Commits

Author Commit Message Labels Comments Date
jank...@b7c52663-8f12-0410-848f-ff3e29dadc7b
update htmlescape, fix small bug regarding $dir in exec_command
JanKanis
changes from Harding
da...@b7c52663-8f12-0410-848f-ff3e29dadc7b
Fixed invalid HTML
jank...@b7c52663-8f12-0410-848f-ff3e29dadc7b
* fix bug in session handling: after reset_session_id session_start needs to be called again to set the client's cookie. * make the warning for file uploads use the $warning variable instead of echo'ing. * also include the countdown in the "Login failed, please try again" message.
JanK...@b7c52663-8f12-0410-848f-ff3e29dadc7b
* Make the timeout warning dynamically count to zero * Fix bug: $_SERVER['SCRIPT_URL'] -> $_SERVER['REQUEST_URI'];
jank...@b7c52663-8f12-0410-848f-ff3e29dadc7b
Remove no longer used branch 'jan'.
Branches
jan
jank...@b7c52663-8f12-0410-848f-ff3e29dadc7b
Improved a minor session handling issue and fixed a style issue.
jank...@b7c52663-8f12-0410-848f-ff3e29dadc7b
fix typo in SECURITY
jank...@b7c52663-8f12-0410-848f-ff3e29dadc7b
show a big warning if trying to log in over nonsecured connection. also: updated INSTALL, to point people to pwhash.php as a first choice and note cleartext passwords are deprecated, add missing dependency info to README
jank...@b7c52663-8f12-0410-848f-ff3e29dadc7b
Implemented login rate limiting, also an important security feature. Unfortunately it required quite a lot of code, net +215 lines. Mainly to handle the storage file and get file locking right. Using a database would probably be both easier and have lower overhead, however we don't want PHP Shell to have a database dependency. The main logic is implemented in a separate class RateLimit in the phpshell.php file. Also fix a typo in config.php, and add documentation …
jank...@b7c52663-8f12-0410-848f-ff3e29dadc7b
Lots of security improvements for session handling, and a few other minor changes. * Harden session management: - use secure randomness to initialise the session id, if available from /dev/urandom - set session to httponly if possible - set session to https if possible - lock the session cookie to PHP Shell's URL - lock session to user's IP address - enable an absolute timeout for the validity of the login information - re-generate a new session id …
da...@b7c52663-8f12-0410-848f-ff3e29dadc7b
Fixed invalid HTML and some style-warnings from phpcs.
da...@b7c52663-8f12-0410-848f-ff3e29dadc7b
Set $HOME variable, so that the commands "cd" and "cd ~" work as expected.
jank...@b7c52663-8f12-0410-848f-ff3e29dadc7b
Some warnings fixed for php 5.3; better detection of hash type; some more minor fixes
jank...@b7c52663-8f12-0410-848f-ff3e29dadc7b
Implemented password hash stretching using Phpass. This is (I believe) an important security improvement. Accept 'clear' command only if authenticated & CSRF token checked
jank...@b7c52663-8f12-0410-848f-ff3e29dadc7b
merged branch jan into trunk
jank...@b7c52663-8f12-0410-848f-ff3e29dadc7b
whoops, revert minor problem
Branches
jan
jank...@b7c52663-8f12-0410-848f-ff3e29dadc7b
Protection against Cross-Site Request Forgery attacks implemented
Branches
jan
jank...@b7c52663-8f12-0410-848f-ff3e29dadc7b
Several small changes: * change terminal output from a <textarea> to a <pre>, so the output doesn't get sent back to the server every POST. * Make sure editors 'Exit without Saving' also works if JavaScript is disabled. * Add 'logout' button to the error page so you can reset your session
Branches
jan
jank...@b7c52663-8f12-0410-848f-ff3e29dadc7b
A number of minor fixes and improvements * if 'execute command' is clicked while a file to upload is selected, the file is no longer uploaded. Upload and terminal are now separate forms. * add clear also as a builtin. * Don't crash if the current directory has unreadable entries * fix some small bugs in the editor * replace htmlentities with htmlescape everywhere
Branches
jan
jank...@b7c52663-8f12-0410-848f-ff3e29dadc7b
merge all changes from trunk until r105 in branch jan
Branches
jan
jank...@b7c52663-8f12-0410-848f-ff3e29dadc7b
forgot to add phpshell.ico to branch
Branches
jan
jank...@b7c52663-8f12-0410-848f-ff3e29dadc7b
merged all changes from trunk up to r84 into branch jan
Branches
jan
jank...@b7c52663-8f12-0410-848f-ff3e29dadc7b
make this branch work, the previous commit had errors. There's also a bit more careful error checking in the editor, and \r\n escaping is reimplemented
Branches
jan
da...@b7c52663-8f12-0410-848f-ff3e29dadc7b
Use sha512 for password hashing (if possible)
da...@b7c52663-8f12-0410-848f-ff3e29dadc7b
Show a warning message, if a user logs in with an (unhashed) password and recommend to change it to a hashed password.
jank...@b7c52663-8f12-0410-848f-ff3e29dadc7b
Some refactorings and bugfixes: - do (nearly) all subprocess interaction from one point through exec_command - correctly escape the filename in http headers on file download - don't replace %0D%0A in editor output - handle errors when saving editor result (transplanted from 8a49e429073e0ee64cb54570c59ec39626285ffd)
Branches
jan
jank...@b7c52663-8f12-0410-848f-ff3e29dadc7b
remove unused 'avoid-open-basedir' setting. (transplanted from 8152c639ca52dc45ab76b2c0ebb4038f4b13d7c2)
Branches
jan
jank...@b7c52663-8f12-0410-848f-ff3e29dadc7b
"Current Working Directory" -> "Current Directory" (transplanted from 1e26f032a03184c297276ec845e9b88f8de0fae4)
Branches
jan
jank...@b7c52663-8f12-0410-848f-ff3e29dadc7b
allow editor to create new files editor warns if it has no write access (transplanted from 402f6fb2295bbca0beef8c317ed2a8a89bf529c4)
Branches
jan