1. 18 May, 2016 2 commits
  2. 17 May, 2016 2 commits
  3. 16 May, 2016 5 commits
  4. 12 May, 2016 1 commit
  5. 06 May, 2016 1 commit
  6. 05 May, 2016 1 commit
    • Escape double-quotes in filename, in Content-Disposition header · b3b57485
      Aaron Wells authored and Robert Lyon committed
      Bug 1578512: As specified in RFC 6266, the filename is a
      "quoted-string", and as specified in RFC 2616 double quotes
      within a quoted-string should be escaped with a backslash.
      
      Change-Id: Id9d069a976406a82a6f0b6db92c696f700e00469
      behatnotneeded: Can't test file uploads in behat yet
      (cherry picked from commit aa8c6760)
  7. 02 May, 2016 6 commits
  8. 01 May, 2016 6 commits
  9. 29 Apr, 2016 1 commit
  10. 28 Apr, 2016 5 commits
  11. 26 Apr, 2016 1 commit
  12. 23 Apr, 2016 1 commit
  13. 22 Apr, 2016 1 commit
  14. 21 Apr, 2016 5 commits
  15. 20 Apr, 2016 2 commits
    • Correcting typos in cookie-issuing code · 0184cbf6
      Aaron Wells authored and Robert Lyon committed
      Bug 1570744: Accidentally used set_cookie() instead of
      setcookie(). This makes the cookie break if you use
      the $cfg->cookieprefix setting.
      
      behatnotneeded: Covered by existing tests
      
      Change-Id: Idec3676222e3ff4eb22f7925de6bec10cfa35755
    • Bug 1570744: Fixing session bugs · 6d469bd6
      Aaron Wells authored and Robert Lyon committed
      This patch does 2 things:
      
      1. It loads the session much earlier during init.php. We wind
      up creating one on *every* script load anyway, due to LiveUser's
      constructor. Sometimes it gets created earlier if other code
      tries to use it before then, which adds some unpredictability
      to things. Moving it up to the top of init.php reduces that
      unpredictability.
      
      2. It turns out that in PHP 5.3, using header_remove('Set-Cookie')
      to only doesn't remove session headers. But header_remove()
      (with no params) to remove *all* cookies does remove them. So
      I'm changing remove_duplicate_cookies() to use that instead.
      
      3. Also in PHP 5.3, session headers are visible in headers_list().
      In situations where your session id changes (due to session_destroy()
      and session_regenerate_id()), our use of array_unique() meant we
      would preserve the old and new session IDs and send both back
      to the browser. This patch makes remove_duplicate_cookies() aware
      of the current session ID, and it only preserves that one.
      
      Change-Id: I7a90b8692a5f97429415aa9a17451a44cd2109dd
      behatnotneeded: Covered by existing tests
      (cherry picked from commit 83ec33f2)