bvandeusen
|
00643c778e
|
security: fix 10 vulnerabilities from security audit
- SSRF: block private/internal URLs in image cache fetch
- SSRF: block private/internal URLs in RSS feed fetch (scheme guard)
- SSRF: block private/internal URLs in CalDAV URL setting
- Auth: require login for GET /api/images/<id> (was unauthenticated)
- Auth: restrict Ollama model pull/delete to admin users only
- Info disclosure: remove email from /api/users/search response
- OAuth: skip email-based account linking when email_verified is false
- Config: raise hard error on default SECRET_KEY when SECURE_COOKIES=true
- Rate limit: document proxy header requirement; add startup warning
- XSS: remove src/alt from global DOMPurify ADD_ATTR allowlist
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
|
2026-03-29 00:37:13 -04:00 |
|
bvandeusen
|
57bf63e576
|
feat: extend RSS item retention from 14 to 90 days
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
|
2026-03-28 00:29:32 -04:00 |
|
bvandeusen
|
359b5f0545
|
feat(briefing): trigger RSS classification after new items are stored
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
|
2026-03-25 10:39:08 -04:00 |
|
bvandeusen
|
9bb054f3d5
|
feat: RSS service — feedparser fetch, cache, prune
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
|
2026-03-11 19:46:01 -04:00 |
|