Nariman Jelveh
42d85abfc2
Update WebServerService.js
2024-04-27 19:10:10 -07:00
Nariman Jelveh
fd4e2f59dc
Update WebServerService.js
2024-04-27 19:03:48 -07:00
Nariman Jelveh
053728a03f
Validate the Host
header before responding to requests
2024-04-27 18:52:01 -07:00
Nariman Jelveh
92f6c8003b
Merge pull request #352 from enweazudaniel/main
...
Language: Add Igbo translations
2024-04-27 14:49:28 -07:00
Nariman Jelveh
826afd7653
change en
to ig
for object name
2024-04-27 14:38:18 -07:00
enweazudaniel
0df9519f76
Language: Add Igbo
2024-04-27 12:06:29 +01:00
enweazudaniel
d5d0f67797
Language: Add (Igbo) ig.js
2024-04-27 12:03:18 +01:00
Nariman Jelveh
219cc94fbf
Merge branch 'main' of https://github.com/HeyPuter/puter into main
2024-04-26 19:13:34 -07:00
Nariman Jelveh
bfa6419070
Update helpers.js
2024-04-26 19:13:22 -07:00
KernelDeimos
d7d6ff0cca
Rate limit updates
2024-04-26 21:02:01 -04:00
KernelDeimos
79d6f64451
Notify old email when email change is initiated
2024-04-26 21:02:01 -04:00
Nariman Jelveh
fd59a6c994
Merge branch 'main' of https://github.com/HeyPuter/puter into main
2024-04-26 15:36:22 -07:00
Nariman Jelveh
cb4776cc0e
do not append question mark to app URL if there is no query params to append
2024-04-26 15:36:15 -07:00
Eric Dubé
2ee00ca8e6
Revert "fix(security): Prevent email enumeration" ( #351 )
2024-04-26 18:22:14 -04:00
Nariman Jelveh
a3ec7bb5ad
Fix the issue with context submenu not closing parent menu when clicked
2024-04-25 23:14:39 -07:00
Nariman Jelveh
faa72fd97c
Update UIWindow.js
2024-04-25 23:10:03 -07:00
Nariman Jelveh
378b87459a
Add robust hostname comparison for when declaring an environment as GUI
2024-04-25 17:51:20 -07:00
KernelDeimos
30f17ade3a
fix: use primary read in signup
2024-04-25 19:46:39 -04:00
KernelDeimos
ecec8bf75d
Use pread for signup page
2024-04-25 19:44:06 -04:00
KernelDeimos
736ebb6f28
Improve server health service
2024-04-25 19:39:18 -04:00
Nariman Jelveh
928dd90f61
Merge pull request #346 from youngsiiimba/main
...
fix(security): Prevent email enumeration
2024-04-25 14:59:56 -07:00
KernelDeimos
eb166a67a9
fix(security): Fix session revocation
2024-04-25 16:19:46 -04:00
Nariman Jelveh
51a6d1ea1d
Allow the <p>
tag in UIAlert
body
2024-04-25 13:19:03 -07:00
Nariman Jelveh
3cce0e88df
Revert "Allow the <p>
tag in UIAlert
body"
...
This reverts commit e2dcc813ec
.
2024-04-25 13:18:37 -07:00
Nariman Jelveh
e2dcc813ec
Allow the <p>
tag in UIAlert
body
2024-04-25 13:18:28 -07:00
Nariman Jelveh
a572a0a640
Merge pull request #341 from Xiayucheng1212/pass_locale
...
Pass locale to the iframe url whenever accessing an app
2024-04-25 13:14:16 -07:00
Nariman Jelveh
c4b2d9861f
Clean up some of the unnecessary console warnings
2024-04-25 13:11:11 -07:00
Simba Chawanda
ed70314686
fix(security): Prevent email enumeration
2024-04-25 09:27:37 +02:00
Nariman Jelveh
f5f35f2c37
Phase out openItem
in IPC
...
also fix the issue with directories being opened with notepad after setting notepad as default app for files without extensions.
2024-04-24 23:12:57 -07:00
KernelDeimos
ccf1afc93c
feat(security): add ip rate limiting
2024-04-24 22:35:40 -04:00
KernelDeimos
7800ef6102
fix(security): skip cache when checking old passwd
2024-04-24 22:28:27 -04:00
Nariman Jelveh
25eea41f60
Keep track of app_instance_id
s
2024-04-24 17:57:30 -07:00
Nariman Jelveh
c21c16026b
Update ko.js
2024-04-24 14:43:07 -07:00
KernelDeimos
74e9270d58
Fix
2024-04-24 16:16:31 -04:00
KernelDeimos
b2e72adba9
Add ratelimit for /confirm-email
2024-04-24 16:12:09 -04:00
KernelDeimos
1eac147918
Add ratelimit for /contactUs
2024-04-24 16:09:04 -04:00
スーチ・ファトマワティ
3f6f4bb4c0
fix(security): update follow-redirects
...
When using axios, its dependency follow-redirects only clears authorization header during cross-domain redirect, but allows the proxy-authentication header which contains credentials too.
## Steps To Reproduce & PoC
```js
const axios = require('axios');
axios.get('http://127.0.0.1:10081/ ', {
headers: {
'AuThorization': 'Rear Test',
'ProXy-AuthoriZation': 'Rear Test',
'coOkie': 't=1'
}
})
.then((response) => {
console.log(response);
})
```
When I meet the cross-domain redirect, the sensitive headers like authorization and cookie are cleared, but proxy-authentication header is kept.
```diff
- removeMatchingHeaders(/^(?:authorization|cookie)$/i, this._options.headers);
+ removeMatchingHeaders(/^(?:authorization|proxy-authorization|cookie)$/i, this._options.headers);
```
CWE-200
`CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N`
CVE-2024-28849
2024-04-24 15:23:47 -04:00
Sam Atkins
a8d1d3b87a
docs: Add help text to dcall utility ( #335 )
2024-04-24 15:21:31 -04:00
Nariman Jelveh
fb3dfc5672
Merge branch 'main' of https://github.com/HeyPuter/puter into main
2024-04-24 12:06:16 -07:00
Nariman Jelveh
cdd0231a76
translation fix
2024-04-24 12:06:05 -07:00
Eric Dubé
e9e43c059a
Merge pull request #342 from brhahlen/docker-ci-improvements
...
Update Docker CI
2024-04-24 15:04:29 -04:00
Nariman Jelveh
548e975cac
remove unused imports, sanitization, and validation of input
2024-04-24 10:05:53 -07:00
Ben Hählen
028b37b9d4
Update Docker CI
2024-04-24 11:29:44 +02:00
Xiayucheng1212
916e1bb95c
Add local to url
2024-04-24 16:40:42 +08:00
Nariman Jelveh
c9e8207e4b
Clean up the console warninf message
2024-04-23 23:53:15 -07:00
Nariman Jelveh
aef6df048c
allow the <strong>
tag in UIAlert
2024-04-23 23:06:04 -07:00
Nariman Jelveh
f8b2b18185
Update en.js
2024-04-23 22:49:16 -07:00
Nariman Jelveh
ce411ed728
Perform more advanced input and string sanitization and validation for performance and security
2024-04-23 22:46:33 -07:00
Nariman Jelveh
9859a32e15
Deprecate and remove UIWindowConfirmDownload
2024-04-23 16:35:28 -07:00
Nariman Jelveh
3be7af8fb8
Merge branch 'main' of https://github.com/HeyPuter/puter into main
2024-04-23 16:26:07 -07:00