Diffstat (limited to 'app/Models')
| -rw-r--r-- | app/Models/Auth.php | 17 | ||||
| -rw-r--r-- | app/Models/EntryDAO.php | 2 | ||||
| -rw-r--r-- | app/Models/Feed.php | 2 | ||||
| -rw-r--r-- | app/Models/FeedDAO.php | 2 | ||||
| -rw-r--r-- | app/Models/UserDAO.php | 2 |
5 files changed, 15 insertions, 10 deletions
diff --git a/app/Models/Auth.php b/app/Models/Auth.php
index 3313fdf3f..476627e10 100644
--- a/app/Models/Auth.php
+++ b/app/Models/Auth.php
@@ -182,7 +182,7 @@ class FreshRSS_Auth {
 class FreshRSS_FormAuth {
 public static function checkCredentials($username, $hash, $nonce, $challenge) {
- if (!ctype_alnum($username) ||
+ if (!FreshRSS_user_Controller::checkUsername($username) ||
 !ctype_graph($challenge) ||
 !ctype_alnum($nonce)) {
 Minz_Log::debug('Invalid credential parameters:' .
@@ -211,7 +211,7 @@ class FreshRSS_FormAuth {
 // Token has expired (> 1 month) or does not exist.
 // TODO: 1 month -> use a configuration instead
 @unlink($token_file);
- return array();
+ return array();
 }
 $credentials = @file_get_contents($token_file);
@@ -219,8 +219,8 @@ class FreshRSS_FormAuth {
 }
 public static function makeCookie($username, $password_hash) {
+ $conf = Minz_Configuration::get('system');
 do {
- $conf = Minz_Configuration::get('system');
 $token = sha1($conf->salt . $username . uniqid(mt_rand(), true));
 $token_file = DATA_PATH . '/tokens/' . $token . '.txt';
 } while (file_exists($token_file));
@@ -229,15 +229,17 @@ class FreshRSS_FormAuth {
 return false;
 }
- $expire = time() + 2629744; //1 month //TODO: Use a configuration instead
+ $limits = $conf->limits;
+ $cookie_duration = empty($limits['cookie_duration']) ? 2629744 : $limits['cookie_duration'];
+ $expire = time() + $cookie_duration;
 Minz_Session::setLongTermCookie('FreshRSS_login', $token, $expire);
 return $token;
 }
 public static function deleteCookie() {
 $token = Minz_Session::getLongTermCookie('FreshRSS_login');
- Minz_Session::deleteLongTermCookie('FreshRSS_login');
 if (ctype_alnum($token)) {
+ Minz_Session::deleteLongTermCookie('FreshRSS_login');
 @unlink(DATA_PATH . '/tokens/' . $token . '.txt');
 }
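Review bot: The token built in makeCookie is still `sha1($conf->salt . $username . uniqid(mt_rand(), true))`, so the unpredictability of this long-term login cookie rests on the secrecy of `$conf->salt` rather than on a cryptographic RNG; mt_rand() and uniqid() are not CSPRNGs. If the supported PHP baseline allows it, deriving the token from `bin2hex(random_bytes(20))` (or openssl_random_pseudo_bytes on older PHP) removes that dependency, and the do/while collision loop keeps working unchanged. Hoisting `$conf` out of the loop is fine and it is now also reused by the expiry code later in the same function. makeCookie's body continues outside this hunk.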
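Review bot: In deleteCookie, `Minz_Session::deleteLongTermCookie('FreshRSS_login')` has moved inside `if (ctype_alnum($token))`, so a cookie whose value is not alphanumeric is no longer cleared on logout and the browser keeps re-sending it; unless there is a reason to skip the deletion, it should stay unconditional as it was, with only the `@unlink` gated by the check. The new `$cookie_duration` is taken from `$limits['cookie_duration']` and added to `time()` without a cast, so a string or float from the configuration flows straight into the cookie expiry; `$cookie_duration = empty($limits['cookie_duration']) ? 2629744 : intval($limits['cookie_duration']);` pins it to an int. The same two lines are duplicated in purgeTokens in the next hunk, so a small private static helper returning the duration would keep both in sync and give the cast one home.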
@@ -247,7 +249,10 @@ class FreshRSS_FormAuth {
 }
 public static function purgeTokens() {
- $oldest = time() - 2629744; // 1 month // TODO: Use a configuration instead
+ $conf = Minz_Configuration::get('system');
+ $limits = $conf->limits;
+ $cookie_duration = empty($limits['cookie_duration']) ? 2629744 : $limits['cookie_duration'];
+ $oldest = time() - $cookie_duration;
 foreach (new DirectoryIterator(DATA_PATH . '/tokens/') as $file_info) {
 // $extension = $file_info->getExtension(); doesn't work in PHP < 5.3.7
 $extension = pathinfo($file_info->getFilename(), PATHINFO_EXTENSION);
diff --git a/app/Models/EntryDAO.php b/app/Models/EntryDAO.php
index 397471baa..afcde3d7f 100644
--- a/app/Models/EntryDAO.php
+++ b/app/Models/EntryDAO.php
@@ -649,7 +649,7 @@ class FreshRSS_EntryDAO extends Minz_ModelPdo implements FreshRSS_Searchable {
 $values[] = intval($id);
 break;
 case 'A':
- $where .= '1 ';
+ $where .= '1=1 ';
 break;
 default:
 throw new FreshRSS_EntriesGetter_Exception('Bad type in Entry->listByType: [' . $type . ']!');
diff --git a/app/Models/Feed.php b/app/Models/Feed.php
index 97cb1c47e..7a9cf8612 100644
--- a/app/Models/Feed.php
+++ b/app/Models/Feed.php
@@ -442,7 +442,7 @@ class FreshRSS_Feed extends Minz_Model {
 file_put_contents(USERS_PATH . '/_/log_pshb.txt', date('c') . "\t" . $text . "\n", FILE_APPEND);
 }
 $currentUser = Minz_Session::param('currentUser');
- if (ctype_alnum($currentUser) && !file_exists($path . '/' . $currentUser . '.txt')) {
+ if (FreshRSS_user_Controller::checkUsername($currentUser) && !file_exists($path . '/' . $currentUser . '.txt')) {
 touch($path . '/' . $currentUser . '.txt');
 }
 }
diff --git a/app/Models/FeedDAO.php b/app/Models/FeedDAO.php
index 68398efd5..0168aebd9 100644
--- a/app/Models/FeedDAO.php
+++ b/app/Models/FeedDAO.php
@@ -67,7 +67,7 @@ class FreshRSS_FeedDAO extends Minz_ModelPdo implements FreshRSS_Searchable {
 $set = '';
 foreach ($valuesTmp as $key => $v) {
- $set .= $key . '=?, ';
+ $set .= '`' . $key . '`=?, ';
 if ($key == 'httpAuth') {
 $valuesTmp[$key] = base64_encode($v);
diff --git a/app/Models/UserDAO.php b/app/Models/UserDAO.php
index 32bc6de2f..a60caf395 100644
--- a/app/Models/UserDAO.php
+++ b/app/Models/UserDAO.php
@@ -85,7 +85,7 @@ class FreshRSS_UserDAO extends Minz_ModelPdo {
 }
 public static function touch($username = '') {
- if (($username == '') || (!ctype_alnum($username))) {
+ if (!FreshRSS_user_Controller::checkUsername($username)) {
 $username = Minz_Session::param('currentUser', '_');
 }
 return touch(join_path(DATA_PATH , 'users', $username, 'config.php'));
|
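Review bot: Wrapping `$key` in backticks in the `$set` builder handles reserved-word column names but does not make the column list safe: the key is still concatenated unescaped, so if the keys of `$valuesTmp` can be influenced by the caller they must be checked against the table's known column names before this loop, and the backtick quoting must not be mistaken for escaping. Backtick identifiers are also MySQL/SQLite syntax; if the PDO layer is meant to support other drivers that is worth noting. A comment on the loop such as `// $key is spliced into SQL as a column name: callers must pass only known attribute names, the backticks do not escape` would make the expectation explicit. The enclosing method starts outside the hunk, so where the keys come from is not visible here.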
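Review bot: In UserDAO::touch the fallback `Minz_Session::param('currentUser', '_')` is taken when checkUsername rejects `$username`, but the session value itself is not passed through checkUsername before it becomes a path component of `join_path(DATA_PATH , 'users', $username, 'config.php')`. That is presumably safe because the session value was validated when the session was opened, but nothing in this function records that; a note such as `// currentUser from the session is used unvalidated here; confirm it was checked with checkUsername() at login` would make the trust boundary explicit, and if the assumption does not hold the cheaper fix is to apply the same check to the fallback. The class body continues outside this hunk.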
