Commit graph

1595 commits

Author SHA1 Message Date
Pierre Rudloff
363bf9b08c fixup! Prevent SSRF requests By validating the provided URL before passing it to youtube-dl 2022-02-27 23:36:51 +01:00
Pierre Rudloff
732baccd63 Make the watch route generate a full YouTube URL (fixes #402) 2022-02-27 23:32:08 +01:00
Pierre Rudloff
7f28275fb0 Merge tag '3.0.2' into develop
Fixed a SSRF vulnerability that could be used to send a request to an internal hostname
2022-02-27 12:34:23 +01:00
Pierre Rudloff
148a171b24 Merge branch 'hotfix/3.0.2' 2022-02-27 12:32:36 +01:00
Pierre Rudloff
1b099bb983 Patch youtube-dl to disable redirects
In order to prevent SSRF attacks using redirects
2022-02-27 12:30:15 +01:00
Pierre Rudloff
3a4f09dda0 Prevent SSRF requests
By validating the provided URL before passing it to youtube-dl
2022-02-27 11:00:33 +01:00
Pierre Rudloff
bf4a761d3a Make UglyRouter compatible with routes with parameters (#399) 2022-02-23 21:30:58 +01:00
Pierre Rudloff
6ad0486468 Use Python 3.8.12 on Heroku 2022-02-22 23:10:54 +01:00
Pierre Rudloff
e246ab03e9 Partial PHP 8 compatibility
But we still need to update rinvex/countries
2022-02-22 22:58:57 +01:00
Pierre Rudloff
e567f9c9fa Update annotated-command
To fix PHP 8 compatibility issues: https://github.com/consolidation/annotated-command/pull/210
2022-02-20 14:19:41 +01:00
Pierre Rudloff
64ac180a53 Merge branch 'master' into develop 2022-02-20 14:07:21 +01:00
Pierre Rudloff
2afbfb4bf2 fixup! Don't redirect to REQUEST_URI when browsing to index.php Instead, we can make sure everything works correctly on index.php 2022-02-20 14:06:59 +01:00
Pierre Rudloff
9410d4b49b LinkHeaderMiddleware should use the same URL as ViewFactory
This way the X-Forwarded-Path header is used to generate the Link header
2022-02-20 13:55:44 +01:00
Pierre Rudloff
bfaea0e381 Merge tag '3.0.1' into develop
Fixed an open redirect vulnerability that could be used to construct a URL redirecting to an arbitrary domain
2022-02-20 13:34:53 +01:00
Pierre Rudloff
3ab22c654a Merge branch 'hotfix/3.0.1' 2022-02-20 13:31:40 +01:00
Pierre Rudloff
bc14b6e45c Don't redirect to REQUEST_URI when browsing to index.php
Instead, we can make sure everything works correctly on index.php
2022-02-20 13:28:57 +01:00
Pierre Rudloff
acbd2008ca Merge branch 'master' into develop 2022-02-19 20:48:02 +01:00
Pierre Rudloff
cf82f1cc8f Add security policy 2022-02-19 20:47:53 +01:00
Pierre Rudloff
5677ce719a Update youtube-dl to 2021.12.17 (#395) 2022-02-17 22:13:56 +01:00
Pierre Rudloff
655490eeb3 Use HTTPS URLs in composer.json 2022-02-17 22:00:08 +01:00
Pierre Rudloff
18847e4d75 More robust way to detect CI in tests 2022-02-07 22:30:47 +01:00
Pierre Rudloff
fe771886d9 Replace Travis with GitHub actions
travis-ci.org does not run tests anymore
2022-02-07 22:26:33 +01:00
Pierre Rudloff
27439c7e14 Simplify overly complicated format selection template 2022-02-06 20:46:38 +01:00
Pierre Rudloff
d9ba01f017 Generate <img> tags with Smarty 2022-02-06 19:17:05 +01:00
Pierre Rudloff
ce9b4d9a48 Update Smarty to 4.0 2022-02-06 18:43:08 +01:00
Pierre Rudloff
7cd42e6c6b Fix MP3 option size 2022-02-03 21:57:00 +01:00
Pierre Rudloff
ac8c53375a Easier to maintain template structure
This way the head and footer don't have to be included every time and the hierarchy is easier to read
2022-02-03 21:41:07 +01:00
Pierre Rudloff
de74808459 More readable way to include HTML in translated strings 2022-02-03 21:07:13 +01:00
Pierre Rudloff
bdf5554430 Use HTTPS links 2022-02-03 20:55:09 +01:00
Pierre Rudloff
b8c88aecf5 Improve typing 2022-02-03 20:52:18 +01:00
Pierre Rudloff
d46563f994 Simplify code 2022-02-03 20:21:04 +01:00
Pierre Rudloff
781b5c8bc2 phpcs does not like full namespaces 2022-02-03 20:03:55 +01:00
Pierre Rudloff
ffd9275500 Correct way to use interface constant 2022-02-03 20:01:56 +01:00
Pierre Rudloff
6fef87f58b Use HTML dumper for Smarty collector 2022-01-27 00:15:05 +01:00
Pierre Rudloff
835170f4b5 Use phpmnd to detect magic numbers 2022-01-27 00:03:37 +01:00
Pierre Rudloff
5ed15afe1f Use constant for HTTP response code 2022-01-26 23:58:25 +01:00
Pierre Rudloff
359c358df1 Symfony 5.0 is not maintained anymore 2022-01-26 23:53:14 +01:00
Pierre Rudloff
c44979bbae Merge pull request #385 from LoganTann/master
fix: manifest causes 404 when making pwa shortcut
2022-01-17 20:24:57 +01:00
Pierre Rudloff
8f3f1cdaf8 Merge branch 'master' into develop 2022-01-17 20:14:06 +01:00
ShinProg (Logan Tann)
1464b2c319 fix: manifest causes 404 when making pwa shortcut
fixes #384
2022-01-17 11:38:38 +01:00
dependabot[bot]
fb78ecb410 Bump smarty/smarty from 3.1.39 to 3.1.43 (#383)
Bumps smarty/smarty from 3.1.39 to 3.1.43.

---
updated-dependencies:
- dependency-name: smarty/smarty
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-01-13 00:05:49 +01:00
Pierre Rudloff
d744ee557e Build Link header from an array 2021-10-19 23:14:38 +02:00
Pierre Rudloff
5d40523cf4 Don't hardcode class name 2021-10-18 13:16:28 +02:00
Pierre Rudloff
55db198d39 Upgrade phpunit to 9.5
So we stop depending on the unmaintained php-token-stream
2021-10-17 21:14:39 +02:00
M*C*O
60f924f4bf Document X-Forwarded-Proto in README (#368) 2021-07-25 15:02:03 +02:00
Pierre Rudloff
607efaa292 fixup! Fix small typos (#333) 2021-06-06 19:15:44 +02:00
Pierre Rudloff
f3ffa90a2e Update alltube-library to 0.1.3 2021-05-13 13:03:10 +02:00
Pierre Rudloff
a95d1de67e Update alltube-library to 0.1.2 2021-05-05 21:48:10 +02:00
Pierre Rudloff
1753adf478 Merge tag '3.0.0' into develop
This release contains several breaking changes:

The Video class is now available as a separate Composer package (rudloff/alltube-library)
The release package and Docker image now contain only production dependencies
youtube-dl is now a production dependency
Composer does not install ffmpeg or phantomjs anymore
The "avconv" and "avconvVerbosity" options are now respectively "ffmpeg" and "ffmpegVerbosity"

Other changes:

Setting the "stream" option to "ask" now works correctly
New locales are automatically detected
New Italian translation (thanks to @holoitsme)
If the "best" format does not exist, it will fall back to "bestvideo"
Composer 2 compatibility
youtube-dl and ffmpeg commands are now logged when debug mode is enabled
404 and 405 error pages now have the same style as the other pages
The new "defaultAudio" option allows converting to audio by default (thanks to @bellington3)
The Heroku build now uses Python 3 (thanks to @telegrambotdev)
The app now supports the container Heroku stack (thanks to @telegrambotdev)
The new "convertSeek" option allows disabling seeking when converting to audio (thanks to @bellington3)
Exceptions are now logged
AllTube can now run correctly behind a reverse proxy with a custom path or port (thanks to @bellington3)
2021-04-20 23:19:29 +02:00
Pierre Rudloff
eeda434b2f Merge branch 'release-3.0.0' 2021-04-20 23:16:45 +02:00