diff options
Diffstat (limited to 'app/Controllers/subscriptionController.php')
| -rw-r--r-- | app/Controllers/subscriptionController.php | 44 |
1 files changed, 43 insertions, 1 deletions
diff --git a/app/Controllers/subscriptionController.php b/app/Controllers/subscriptionController.php index 7d41edfa7..58cda4b9b 100644 --- a/app/Controllers/subscriptionController.php +++ b/app/Controllers/subscriptionController.php @@ -46,6 +46,12 @@ class FreshRSS_subscription_Controller extends FreshRSS_ActionController { FreshRSS_View::appendScript(Minz_Url::display('/scripts/feed.js?' . @filemtime(PUBLIC_PATH . '/scripts/feed.js'))); FreshRSS_View::prependTitle(_t('sub.title') . ' · '); + $this->_csp([ + 'default-src' => "'self'", + 'frame-ancestors' => "'none'", + 'img-src' => "'self' blob:", + ]); + $this->view->onlyFeedsWithError = Minz_Request::paramBoolean('error'); $id = Minz_Request::paramInt('id'); @@ -80,6 +86,7 @@ class FreshRSS_subscription_Controller extends FreshRSS_ActionController { * - feed URL * - category id (default: default category id) * - CSS path to article on website + * - favicon * - display in main stream (default: 0) * - HTTP authentication * - number of article to retain (default: -2) @@ -109,6 +116,12 @@ class FreshRSS_subscription_Controller extends FreshRSS_ActionController { FreshRSS_View::prependTitle($feed->name() . ' · ' . _t('sub.title.feed_management') . ' · '); + $this->_csp([ + 'default-src' => "'self'", + 'frame-ancestors' => "'none'", + 'img-src' => "'self' blob:", + ]); + if (Minz_Request::isPost()) { $unicityCriteria = Minz_Request::paramString('unicityCriteria'); if (in_array($unicityCriteria, ['id', '', null], strict: true)) { @@ -309,6 +322,18 @@ class FreshRSS_subscription_Controller extends FreshRSS_ActionController { $feed->_attribute('path_entries_conditions', empty($conditions) ? null : $conditions); $feed->_attribute('path_entries_filter', Minz_Request::paramString('path_entries_filter', true)); + // @phpstan-ignore offsetAccess.nonOffsetAccessible + $favicon_path = isset($_FILES['newFavicon']) ? $_FILES['newFavicon']['tmp_name'] : ''; + // @phpstan-ignore offsetAccess.nonOffsetAccessible + $favicon_size = isset($_FILES['newFavicon']) ? $_FILES['newFavicon']['size'] : 0; + + $favicon_uploaded = $favicon_path !== ''; + + $resetFavicon = Minz_Request::paramBoolean('resetFavicon'); + if ($resetFavicon) { + $feed->resetCustomFavicon(); + } + $values = [ 'name' => Minz_Request::paramString('name'), 'kind' => $feed->kind(), @@ -343,7 +368,24 @@ class FreshRSS_subscription_Controller extends FreshRSS_ActionController { $url_redirect = ['c' => 'subscription', 'params' => ['id' => $id]]; } - if ($values['url'] != '' && $feedDAO->updateFeed($id, $values) !== false) { + if ($favicon_uploaded && !$resetFavicon) { + require_once(LIB_PATH . '/favicons.php'); + $max_size = FreshRSS_Context::systemConf()->limits['max_favicon_upload_size']; + if ($favicon_size > $max_size) { + Minz_Request::bad(_t('feedback.sub.feed.favicon.too_large', format_bytes($max_size)), $url_redirect); + return; + } + try { + $feed->setCustomFavicon(tmpPath: is_string($favicon_path) ? $favicon_path : '', values: $values); + } catch (FreshRSS_UnsupportedImageFormat_Exception $_) { + Minz_Request::bad(_t('feedback.sub.feed.favicon.unsupported_format'), $url_redirect); + return; + } catch (FreshRSS_Feed_Exception $_) { + Minz_Request::bad(_t('feedback.sub.feed.error'), $url_redirect); + return; + } + Minz_Request::good(_t('feedback.sub.feed.updated'), $url_redirect); + } elseif ($values['url'] != '' && $feedDAO->updateFeed($id, $values) !== false) { $feed->_categoryId($values['category']); // update url and website values for faviconPrepare $feed->_url($values['url'], false); |