* wrapped $user in preg_quote function
* updated auth test for special character in username
Co-authored-by: Léo Colombaro <git@colombaro.fr>
Co-authored-by: ྅༻ Ǭɀħ ༄༆ཉ <ozh@ozh.org>
Also, minor code styles doc & typo
* Refactor yourls_filter_unique_id() to remove useless vars
* Comply with phpstan level 4
* add some tests to cover newly discovered potential issues
* Add nonce to the logout link
* Add tests for cookies being set or reset
* More tests: check nonces are different for different actions & users
Fixes #3170
Fixes #3189
- Allow prefix n shortening without being logged in
- Test checking for redirection on successful auth
Props @dan-r for the initial digging on this issue!
* Add filters to auth and cookie functions
- move auth/nonce functions to functions-auth.php
- add filters, especially for auth cookie values
* Move debug function back to wrapper function
Makes more sense & easier to find.
* Support for SameSite attribute in cookies
* Attempt at fixing #2603 and superseding #2545
This all boils down to redirecting to $_SERVER['REQUEST_URI'] after successful login
Thanks @hangxingliu and @pcolmer for the insightful feedback which has led to this PR
* Refactor slightly the redirect function
- no dying
- no output if we're on cli
* Update tests/includes/utils.php
Co-Authored-By: Léo Colombaro <git@colombaro.fr>
* Update includes/functions.php
Co-Authored-By: Léo Colombaro <git@colombaro.fr>
* Rewrite yourls_get_request()
Do not rely on HOSTNAME, HTTP_HOST or whatever, just use YOURLS_SITE
* Remove leftover comment
[skip ci] [skip scrutinizer]
Co-authored-by: Léo Colombaro <git@colombaro.fr>
Use more modern package from hautelook/phpass, but keep 5.3-5.5 compat
Also, remove that test file. This should never have been included in the first place.
Remove anti-CRLF checks from yourls_sanitize_url() and yourls_esc_url() because some legit URLs have %0A or %0D
We're just stripping those, using new function yourls_sanitize_url_safe(), for internal redirection when target location isn't hardcoded.
- works with "login" => "pass" and 'login' => 'pass'
- works with malformed arrays
- works with any password & special chars
- better error reporting
- l10n instead of hardcoded strings
- fewer vars declared