Age         Commit message  [Author; files changed, lines -removed/+added]
2014-10-21  Disable warning about switch statement  [Yorhel; 1 file, -1/+2]
    I really want to rewrite that code to not use the very unperlish switch statement, but the code is rather... complex and hairy. :(
2014-10-21  Fix search tabs query string appending on back button  [Yorhel; 1 file, -0/+1]
    As reported in https://vndb.org/t5868
2014-10-20  Fix tabindex on edit summary  [Yorhel; 1 file, -1/+1]
    Per https://vndb.org/t5864
2014-10-16  Fix tabindex on the date selector  [Yorhel; 2 files, -4/+8]
2014-10-16  Completely get rid of the old charedit perm flag  [Yorhel; 7 files, -17/+16]
2014-10-16  Add a positive tabindex to all generated form elements  [Yorhel; 1 file, -12/+16]
    This should result in a more natural tabbing order, skipping over any links around the forms.
2014-10-16  Set httponly flag on auth cookie  [Yorhel; 1 file, -1/+1]
2014-10-16  Hash session tokens with SHA-1 when storing in DB  [Yorhel; 3 files, -23/+31]
    This ensures that, if an attacker ever gets read access to the database, he will not be able to compromise any accounts. SHA-1 suffices here, because the data being hashed is a random 20 byte string. The search space is so damn large that you can't sanely brute force it, nor are rainbow tables any use at that scale. They're not salted. The password reset tokens are also hashed in the database and do include salt, but I've no idea why we did that.
2014-10-15  Let's call this 2.23  (tag: 2.23)  [Yorhel; 3 files, -1/+5]
2014-10-15  scrypt: Lower default N to 65536  [Yorhel; 1 file, -1/+1]
    Completely disregard my comments regarding DoS in commit 6e0a0e1d00e11da9b4eab2163e19314f752b05b5 - successful logins aren't throttled at all. The other reason for lowering this value is because the API requires a login for each new TCP session, and it doesn't seem like many (any?) applications keep the TCP session alive for very long. Still, 65536 is more secure than the default of 16384.
2014-10-15  Multi::API: Fix login with the new password format changes  [Yorhel; 1 file, -5/+19]
2014-10-15  Multi::API: Fix crash on failed login  [Yorhel; 1 file, -2/+2]
    I broke this when changing the column type of login_throttle.timeout.
2014-10-15  Use scrypt for new password hashes  [Yorhel; 5 files, -10/+39]
    I increased the N parameter to approximate about 500ms to generate the hash. This is quite a paranoid setting for a website, but login attempts are throttled so there's not much of a DoS factor. (Alright, password changing feature isn't throttled so the DoS factor still exists. But really, there's some pages with longer page generation times anyway.) I did lower the size of the salt a bit (Crypt::ScryptKDF uses 256 bits by default), because 64 bits of randomness should have low enough chance of collision with only ~100k users (even with a million users, seriously).
2014-10-15  Auth: Use a proper CSPRNG for generating salt and tokens  [Yorhel; 2 files, -6/+11]
2014-10-15  SQL: Merge users.(passwd|salt) in one column + document values  [Yorhel; 5 files, -42/+47]
    It doesn't make a whole lot of sense to separate the hashed password and the salt from each other; you need both to do anything with them, and from the database perspective they're both completely opaque strings only usable for direct comparison with other hashed strings. This change is mostly as preparation for switching to a proper key derivation function (sha256 isn't...) and to add support for longer and/or binary salt. Because the passwd field now needs to be interpreted in Perl, it's being passed around as a binary string rather than a hex-encoded value. API login is broken in this commit. I'll get to that.
2014-10-13  SQL: Use enum to represent platforms  [Yorhel; 7 files, -14/+26]
    I believe I didn't do this conversion earlier (back when I converted the language types) because PostgreSQL didn't support dynamically adding new values to an existing enum back then, and modifying an enum was a huge pain. Recent versions do support this, so there's no reason to keep it as a string. ...I just felt like adding some churn to the code base.
2014-10-12  Add PS4 and Xbox One platforms  [Yorhel; 4 files, -1/+28]
2014-10-11  SQL: Convert login_throttle.timeout to a timestamptz  [Yorhel; 4 files, -6/+10]
    Easier to work with in custom queries.
2014-10-09  Handler::Users: Properly select current skin in user edit form  [Yorhel; 1 file, -2/+4]
    This used to work fine before the AIR skin was added, because Angelic Serenade used to be the first in the list.
2014-10-09  Two new skins from Yirba  [Yorhel; 6 files, -0/+64]
2014-09-25  Multi: Update maintenance timings + disable usercache  [Yorhel; 1 file, -10/+14]
    The usercache maintenance cron is causing significant downtime each month, so I've disabled it for now.
2014-09-15  Change normalization factor in popularity ranking calculation  [Yorhel; 1 file, -1/+1]
    Suggested by Hinoe, quoting his reasoning: In popularity rankings, change the normalization from "sqrt(LowerVoteCount)" == "LowerVoteCount^0.5" to something that grows somewhat more slowly. Details: Natural logarithm itself (ln(LowerVoteCount+1)) is too slow; at the current VN count (15403), it returns 9.64; however, sqrt(15402) is just above 124.1, which I feel is already too high. After experimenting with the exponents a bit, I decided that the best point likely lies between 0.3, which returns a bit above 18.0, and 0.4, which returns a bit above 47.3. Thus, I suggest that the new function be LowerVoteCount^0.36788; the exponent is a 5-digit approximation of e^-1, just because it's a nice number in the specified area and works well, returning circa 34.7.
2014-09-15  norm_ip: Use /23 subnet for IPv4  [Yorhel; 1 file, -7/+12]
    Apparently there are networks where a single visitor is assigned random addresses in the /23 range for each request. This should fix the login/registration form on such networks, and makes the login throttling more robust (and easier to trigger for innocent people, but judging from monitoring the throttle table, failed logins aren't that common). I wonder if /23 is enough, but we'll see.
2014-09-02  Fix matching bug in norm_ip()  [Yorhel; 1 file, -1/+1]
    The . match doesn't match "any byte". Without the /s flag, it doesn't match newline characters.
2014-09-01  Disallow ( and ) in email regex  [Yorhel; 1 file, -1/+1]
2014-08-29  API: Make sure to honor the new login throttle  [Yorhel; 5 files, -33/+53]
2014-08-29  Throttle failed login attempts (10/day)  [Yorhel; 7 files, -4/+85]
2014-08-29  Strengthen formcode for non-logged-in visitors + CSRF protect login form  [Yorhel; 5 files, -38/+62]
    formcode is strengthened by including the IP (-prefix) into the hash, ensuring that the code can't be obtained by someone on a different network. I also removed the login form of every page. Felt kinda pointless.
2014-08-29  Sync language type util/sql/all.sql with recent update  [Yorhel; 1 file, -1/+1]
2014-08-21  Add Romanian language  [Yorhel; 5 files, -1/+17]
2014-08-21  API dump: Add daily votes dump  [Yorhel; 2 files, -1/+48]
2014-08-21  API: Increase max result counts for userlists  [Yorhel; 2 files, -3/+6]
2014-08-19  Multi: Run maintenance tasks at 12:00 GMT  [Yorhel; 1 file, -7/+4]
    In particular, don't run the tasks when I'm asleep. The SQL queries that are run during maintenance can deadlock and cause multi to crash. I want to be awake when that happens.
2014-08-19  API: Allow access to other users' public lists  [Yorhel; 2 files, -12/+29]
2014-08-16  API: Add 'vn' filter to get character  [Yorhel; 2 files, -1/+10]
2014-07-22  d11: Remove offline beta, d14: Update dump sizes  [Yorhel; 2 files, -3/+3]
2014-07-18  API: Add firstchar filter to get vn  [Yorhel; 2 files, -4/+19]
2014-07-09  Disallow comma in email pattern match  [Yorhel; 1 file, -1/+1]
2014-06-28  L10N-RU: Fix birthday  [Yorhel; 1 file, -1/+1]
2014-05-21  Added a config_example.pl  [Yorhel; 1 file, -0/+35]
2014-05-16  API: Added 'dbstats' command  [Yorhel; 2 files, -4/+56]
2014-03-14  Shorten the VNDB description on the homepage  [Yorhel; 1 file, -47/+10]
    The stuff about promoting users to register isn't really necessary.
2014-03-14  DB::Releases: Fix mixing AND/OR expressions in platform/media filters  [Yorhel; 1 file, -4/+4]
    Fixes http://vndb.org/t5136
2014-03-11  Multi::API: Fix two 'Use of uninitialized value in multiplication'  [Yorhel; 1 file, -2/+2]
    Shouldn't affect behaviour in any way, just get rid of the warnings.
2014-03-10  Multi::API: Expose popularity, rating and votecount  [Yorhel; 2 files, -1/+29]
    http://vndb.org/t5121
2014-02-04  L10N-DE: More updates & fixes  [Marcel Weyers; 13 files, -457/+572]
2014-02-04  d12: Clarify character image sprite/cg usage  [Yorhel; 1 file, -2/+4]
2013-12-30  L10N-EN: Fix incorrect fix of use of "than"  [Yorhel; 1 file, -1/+1]
2013-12-29  L10N-DE: Misc. fixes  [Marcel Weyers; 11 files, -51/+51]
2013-12-29  Merge https://github.com/erengy/vndb  [Yorhel; 3 files, -20/+22]