the `autofocus` attribute
Previously, lost passwords were generated via
org.apache.commons.lang.RandomStringUtils,
which is using java.util.Random internally.
This PRNG is has a 48-bit seed, that can easily be bruteforced
if an attacker is able to get the PRNG's output, for example
but resetting their own account multiple times,
leading to trivial privileges escalation attacks.
This commit makes use of java.security.SecureRandom
instead.
I tested this locally, it's working on my machine™
Nothing fancy, no new privileges, private stuff (/tmp, …),
no exotic devices/access/…, …
Signed-off-by: jvoisin <julien.voisin@dustri.org>
Signed-off-by: Andrew DeMaria <lostonamountain@gmail.com>
- Remove `sudo` since it's deprecated,
along with the useless `apt update` call
- Remove the manual maven installation since
it's already present on the travis image
by default
This should reduce a bit the time taken for a whole CI run.
jvoisin
Andrew DeMaria
François-Xavier Thomas