Commit e2070c9b authored by Jim Fenton's avatar Jim Fenton

release 1.1.9

parent 072207e1
Pipeline #100446461 passed with stages
in 5 minutes and 5 seconds
......@@ -29,8 +29,10 @@ Benoît Bleuzé <[email protected]>
Christian Kier <[email protected]>
Christoph Anton Mitterer <[email protected]>
CSchulz <[email protected]>
Cyprian Guerra <[email protected]>
Cyril Giraud <[email protected]>
Daniel Aleksandersen <[email protected]>
Danny de Weille <[email protected]>
DAViCal Administrator <[email protected]>
Dávid Takács <[email protected]>
Émile Morel <[email protected]>
......@@ -61,7 +63,9 @@ Matthias Beyer <[email protected]>
Matthias Mohr <[email protected]>
Maxime Delorme <[email protected]>
Michael Trausch <[email protected]>
Milan Crha <[email protected]>
Milan Medlik <[email protected]>
Niels van Gijzen <[email protected]>
Nishanth Aravamudan <[email protected]>
Nomad Arton <[email protected]>
Patrick Näf Moser <[email protected]>
......@@ -71,6 +75,7 @@ Peter Schaefer-Hutter <[email protected]>
Philipp Matthias Hahn <[email protected]>
Pierre Giraud <[email protected]>
Raphael Hertzog <[email protected]>
Rick Verdoes <[email protected]>
Rik Theys <[email protected]>
Rob Ostensen <[email protected]>
Sarenet S.A.U Egoitz Aurrekoetxea <[email protected]>
2019-11-29 Niels van Gijzen <[email protected]>
* Correct reflected cross-site scripting (XSS) vulnerability
* Correct persistent XSS vulnerability in user/group/resource details
* Correct persistent XSS vulnerability in user/group/resource list
* Add token to address cross-site request forgery (CSRF) vulnerability
2019-11-26 Andrew Ruthven <[email protected]>
* More syntax errors with collection_id
2019-03-28 Cyprian Guerra <[email protected]>
* Fix syntax of collection_id parameter
2019-06-19 Milan Crha <[email protected]>
* Add missing 'break' to rrule.php
2019-03-11 Florian Schlichting <[email protected]>
* More PHP curl message corrections
2019-03-06 Andrew Ruthven <[email protected]>
* Specify PHP curl, not PHP5
2019-03-05 Jamie McClymont <[email protected]>
* Update minimum PHP version requirement
2019-02-27 Jamie McClymont <[email protected]>
* Make range-based calendar queries use the new first_instance_start/last_instance_end columns
* Make calquery expansion aware of the calendar default timezone
2019-02-12 Florian Schlichting <[email protected]>
* Fix more PHP7+ type hints for PHP5 compatibility (fixes #197)
2019-01-30 Florian Schlichting <[email protected]>
* add users to new groups in the "update groups" step
* honour do_not_sync_group_from_ldap when creating groups, correctly display all results
......@@ -8,47 +8,6 @@
if ( preg_match('{/always.php$}', $_SERVER['SCRIPT_NAME'] ) ) header('Location: index.php');
// XSS Protection
function filter_post(&$val, $index) {
if(in_array($index, ["newpass1", "newpass2"])) return;
switch (gettype($val)) {
case "string":
$val = htmlspecialchars($val);
case "array":
array_walk_recursive($val, function(&$v) {
if (gettype($v) == "string") {
$v = htmlspecialchars($v);
function clean_get() {
$temp = [];
foreach($_GET as $key => $value) {
// XSS is possible in both key and values
$k = htmlspecialchars($key);
$v = htmlspecialchars($value);
$temp[$k] = $v;
return $temp;
// Before anything else is executed we filter all the user input, a lot of code in this project
// relies on variables that are easily manipulated by the user. These lines and functions filter all those variables.
if(isset($_POST)) array_walk($_POST, 'filter_post');
$_GET = clean_get();
$_SERVER['REQUEST_URI'] = str_replace("&amp;", "&", htmlspecialchars($_SERVER['REQUEST_URI']));
$_SERVER['HTTP_REFERER'] = htmlspecialchars($_SERVER['HTTP_REFERER']);
// Ensure the configuration starts out as an empty object.
$c = (object) array();
$c->script_start_time = microtime(true);
......@@ -287,7 +246,7 @@ if ( function_exists('awl_set_locale') ) {
$c->code_version = 0;
$c->want_awl_version = '0.60';
$c->version_string = '1.1.8'; // The actual version # is replaced into that during the build /release process
$c->version_string = '1.1.9'; // The actual version # is replaced into that during the build /release process
if ( isset($c->version_string) && preg_match( '/(\d+)\.(\d+)\.(\d+)(.*)/', $c->version_string, $matches) ) {
$c->code_major = $matches[1];
$c->code_minor = $matches[2];
Markdown is supported
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment