aboutsummaryrefslogtreecommitdiff
path: root/app/Controllers
diff options
context:
space:
mode:
Diffstat (limited to 'app/Controllers')
-rw-r--r--app/Controllers/authController.php4
-rwxr-xr-xapp/Controllers/javascriptController.php2
-rw-r--r--app/Controllers/subscriptionController.php4
-rw-r--r--app/Controllers/updateController.php2
-rw-r--r--app/Controllers/userController.php14
5 files changed, 20 insertions, 6 deletions
diff --git a/app/Controllers/authController.php b/app/Controllers/authController.php
index 9decba431..1398e4e49 100644
--- a/app/Controllers/authController.php
+++ b/app/Controllers/authController.php
@@ -113,6 +113,10 @@ class FreshRSS_auth_Controller extends Minz_ActionController {
$file_mtime = @filemtime(PUBLIC_PATH . '/scripts/bcrypt.min.js');
Minz_View::appendScript(Minz_Url::display('/scripts/bcrypt.min.js?' . $file_mtime));
+ $conf = Minz_Configuration::get('system');
+ $limits = $conf->limits;
+ $this->view->cookie_days = round($limits['cookie_duration'] / 86400, 1);
+
if (Minz_Request::isPost()) {
$nonce = Minz_Session::param('nonce');
$username = Minz_Request::param('username', '');
diff --git a/app/Controllers/javascriptController.php b/app/Controllers/javascriptController.php
index 00a7b5c38..6336106a9 100755
--- a/app/Controllers/javascriptController.php
+++ b/app/Controllers/javascriptController.php
@@ -26,7 +26,7 @@ class FreshRSS_javascript_Controller extends Minz_ActionController {
header('Pragma: no-cache');
$user = isset($_GET['user']) ? $_GET['user'] : '';
- if (ctype_alnum($user)) {
+ if (FreshRSS_user_Controller::checkUsername($user)) {
try {
$salt = FreshRSS_Context::$system_conf->salt;
$conf = get_user_configuration($user);
diff --git a/app/Controllers/subscriptionController.php b/app/Controllers/subscriptionController.php
index 03d3ee15e..aa9f18663 100644
--- a/app/Controllers/subscriptionController.php
+++ b/app/Controllers/subscriptionController.php
@@ -90,8 +90,8 @@ class FreshRSS_subscription_Controller extends Minz_ActionController {
$values = array(
'name' => Minz_Request::param('name', ''),
'description' => sanitizeHTML(Minz_Request::param('description', '', true)),
- 'website' => Minz_Request::param('website', ''),
- 'url' => Minz_Request::param('url', ''),
+ 'website' => checkUrl(Minz_Request::param('website', '')),
+ 'url' => checkUrl(Minz_Request::param('url', '')),
'category' => $cat,
'pathEntries' => Minz_Request::param('path_entries', ''),
'priority' => intval(Minz_Request::param('priority', 0)),
diff --git a/app/Controllers/updateController.php b/app/Controllers/updateController.php
index 8f939dbdb..b4e8a0bff 100644
--- a/app/Controllers/updateController.php
+++ b/app/Controllers/updateController.php
@@ -162,7 +162,7 @@ class FreshRSS_update_Controller extends Minz_ActionController {
}
public function applyAction() {
- if (!file_exists(UPDATE_FILENAME) || !is_writable(FRESHRSS_PATH)) {
+ if (!file_exists(UPDATE_FILENAME) || !is_writable(FRESHRSS_PATH) || Minz_Configuration::get('system')->disable_update) {
Minz_Request::forward(array('c' => 'update'), true);
}
diff --git a/app/Controllers/userController.php b/app/Controllers/userController.php
index 9d6ae18e6..593e24cf2 100644
--- a/app/Controllers/userController.php
+++ b/app/Controllers/userController.php
@@ -35,6 +35,16 @@ class FreshRSS_user_Controller extends Minz_ActionController {
}
/**
+ * The username is also used as folder name, file name, and part of SQL table name.
+ * '_' is a reserved internal username.
+ */
+ const USERNAME_PATTERN = '[0-9a-zA-Z]|[0-9a-zA-Z_]{2,38}';
+
+ public static function checkUsername($username) {
+ return preg_match('/^' . self::USERNAME_PATTERN . '$/', $username) === 1;
+ }
+
+ /**
* This action displays the user profile page.
*/
public function profileAction() {
@@ -104,7 +114,7 @@ class FreshRSS_user_Controller extends Minz_ActionController {
$userConfig = array();
}
- $ok = ($new_user_name != '') && ctype_alnum($new_user_name);
+ $ok = self::checkUsername($new_user_name);
if ($ok) {
$languages = Minz_Translate::availableLanguages();
@@ -187,7 +197,7 @@ class FreshRSS_user_Controller extends Minz_ActionController {
$db = FreshRSS_Context::$system_conf->db;
require_once(APP_PATH . '/SQL/install.sql.' . $db['type'] . '.php');
- $ok = ctype_alnum($username);
+ $ok = self::checkUsername($username);
if ($ok) {
$default_user = FreshRSS_Context::$system_conf->default_user;
$ok &= (strcasecmp($username, $default_user) !== 0); //It is forbidden to delete the default user
generated by cgit v1.2.3 (git 2.39.1) at 2026-05-08 08:25:04 +0000