diff --git a/updatedb/updateDb.v12.0.sql b/updatedb/updateDb.v12.0.sql index b67b0f9e82..49b026583f 100644 --- a/updatedb/updateDb.v12.0.sql +++ b/updatedb/updateDb.v12.0.sql @@ -1,20 +1,21 @@ -- ### Credit +-- 2022-Jul-07 -- -- Discovered by Claudio Bozzato of Cisco Talos. -- -- TALOS-2022-1534 -- -- Now the userUpdate.json.php requires a request from the same domain as the AVideo site --- in aditional all save and delete database calls requires the same by default (a whitelist can be builded hardcoding it in the objects/Object.php file) +-- in addition all save and delete database calls require the same by default (a whitelist can be built hardcoding it in the objects/Object.php file) -- -- TALOS-2022-1535 -- -- Session ID will only change if you are not logged in --- In case the session ID changed we will regenerate it with a new name avoiding reuse it +-- In case the session ID changes we will regenerate it with a new name avoiding reusing it -- -- TALOS-2022-1536 -- --- plugin/Live/view/Live_schedule/add.json.php and objects/playlistAddNew.json.php will deny to update if the users_id is not = as the original record when it is editing +-- plugin/Live/view/Live_schedule/add.json.php and objects/playlistAddNew.json.php will deny updating if the users_id is not = as the original record when it is editing -- -- TALOS-2022-1537 -- 
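Review bot: the added `+-- 2022-Jul-07` line sits directly under the `-- ### Credit` header with no label, so it reads as part of the credit rather than as the release date of this update; prefix it (e.g. `-- Date: 2022-Jul-07`) so the changelog stays unambiguous. The same hunk's typo pass is also incomplete: `a whitelist can be built hardcoding it` should be `built by hardcoding it`, and `will deny updating if the users_id is not = as the original record when it is editing` is clearer as `will deny the update if the request's users_id does not match the original record's users_id`.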
@@ -27,15 +28,15 @@ -- -- TALOS-2022-1540 -- --- Video title and filename will always be sanitized on the setTitle method (sometimes more than once) +-- Video title and the filename will always be sanitized on the setTitle method (sometimes more than once) -- -- -- TALOS-2022-1542 -- -- httponly set to true -- we are now using the passhash instead of the database pass in all site --- the passhash is totally different than the original DB password, it a encrypted json and has an expiration time and also will be automatically rejected if the original password is updated --- the login with the pass hash (database password field) directly will be disabled soon, for now it is only enabled to buy some time to update the other third parties apps +-- the passhash is totally different than the original DB password, it is an encrypted JSON and has an expiration time, and also will be automatically rejected if the original password is updated +-- the login with the pass hash (database password field) directly will be disabled soon, for now, it is only enabled to buy some time to update the other third parties apps -- -- TALOS-2022-1545 -- @@ -70,7 +71,7 @@ -- -- -- --- this will only allow access to only some specific file types inside videos folder +-- this will only allow access to only some specific file types inside the videos folder -- -- TALOS-2022-1548 -- @@ -78,11 +79,11 @@ -- -- TALOS-2022-1549 -- --- We now only download the downloadURL_image if it is a valid URL NOT localfiles any more +-- We now only download the downloadURL_image if it is a valid URL NOT local files anymore -- -- TALOS-2022-1551 -- --- All our classes were updated using the prepare statement to avoid sql injection +-- All our classes were updated using the prepared statement to avoid SQL injection -- also `videoDownloadedLink` and `duration` are now sanitized -- if you are editing anything we now "forbidIfItIsNotMyUsersId" -- key and URL are now sanitized Clone plugin
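Review bot: the TALOS-2022-1540 line changes `Video title and filename` to `Video title and the filename`, which puts an article on one noun but not the other; either write `The video title and filename` or leave the original wording. The pass also misses several remaining errors in the touched regions: `third parties apps` (should be `third-party apps`), `this will only allow access to only some specific file types` (duplicated `only`), `using the prepared statement to avoid SQL injection` (should be `prepared statements`), and the trailing `key and URL are now sanitized Clone plugin`, which needs a connector such as `in the Clone plugin`. Separately, the TALOS-2022-1542 note that direct login with the database pass hash `will be disabled soon` is a security-relevant commitment shipped in the changelog; state the version or condition under which it is removed so operators of third-party apps know the deadline.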