11971 Commits

Author SHA1 Message Date
RushLana 2357a86d51 Fixes #2552 - Implement SVG validation
Use https://github.com/darylldoyle/svg-sanitizer to check for malicious code inside svg, throw an error code 415 when triggered in the API.
2026-05-26 14:26:39 +02:00
David 1b1c89867e Fixes #2036 WebP support when using PHP GD 2026-05-14 15:01:15 +02:00
Steffan Henke 01f68b81c6 Typo 2026-05-14 14:50:38 +02:00
HWFord f12323d1c9 fixes #2557 use pwg_get_cookie_var
-Update cookie to use pwg_lang to avoid conflicts with other potential apps.
-Add cookie path to the pwg_lang cookie to help with conflicts also.
-Be less restrictive in load_cookie_language function
-We can't use pwg_set_cookie because it is set in js not PHP so we force it to be called pwg_lang
2026-05-06 08:53:44 +02:00
Linty 29c7957054 fix typo causing undefined array key warning 2026-05-04 18:44:26 +02:00
plegall 2cfa7a3d19 fixes GHSA-6wj3-7fhw-gfpm upgrade/install: make sure user input is sanitized 2026-05-03 12:03:43 +02:00
plegall 5277a7dee4 fixes GHSA-rr39-mf4j-6594 prevent displaying RAW cookie content
... and also factorize code checking the cookie.lang user input
2026-05-01 16:59:29 +02:00
Linty 33024bcc8d fixes #2555 toggle password links by user status
Show copy/send password links by default but hide them for users with status 'generic'. Adds a change handler in fill_user_edit_properties to call toggle_send_copy_password when the status select changes, and implements toggle_send_copy_password(status) to show/hide #copy_password_link and #send_password_link accordingly.
2026-04-29 16:20:37 +02:00
Linty 9196732341 fixes #2478 add created_on tooltip and responsive tooltip styles
JS: add mouseenter handler to toggle a tooltip-flip class for elements with data-tooltip so tooltips flip when they would overflow the right edge; set data-tooltip on API creation timestamp. CSS: constrain tooltip max width to 250px (or viewport margin), allow multiline content (max-content/word-wrap), and position flipped tooltips from the right. These changes prevent tooltip overflow on narrow viewports and improve readability.
2026-04-29 15:15:34 +02:00
plegall 54c812bf7d fixes #2553 force opcache to reload files extracted from zip during plugin update 2026-04-28 16:40:57 +02:00
plegall ba1f803f8c fixes GHSA-jhp4-7f82-8f6q check image_order against allowed values 2026-04-26 15:18:28 +02:00
plegall c7e30da5c1 fixes GHSA-7r67-9xhq-7p2c check get.filter inputs for dimensions and filesize 2026-04-26 13:06:52 +02:00
plegall 4a13ec9a8f fixes GHSA-7w97-5g4p-xqvv more robust check on logo file type 2026-04-26 11:42:20 +02:00
plegall 8cec3cc305 fixes #2550 checks MIME type against each uploaded file 2026-04-21 16:39:04 +02:00
plegall d21b530cb0 fixes #2369 avoid division by zero in case of STORAGE_TOTAL < 1kB 2026-04-15 16:15:36 +02:00
HWFord 03823bbff3 issue #2516 update admin messages
colours and padding mainly
2026-04-10 10:13:52 +02:00
plegall 81f8d65a25 fixes GHSA-gphq-34pv-gvf3 sanity check for table prefix during install 2026-03-30 15:42:02 +02:00
Linty c9af737962 fixes #2544 improve AddUser UI layout
Hide AddUser error block on close and make the AddUser popin scrollable with layout fixes. Also refine two French translations (password and login key).
2026-03-26 10:10:20 +01:00
Linty b19beee0aa fixes #796 handle ampersand escaping for API URLs
When generating URLs for the web service (IN_WS), ensure the argument separator is a raw '&' instead of the HTML entity '&amp;'. add_url_params now switches the separator to '&' if IN_WS is defined and '&amp;' was requested. Removed a redundant str_replace call in ws_std_get_urls since get_action_url/add_url_params now produce the correct separator. This prevents double-escaped ampersands.
2026-03-23 12:26:20 +01:00
RushLana 001a21056c fixes #2540 only prompt to update container on version lower than the latest version 2026-03-16 13:03:45 +01:00
Linty 8fe5a57799 fixes #2539 always set pwg_token for API key requests
Simplify pwg_token setup during PWG_API_KEY_REQUEST by unconditionally assigning get_pwg_token() to both $_POST['pwg_token'] and $_GET['pwg_token']. Removes prior isset() checks so the token is always present for API key requests; be aware this will overwrite any existing pwg_token values in request arrays.
2026-03-13 18:18:21 +01:00
plegall 355f3d44af fixes #2538 differentiate from and reply-to in pwg_mail 2026-03-11 12:23:52 +01:00
04cb 964a2d8ede Fix disk storage unit conversion from kB to GB/MB
Use binary (1024-based) prefixes instead of decimal (1000-based) for
storage unit conversion. Previously dividing by 1000000 and 1000,
now correctly dividing by 1048576 (1024*1024) and 1024.

Fixes #2502
2026-03-07 13:38:11 +01:00
HWFord 5cfabc12bf fixes #2531 remove use_standard_pages from config.php 2026-02-26 14:36:08 +01:00
plegall 3ab004f7f6 fixes GHSA-wfmr-9hg8-jh3m protects pwg.activity.getList 2026-02-24 17:14:35 +01:00
plegall db2a156554 fixes GHSA-5jwg-cr5q-vjq2 protect filter parameter in pwg.user.getList 2026-02-24 16:19:22 +01:00
plegall b2a78ded67 fixes GHSA-397m-gfhm-pmg2 pwg.history.search is only for admins 2026-02-24 15:59:19 +01:00
RushLana bfbc8f68d9 Add docker updates support
Detect if running in an official container and replace update buttons by links to the documentation
2026-02-24 15:16:56 +01:00
HWFord 1441831e9d fixes #2528 add icon class 2026-02-23 17:59:24 +01:00
HWFord b0c6da3efd fixes #2525 add missing translation 2026-02-20 14:11:03 +01:00
HWFord 4b68edbd5c issue #2516 update message colors 2026-02-19 15:58:46 +01:00
HWFord 5a3f1a306d issue #2516 update message icons
change all message icons to circled versions
2026-02-19 11:19:23 +01:00
HWFord 3ac7b803e5 issue #2516 update fontello
Add warning circled
2026-02-18 11:13:55 +01:00
plegall 0f359f2af5 fixes GHSA-mgqc-3445-qghq checks standard date fields 2026-02-17 18:54:45 +01:00
Linty b26ca3e08a fixes #2522 use privacy-preserving verification message
Replace the explicit "An email has been sent with a verification code" message with a privacy-preserving wording: "If your account exists, a verification code has been sent to your email address." This avoids account enumeration. Updated language entries in en_UK and fr_FR, the server-side message in password.php, and the password reset template.
2026-02-12 17:25:50 +01:00
plegall 74edc39995 fixes #2519 prevent CSRF on album notification form 2026-02-04 15:49:47 +01:00
HWFord 186378e4f3 fixes #2518 add viewport meta & adjust responsive css 2026-01-29 09:20:45 +01:00
HWFord ce3fcd61e4 fixes #2517 set max height and scroll for lang switch 2026-01-28 14:38:14 +01:00
HWFord 3195a33b76 fixes #2516 update message colors and design 2026-01-27 16:02:46 +01:00
plegall 15e451c231 fixes #2510 fallback for missing username 2026-01-15 14:19:04 +01:00
HWFord c186a5f7de fixes #2509 change button label in site_update.tpl 2026-01-15 10:08:29 +01:00
HWFord d9fce8a309 fixes #2508 add header.tpl to standard pages
duplicate header.tpl from themes/default, remove anything that isn't needed, load jQuery in header instead of footer
2026-01-14 14:18:27 +01:00
RushLana 5563ea98fd Add a more granular container detection (#2501)
Add a more granular container detection

Replace is_in_container by get_container_info
Currently detects the Official container (once they update a version with a tagfile) and the LinuxServer container
All other containers are marked as Unknown

Reports two fields:
- container_type ( none | Official | LinuxServer | Unknown )
- container_version ( build version number like 16.2.0a, only reported if Official container is detected )
2026-01-14 13:00:14 +01:00
plegall c614efd33c fixes #2507 add conditions before trying to display an image in the email 2026-01-13 15:08:52 +01:00
HWFord 25068f308a fixes #2504 add missing @translate and missing keys 2026-01-08 16:09:51 +01:00
HWFord 074de993fe fixes #2503 revert moving update button 2026-01-07 16:45:54 +01:00
HWFord 40e6540b04 issue #2486 Fix typo in french 2026-01-07 15:00:33 +01:00
plegall ea80dca422 fixes #2499 make the check_for_updates a unique_exec 2026-01-04 20:48:27 +01:00
plegall e3c80efe63 fixes #2494 only picture_ext files can be resized after upload 2025-12-29 22:21:20 +01:00
RushLana ff633b7137 Change syntax order of all imagemagick to match IM7 syntax 2025-12-29 15:49:31 +01:00