Previously the website was connected to the database with a "database
owner" user, which has far too many permissions. Now there's a special
vndb_site user with only the necessary permissions. The primary
reason to do this is to decrease the impact if the site process is
compromised. E.g. it's now no longer possible to delete or modify old
entry revisions. An attacker can still do a lot of damage, however.
Additionally (and this was the main reason to implement this change in
the first place), the user sessions, passwords and email data is now not
easily accessible anymore. Hopefully, the new user management
abstractions will prevent email and password dumps in case of an SQL
injection or RCE vulnerability in the site code. Of course, this only
works if my implementation is fully correct and there's no privilege
escalation vulnerability somewhere.
Furthermore, changing your password now invalidates any existing
sessions, and the password reset function is disabled for 'usermods'
(because usermods can list email addresses from the database, and the
password reset function could still allow an attacker to gain access to
anyone's account).
I also changed the format of the password reset tokens, as they totally
don't need to be salted.
|
|
Most of these replacements were automated. This ended up being less
work than I had anticipated.
I also fixed a few minor bugs along the way, but probably introduced
more than I fixed.
|
|
With some related edits in other parts of the code, mostly due to
interface changes to htmlRevision() and htmlFormError().
Trivial replacements were automated by a super awesome script.
|
|
|
|
This removes the reliance on sort() to provide meaningful ordering (the
keys aren't always good for ordering) and removes the 'order' hack used
for (vn|prod)_relations.
|
|
|
|
|
|
|
|
Two main improvements:
- Filtering on (non)hidden items now doesn't join any of the item
tables, instead it looks up the latest revision from the changes table
itself, using the index on (type,itemid,rev). It's still not super
fast, but a pretty large improvement nonetheless.
- The item titles/names are obtained in a separate query. I tried to
modify the main query in various ways, but couldn't make it as fast as
I'd have liked.
I also removed the 'what' flag while I was at it; all uses of the method
request all information anyway.
|
|
And added new 'page' and 'id' templates for more strict validation.
|
|
|
|
This fixes the unexpected behaviour that changing the spoiler setting on
one page will change it for all pages. All manual spoiler changing
options are temporary now.
|
|
The name of the profile setting isn't very clear. Not sure what to do
with it.
|
|
|
|
|
|
I think this was the last piece of inline JS.
|
|
TUWF properly detects HTTPS and includes this in the returned URL, so
this change ensures that all URLs adapt properly to HTTP and HTTPS.
|
|
I increased the N parameter to approximate about 500ms to generate the
hash. This is quite a paranoid setting for a website, but login attempts
are throttled so there's not much of a DoS factor. (Alright, the password
changing feature isn't throttled so the DoS factor still exists. But
really, there's some pages with longer page generation times anyway.)
I did lower the size of the salt a bit (Crypt::ScryptKDF uses 256 bits
by default), because 64 bits of randomness should have low enough chance
of collision with only ~100k users (even with a million users,
seriously).
|
|
It doesn't make a whole lot of sense to separate the hashed password and the salt
from each other, you need both to do anything with them, and from the
database perspective they're both completely opaque strings only usable
for direct comparison with other hashed strings.
This change is mostly as preparation for switching to a proper key
derivation function (sha256 isn't...) and to add support for longer
and/or binary salt.
Because the passwd field now needs to be interpreted in Perl, it's being
passed around as a binary string rather than a hex-encoded value.
API login is broken in this commit. I'll get to that.
|
|
This used to work fine before the AIR skin was added, because Angelic
Serenade used to be the first in the list.
|
|
|
|
|
|
formcode is strengthened by including the IP (-prefix) into the hash,
ensuring that the code can't be obtained by someone on a different
network.
I also removed the login form of every page. Felt kinda pointless.
|
|
|
|
I think this is the only thing necessary to add full IPv6 support to
VNDB. It's not actually necessary, but without this modification it will
become way too easy to flood the site with new accounts.
|
|
|
|
Using CSS3 selectors. This is a more elegant approach, and since browser
support for CSS3 selectors isn't as crap as it used to be I can finally
make use of them.
|
|
The interface to set a non-integer vote isn't very nice, but at least it
works. Or so I hope.
|
|
Fixes a bug when both 'charedit' and 'edit' are selected, in which case
neither flag will be set.
|
|
|
|
Rather than setting a password automatically, reset the password and
send an email with a secure token instead. The password can then be set
again using this token.
This doesn't really have an advantage at this point, just makes the
interface and code more consistent when I update the registration code
to do something similar.
|
|
This is far more flexible.
|
|
For consistency.
|
|
Cleaner this way.
Also found two occurrences of manually HTML-escaping text for textareas,
which isn't necessary anymore.
|
|
That's more what you'd expect from a list that functions somewhat as a
short-lived FIFO "archive".
|
|
Haven't found any bugs this way, yet. I doubt there'll be any problems,
but it's a nice new feature that could help quite a bit. :-D
|
|
There may still be some bugs present and I've only converted the points
where TUWF is incompatible with YAWF. The new TUWF features are not in
use yet, I'll do that later on.
Note that, in order to run the new code, TUWF must be installed on your
system. The configuration for the TransAdmin plugin has also changed.
Other than that there shouldn't be any issues.
|
|
And renamed notify_dbedit to notify_nodbedit, since the default is to
provide a notify on a database edit.
Also fixed a few bugs along the way.
|
|
In the users_prefs table, the default value should evaluate to 'false'
in Perl, so show_list had to be inverted to hide_list.
|
|
|
|
Will convert the other preferences later.
|
|
|
|
The new tag link browser has replaced the crappy old user-tags-browser.
|
|
|
|
And removed some shared code that is now unused
|
|
Just a simple question.
|
|
Also fixes a cross-site request forgery vulnerability. Not as strong as
the others but it's not very crucial anyway.
|
|
|
|
|
|
I could swear the user pages have always been noindex'ed... hmm.
|