Commit Graph

784 Commits

Author SHA1 Message Date
KernelDeimos
8e6ee9ea79 Fix oversight in token compression 2024-04-29 22:48:10 -04:00
KernelDeimos
e7e7363fa7 Drop useless header 2024-04-29 22:34:19 -04:00
KernelDeimos
5a76bad28d fix: reduce token lengths 2024-04-29 21:46:02 -04:00
KernelDeimos
c1e4eeec32 Add TokenService and test utility 2024-04-29 21:11:31 -04:00
KernelDeimos
d2de46edfb fix: increase QR code size 2024-04-29 19:48:01 -04:00
KernelDeimos
04432df554 feat: improve password recovery experience 2024-04-29 19:26:29 -04:00
KernelDeimos
c44028f413 refactor: normalize email calls 2024-04-29 17:34:24 -04:00
Nariman Jelveh
8cad610a54 more sanitization, just in case 2024-04-29 14:09:54 -07:00
Nariman Jelveh
f807a28e95 bugfix 2024-04-29 12:05:41 -07:00
KernelDeimos
4c1d5a4b6d fix: fix error handling for outdated node versions 2024-04-29 02:42:04 -04:00
Nariman Jelveh
ecfbc44a20 safely escape settings strings 2024-04-28 16:02:54 -07:00
Nariman Jelveh
63c81d6fff Update UITabAccount.js 2024-04-27 19:29:44 -07:00
Nariman Jelveh
42d85abfc2 Update WebServerService.js 2024-04-27 19:10:10 -07:00
Nariman Jelveh
fd4e2f59dc Update WebServerService.js 2024-04-27 19:03:48 -07:00
Nariman Jelveh
053728a03f Validate the Host header before responding to requests 2024-04-27 18:52:01 -07:00
Nariman Jelveh
92f6c8003b
Merge pull request #352 from enweazudaniel/main
Language: Add Igbo translations
2024-04-27 14:49:28 -07:00
Nariman Jelveh
826afd7653 change en to ig for object name 2024-04-27 14:38:18 -07:00
enweazudaniel
0df9519f76
Language: Add Igbo 2024-04-27 12:06:29 +01:00
enweazudaniel
d5d0f67797
Language: Add (Igbo) ig.js 2024-04-27 12:03:18 +01:00
Nariman Jelveh
219cc94fbf Merge branch 'main' of https://github.com/HeyPuter/puter into main 2024-04-26 19:13:34 -07:00
Nariman Jelveh
bfa6419070 Update helpers.js 2024-04-26 19:13:22 -07:00
KernelDeimos
d7d6ff0cca Rate limit updates 2024-04-26 21:02:01 -04:00
KernelDeimos
79d6f64451 Notify old email when email change is initiated 2024-04-26 21:02:01 -04:00
Nariman Jelveh
fd59a6c994 Merge branch 'main' of https://github.com/HeyPuter/puter into main 2024-04-26 15:36:22 -07:00
Nariman Jelveh
cb4776cc0e do not append question mark to app URL if there is no query params to append 2024-04-26 15:36:15 -07:00
Eric Dubé
2ee00ca8e6
Revert "fix(security): Prevent email enumeration" (#351) 2024-04-26 18:22:14 -04:00
Nariman Jelveh
a3ec7bb5ad Fix the issue with context submenu not closing parent menu when clicked 2024-04-25 23:14:39 -07:00
Nariman Jelveh
faa72fd97c Update UIWindow.js 2024-04-25 23:10:03 -07:00
Nariman Jelveh
378b87459a Add robust hostname comparison for when declaring an environment as GUI 2024-04-25 17:51:20 -07:00
KernelDeimos
30f17ade3a fix: use primary read in signup 2024-04-25 19:46:39 -04:00
KernelDeimos
ecec8bf75d Use pread for signup page 2024-04-25 19:44:06 -04:00
KernelDeimos
736ebb6f28 Improve server health service 2024-04-25 19:39:18 -04:00
Nariman Jelveh
928dd90f61
Merge pull request #346 from youngsiiimba/main
fix(security): Prevent email enumeration
2024-04-25 14:59:56 -07:00
KernelDeimos
eb166a67a9 fix(security): Fix session revocation 2024-04-25 16:19:46 -04:00
Nariman Jelveh
51a6d1ea1d Allow the <p> tag in UIAlert body 2024-04-25 13:19:03 -07:00
Nariman Jelveh
3cce0e88df Revert "Allow the <p> tag in UIAlert body"
This reverts commit e2dcc813ec.
2024-04-25 13:18:37 -07:00
Nariman Jelveh
e2dcc813ec Allow the <p> tag in UIAlert body 2024-04-25 13:18:28 -07:00
Nariman Jelveh
a572a0a640
Merge pull request #341 from Xiayucheng1212/pass_locale
Pass locale to the iframe url whenever accessing an app
2024-04-25 13:14:16 -07:00
Nariman Jelveh
c4b2d9861f Clean up some of the unnecessary console warnings 2024-04-25 13:11:11 -07:00
Simba Chawanda
ed70314686 fix(security): Prevent email enumeration 2024-04-25 09:27:37 +02:00
Nariman Jelveh
f5f35f2c37 Phase out openItem in IPC
also fix the issue with directories being opened with notepad after setting notepad as default app for files without extensions.
2024-04-24 23:12:57 -07:00
KernelDeimos
ccf1afc93c feat(security): add ip rate limiting 2024-04-24 22:35:40 -04:00
KernelDeimos
7800ef6102 fix(security): skip cache when checking old passwd 2024-04-24 22:28:27 -04:00
Nariman Jelveh
25eea41f60 Keep track of app_instance_ids 2024-04-24 17:57:30 -07:00
Nariman Jelveh
c21c16026b Update ko.js 2024-04-24 14:43:07 -07:00
KernelDeimos
74e9270d58 Fix 2024-04-24 16:16:31 -04:00
KernelDeimos
b2e72adba9 Add ratelimit for /confirm-email 2024-04-24 16:12:09 -04:00
KernelDeimos
1eac147918 Add ratelimit for /contactUs 2024-04-24 16:09:04 -04:00
スーチ・ファトマワティ
3f6f4bb4c0
fix(security): update follow-redirects
When using axios, its dependency follow-redirects only clears authorization header during cross-domain redirect, but allows the proxy-authentication header which contains credentials too.

## Steps To Reproduce & PoC
```js
const axios = require('axios');

axios.get('http://127.0.0.1:10081/', {
 headers: {
 'AuThorization': 'Rear Test',
 'ProXy-AuthoriZation': 'Rear Test',
 'coOkie': 't=1'
 }
})
 .then((response) => {
 console.log(response);
 })
```
When I meet the cross-domain redirect, the sensitive headers like authorization and cookie are cleared, but proxy-authentication header is kept.

```diff
- removeMatchingHeaders(/^(?:authorization|cookie)$/i, this._options.headers);
+ removeMatchingHeaders(/^(?:authorization|proxy-authorization|cookie)$/i, this._options.headers);
```
CWE-200
`CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N`
CVE-2024-28849
2024-04-24 15:23:47 -04:00
Sam Atkins
a8d1d3b87a
docs: Add help text to dcall utility (#335) 2024-04-24 15:21:31 -04:00