diff options
Diffstat (limited to 'app/Controllers')
| -rwxr-xr-x | app/Controllers/javascriptController.php | 2 | ||||
| -rw-r--r-- | app/Controllers/subscriptionController.php | 4 | ||||
| -rw-r--r-- | app/Controllers/updateController.php | 2 | ||||
| -rw-r--r-- | app/Controllers/userController.php | 21 |
4 files changed, 21 insertions, 8 deletions
diff --git a/app/Controllers/javascriptController.php b/app/Controllers/javascriptController.php index 00a7b5c38..6336106a9 100755 --- a/app/Controllers/javascriptController.php +++ b/app/Controllers/javascriptController.php @@ -26,7 +26,7 @@ class FreshRSS_javascript_Controller extends Minz_ActionController { header('Pragma: no-cache'); $user = isset($_GET['user']) ? $_GET['user'] : ''; - if (ctype_alnum($user)) { + if (FreshRSS_user_Controller::checkUsername($user)) { try { $salt = FreshRSS_Context::$system_conf->salt; $conf = get_user_configuration($user); diff --git a/app/Controllers/subscriptionController.php b/app/Controllers/subscriptionController.php index 03d3ee15e..aa9f18663 100644 --- a/app/Controllers/subscriptionController.php +++ b/app/Controllers/subscriptionController.php @@ -90,8 +90,8 @@ class FreshRSS_subscription_Controller extends Minz_ActionController { $values = array( 'name' => Minz_Request::param('name', ''), 'description' => sanitizeHTML(Minz_Request::param('description', '', true)), - 'website' => Minz_Request::param('website', ''), - 'url' => Minz_Request::param('url', ''), + 'website' => checkUrl(Minz_Request::param('website', '')), + 'url' => checkUrl(Minz_Request::param('url', '')), 'category' => $cat, 'pathEntries' => Minz_Request::param('path_entries', ''), 'priority' => intval(Minz_Request::param('priority', 0)), diff --git a/app/Controllers/updateController.php b/app/Controllers/updateController.php index 8f939dbdb..b4e8a0bff 100644 --- a/app/Controllers/updateController.php +++ b/app/Controllers/updateController.php @@ -162,7 +162,7 @@ class FreshRSS_update_Controller extends Minz_ActionController { } public function applyAction() { - if (!file_exists(UPDATE_FILENAME) || !is_writable(FRESHRSS_PATH)) { + if (!file_exists(UPDATE_FILENAME) || !is_writable(FRESHRSS_PATH) || Minz_Configuration::get('system')->disable_update) { Minz_Request::forward(array('c' => 'update'), true); } diff --git a/app/Controllers/userController.php b/app/Controllers/userController.php index 9d6ae18e6..f910cecd9 100644 --- a/app/Controllers/userController.php +++ b/app/Controllers/userController.php @@ -35,6 +35,16 @@ class FreshRSS_user_Controller extends Minz_ActionController { } /** + * The username is also used as folder name, file name, and part of SQL table name. + * '_' is a reserved internal username. + */ + const USERNAME_PATTERN = '[0-9a-zA-Z]|[0-9a-zA-Z_]{2,38}'; + + public static function checkUsername($username) { + return preg_match('/^' . self::USERNAME_PATTERN . '$/', $username) === 1; + } + + /** * This action displays the user profile page. */ public function profileAction() { @@ -104,7 +114,8 @@ class FreshRSS_user_Controller extends Minz_ActionController { $userConfig = array(); } - $ok = ($new_user_name != '') && ctype_alnum($new_user_name); + $ok = self::checkUsername($new_user_name); + $homeDir = join_path(DATA_PATH, 'users', $new_user_name); if ($ok) { $languages = Minz_Translate::availableLanguages(); @@ -114,7 +125,7 @@ class FreshRSS_user_Controller extends Minz_ActionController { $ok &= !in_array(strtoupper($new_user_name), array_map('strtoupper', listUsers())); //Not an existing user, case-insensitive - $configPath = join_path(DATA_PATH, 'users', $new_user_name, 'config.php'); + $configPath = join_path($homeDir, 'config.php'); $ok &= !file_exists($configPath); } if ($ok) { @@ -131,7 +142,9 @@ class FreshRSS_user_Controller extends Minz_ActionController { } } if ($ok) { - mkdir(join_path(DATA_PATH, 'users', $new_user_name)); + if (!is_dir($homeDir)) { + mkdir($homeDir); + } $userConfig['passwordHash'] = $passwordHash; $userConfig['apiPasswordHash'] = $apiPasswordHash; $ok &= (file_put_contents($configPath, "<?php\n return " . var_export($userConfig, true) . ';') !== false); @@ -187,7 +200,7 @@ class FreshRSS_user_Controller extends Minz_ActionController { $db = FreshRSS_Context::$system_conf->db; require_once(APP_PATH . '/SQL/install.sql.' . $db['type'] . '.php'); - $ok = ctype_alnum($username); + $ok = self::checkUsername($username); if ($ok) { $default_user = FreshRSS_Context::$system_conf->default_user; $ok &= (strcasecmp($username, $default_user) !== 0); //It is forbidden to delete the default user |