June 27th, 2002

livejournal

Module Name: livejournal
Committed By: bradfitz
Date: Thu Jun 27 19:49:56 UTC 2002

Modified Files:
---------------
livejournal/bin/upgrading: en.dat
livejournal/htdocs: update.bml

Log Message:
------------
English-removes update.bml. Written and submitted by dottey;
reviewed, merged, substantially XHTMLified and tested by avva.


To generate a diff of this commit:
cvs rdiff -r1.21 -r1.22 livejournal/bin/upgrading/en.dat
http://cvs.livejournal.org/browse.cgi/livejournal/bin/upgrading/en.dat.diff?r1=1.21&r2=1.22
cvs rdiff -r1.30 -r1.31 livejournal/htdocs/update.bml
http://cvs.livejournal.org/browse.cgi/livejournal/htdocs/update.bml.diff?r1=1.30&r2=1.31

livejournal

Module Name: livejournal
Committed By: bradfitz
Date: Thu Jun 27 20:15:53 UTC 2002

Modified Files:
---------------
livejournal/cgi-bin: ljlib.pl ljprotocol.pl ljviews.pl

Log Message:
------------
avva:
Here's the same patch with anti-autovivifying checks added. I also fixed the
same problem elsewhere in ljviews.pl in this patch (specifically where
it deals with opt_nclinks).

The original description of the patch:

This patch addresses a few minor security holes in friend group names,
improves the way filtering works in links, and makes public friend
groups actually work.

signe submitted a patch which prevented non-owners from
seeing filter values in skiplinks (thus verifying that the group name
is valid) and made /username/friends/group/ syntax work in addition
to /username/friends/group.

avva reviewed and tested that, then added support for
public groups, and rewrote skiplinks code to use the group by name
if it was specified by name, thus making skiplinks less cryptic.
Also, the presence of a default view is no longer detectable by skiplinks
after this patch.

What it does:
ljlib.pl - LJ::get_friend_items(): passed value of $filter is used
even if the remote is not the owner (needed for public groups; security
check shifts higher to the view creator).

ljviews.pl - create_view_friends():
1. Only consider using $FORM{'filter'} if remote==owner;
2. If a group is specified by name, only convert it to a $filter
value if it's either public or remote==owner;
3. When building skiplinks, propagate the group name in the link if
it was there. Only propagate the filter value if it was requested in the
URL (so that if we built $filter from the default view group, it
won't be reflected in the skiplinks).

ljprotocol.pl - don't allow creating groups with last character '/'.

Tested.


To generate a diff of this commit:
cvs rdiff -r1.217 -r1.218 livejournal/cgi-bin/ljlib.pl
http://cvs.livejournal.org/browse.cgi/livejournal/cgi-bin/ljlib.pl.diff?r1=1.217&r2=1.218
cvs rdiff -r1.108 -r1.109 livejournal/cgi-bin/ljprotocol.pl
http://cvs.livejournal.org/browse.cgi/livejournal/cgi-bin/ljprotocol.pl.diff?r1=1.108&r2=1.109
cvs rdiff -r1.61 -r1.62 livejournal/cgi-bin/ljviews.pl
http://cvs.livejournal.org/browse.cgi/livejournal/cgi-bin/ljviews.pl.diff?r1=1.61&r2=1.62
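
The authorization rules laid out in the commit message above (raw filter
values only for the owner, named groups only if public or owner, skiplinks
carrying only what was requested, no trailing '/' in group names), as an
added example that is not LiveJournal's own code. The group table layout,
the bitmask filter, the "Default View" fallback and every function name here
are assumptions made for illustration, not the project's API:

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Added example, not LiveJournal's own code. It models the authorization
# decisions described in the ljviews.pl/ljprotocol.pl commit message, using
# assumed data structures: friend groups are a hashref keyed by group name,
# each with an assumed bit number and a 'public' flag; a filter is a bitmask
# over those bits. Function names and sample data are constructed.

# Constructed sample data: one journal owner's friend groups.
my %groups = (
    'Close Friends' => { bit => 1, public => 0 },
    'Public Links'  => { bit => 2, public => 1 },
    'Default View'  => { bit => 3, public => 0 },
);

# ljprotocol.pl side: refuse group names whose last character is '/',
# since they would be ambiguous in the /username/friends/group/ URL form.
sub valid_group_name {
    my ($name) = @_;
    return 0 unless defined $name && length $name;
    return 0 if $name =~ m{/\z};
    return 1;
}

# ljviews.pl side. Arguments:
#   $groups      hashref of the owner's groups (see above)
#   $is_owner    true when the remote user is the journal owner
#   $form_filter raw 'filter' query parameter, or undef
#   $group_name  group named in the URL path, or undef
# Returns ($filter, $prop_name, $prop_filter): the bitmask to apply, and the
# name and/or raw filter value that skiplinks are allowed to carry.
sub resolve_filter {
    my ($groups, $is_owner, $form_filter, $group_name) = @_;
    my $filter = 0;
    my ($prop_name, $prop_filter);

    # 1. A raw filter value is only honoured for the owner, and only then
    #    may skiplinks echo it back, because it was requested in the URL.
    if ($is_owner && defined $form_filter && $form_filter =~ /^\d+\z/) {
        $filter      = $form_filter + 0;
        $prop_filter = $filter;
    }

    # 2. A group given by name becomes a filter only if it exists and is
    #    public, or the remote is the owner. Fetch the entry into $g first:
    #    testing $groups->{$name}{public} directly would autovivify an empty
    #    hash for an unknown name and pollute the owner's group table.
    if (defined $group_name && length $group_name) {
        (my $name = $group_name) =~ s{/\z}{};   # accept the trailing-slash form
        my $g = $groups->{$name};
        if ($g && ($is_owner || $g->{public})) {
            $filter    = 1 << $g->{bit};
            $prop_name = $name;   # skiplinks carry the name, not the bitmask
        }
    }

    # 3. Assumed default: when the owner asked for nothing, apply the
    #    'Default View' group silently. It is deliberately not propagated,
    #    so skiplinks do not reveal whether such a group exists.
    if ($is_owner && !$filter) {
        my $dv = $groups->{'Default View'};
        $filter = 1 << $dv->{bit} if $dv;
    }

    return ($filter, $prop_name, $prop_filter);
}

# Build a "skip N entries" link that only carries what resolve_filter()
# permits. Assumes the group name is already safe to place in a URL path.
sub skiplink {
    my ($user, $skip, $prop_name, $prop_filter) = @_;
    my $url = "/users/$user/friends";
    $url .= "/$prop_name" if defined $prop_name;
    $url .= "?skip=$skip";
    $url .= "&filter=$prop_filter" if defined $prop_filter;
    return $url;
}

# Walk through the cases the patch is about.
for my $case (
    # [is_owner, form filter, group name, label]
    [0, undef, 'Close Friends', 'non-owner, private group by name'],
    [0, undef, 'Public Links/', 'non-owner, public group, trailing slash'],
    [0, 2,     undef,           'non-owner, raw filter value'],
    [1, undef, undef,           'owner, nothing requested (default view)'],
    [1, undef, 'No Such Group', 'owner, unknown group name'],
) {
    my ($is_owner, $ff, $gn, $label) = @$case;
    my ($filter, $pn, $pf) = resolve_filter(\%groups, $is_owner, $ff, $gn);
    printf "%-42s filter=%-2d %s\n", $label, $filter,
        skiplink('alice', 20, $pn, $pf);
}

# The unknown-name lookup above must not have autovivified a fourth group.
printf "groups still defined: %d\n", scalar keys %groups;
printf "'bad/' accepted as a group name: %d\n", valid_group_name('bad/');
```

The order of the checks matters: the existence test on the fetched entry is
what keeps a probe for an unknown group name from creating one, and keeping
the default-view filter out of the propagated values is what stops
skiplinks from disclosing that a default view is configured.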

livejournal

Module Name: livejournal
Committed By: bradfitz
Date: Thu Jun 27 21:29:30 UTC 2002

Modified Files:
---------------
livejournal/htdocs: modify_do.bml

Log Message:
------------
global head shouldn't have body tags in it.
(props to mart for pointing this out)


To generate a diff of this commit:
cvs rdiff -r1.24 -r1.25 livejournal/htdocs/modify_do.bml
http://cvs.livejournal.org/browse.cgi/livejournal/htdocs/modify_do.bml.diff?r1=1.24&r2=1.25

livejournal

Module Name: livejournal
Committed By: bradfitz
Date: Thu Jun 27 21:46:11 UTC 2002

Modified Files:
---------------
livejournal/cgi-bin/Apache: LiveJournal.pm

Log Message:
------------
mart: Patch: Make error messages nicer
http://www.livejournal.com/talkpost.bml?journal=lj_dev&itemid=408030

some changes by me


To generate a diff of this commit:
cvs rdiff -r1.30 -r1.31 livejournal/cgi-bin/Apache/LiveJournal.pm
http://cvs.livejournal.org/browse.cgi/livejournal/cgi-bin/Apache/LiveJournal.pm.diff?r1=1.30&r2=1.31

livejournal

Module Name: livejournal
Committed By: bradfitz
Date: Thu Jun 27 22:13:29 UTC 2002

Modified Files:
---------------
livejournal/cgi-bin: ljdefaults.pl portal.pl

Log Message:
------------
jproulx: portal work:
-- separation (livejournal/ljcom)
-- two new boxes


To generate a diff of this commit:
cvs rdiff -r1.12 -r1.13 livejournal/cgi-bin/ljdefaults.pl
http://cvs.livejournal.org/browse.cgi/livejournal/cgi-bin/ljdefaults.pl.diff?r1=1.12&r2=1.13
cvs rdiff -r1.19 -r1.20 livejournal/cgi-bin/portal.pl
http://cvs.livejournal.org/browse.cgi/livejournal/cgi-bin/portal.pl.diff?r1=1.19&r2=1.20

livejournal

Module Name: livejournal
Committed By: bradfitz
Date: Fri Jun 28 04:19:16 UTC 2002

Modified Files:
---------------
livejournal/bin/upgrading: en.dat
livejournal/htdocs: editjournal.bml editjournal_do.bml update.bml
livejournal/htdocs/tools: memadd.bml

Log Message:
------------
This patch English-removes editjournal.bml and editjournal_do.bml.

It was written and submitted by dottey; avva
reviewed and tested it, then XHTMLified most of the stuff in these
files.

Tested.


To generate a diff of this commit:
cvs rdiff -r1.22 -r1.23 livejournal/bin/upgrading/en.dat
http://cvs.livejournal.org/browse.cgi/livejournal/bin/upgrading/en.dat.diff?r1=1.22&r2=1.23
cvs rdiff -r1.6 -r1.7 livejournal/htdocs/editjournal.bml
http://cvs.livejournal.org/browse.cgi/livejournal/htdocs/editjournal.bml.diff?r1=1.6&r2=1.7
cvs rdiff -r1.22 -r1.23 livejournal/htdocs/editjournal_do.bml
http://cvs.livejournal.org/browse.cgi/livejournal/htdocs/editjournal_do.bml.diff?r1=1.22&r2=1.23
cvs rdiff -r1.31 -r1.32 livejournal/htdocs/update.bml
http://cvs.livejournal.org/browse.cgi/livejournal/htdocs/update.bml.diff?r1=1.31&r2=1.32
cvs rdiff -r1.21 -r1.22 livejournal/htdocs/tools/memadd.bml
http://cvs.livejournal.org/browse.cgi/livejournal/htdocs/tools/memadd.bml.diff?r1=1.21&r2=1.22

livejournal

Module Name: livejournal
Committed By: bradfitz
Date: Fri Jun 28 04:37:17 UTC 2002

Modified Files:
---------------
livejournal/htdocs: talkpost.bml

Log Message:
------------
avva:
This patch escapes all HTML in subjects of comments when viewed at
talkpost.bml?journal=whatever&replyto=1234.

We don't allow HTML tags to work in subjects of comments, and eall()
them in talkread.bml, but they work in talkpost.bml URLs, and that's
inconsistent. This came up in support and was reported by support
volunteers.

Tested.


To generate a diff of this commit:
cvs rdiff -r1.58 -r1.59 livejournal/htdocs/talkpost.bml
http://cvs.livejournal.org/browse.cgi/livejournal/htdocs/talkpost.bml.diff?r1=1.58&r2=1.59