1. 16 Jul, 2013 7 commits
    • Upgrade version number · 6bf2c182
      Evan Prodromou authored
      Conflicts:
      	lib/framework.php
    • Escape argument to prevent SQL injection attack in User::getTaggedSubscriptions() · 89ba8202
      Joshua Wise authored
      
      This change escapes the $tag argument to prevent a SQL injection
      attack in User::getTaggedSubscriptions(). The parameter was not
      escaped higher up the stack, so this vulnerability could be exploited.
    • Escape argument to User::getTaggedSubscribers() to prevent SQL injection · 4a30da92
      Joshua Wise authored
      This change escapes the argument to User::getTaggedSubscribers() to
      prevent SQL injection attacks.
      
      Both code paths up the stack fail to escape this parameter, so this is
      a potential SQL injection attack.
    • Escape query parameters in Profile_tag::getTagged() · e54cb695
      Joshua Wise authored
      This patch escapes query parameters in Profile_tag::getTagged(). This
      is an extra security step; since these parameters come out of the
      database, it's unlikely that they would have dangerous data in them.
    • Escape SQL parameter in Profile_tag::moveTag() · 5b118b37
      Joshua Wise authored
      This change adds additional escapes for arguments to
      Profile_tag::moveTag(). The arguments are canonicalized in the API and
      Web UI paths higher up the stack, but this change makes sure that no
      other paths can introduce SQL injection errors.
    • Escape $tag passed to Profile::getTaggedSubscribers() · c5a710e0
      Joshua Wise authored
      This patch escapes the $tag parameter in
      Profile::getTaggedSubscribers(). The parameter is not escaped either
      in actions/subscriptions.php or in actions/apiuserfollowers.php. So
      there is a potential for SQL injection here.
    • Potential SQL injection in Local_group::setNickname() · 3fb2c06c
      Joshua Wise authored
      This change escapes a parameter in Local_group::setNickname(). Review
      of the code paths that call this function sanitize the parameter
      higher up the stack, but it's escaped here to prevent mistakes later.
      
      Note that nickname parameters are normally alphanum strings, so
      there's not much danger in double-escaping them.
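      The six commits above all fix the same defect class: a caller-supplied value (a tag or nickname) is concatenated into SQL text, and the fix escapes it at the point of use rather than trusting callers higher up the stack. The PHP below is an added illustration written for this page, not code from the StatusNet/GNU social repository; the function and table names are hypothetical and PDO with in-memory SQLite is used only so the three variants can be compared side by side. It shows the unescaped form, the escape-at-use form the commits adopt, and a prepared statement, which keeps data out of the query text altogether.

```php
<?php
// Added illustration, not project code. Table, column and function names are hypothetical.

// Vulnerable: $tag is interpolated straight into the query text, so a quote in
// the input ends the string literal and the rest of the input becomes SQL.
function getTaggedVulnerable(PDO $db, int $taggerId, string $tag): array
{
    $sql = "SELECT tagged FROM profile_tag WHERE tagger = $taggerId AND tag = '$tag'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened in the style of the commits above: escape and quote at the point of use,
// regardless of whether callers already canonicalised the value.
function getTaggedEscaped(PDO $db, int $taggerId, string $tag): array
{
    $sql = sprintf(
        "SELECT tagged FROM profile_tag WHERE tagger = %d AND tag = %s",
        $taggerId,
        $db->quote($tag)   // adds the surrounding quotes and escapes for the active driver
    );
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Preferred form: a prepared statement sends the value as a bound parameter,
// so it is never parsed as part of the SQL text.
function getTaggedPrepared(PDO $db, int $taggerId, string $tag): array
{
    $stmt = $db->prepare(
        "SELECT tagged FROM profile_tag WHERE tagger = :tagger AND tag = :tag"
    );
    $stmt->execute([':tagger' => $taggerId, ':tag' => $tag]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Demonstration on constructed data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE profile_tag (tagger INTEGER, tagged INTEGER, tag TEXT)");
$db->exec("INSERT INTO profile_tag VALUES (1, 10, 'friends'), (1, 11, 'friends'), (2, 12, 'friends')");

// Constructed input: a closing quote followed by an always-true clause.
$input = "friends' OR '1'='1";

printf("vulnerable: %d rows\n", count(getTaggedVulnerable($db, 1, $input)));
printf("escaped:    %d rows\n", count(getTaggedEscaped($db, 1, $input)));
printf("prepared:   %d rows\n", count(getTaggedPrepared($db, 1, $input)));
```

      Run with `php example.php`. The vulnerable variant returns rows belonging to every tagger, because the injected clause makes the WHERE condition true for all of them; the escaped and prepared variants return nothing, since no stored tag literally equals the input. Escaping at the point of use, as these commits do, is a sound defence-in-depth step, but the last variant is the one to reach for in new code: it removes the need to reason about which callers already sanitised the value.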
  2. 29 Jun, 2013 1 commit
    • Squashed commit of the following: · 4092ee1b
      Evan Prodromou authored
      commit bd23a7da105d635414643dfcedd9c8f710d565b8
      Author: Evan Prodromou <evan@e14n.com>
      Date:   Sat Jun 29 07:49:03 2013 -0400
      
          Make the after flag work correctly
      
      commit 5c5845a2f866f0bbffedd8e2e5d1f512f87d5329
      Author: Evan Prodromou <evan@e14n.com>
      Date:   Sat Jun 29 06:14:43 2013 -0400
      
          Add an 'after' flag for backup script
  3. 26 Jun, 2013 2 commits
  4. 15 Jun, 2013 19 commits
  5. 09 Jun, 2013 2 commits
  6. 08 Jun, 2013 3 commits
  7. 07 Jun, 2013 4 commits
  8. 05 Jun, 2013 2 commits