Commit Graph

25 Commits

Author SHA1 Message Date
Andy Miller
99f6532965 Fix security vulnerabilities: user enumeration and XSS issues
Security fixes:

1. GHSA-q3qx-cp62-f6m7: User Enumeration & Email Disclosure
   - Changed rate-limiter error message in taskForgot() to not include email
   - Added generic translation key FORGOT_CANNOT_RESET_RATE_LIMITED
   - Prevents attackers from enumerating valid usernames via forgot password

2. GHSA-rmw5-f87r-w988: Stored XSS in Group Display Name
   - Added HTML escaping to group.readableName in acl_picker.html.twig
   - Prevents XSS when malicious group names are rendered in selectize

3. GHSA-gqxx-248x-g29f & GHSA-mpjj-4688-3fxg: XSS in Taxonomy Fields
   - Added HTML escaping to taxonomy labels in taxonomy.html.twig
   - Prevents XSS when malicious taxonomy names are rendered

4. GHSA-65mj-f7p4-wggq, GHSA-7g78-5g5g-mvfj: XSS in Selectize Dropdowns
   - Added SafeRender functions to selectize.js that escape HTML by default
   - All selectize dropdowns now escape option/item text unless custom render is specified
   - Provides defense-in-depth against XSS in any selectize-based field
2025-11-29 18:43:02 -07:00
Andy Miller
325764a304 improved login/session handling
Signed-off-by: Andy Miller <rhuk@mac.com>
2025-09-15 12:02:55 -06:00
Andy Miller
841ec861bd PHP 8.4 fixes - Implicitly nullable parameter declarations deprecated 2024-10-25 20:12:25 +01:00
Andy Miller
8cc7fb4393 use login’s site_host functionality 2024-05-06 12:38:46 +01:00
Andy Miller
d5eea54aca Revert "require new email status style"
This reverts commit 4d87a391ad.
2024-04-05 11:49:13 -06:00
Andy Miller
4d87a391ad require new email status style 2024-04-05 11:46:39 -06:00
Andy Miller
540482a487 update copyright date 2024-01-05 11:50:46 +00:00
Andy Miller
f32b6ff439 copyright dates 2023-01-02 11:17:40 -07:00
Andy Miller
97ab52df81 no longer reference SwiftException (deprecated) 2022-10-05 08:07:09 -06:00
Matias Griese
396e32b76e Made path handling unicode-safe, use new Utils::basename() and Utils::pathinfo() everywhere 2022-01-26 14:11:10 +02:00
Matias Griese
e84e785978 Fixed passing null to $twoFa->verifyCode() and $twoFa->verifyYubikeyOTP()
2022-01-12 10:55:41 +02:00
Andy Miller
0f05d065b0 Support for YubiKey OTP 2 factor authenticator 2022-01-11 12:00:10 -07:00
Andy Miller
0ca2d22f86 updated some copyright years 2022-01-03 09:33:16 -07:00
Matias Griese
6463135bf0 Fixed unescaped messages in JSON responses 2021-11-03 12:42:27 +02:00
Matias Griese
2546cd35e0 Make sure that login data is an array in taskLogin() 2021-08-18 13:41:04 +03:00
Matias Griese
c097eee87f Fixed error reporting for AJAX tasks if user has no permissions 2021-04-15 10:11:04 +03:00
Matias Griese
1acb94e857 Fixed error message when user clicks logout link after his session has expired 2021-04-13 10:16:17 +03:00
Matias Griese
9108a4a85f Fixed broken 2FA login when site is not configured to use Flex Users [#2109] 2021-04-08 10:56:18 +03:00
Matias Griese
9fca08ab43 Regression: Fixed broken 2FA form [#2109] 2021-04-07 14:14:04 +03:00
Matias Griese
58e2c6cc55 Change nonce expiration message 2021-03-31 11:48:15 +03:00
Matias Griese
aa4f80eec1 Greatly improve login related actions for Admin
* Better isolate admin to prevent session related vulnerabilities
* Removed support for custom login redirects for improved security
* Shorten forgot password link lifetime from 7 days to 1 hour
* Fixed login related pages being accessible from admin when user has logged in
* Fixed admin user creation and password reset allowing unsafe passwords
* Fixed missing validation when registering the first admin user
* Fixed reset password email not to have session specific token in it
2021-03-26 14:39:37 +02:00
Matias Griese
de3a557b80 Display controller exceptions in debugger 2021-01-18 12:05:24 +02:00
Matias Griese
87f3fd83ff Pass phpstan level 1 tests 2020-02-04 11:22:27 +02:00
Matias Griese
5dad360946 Fix compatibility regression 2019-08-26 10:51:10 +03:00
Matias Griese
902447a50c WIP: Added new controller for admin 2019-06-18 12:15:58 +03:00