Davide Scaini 6d3673b2f7 1. Image upload size limit — _MAX_IMAGE_BYTES = 10 MB in both serve/server.py and edit/server.py ...

2. Image MIME type whitelist — _ALLOWED_IMAGE_TYPES blocks SVG XSS in both servers
  3. Filename collision safety — _unique_image_name() helper in both servers
  4. OAuth CSRF — state token generated in edit/server.py auth-url, stored in _oauth_states, validated and discarded in callback; strava_api.auth_url() accepts optional state param
  5. Error message leak — upload processing errors now return generic "Processing failed" instead of exception type/message
  6. Handle injection in subprocess — _trigger_rebuild now asserts handle matches _VALID_HANDLE before passing to subprocess

2026-04-10 13:56:39 +02:00

..

__init__.py

feat: activity sidecar edits via bincio edit --serve

2026-03-29 15:06:55 +02:00

cli.py

sync strava data from web ui

2026-04-06 12:38:41 +02:00

ops.py

"keep data on the server" opt-in/out

2026-04-10 13:01:21 +02:00

server.py

1. Image upload size limit — _MAX_IMAGE_BYTES = 10 MB in both serve/server.py and edit/server.py

2026-04-10 13:56:39 +02:00