Branch: refs/heads/feature/autodetectBaseURLRules
Home: https://github.com/s9y/Serendipity
Commit: 9b6e405892c5d627780a81373c7b968fda754d49
https://github.com/s9y/Serendipity/commit/9b6e405892c5d627780a81373c7b968fda754d49
Author: onli <on...@pa...>
Date: 2026-04-08 (Wed, 08 Apr 2026)
Changed paths:
M docs/NEWS
M include/functions_config.inc.php
Log Message:
-----------
Let browser pin down cookie domain (#958)
* Fix attack vector by not using HTTP_HOST for the cookie domain
Instead use the configurable baseURL.
* Do not set a domain manually for the cookie
Then the browser will automatically bind the cookie to the origin, which is the safest approach. See https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#domain-and-path-attributes
* Also avoid host in delete cookie function + remove leftover code
* document changes
Commit: 20acbc2ff1c179eeaf60463e22634dde2d689ee7
https://github.com/s9y/Serendipity/commit/20acbc2ff1c179eeaf60463e22634dde2d689ee7
Author: onli <on...@pa...>
Date: 2026-04-08 (Wed, 08 Apr 2026)
Changed paths:
M docs/NEWS
M include/functions.inc.php
Log Message:
-----------
Fix possible mail header injection attack by not using HTTP_HOST (#959)
* Fix possible mail header injection attack by not using HTTP_HOST
Rely on the configured $serendipity['baseURL'] instead, with additional safeguards for the baseURL autodetection mode
* document changes
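The two commits above (#958 and #959) share one idea: the `Host` request header is chosen by the client, so neither the session cookie's domain nor a mail header should be derived from `$_SERVER['HTTP_HOST']`; the configured `$serendipity['baseURL']` is the trusted source, and the cookie needs no `Domain` attribute at all. The following is an added illustration of that pattern, not Serendipity's own code from these commits: `$serendipity['baseURL']` is the real configuration key, while the helper names, the `secure`/`httponly` cookie flags, the host character check used as the "additional safeguard", and the sample request values are assumptions made for this example.

```php
<?php
// Added example (not Serendipity's own code). Shows the defensive pattern from
// the two commits: take the site host from the configured baseURL, not from the
// client-controlled Host header, and let the browser scope the cookie itself.

// Constructed sample data: a Host header any client can set, and a baseURL as
// an administrator would configure it.
$_SERVER['HTTP_HOST'] = 'other.example';
$serendipity = array('baseURL' => 'https://blog.example.org/s9y/');

/**
 * Return the host part of the configured baseURL, or null if unusable.
 * The strict character check is an assumed safeguard for the case where
 * baseURL was autodetected rather than set by hand: it rejects CR/LF and
 * anything else that could not be part of a hostname.
 */
function site_host_from_baseurl(string $baseURL): ?string {
    $host = parse_url($baseURL, PHP_URL_HOST);
    if (!is_string($host) || $host === '') {
        return null;
    }
    if (!preg_match('/^[A-Za-z0-9.-]+$/', $host)) {
        return null;
    }
    return strtolower($host);
}

/** Before: the mail header contains whatever host the client sent. */
function mail_headers_before(): string {
    return 'From: noreply@' . $_SERVER['HTTP_HOST'] . "\r\n";
}

/** After: the host comes from configuration; fail closed if it is unusable. */
function mail_headers_after(array $serendipity): string {
    $host = site_host_from_baseurl($serendipity['baseURL']);
    if ($host === null) {
        throw new RuntimeException('baseURL has no usable host; refusing to build mail headers');
    }
    return 'From: noreply@' . $host . "\r\n";
}

/** Before: Domain attribute built from the request host. */
function set_session_cookie_before(string $name, string $value): void {
    setcookie($name, $value, [
        'domain'   => $_SERVER['HTTP_HOST'],
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
    ]);
}

/** After: no Domain attribute, so the browser binds the cookie to the origin. */
function set_session_cookie_after(string $name, string $value, string $path): void {
    setcookie($name, $value, [
        'path'     => $path,
        'secure'   => true,
        'httponly' => true,
    ]);
}

// Usage: the "after" header is built from blog.example.org regardless of the
// Host header the client supplied.
echo mail_headers_before();             // From: noreply@other.example
echo mail_headers_after($serendipity);  // From: noreply@blog.example.org
set_session_cookie_after('s9y_session', 'constructed-session-id',
    parse_url($serendipity['baseURL'], PHP_URL_PATH) ?: '/');
```

Deriving the cookie path from the configured baseURL, as the last call does, keeps the cookie scoped to the blog's own path on the configured host; the host itself is never spelled out in the cookie, which is the behaviour the OWASP cheat sheet linked in the first commit recommends.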
Commit: fff9e79d5a3e2e31f40e7cb76113121706b49c87
https://github.com/s9y/Serendipity/commit/fff9e79d5a3e2e31f40e7cb76113121706b49c87
Author: onli <on...@pa...>
Date: 2026-04-08 (Wed, 08 Apr 2026)
Changed paths:
M docs/NEWS
M include/functions.inc.php
M include/functions_config.inc.php
Log Message:
-----------
Merge branch 'master' into feature/autodetectBaseURLRules
Compare: https://github.com/s9y/Serendipity/compare/e87848af02bd...fff9e79d5a3e