Merge branch 'master' into v0.9

.github/mailmap

@@ -11,3 +11,5 @@ Timo Van Neerden <[email protected]> lehollandaisvolant <levoltigeurho
 VirtualTam <[email protected]> <[email protected]>
 VirtualTam <[email protected]> <[email protected]>
 VirtualTam <[email protected]> <[email protected]>
+Willi Eggeling <[email protected]> <[email protected]>
+Willi Eggeling <[email protected]> <[email protected]>

.travis.yml

@@ -1,12 +1,6 @@
 sudo: false
-dist: precise
+dist: trusty
 language: php
-addons:
-  apt:
-    packages:
-      - locales
-      - language-pack-de
-      - language-pack-fr
 cache:
   directories:
     - $HOME/.composer/cache
@@ -18,6 +12,7 @@ php:
 install:
   - composer self-update
   - composer install --prefer-dist
+  - locale -a
 script:
   - make clean
   - make check_permissions

AUTHORS

@@ -1,14 +1,16 @@
-   506	ArthurHoaro <[email protected]>
-   204	VirtualTam <[email protected]>
-   147	nodiscc <[email protected]>
+   537	ArthurHoaro <[email protected]>
+   252	VirtualTam <[email protected]>
+   148	nodiscc <[email protected]>
     56	Sébastien Sauvage <[email protected]>
     15	Florian Eula <[email protected]>
     13	Emilien Klein <[email protected]>
     12	Nicolas Danelon <[email protected]>
+     9	Willi Eggeling <[email protected]>
      8	Christophe HENRY <[email protected]>
+     6	B. van Berkum <[email protected]>
+     5	Lucas Cimon <[email protected]>
      4	Alexandre Alapetite <[email protected]>
      4	David Sferruzza <[email protected]>
-     3	Lucas Cimon <[email protected]>
      3	Teromene <[email protected]>
      3	kalvn <[email protected]>
      2	Chris Kuethe <[email protected]>
@@ -37,6 +39,7 @@
      1	Kevin Canévet <[email protected]>
      1	Knah Tsaeb <[email protected]>
      1	Lionel Martin <[email protected]>
+     1	Mark Gerarts <[email protected]>
      1	Marsup <[email protected]>
      1	Sbgodin <[email protected]>
      1	TsT <[email protected]>

CHANGELOG.md

@@ -4,6 +4,44 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/)
 and this project adheres to [Semantic Versioning](http://semver.org/).
 
+## [v0.9.2](https://github.com/shaarli/Shaarli/releases/tag/v0.9.2) - 2017-10-07
+
+**Major security issue fixed. Please update.**
+
+### Added
+- Tag search now supports wildcards `*`
+- New setting `privacy.force_login` which can be used with `privacy.hide_public_links` to redirect anonymous users to the login page.
+- New setting `general.default_note_title` used to override default `Note:` title prefix for notes.
+- Add a version hash for asset loading to prevent browser's cache issue
+
+### Changed
+- The "Remember me" checkbox is unchecked by default
+- The default value of the "Remember me" checkbox can be configured under `data/config.json.php`
+
+### Removed
+- Remove obsolete PHP magic quote support
+
+### Fixed
+- Generates a permalink URL if the URL is set to blank
+- Replace links to the old GitHub wiki with ReadTheDocs URIs
+- Use single quotes in the note bookmarklet
+- Daily page if there is no link
+- Bulk link deletion with a single link
+- HTTPS detection behind a reverse proxy
+- Travis tests environment and localization
+- Improve template paths robustness (trailing slash)
+- Robustness: safer gzinflate/zlib usage
+- Description links parsing with parenthesis (without Markdown)
+- Templates:
+    - Sort the tag cloud alphabetically
+    - Firefox social title
+    - Improved visited link color
+    - Fix jumpy textarea with long content in post edit
+
+### Security
+
+- Vulnerability introduced in v0.9.1 fixed.
+
 ## [v0.9.1](https://github.com/shaarli/Shaarli/releases/tag/v0.9.1) - 2017-08-23
 
 The documentation has been migrated to ReadTheDocs:
@@ -61,7 +99,7 @@ The documentation has been migrated to ReadTheDocs:
 This release introduces the REST API, and requires updating HTTP server
 configuration to enable URL rewriting, see:
 - https://shaarli.github.io/api-documentation/
-- https://github.com/shaarli/Shaarli/wiki/Server-configuration
+- https://shaarli.readthedocs.io/en/master/Server-configuration/
 
 **WARNING**: Shaarli now requires PHP 5.5+.
 

CONTRIBUTING.md

@@ -54,7 +54,7 @@ Please report any problem you might find.
  * starting from branch ` master`, switch to a new branch (eg. `git checkout -b my-awesome-feature`)
  * edit the required files (from the Github web interface or your text editor)
  * add and commit your changes with a meaningful commit message (eg `Cool new feature, fixes issue #1001`)
- * run unit tests against your patched version, see [Running unit tests](https://github.com/shaarli/Shaarli/wiki/Running-unit-tests)
+ * run unit tests against your patched version, see [Running unit tests](https://shaarli.readthedocs.io/en/master/Unit-tests/#run-unit-tests)
  * Open your fork in the Github web interface and click the "Compare and Pull Request" button, enter required info and submit your Pull Request.
 
 All changes you will do on the `my-awesome-feature`  in the future will be added to your Pull Request. Don't work directly on the master branch, don't do unrelated work on your  `my-awesome-feature` branch.

Makefile

@@ -18,6 +18,16 @@ PHP_COMMA_SOURCE = index.php,application,tests,plugins
 
 all: static_analysis_summary check_permissions test
 
+##
+# Docker test adapter
+#
+# Shaarli sources and vendored libraries are copied from a shared volume
+# to a user-owned directory to enable running tests as a non-root user.
+##
+docker_%:
+	rsync -az /shaarli/ ~/shaarli/
+	cd ~/shaarli && make $*
+
 ##
 # Concise status of the project
 # These targets are non-blocking: || exit 0
@@ -159,14 +169,14 @@ composer_dependencies: clean
 	find vendor/ -name ".git" -type d -exec rm -rf {} +
 
 ### generate a release tarball and include 3rd-party dependencies
-release_tar: composer_dependencies doc_html
+release_tar: composer_dependencies htmldoc
 	git archive --prefix=$(ARCHIVE_PREFIX) -o $(ARCHIVE_VERSION).tar HEAD
 	tar rvf $(ARCHIVE_VERSION).tar --transform "s|^vendor|$(ARCHIVE_PREFIX)vendor|" vendor/
 	tar rvf $(ARCHIVE_VERSION).tar --transform "s|^doc/html|$(ARCHIVE_PREFIX)doc/html|" doc/html/
 	gzip $(ARCHIVE_VERSION).tar
 
 ### generate a release zip and include 3rd-party dependencies
-release_zip: composer_dependencies doc_html
+release_zip: composer_dependencies htmldoc
 	git archive --prefix=$(ARCHIVE_PREFIX) -o $(ARCHIVE_VERSION).zip -9 HEAD
 	mkdir -p $(ARCHIVE_PREFIX)/{doc,vendor}
 	rsync -a doc/html/ $(ARCHIVE_PREFIX)doc/html/
@@ -195,17 +205,11 @@ doxygen: clean
 	@rm -rf doxygen
 	@( cat Doxyfile ; echo "PROJECT_NUMBER=`git describe`" ) | doxygen -
 
-### Convert local markdown documentation to HTML
-#
-# For all pages:
-#  - convert GitHub-flavoured relative links to standard Markdown
-#  - generate html documentation with mkdocs
-htmlpages:
+### generate HTML documentation from Markdown pages with MkDocs
+htmldoc:
 	python3 -m venv venv/
 	bash -c 'source venv/bin/activate; \
 	pip install mkdocs; \
 	mkdocs build'
 	find doc/html/ -type f -exec chmod a-x '{}' \;
 	rm -r venv
-
-doc_html: authors htmlpages

README.md

@@ -9,7 +9,7 @@ _It is designed to be personal (single-user), fast and handy._
 [![](https://img.shields.io/badge/stable-v0.8.4-blue.svg)](https://github.com/shaarli/Shaarli/releases/tag/v0.8.4)
 [![](https://img.shields.io/travis/shaarli/Shaarli/stable.svg?label=stable)](https://travis-ci.org/shaarli/Shaarli)
 •
-[![](https://img.shields.io/badge/latest-v0.9.0-blue.svg)](https://github.com/shaarli/Shaarli/releases/tag/v0.9.0)
+[![](https://img.shields.io/badge/latest-v0.9.1-blue.svg)](https://github.com/shaarli/Shaarli/releases/tag/v0.9.1)
 [![](https://img.shields.io/travis/shaarli/Shaarli/latest.svg?label=latest)](https://travis-ci.org/shaarli/Shaarli)
 •
 [![](https://img.shields.io/badge/master-v0.9.x-blue.svg)](https://github.com/shaarli/Shaarli)

application/ApplicationUtils.php

@@ -168,14 +168,15 @@ public static function checkPHPVersion($minVersion, $curVersion)
     public static function checkResourcePermissions($conf)
     {
         $errors = array();
+        $rainTplDir = rtrim($conf->get('resource.raintpl_tpl'), '/');
 
         // Check script and template directories are readable
         foreach (array(
             'application',
             'inc',
             'plugins',
-            $conf->get('resource.raintpl_tpl'),
-            $conf->get('resource.raintpl_tpl').'/'.$conf->get('resource.theme'),
+            $rainTplDir,
+            $rainTplDir.'/'.$conf->get('resource.theme'),
         ) as $path) {
             if (! is_readable(realpath($path))) {
                 $errors[] = '"'.$path.'" directory is not readable';
@@ -220,4 +221,19 @@ public static function checkResourcePermissions($conf)
 
         return $errors;
     }
+
+    /**
+     * Returns a salted hash representing the current Shaarli version.
+     *
+     * Useful for assets browser cache.
+     *
+     * @param string $currentVersion of Shaarli
+     * @param string $salt           User personal salt, also used for the authentication
+     *
+     * @return string version hash
+     */
+    public static function getVersionHash($currentVersion, $salt)
+    {
+        return hash_hmac('sha256', $currentVersion, $salt);
+    }
 }

application/FileUtils.php

@@ -50,7 +50,8 @@ public static function writeFlatDB($file, $content)
 
     /**
      * Read data from a file containing Shaarli database format content.
-     * If the file isn't readable or doesn't exists, default data will be returned.
+     *
+     * If the file isn't readable or doesn't exist, default data will be returned.
      *
      * @param string $file    File path.
      * @param mixed  $default The default value to return if the file isn't readable.
@@ -61,16 +62,21 @@ public static function readFlatDB($file, $default = null)
     {
         // Note that gzinflate is faster than gzuncompress.
         // See: http://www.php.net/manual/en/function.gzdeflate.php#96439
-        if (is_readable($file)) {
-            return unserialize(
-                gzinflate(
-                    base64_decode(
-                        substr(file_get_contents($file), strlen(self::$phpPrefix), -strlen(self::$phpSuffix))
-                    )
-                )
-            );
+        if (! is_readable($file)) {
+            return $default;
+        }
+
+        $data = file_get_contents($file);
+        if ($data == '') {
+            return $default;
         }
 
-        return $default;
+        return unserialize(
+            gzinflate(
+                base64_decode(
+                    substr($data, strlen(self::$phpPrefix), -strlen(self::$phpSuffix))
+                )
+            )
+        );
     }
 }

application/HttpUtils.php

@@ -401,3 +401,31 @@ function getIpAddressFromProxy($server, $trustedIps)
 
     return array_pop($ips);
 }
+
+/**
+ * Returns true if Shaarli's currently browsed in HTTPS.
+ * Supports reverse proxies (if the headers are correctly set).
+ *
+ * @param array $server $_SERVER.
+ *
+ * @return bool true if HTTPS, false otherwise.
+ */
+function is_https($server)
+{
+
+    if (isset($server['HTTP_X_FORWARDED_PORT'])) {
+        // Keep forwarded port
+        if (strpos($server['HTTP_X_FORWARDED_PORT'], ',') !== false) {
+            $ports = explode(',', $server['HTTP_X_FORWARDED_PORT']);
+            $port = trim($ports[0]);
+        } else {
+            $port = $server['HTTP_X_FORWARDED_PORT'];
+        }
+
+        if ($port == '443') {
+            return true;
+        }
+    }
+
+    return ! empty($server['HTTPS']);
+}

application/LinkDB.php

@@ -249,7 +249,7 @@ private function check()
         $link = array(
             'id' => 1,
             'title'=>' Shaarli: the personal, minimalist, super-fast, no-database delicious clone',
-            'url'=>'https://github.com/shaarli/Shaarli/wiki',
+            'url'=>'https://shaarli.readthedocs.io',
             'description'=>'Welcome to Shaarli! This is your first public bookmark. To edit or delete me, you must first login.
 
 To learn how to use Shaarli, consult the link "Help/documentation" at the bottom of this page.