- 14 Apr, 2016 1 commit
-
-
Daniel Hams authored
Update eclipse project file to reflect changed list of jars. Verified as building and running under Eclipse Luna.
-
- 11 Apr, 2016 2 commits
-
-
Guus der Kinderen authored
OF-1126: Abstract implementation should not change signature
-
Guus der Kinderen authored
The abstract implementation of GroupProvider should not hide the thrown clause as defined by the createGroup() signature.
-
- 10 Apr, 2016 2 commits
-
-
daryl herzmann authored
OF-1120 Additional fix for the default behavior
-
wroot authored
-
- 09 Apr, 2016 1 commit
-
-
wroot authored
-
- 08 Apr, 2016 2 commits
-
-
Guus der Kinderen authored
OF-836 / OF-941 / OF-777
-
Dave Cridland authored
Various SASL-related changes
-
- 06 Apr, 2016 4 commits
-
-
Guus der Kinderen authored
Openfire should not need to be restarted after a configuration change for SASL.
-
Guus der Kinderen authored
The GSSAPI SASL mechanism can be enabled by default. It won't be offered unless there is a specific gssapi-configuration option present.
-
Guus der Kinderen authored
Openfire should not offer SASL mechanisms if the JVM has no implementation for them.
-
Guus der Kinderen authored
The changes for OF-1092 accidentally removed a snippet of code that translates a non-optional part of the GSSAPI SASL configuration. This commit restores that, with a difference: the configuration is now checked continuously, instead of just on server startup. This allows for configuration changes that need not be followed by an Openfire restart.
-
- 30 Mar, 2016 1 commit
-
-
Dave Cridland authored
-
- 25 Mar, 2016 2 commits
-
-
Dave Cridland authored
OF-1119: Do not depend on ordering of chains
-
Guus der Kinderen authored
When validating a certificate chain, the provided chain ought to be ordered. If our own ordering fails, we should use the first certificate of the (unordered) chain, instead of failing completely.
-
- 24 Mar, 2016 3 commits
-
-
Dave Cridland authored
Set affiliation to 'none' after removing registration from room.
-
Dave Cridland authored
Fixing NPE in RemoteSession
-
Dave Cridland authored
Fix non-working XEP-0136 for monitoring plugin
-
- 23 Mar, 2016 15 commits
-
-
Dave Cridland authored
-
Dave Cridland authored
-
Dave Cridland authored
Include nickname in actor element when kicking a MUC occupant.
-
Dave Cridland authored
OF-1115 Use Java 8 for Debian packaging
-
Dave Cridland authored
OF-1093: Allow for empty/unknown user creation dates.
-
Dave Cridland authored
OF-1118: Don't try to use unsupported encryption settings.
-
Guus der Kinderen authored
Stored preferences of encryption protocols and/or cipher suites might include non-supported items. To prevent issues, the list of preferences should be checked against the currently supported items.
-
Dave Cridland authored
Extending the previous commit, this adds CSRF to a number of high-value target pages, including user password changing, deletion, lockout, etc, and also for the login page (to avoid a class of attack we probably don't care about). The CSRF mechanism requires manual addition to each form, but has been design reviewed by Simon Waters (Surevine Ltd).
-
Dave Cridland authored
-
Dave Cridland authored
Reflected XSS in import-keystore-certificate.jsp via the passphrase. Reported by Florian Nivette of Sysdream.
-
Dave Cridland authored
-
Guus der Kinderen authored
Adding indexes to PostgreSQL for message search query improvement
-
Dave Cridland authored
The mucdesc parameter of muc-service-edit-form.jsp was reflected unescaped in the summary view at muc-service-summary.jsp. This was reported by Florian Nivette of Sysdream. Fixed by escaping on output within muc-service-summary.jsp. In addition, domain validation was added on input.
-
Guus der Kinderen authored
Some user providers might not be able to provide a creation date. There's no reason that the admin page should fail over that. Note that this commit completes commit 2746a7f4, which had a correct but incomplete fix for the same problem.
-
Dave Cridland authored
The subdomain parameter in external-components-settings.jsp was reflected in both cases in the deletion URI as an unencoded parameter. Originally discovered by Simon Waters, then this case found by Florian Nivette of Sysdream. Fix is twofold:
* The parameter is now encoded on output, the deletion URI is now set using the JSP tags instead of string construction.
* The subdomain parameter is validated on input, making it difficult to inject script elements etc.
-
- 22 Mar, 2016 1 commit
-
-
Juan Francisco Calderon Zumba authored
-
- 21 Mar, 2016 2 commits
-
-
daryl herzmann authored
OF-929 prevent ghosts by removing ioSession check
-
akrherz authored
untested by me, just a simple s/7/8/ with the debian build files
-
- 18 Mar, 2016 1 commit
-
-
akrherz authored
Since the release of Openfire 3.9.3, users have reported problems with "ghost" sessions left on the server. After reviewing the changes that went into the 3.9.3 release, it seemed the fix for OF-464 may have had some side effect causing this. Since Igniterealtime's Openfire was reproducing OF-829, I did a test whereby the functional changes of Igniterealtime/Openfire#ad08cae9 were reverted. After 36 hours, there were no ghosts! This will likely necessitate reopening OF-464.
-
- 17 Mar, 2016 1 commit
-
-
Christian Schudt authored
OF-1089: Send IQ result only after messages
-
- 11 Mar, 2016 2 commits
-
-
Guus der Kinderen authored
OF-1107 Option to not show email, added readme and changelog
-
wroot authored
-