Merge remote-tracking branch 'FreshRSS/master' into dev

1 files changed, 271 insertions, 56 deletions

diff --git a/lib/lib_rss.php b/lib/lib_rss.php
index 9abdf18ce..560e5b256 100644
--- a/lib/lib_rss.php
+++ b/lib/lib_rss.php
@@ -1,20 +1,33 @@
 <?php
 if (!function_exists('json_decode')) {
 	require_once('JSON.php');
-	function json_decode($var) {
-		$JSON = new Services_JSON;
-		return (array)($JSON->decode($var));
+	function json_decode($var, $assoc = false) {
+		$JSON = new Services_JSON($assoc ? SERVICES_JSON_LOOSE_TYPE : 0);
+		return $JSON->decode($var);
 	}
 }
 
 if (!function_exists('json_encode')) {
 	require_once('JSON.php');
 	function json_encode($var) {
-		$JSON = new Services_JSON;
+		$JSON = new Services_JSON();
 		return $JSON->encodeUnsafe($var);
 	}
 }
 
+defined('JSON_UNESCAPED_UNICODE') or define('JSON_UNESCAPED_UNICODE', 256);	//PHP 5.3
+
+/**
+ * Build a directory path by concatenating a list of directory names.
+ *
+ * @param $path_parts a list of directory names
+ * @return a string corresponding to the final pathname
+ */
+function join_path() {
+	$path_parts = func_get_args();
+	return join(DIRECTORY_SEPARATOR, $path_parts);
+}
+
 //<Auto-loading>
 function classAutoloader($class) {
 	if (strpos($class, 'FreshRSS') === 0) {
@@ -27,7 +40,7 @@ function classAutoloader($class) {
 				include(APP_PATH . '/Models/' . $components[1] . '.php');
 				return;
 			case 3:	//Controllers, Exceptions
-				@include(APP_PATH . '/' . $components[2] . 's/' . $components[1] . $components[2] . '.php');
+				include(APP_PATH . '/' . $components[2] . 's/' . $components[1] . $components[2] . '.php');
 				return;
 		}
 	} elseif (strpos($class, 'Minz') === 0) {
@@ -40,6 +53,21 @@ function classAutoloader($class) {
 spl_autoload_register('classAutoloader');
 //</Auto-loading>
 
+function idn_to_puny($url) {
+	if (function_exists('idn_to_ascii')) {
+		$parts = parse_url($url);
+		if (!empty($parts['host'])) {
+			$idn = $parts['host'];
+			$puny = idn_to_ascii($idn);
+			$pos = strpos($url, $idn);
+			if ($pos !== false) {
+				return substr_replace($url, $puny, $pos, strlen($idn));
+			}
+		}
+	}
+	return $url;
+}
+
 function checkUrl($url) {
 	if (empty ($url)) {
 		return '';
@@ -47,41 +75,74 @@ function checkUrl($url) {
 	if (!preg_match ('#^https?://#i', $url)) {
 		$url = 'http://' . $url;
 	}
-	if (filter_var($url, FILTER_VALIDATE_URL) ||
-		(version_compare(PHP_VERSION, '5.3.3', '<') && (strpos($url, '-') > 0) &&	//PHP bug #51192
-		 ($url === filter_var($url, FILTER_SANITIZE_URL)))) {
+	$url = idn_to_puny($url);	//PHP bug #53474 IDN
+	if (filter_var($url, FILTER_VALIDATE_URL)) {
 		return $url;
 	} else {
 		return false;
 	}
 }
 
-function formatNumber($n, $precision = 0) {
-	return str_replace(' ', ' ',	//Espace insécable	//TODO: remplacer par une espace _fine_ insécable
-		number_format($n, $precision, '.', ' '));	//number_format does not seem to be Unicode-compatible
+function safe_ascii($text) {
+	return filter_var($text, FILTER_DEFAULT, FILTER_FLAG_STRIP_LOW | FILTER_FLAG_STRIP_HIGH);
+}
+
+/**
+ * Test if a given server address is publicly accessible.
+ *
+ * Note: for the moment it tests only if address is corresponding to a
+ * localhost address.
+ *
+ * @param $address the address to test, can be an IP or a URL.
+ * @return true if server is accessible, false else.
+ * @todo improve test with a more valid technique (e.g. test with an external server?)
+ */
+function server_is_public($address) {
+	$host = parse_url($address, PHP_URL_HOST);
+
+	$is_public = !in_array($host, array(
+		'127.0.0.1',
+		'localhost',
+		'localhost.localdomain',
+		'[::1]',
+		'localhost6',
+		'localhost6.localdomain6',
+	));
+
+	return $is_public;
 }
 
-function formatBytes($bytes, $precision = 2, $system = 'IEC') {
+
+function format_number($n, $precision = 0) {
+	// number_format does not seem to be Unicode-compatible
+	return str_replace(' ', ' ',  //Espace fine insécable
+		number_format($n, $precision, '.', ' ')
+	);
+}
+
+function format_bytes($bytes, $precision = 2, $system = 'IEC') {
 	if ($system === 'IEC') {
 		$base = 1024;
 		$units = array('B', 'KiB', 'MiB', 'GiB', 'TiB');
 	} elseif ($system === 'SI') {
 		$base = 1000;
 		$units = array('B', 'KB', 'MB', 'GB', 'TB');
+	} else {
+		return format_number($bytes, $precision);
 	}
 	$bytes = max(intval($bytes), 0);
 	$pow = $bytes === 0 ? 0 : floor(log($bytes) / log($base));
 	$pow = min($pow, count($units) - 1);
 	$bytes /= pow($base, $pow);
-	return formatNumber($bytes, $precision) . ' ' . $units[$pow];
+	return format_number($bytes, $precision) . ' ' . $units[$pow];
 }
 
 function timestamptodate ($t, $hour = true) {
-	$month = _t(date('M', $t));
+	$month = _t('gen.date.' . date('M', $t));
 	if ($hour) {
-		$date = _t('format_date_hour', $month);
+		$date = _t('gen.date.format_date_hour', $month);
 	} else {
-		$date = _t('format_date', $month);
+		$date = _t('gen.date.format_date', $month);
 	}
 
 	return @date ($date, $t);
@@ -106,11 +167,15 @@ function html_only_entity_decode($text) {
 }
 
 function customSimplePie() {
+	$system_conf = Minz_Configuration::get('system');
+	$limits = $system_conf->limits;
 	$simplePie = new SimplePie();
-	$simplePie->set_useragent(_t('freshrss') . '/' . FRESHRSS_VERSION . ' (' . PHP_OS . '; ' . FRESHRSS_WEBSITE . ') ' . SIMPLEPIE_NAME . '/' . SIMPLEPIE_VERSION);
+	$simplePie->set_useragent('FreshRSS/' . FRESHRSS_VERSION . ' (' . PHP_OS . '; ' . FRESHRSS_WEBSITE . ') ' . SIMPLEPIE_NAME . '/' . SIMPLEPIE_VERSION);
+	$simplePie->set_syslog($system_conf->simplepie_syslog_enabled);
 	$simplePie->set_cache_location(CACHE_PATH);
-	$simplePie->set_cache_duration(800);
-	$simplePie->set_timeout(10);	//TODO: Make a user setting
+	$simplePie->set_cache_duration($limits['cache_duration']);
+	$simplePie->set_timeout($limits['timeout']);
+	$simplePie->set_curl_options($system_conf->curl_options);
 	$simplePie->strip_htmltags(array(
 		'base', 'blink', 'body', 'doctype', 'embed',
 		'font', 'form', 'frame', 'frameset', 'html',
@@ -120,12 +185,11 @@ function customSimplePie() {
 	$simplePie->strip_attributes(array_merge($simplePie->strip_attributes, array(
 		'autoplay', 'onload', 'onunload', 'onclick', 'ondblclick', 'onmousedown', 'onmouseup',
 		'onmouseover', 'onmousemove', 'onmouseout', 'onfocus', 'onblur',
-		'onkeypress', 'onkeydown', 'onkeyup', 'onselect', 'onchange', 'seamless')));
+		'onkeypress', 'onkeydown', 'onkeyup', 'onselect', 'onchange', 'seamless', 'sizes', 'srcset')));
 	$simplePie->add_attributes(array(
-		'img' => array('lazyload' => '', 'postpone' => ''),	//http://www.w3.org/TR/resource-priorities/
-		'audio' => array('lazyload' => '', 'postpone' => '', 'preload' => 'none'),
-		'iframe' => array('lazyload' => '', 'postpone' => '', 'sandbox' => 'allow-scripts allow-same-origin'),
-		'video' => array('lazyload' => '', 'postpone' => '', 'preload' => 'none'),
+		'audio' => array('preload' => 'none'),
+		'iframe' => array('sandbox' => 'allow-scripts allow-same-origin'),
+		'video' => array('preload' => 'none'),
 	));
 	$simplePie->set_url_replacements(array(
 		'a' => 'href',
@@ -149,6 +213,16 @@ function customSimplePie() {
 			'src',
 		),
 	));
+	$https_domains = array();
+	$force = @file(DATA_PATH . '/force-https.default.txt', FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
+	if (is_array($force)) {
+		$https_domains = array_merge($https_domains, $force);
+	}
+	$force = @file(DATA_PATH . '/force-https.txt', FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
+	if (is_array($force)) {
+		$https_domains = array_merge($https_domains, $force);
+	}
+	$simplePie->set_https_domains($https_domains);
 	return $simplePie;
 }
 
@@ -163,17 +237,27 @@ function sanitizeHTML($data, $base = '') {
 
 /* permet de récupérer le contenu d'un article pour un flux qui n'est pas complet */
 function get_content_by_parsing ($url, $path) {
-	require_once (LIB_PATH . '/lib_phpQuery.php');
+	require_once(LIB_PATH . '/lib_phpQuery.php');
 
-	syslog(LOG_INFO, 'FreshRSS GET ' . $url);
-	$html = file_get_contents ($url);
+	Minz_Log::notice('FreshRSS GET ' . SimplePie_Misc::url_remove_credentials($url));
+	$html = file_get_contents($url);
 
 	if ($html) {
-		$doc = phpQuery::newDocument ($html);
-		$content = $doc->find ($path);
+		$doc = phpQuery::newDocument($html);
+		$content = $doc->find($path);
+
+		foreach (pq('img[data-src]') as $img) {
+			$imgP = pq($img);
+			$dataSrc = $imgP->attr('data-src');
+			if (strlen($dataSrc) > 4) {
+				$imgP->attr('src', $dataSrc);
+				$imgP->removeAttr('data-src');
+			}
+		}
+
 		return sanitizeHTML($content->__toString(), $url);
 	} else {
-		throw new Exception ();
+		throw new Exception();
 	}
 }
 
@@ -200,50 +284,102 @@ function uSecString() {
 	return str_pad($t['usec'], 6, '0');
 }
 
-function invalidateHttpCache() {
-	Minz_Session::_param('touch', uTimeString());
-	return touch(LOG_PATH . '/' . Minz_Session::param('currentUser', '_') . '.log');
+function invalidateHttpCache($username = '') {
+	if (($username == '') || (!ctype_alnum($username))) {
+		Minz_Session::_param('touch', uTimeString());
+		$username = Minz_Session::param('currentUser', '_');
+	}
+	return touch(join_path(DATA_PATH, 'users', $username, 'log.txt'));
 }
 
-function usernameFromPath($userPath) {
-	if (preg_match('%/([A-Za-z0-9]{1,16})_user\.php$%', $userPath, $matches)) {
-		return $matches[1];
-	} else {
-		return '';
+function listUsers() {
+	$final_list = array();
+	$base_path = join_path(DATA_PATH, 'users');
+	$dir_list = array_values(array_diff(
+		scandir($base_path),
+		array('..', '.', '_')
+	));
+
+	foreach ($dir_list as $file) {
+		if (is_dir(join_path($base_path, $file))) {
+			$final_list[] = $file;
+		}
 	}
+
+	return $final_list;
 }
 
-function listUsers() {
-	return array_map('usernameFromPath', glob(DATA_PATH . '/*_user.php'));
+
+/**
+ * Return if the maximum number of registrations has been reached.
+ *
+ * Note a max_regstrations of 0 means there is no limit.
+ *
+ * @return true if number of users >= max registrations, false else.
+ */
+function max_registrations_reached() {
+	$system_conf = Minz_Configuration::get('system');
+	$limit_registrations = $system_conf->limits['max_registrations'];
+	$number_accounts = count(listUsers());
+
+	return $limit_registrations > 0 && $number_accounts >= $limit_registrations;
 }
 
+
+/**
+ * Register and return the configuration for a given user.
+ *
+ * Note this function has been created to generate temporary configuration
+ * objects. If you need a long-time configuration, please don't use this function.
+ *
+ * @param $username the name of the user of which we want the configuration.
+ * @return a Minz_Configuration object, null if the configuration cannot be loaded.
+ */
+function get_user_configuration($username) {
+	$namespace = 'user_' . $username;
+	try {
+		Minz_Configuration::register($namespace,
+		                             join_path(USERS_PATH, $username, 'config.php'),
+		                             join_path(USERS_PATH, '_', 'config.default.php'));
+	} catch (Minz_ConfigurationNamespaceException $e) {
+		// namespace already exists, do nothing.
+	} catch (Minz_FileNotExistException $e) {
+		Minz_Log::warning($e->getMessage());
+		return null;
+	}
+
+	return Minz_Configuration::get($namespace);
+}
+
+
 function httpAuthUser() {
 	return isset($_SERVER['REMOTE_USER']) ? $_SERVER['REMOTE_USER'] : '';
 }
 
 function cryptAvailable() {
-	if (version_compare(PHP_VERSION, '5.3.3', '>=')) {
-		try {
-			$hash = '$2y$04$usesomesillystringfore7hnbRJHxXVLeakoG8K30oukPsA.ztMG';
-			return $hash === @crypt('password', $hash);
-		} catch (Exception $e) {
-		}
+	try {
+		$hash = '$2y$04$usesomesillystringfore7hnbRJHxXVLeakoG8K30oukPsA.ztMG';
+		return $hash === @crypt('password', $hash);
+	} catch (Exception $e) {
 	}
 	return false;
 }
 
 function is_referer_from_same_domain() {
 	if (empty($_SERVER['HTTP_REFERER'])) {
-		return false;
+		return true;	//Accept empty referer while waiting for good support of meta referrer same-origin policy in browsers
 	}
 	$host = parse_url(((isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] === 'on') ? 'https://' : 'http://') .
 		(empty($_SERVER['HTTP_HOST']) ? $_SERVER['SERVER_NAME'] : $_SERVER['HTTP_HOST']));
 	$referer = parse_url($_SERVER['HTTP_REFERER']);
-	if (empty($host['scheme']) || empty($referer['scheme']) || $host['scheme'] !== $referer['scheme'] ||
-	    empty($host['host']) || empty($referer['host']) || $host['host'] !== $referer['host']) {
+	if (empty($host['host']) || empty($referer['host']) || $host['host'] !== $referer['host']) {
 		return false;
 	}
-	return (isset($host['port']) ? $host['port'] : 0) === (isset($referer['port']) ? $referer['port'] : 0);
+	//TODO: check 'scheme', taking into account the case of a proxy
+	if ((isset($host['port']) ? $host['port'] : 0) !== (isset($referer['port']) ? $referer['port'] : 0)) {
+		return false;
+	}
+	return true;
 }
 
 
@@ -253,15 +389,16 @@ function is_referer_from_same_domain() {
  * @return array of tested values.
  */
 function check_install_php() {
+	$pdo_mysql = extension_loaded('pdo_mysql');
+	$pdo_sqlite = extension_loaded('pdo_sqlite');
 	return array(
-		'php' => version_compare(PHP_VERSION, '5.2.1') >= 0,
+		'php' => version_compare(PHP_VERSION, '5.3.3') >= 0,
 		'minz' => file_exists(LIB_PATH . '/Minz'),
 		'curl' => extension_loaded('curl'),
-		'pdo_mysql' => extension_loaded('pdo_mysql'),
-		'pdo_sqlite' => extension_loaded('pdo_sqlite'),
-		'pdo' => extension_loaded('pdo_mysql') || extension_loaded('pdo_sqlite'),
+		'pdo' => $pdo_mysql || $pdo_sqlite,
 		'pcre' => extension_loaded('pcre'),
 		'ctype' => extension_loaded('ctype'),
+		'fileinfo' => extension_loaded('fileinfo'),
 		'dom' => class_exists('DOMDocument'),
 		'json' => extension_loaded('json'),
 		'zip' => extension_loaded('zip'),
@@ -278,9 +415,8 @@ function check_install_files() {
 	return array(
 		'data' => DATA_PATH && is_writable(DATA_PATH),
 		'cache' => CACHE_PATH && is_writable(CACHE_PATH),
-		'logs' => LOG_PATH && is_writable(LOG_PATH),
+		'users' => USERS_PATH && is_writable(USERS_PATH),
 		'favicons' => is_writable(DATA_PATH . '/favicons'),
-		'persona' => is_writable(DATA_PATH . '/persona'),
 		'tokens' => is_writable(DATA_PATH . '/tokens'),
 	);
 }
@@ -313,3 +449,82 @@ function check_install_database() {
 
 	return $status;
 }
+
+/**
+ * Remove a directory recursively.
+ *
+ * From http://php.net/rmdir#110489
+ *
+ * @param $dir the directory to remove
+ */
+function recursive_unlink($dir) {
+	if (!is_dir($dir)) {
+		return true;
+	}
+
+	$files = array_diff(scandir($dir), array('.', '..'));
+	foreach ($files as $filename) {
+		$filename = $dir . '/' . $filename;
+		if (is_dir($filename)) {
+			@chmod($filename, 0777);
+			recursive_unlink($filename);
+		} else {
+			unlink($filename);
+		}
+	}
+
+	return rmdir($dir);
+}
+
+
+/**
+ * Remove queries where $get is appearing.
+ * @param $get the get attribute which should be removed.
+ * @param $queries an array of queries.
+ * @return the same array whithout those where $get is appearing.
+ */
+function remove_query_by_get($get, $queries) {
+	$final_queries = array();
+	foreach ($queries as $key => $query) {
+		if (empty($query['get']) || $query['get'] !== $get) {
+			$final_queries[$key] = $query;
+		}
+	}
+	return $final_queries;
+}
+
+
+/**
+ * Add a value in an array and take care it is unique.
+ * @param $array the array in which we add the value.
+ * @param $value the value to add.
+ */
+function array_push_unique(&$array, $value) {
+	$found = array_search($value, $array) !== false;
+	if (!$found) {
+		$array[] = $value;
+	}
+}
+
+
+/**
+ * Remove a value from an array.
+ * @param $array the array from wich value is removed.
+ * @param $value the value to remove.
+ */
+function array_remove(&$array, $value) {
+	$array = array_diff($array, array($value));
+}
+
+//RFC 4648
+function base64url_encode($data) {
+	return strtr(rtrim(base64_encode($data), '='), '+/', '-_');
+}
+//RFC 4648
+function base64url_decode($data) {
+	return base64_decode(strtr($data, '-_', '+/'));
+}
+
+function _i($icon, $url_only = false) {
+	return FreshRSS_Themes::icon($icon, $url_only);
+}