Commit Graph

35532 Commits

Author SHA1 Message Date
David Anderson 6f5fc348d4 web: fix various XSS vulnerabilities
Most of these involve putting user text in error messages.
Use htmlspecialchars() for this.

filenames: require POSIX portable names
2024-12-21 21:43:31 +01:00
Laurence 1a8200e120 Removed conflict statements 2024-12-20 14:36:45 +01:00
David Anderson 715173bc2f web: fix various vulnerabilities
- Send all cookies as HttpOnly (don't let JavaScript see them)
- If page sending cookie is HTTPS, make the cookie secure
- Often we have something like:
        $name = get_str('name');
        if (!lookup($name)) {
            error_page("can't find $name");
        }
    Can't do this; it can be exploited for XSS attacks.
    Just say 'Can't find file' or whatever
- Don't show database error messages
2024-12-20 09:52:13 +01:00
David Anderson fa038faa40 web: remove vulnerabilities in tree_threader and in unused badge function 2024-12-19 12:47:41 +01:00
Laurence Field 2fdc9ff275 New version 2024-12-17 13:43:20 +01:00
David Anderson 460c6a7ff7 fix vulnerability in yucky consent code 2024-12-17 13:40:56 +01:00
David Anderson a564f3ef06 web: don't allow special chars in user names.
Check this (and show appropriate message) in both account creation
and user name update
2024-12-17 13:40:38 +01:00
David Anderson 4c97ac0ba2 Web: sanitize user URLs to prevent XSS attacks
Add a function sanitize_user_url() to do this.
It accepts things like

google.com
http://google.com
https://google.com?blah=foo&x=y

but nothing else.
There doesn't seem to be a PHP function that works,
and stack overflow didn't yield anything plausible.

When showing a user page,
show 'Invalid URL' if it's nonempty and doesn't pass this.

When a user edits their info, show error page if they enter an invalid URL.
2024-12-17 13:39:47 +01:00
Laurence Field fdb43eb909 New server version 2024-12-13 21:09:55 +01:00
David Anderson f2f305f62f web: fix CSRF vulnerability in edit passwd function 2024-12-13 21:00:57 +01:00
Laurence 743e6f373c Rebased with master 2023-01-23 10:56:49 +01:00
Charlie Fenton 1976f02585 Mac: Fix permission errors when running client as a daemon / system service 2023-01-23 10:54:58 +01:00
Florian Weimer f5d4e1dd75 configure.ac: Do not probe for <avxintrin.h>
With GCC 12, this header file cannot be included on its own.
Doing so fails with #error, but also produces many warnings
related to implicit ints and implicit function declarations.
This is inconvenient for distributions who are trying to
switch to newer C versions (without implicit ints/function
declarations), and monitor builds for suspicious warnings
related to obsolete C features.
2023-01-23 10:54:58 +01:00
Vitalii Koshura 5f4723db47 [VS] Remove outdated buildenv.cmd script.
This fixes #3347.

Signed-off-by: Vitalii Koshura <lestat.de.lionkur@gmail.com>
2023-01-23 10:54:58 +01:00
Vitalii Koshura 82fd2748ff [CI][OSX] Update OSX CI to use XCode 14.2.0
Signed-off-by: Vitalii Koshura <lestat.de.lionkur@gmail.com>
2023-01-23 10:54:57 +01:00
Vulpine05 8526f1cbbc Update copyright year 2023-01-23 10:54:57 +01:00
Vitalii Koshura 4d3a0c6de3 [Windows] Retarget solution to VS2022
Get rid of all old solutions and projects.
Switch to CUDA 12.0.0.
Add crypt_proj to the solution.
Use 'windows-2022' on CI.

This fixes #4917.

Signed-off-by: Vitalii Koshura <lestat.de.lionkur@gmail.com>
2023-01-23 10:54:57 +01:00
David Anderson ee1268e001 comment 2023-01-23 10:54:57 +01:00
David Anderson cec85c47d6 scheduler: set type of Apple GPUs to "Apple"
When the client reports an OpenCL GPU (other than NVIDIA/AMD/Intel)
in a scheduler request, the "type" field is the model name.
In the case of Apple GPUs this is "Apple M1" or "Apple M2"
(and other models as time goes on).
The type field is used in plan class descriptions.

In the case of Apple the models are (I think) equivalent software-wise,
and it would be a nuisance to have to make a new plan class
(and app versions) for each model.

So - in the case of Apple GPUs - use "Apple" as the type.
The model name is still available (as opencl_prop.name) if needed.
2023-01-23 10:54:57 +01:00
Vitalii Koshura 87d9e28773 Rename set-version.py to set-client-version.py
Signed-off-by: Vitalii Koshura <lestat.de.lionkur@gmail.com>
2023-01-23 10:54:57 +01:00
Vitalii Koshura b4ea43a007 [CI] Run CI on every push to 'client_release/**' branch
Signed-off-by: Vitalii Koshura <lestat.de.lionkur@gmail.com>
2023-01-23 10:54:57 +01:00
Vitalii Koshura df862f2456 Fix he -> iw translations for Android
Signed-off-by: Vitalii Koshura <lestat.de.lionkur@gmail.com>
2023-01-23 10:54:57 +01:00
Vitalii Koshura b9f714f836 [CI] Build linux, Android and mingw with ubuntu-20.04
Signed-off-by: Vitalii Koshura <lestat.de.lionkur@gmail.com>
2023-01-23 10:54:57 +01:00
Vitalii Koshura 3452d1cdfc Update translations
Signed-off-by: Vitalii Koshura <lestat.de.lionkur@gmail.com>
2023-01-23 10:54:57 +01:00
David Anderson 811eb439a7 get_project_config.php: always send terms of use if present. 2023-01-23 10:54:57 +01:00
Hristo Georgiev 95b5ec0767 Canonicalize URLs to lower case 2023-01-23 10:54:56 +01:00
davidpanderson c0488d63f0 Manager: make button labels appear in terms of use dialog.
Put labels in constructor; not sure why this is needed.
2023-01-23 10:54:56 +01:00
Laurence 87ea3df5c5 Increment version 2022-12-02 11:46:05 +01:00
Laurence 1c72eeba6a html/inc/server_version.inc 2022-12-02 11:11:08 +01:00
Laurence 10626e31f7 Increase version 2022-12-02 11:09:50 +01:00
Laurence db880159c5 Updated server version 2022-12-02 11:08:06 +01:00
Vitalii Koshura ad9b322987
Merge pull request #5033 from AenBleidd/vko_update_translation_templates
[locale]: update localization template files
2022-12-02 01:21:32 +01:00
Vitalii Koshura b32360f0ad
[locale]: update localization template files
Signed-off-by: Vitalii Koshura <lestat.de.lionkur@gmail.com>
2022-12-02 00:49:05 +01:00
lfield 14023b2fe0
Merge pull request #5030 from BOINC/dpa_recaptcha2
web: fix recaptcha validation
2022-12-01 21:54:28 +01:00
lfield e561655596
Merge pull request #5031 from BOINC/dpa_uv2
update_versions: fix spurious PHP warning
2022-12-01 21:53:25 +01:00
lfield c22bb09211
Merge pull request #5032 from BOINC/dpa_android64
Add Android ARM64 to default platform list (tools/project.xml).
2022-12-01 21:52:01 +01:00
David Anderson ae29bf51a2 change name of Linux/ARM platform to match wiki 2022-11-30 22:19:11 -08:00
David Anderson 7027c0fdb3 - add a couple more platforms 2022-11-30 17:13:05 -08:00
David Anderson 9b393d779c Add Android ARM64 to default platform list (tools/project.xml).
Note: there's some inconsistency between this list and
https://boinc.berkeley.edu/trac/wiki/BoincPlatforms
2022-11-30 16:06:13 -08:00
David Anderson 9213ac3613 web: fix recaptcha validation
The old code stopped working; I don't know why.
Maybe some change at Google's end.
I switched to a simpler method, as described here:
https://developers.google.com/recaptcha/docs/verify
2022-11-29 13:12:07 -08:00
David Anderson 4505544168 update_versions: fix spurious PHP warning 2022-11-29 12:59:59 -08:00
Laurence bb4cbe461c Updated server version 2022-11-29 14:53:15 +01:00
Vitalii Koshura d238b9bab3
Merge pull request #4955 from Vulpine05/Vulpine05-4939_Mgr
[Manager] [Advanced View] Add warning message in preferences for suspension
2022-11-28 13:38:20 +01:00
Vitalii Koshura 3af653d9d1
Merge pull request #5028 from AenBleidd/vko_fix_build_after_vcpkg_expat_update
[CI][Windows] Fix build after expat update on vcpkg
2022-11-27 17:47:01 +01:00
Vitalii Koshura c8efcfd16d
[CI][Windows] Fix build after expat update on vcpkg
Signed-off-by: Vitalii Koshura <lestat.de.lionkur@gmail.com>
2022-11-27 17:09:13 +01:00
David Anderson 28b89a055a
Merge pull request #5025 from davidbolvansky/patch-2
Fix for issue 5024
2022-11-22 16:35:27 -08:00
Dávid Bolvanský a2fb254cde
AccountManagerProcessingPage: account username in utf8 2022-11-22 11:17:35 +01:00
Dávid Bolvanský 9b7d9f4980
ProjectProcessingPage: account username in utf8 2022-11-22 11:15:39 +01:00
Dávid Bolvanský 4dc55bffa8
Speculative fix for issue 5024 2022-11-22 02:35:11 +01:00
Vitalii Koshura 7d6cc3ae7e
Merge pull request #5022 from BOINC/msw_fix_stop_gfx
MSW: Fix "Stop graphics" button operation on MS Windows
2022-11-21 04:42:24 +01:00