Added a central URLFilter class to check & clean URLs used for
attachments, which is also used for validation, and by the purifier to
standardise protocols (and to make protocol config easier in future).
Thanks to mfk25 for reporting.
Avoids providing responses with potential sensitive attachment info
before permission checks.
Added tests to cover.
Thanks to Rafael Castilho for reporting.
Adds validation that the related page exists, is visible, and that the
user has page edit permissions for the page.
Aligns with attachment permission model, and aligns across different
image endpoints.
Added tests to cover.
Closes#6126
From testing, don't think this could exploited directly, as the response
would error instead of allowing control characters, but this adds an
extra layer of sanitization, and switches to encoded disposition
filenames for better UTF8 support.
Had prevented public access for images when secure_restricted images was
enabled (and for just secure images) when app settings allowed public
access.
This considers the app public setting, and adds tests to cover extra
scenarios to prevent regression.
We were not responsing with a range request, where the requested range
was for the full extent of content. This changes things to always
provide a range request, even for the full range.
Change made since our existing logic could cause problems in chromium
browsers.
Elseif statement removed as its was likley redundant based upon other
existing checks.
This also changes responses for requested ranges beyond content, but I
think that's technically correct looking at the spec (416 are for when
there are no overlapping request/response ranges at all).
Updated tests to cover.
For #5342
Changes GIF image thumbnail handling to direcly load via gd instead of
going through interventions own handling (which supports frames) since
we don't need animation for our thumbnails, and since performance issues
could arise with GIFs that have large frame counts.
For #5029
- Updated existing tests now affected by my-account changes.
- Updated some existing tests to more accuractly check the scenario.
- Updated some code styling in SocialController.
- Fixed redirects for social account flows to fit my-account.
- Added test for social account attaching.
- Added test for api token redirect handling.
Within the flow of HttpFetchException, the actual exception from curl is preserved and logged. Make HttpFetchException a pretty exception for when it is shown to users.
- Updated UI with image form dropdown containing delete and replace
image actions.
- Adds new endpoint and service/repo handling for replacing existing
image.
- Includes tests to cover.
Added test to cover.
Did attempt a 64k limit, but values over 2k significantly increase
chance of other issues since this URL may be used in redirect headers.
Would rather catch issues in-app.
For #4044
Failure of loading drawings will now close the drawing view and show an
error message, hinting at file or permission issues, instead of leaving
the user facing a continuosly loading interface.
Adds test to cover.
This also updates errors from our HTTP service to be wrapped in a custom
error type for better identification and so the error is an actual
javascript error. Should be object compatible.
Related to #3955.