Diffstat (limited to 'app')
| -rwxr-xr-x | app/Controllers/javascriptController.php | 2 | ||||
| -rw-r--r-- | app/Controllers/subscriptionController.php | 4 | ||||
| -rw-r--r-- | app/Controllers/updateController.php | 2 | ||||
| -rw-r--r-- | app/Controllers/userController.php | 21 | ||||
| -rw-r--r-- | app/Models/Auth.php | 4 | ||||
| -rw-r--r-- | app/Models/EntryDAO.php | 2 | ||||
| -rw-r--r-- | app/Models/Feed.php | 2 | ||||
| -rw-r--r-- | app/Models/FeedDAO.php | 2 | ||||
| -rw-r--r-- | app/Models/UserDAO.php | 2 | ||||
| -rw-r--r-- | app/i18n/cz/gen.php | 2 | ||||
| -rw-r--r-- | app/i18n/de/gen.php | 2 | ||||
| -rw-r--r-- | app/i18n/en/gen.php | 2 | ||||
| -rw-r--r-- | app/i18n/fr/gen.php | 2 | ||||
| -rw-r--r-- | app/i18n/it/gen.php | 2 | ||||
| -rw-r--r-- | app/i18n/nl/gen.php | 4 | ||||
| -rw-r--r-- | app/i18n/ru/gen.php | 2 | ||||
| -rw-r--r-- | app/i18n/tr/gen.php | 2 | ||||
| -rw-r--r-- | app/install.php | 2 | ||||
| -rw-r--r-- | app/layout/aside_configure.phtml | 2 | ||||
| -rw-r--r-- | app/layout/header.phtml | 2 | ||||
| -rw-r--r-- | app/views/auth/formLogin.phtml | 2 | ||||
| -rw-r--r-- | app/views/auth/register.phtml | 2 | ||||
| -rw-r--r-- | app/views/helpers/javascript_vars.phtml | 1 | ||||
| -rw-r--r-- | app/views/index/about.phtml | 2 | ||||
| -rw-r--r-- | app/views/user/manage.phtml | 2 |
25 files changed, 55 insertions, 19 deletions
diff --git a/app/Controllers/javascriptController.php b/app/Controllers/javascriptController.php
index 00a7b5c38..6336106a9 100755
--- a/app/Controllers/javascriptController.php
+++ b/app/Controllers/javascriptController.php
@@ -26,7 +26,7 @@ class FreshRSS_javascript_Controller extends Minz_ActionController {
 header('Pragma: no-cache');
 $user = isset($_GET['user']) ? $_GET['user'] : '';
- if (ctype_alnum($user)) {
+ if (FreshRSS_user_Controller::checkUsername($user)) {
 try {
 $salt = FreshRSS_Context::$system_conf->salt;
 $conf = get_user_configuration($user);
diff --git a/app/Controllers/subscriptionController.php b/app/Controllers/subscriptionController.php
index 03d3ee15e..aa9f18663 100644
--- a/app/Controllers/subscriptionController.php
+++ b/app/Controllers/subscriptionController.php
@@ -90,8 +90,8 @@ class FreshRSS_subscription_Controller extends Minz_ActionController {
 $values = array(
 'name' => Minz_Request::param('name', ''),
 'description' => sanitizeHTML(Minz_Request::param('description', '', true)),
- 'website' => Minz_Request::param('website', ''),
- 'url' => Minz_Request::param('url', ''),
+ 'website' => checkUrl(Minz_Request::param('website', '')),
+ 'url' => checkUrl(Minz_Request::param('url', '')),
 'category' => $cat,
 'pathEntries' => Minz_Request::param('path_entries', ''),
 'priority' => intval(Minz_Request::param('priority', 0)),
diff --git a/app/Controllers/updateController.php b/app/Controllers/updateController.php
index 8f939dbdb..b4e8a0bff 100644
--- a/app/Controllers/updateController.php
+++ b/app/Controllers/updateController.php
@@ -162,7 +162,7 @@ class FreshRSS_update_Controller extends Minz_ActionController {
 }
 public function applyAction() {
- if (!file_exists(UPDATE_FILENAME) || !is_writable(FRESHRSS_PATH)) {
+ if (!file_exists(UPDATE_FILENAME) || !is_writable(FRESHRSS_PATH) || Minz_Configuration::get('system')->disable_update) {
 Minz_Request::forward(array('c' => 'update'), true);
 }
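Review bot: The new `checkUrl(...)` wrappers on `website` and `url` leave a rejected value unhandled: whatever `checkUrl` (defined outside this diff) returns for an invalid URL — presumably `false` or `''` — is written into `$values` and carried into the update as if it were valid, so the user is never told the input was refused. If that is the contract, check the result before using it, e.g. `if ($values['url'] == '') { /* report the invalid URL to the user and stop */ }`, so an empty or false URL cannot replace a working one. The enclosing action continues outside the hunk.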
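Review bot: The `disable_update` guard is added only to `applyAction`, while the matching template hunks (aside_configure.phtml, header.phtml) merely hide the menu entry; if the controller's index/check actions, which are outside this hunk, stay reachable by URL, a deployment that disabled updates still serves the update pages and only the final apply step is blocked. Enforce the setting once for the whole controller — for instance in a `firstAction` that forwards away from the update controller when `Minz_Configuration::get('system')->disable_update` is set — so the UI hiding is a convenience rather than the control. `applyAction` continues outside the hunk.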
diff --git a/app/Controllers/userController.php b/app/Controllers/userController.php
index 9d6ae18e6..f910cecd9 100644
--- a/app/Controllers/userController.php
+++ b/app/Controllers/userController.php
@@ -35,6 +35,16 @@ class FreshRSS_user_Controller extends Minz_ActionController {
 }
 /**
+ * The username is also used as folder name, file name, and part of SQL table name.
+ * '_' is a reserved internal username.
+ */
+ const USERNAME_PATTERN = '[0-9a-zA-Z]|[0-9a-zA-Z_]{2,38}';
+
+ public static function checkUsername($username) {
+ return preg_match('/^' . self::USERNAME_PATTERN . '$/', $username) === 1;
+ }
+
+ /**
 * This action displays the user profile page.
 */
 public function profileAction() {
@@ -104,7 +114,8 @@ class FreshRSS_user_Controller extends Minz_ActionController {
 $userConfig = array();
 }
- $ok = ($new_user_name != '') && ctype_alnum($new_user_name);
+ $ok = self::checkUsername($new_user_name);
+ $homeDir = join_path(DATA_PATH, 'users', $new_user_name);
 if ($ok) {
 $languages = Minz_Translate::availableLanguages();
@@ -114,7 +125,7 @@ class FreshRSS_user_Controller extends Minz_ActionController {
 $ok &= !in_array(strtoupper($new_user_name), array_map('strtoupper', listUsers())); //Not an existing user, case-insensitive
- $configPath = join_path(DATA_PATH, 'users', $new_user_name, 'config.php');
+ $configPath = join_path($homeDir, 'config.php');
 $ok &= !file_exists($configPath);
 }
 if ($ok) {
@@ -131,7 +142,9 @@ class FreshRSS_user_Controller extends Minz_ActionController {
 }
 }
 if ($ok) {
- mkdir(join_path(DATA_PATH, 'users', $new_user_name));
+ if (!is_dir($homeDir)) {
+ mkdir($homeDir);
+ }
 $userConfig['passwordHash'] = $passwordHash;
 $userConfig['apiPasswordHash'] = $apiPasswordHash;
 $ok &= (file_put_contents($configPath, "<?php\n return " . var_export($userConfig, true) . ';') !== false);
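Review bot: `USERNAME_PATTERN` is an unparenthesised alternation, so when `checkUsername` wraps it as `'/^' . self::USERNAME_PATTERN . '$/'` the anchors bind to the two branches separately: `^[0-9a-zA-Z]` accepts any value whose first character is alphanumeric and `[0-9a-zA-Z_]{2,38}$` any value whose last two characters are word characters, which is looser than the `ctype_alnum` it replaces, even though the comment states the value becomes a folder name (`$homeDir`), a file path (`config.php`) and part of a SQL table name. Every caller inherits this — javascriptController.php, the deletion hunk at line 187 below, Auth.php, Feed.php and UserDAO.php — so the fix belongs here: `return preg_match('/^(?:' . self::USERNAME_PATTERN . ')\z/', $username) === 1;` (the `\z` also refuses the trailing newline that `$` tolerates). The HTML `pattern` attributes that reuse the constant are unaffected, because browsers anchor the whole expression themselves. The enclosing class continues outside the hunk.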
@@ -187,7 +200,7 @@ class FreshRSS_user_Controller extends Minz_ActionController {
 $db = FreshRSS_Context::$system_conf->db;
 require_once(APP_PATH . '/SQL/install.sql.' . $db['type'] . '.php');
- $ok = ctype_alnum($username);
+ $ok = self::checkUsername($username);
 if ($ok) {
 $default_user = FreshRSS_Context::$system_conf->default_user;
 $ok &= (strcasecmp($username, $default_user) !== 0); //It is forbidden to delete the default user
diff --git a/app/Models/Auth.php b/app/Models/Auth.php
index b3255cfbd..476627e10 100644
--- a/app/Models/Auth.php
+++ b/app/Models/Auth.php
@@ -182,7 +182,7 @@ class FreshRSS_Auth {
 class FreshRSS_FormAuth {
 public static function checkCredentials($username, $hash, $nonce, $challenge) {
- if (!ctype_alnum($username) ||
+ if (!FreshRSS_user_Controller::checkUsername($username) ||
 !ctype_graph($challenge) ||
 !ctype_alnum($nonce)) {
 Minz_Log::debug('Invalid credential parameters:' .
@@ -211,7 +211,7 @@ class FreshRSS_FormAuth {
 // Token has expired (> 1 month) or does not exist.
 // TODO: 1 month -> use a configuration instead
 @unlink($token_file);
- return array();
+ return array();
 }
 $credentials = @file_get_contents($token_file);
diff --git a/app/Models/EntryDAO.php b/app/Models/EntryDAO.php
index 397471baa..afcde3d7f 100644
--- a/app/Models/EntryDAO.php
+++ b/app/Models/EntryDAO.php
@@ -649,7 +649,7 @@ class FreshRSS_EntryDAO extends Minz_ModelPdo implements FreshRSS_Searchable {
 $values[] = intval($id);
 break;
 case 'A':
- $where .= '1 ';
+ $where .= '1=1 ';
 break;
 default:
 throw new FreshRSS_EntriesGetter_Exception('Bad type in Entry->listByType: [' . $type . ']!');
diff --git a/app/Models/Feed.php b/app/Models/Feed.php
index 97cb1c47e..7a9cf8612 100644
--- a/app/Models/Feed.php
+++ b/app/Models/Feed.php
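Review bot: `FreshRSS_FormAuth::checkCredentials` now reaches into a controller class, `FreshRSS_user_Controller::checkUsername`, and the Feed.php and UserDAO.php hunks do the same, so the models depend on the controller layer for a rule that is really a property of the user identity. A more conventional placement is a model-side home for the constant and the check — for example on `FreshRSS_UserDAO`, which already owns `touch()` and the `users/<name>/config.php` path — with the controller and the templates that echo `USERNAME_PATTERN` referring to it there. This is a structural remark only; the call itself is correct as written. `checkCredentials` continues outside the hunk.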
@@ -442,7 +442,7 @@ class FreshRSS_Feed extends Minz_Model {
 file_put_contents(USERS_PATH . '/_/log_pshb.txt', date('c') . "\t" . $text . "\n", FILE_APPEND);
 }
 $currentUser = Minz_Session::param('currentUser');
- if (ctype_alnum($currentUser) && !file_exists($path . '/' . $currentUser . '.txt')) {
+ if (FreshRSS_user_Controller::checkUsername($currentUser) && !file_exists($path . '/' . $currentUser . '.txt')) {
 touch($path . '/' . $currentUser . '.txt');
 }
 }
diff --git a/app/Models/FeedDAO.php b/app/Models/FeedDAO.php
index 68398efd5..0168aebd9 100644
--- a/app/Models/FeedDAO.php
+++ b/app/Models/FeedDAO.php
@@ -67,7 +67,7 @@ class FreshRSS_FeedDAO extends Minz_ModelPdo implements FreshRSS_Searchable {
 $set = '';
 foreach ($valuesTmp as $key => $v) {
- $set .= $key . '=?, ';
+ $set .= '`' . $key . '`=?, ';
 if ($key == 'httpAuth') {
 $valuesTmp[$key] = base64_encode($v);
diff --git a/app/Models/UserDAO.php b/app/Models/UserDAO.php
index 32bc6de2f..a60caf395 100644
--- a/app/Models/UserDAO.php
+++ b/app/Models/UserDAO.php
@@ -85,7 +85,7 @@ class FreshRSS_UserDAO extends Minz_ModelPdo {
 }
 public static function touch($username = '') {
- if (($username == '') || (!ctype_alnum($username))) {
+ if (!FreshRSS_user_Controller::checkUsername($username)) {
 $username = Minz_Session::param('currentUser', '_');
 }
 return touch(join_path(DATA_PATH , 'users', $username, 'config.php'));
diff --git a/app/i18n/cz/gen.php b/app/i18n/cz/gen.php
index 3db3a31da..e6aadfc02 100644
--- a/app/i18n/cz/gen.php
+++ b/app/i18n/cz/gen.php
@@ -165,6 +165,8 @@ return array(
 'wallabag' => 'wallabag v1',
 'wallabagv2' => 'wallabag v2',
 'jdh' => 'Journal du hacker',
+ 'Known' => 'Known based sites',
+ 'gnusocial' => 'GNU social',
 ),
 'short' => array(
 'attention' => 'Upozornění!',
diff --git a/app/i18n/de/gen.php b/app/i18n/de/gen.php
index c73aedbfe..4b171a04d 100644
--- a/app/i18n/de/gen.php
+++ b/app/i18n/de/gen.php
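Review bot: Backtick-quoting `$key` in the FeedDAO SET clause is MySQL (and, by compatibility, SQLite) identifier syntax; the userController hunk loads `install.sql.<type>.php` per `$db['type']`, so if a PostgreSQL backend is among the supported types this UPDATE now fails there, since PostgreSQL quotes identifiers with double quotes. Quoting also does not make `$key` safe if the keys of `$valuesTmp` can originate from request data, which cannot be determined from the hunk: an identifier cannot be bound as a parameter, so the robust form is to accept only a fixed list of column names inside the loop, e.g. `if (!in_array($key, $allowedColumns, true)) { continue; }` where `$allowedColumns` is a constructed placeholder for the feed table's column list. The enclosing method continues outside the hunk.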
@@ -165,6 +165,8 @@ return array(
 'wallabag' => 'wallabag v1',
 'wallabagv2' => 'wallabag v2',
 'jdh' => 'Journal du hacker',
+ 'Known' => 'Known based sites',
+ 'gnusocial' => 'GNU social',
 ),
 'short' => array(
 'attention' => 'Achtung!',
diff --git a/app/i18n/en/gen.php b/app/i18n/en/gen.php
index 3f86cfd19..1ee5336bd 100644
--- a/app/i18n/en/gen.php
+++ b/app/i18n/en/gen.php
@@ -165,6 +165,8 @@ return array(
 'wallabag' => 'wallabag v1',
 'wallabagv2' => 'wallabag v2',
 'jdh' => 'Journal du hacker',
+ 'Known' => 'Known based sites',
+ 'gnusocial' => 'GNU social',
 ),
 'short' => array(
 'attention' => 'Warning!',
diff --git a/app/i18n/fr/gen.php b/app/i18n/fr/gen.php
index b5dc098ae..43825f798 100644
--- a/app/i18n/fr/gen.php
+++ b/app/i18n/fr/gen.php
@@ -165,6 +165,8 @@ return array(
 'wallabag' => 'wallabag v1',
 'wallabagv2' => 'wallabag v2',
 'jdh' => 'Journal du hacker',
+ 'Known' => 'Sites basés sur Known',
+ 'gnusocial' => 'GNU social',
 ),
 'short' => array(
 'attention' => 'Attention !',
diff --git a/app/i18n/it/gen.php b/app/i18n/it/gen.php
index a9a8709d3..ec6de84de 100644
--- a/app/i18n/it/gen.php
+++ b/app/i18n/it/gen.php
@@ -165,6 +165,8 @@ return array(
 'wallabag' => 'wallabag v1',
 'wallabagv2' => 'wallabag v2',
 'jdh' => 'Journal du hacker',
+ 'Known' => 'Siti basati su Known',
+ 'gnusocial' => 'GNU social',
 ),
 'short' => array(
 'attention' => 'Attenzione!',
diff --git a/app/i18n/nl/gen.php b/app/i18n/nl/gen.php
index 83811ce68..11e82cb4d 100644
--- a/app/i18n/nl/gen.php
+++ b/app/i18n/nl/gen.php
@@ -163,8 +163,10 @@ return array(
 'shaarli' => 'Shaarli',
 'twitter' => 'Twitter',
 'wallabag' => 'wallabag v1',
- 'wallabagv2' => 'wallabag v2',
+ 'wallabagv2' => 'wallabag v2',
 'jdh' => 'Journal du hacker',
+ 'Known' => 'Known based sites',
+ 'gnusocial' => 'GNU social',
 ),
 'short' => array(
 'attention' => 'Attentie!',
diff --git a/app/i18n/ru/gen.php b/app/i18n/ru/gen.php
index bc42afaa8..c913b8720 100644
--- a/app/i18n/ru/gen.php
+++ b/app/i18n/ru/gen.php
@@ -165,6 +165,8 @@ return array(
 'twitter' => 'Twitter',
 'wallabag' => 'wallabag v1',
 'wallabagv2' => 'wallabag v2',
+ 'Known' => 'Known based sites',
+ 'gnusocial' => 'GNU social',
 ),
 'short' => array(
 'attention' => 'Warning!',
diff --git a/app/i18n/tr/gen.php b/app/i18n/tr/gen.php
index bcc839daf..4da0206ec 100644
--- a/app/i18n/tr/gen.php
+++ b/app/i18n/tr/gen.php
@@ -165,6 +165,8 @@ return array(
 'wallabag' => 'wallabag v1',
 'wallabagv2' => 'wallabag v2',
 'jdh' => 'Journal du hacker',
+ 'Known' => 'Known based sites',
+ 'gnusocial' => 'GNU social',
 ),
 'short' => array(
 'attention' => 'Tehlike!',
diff --git a/app/install.php b/app/install.php
index 986a7dc60..9a88e0f37 100644
--- a/app/install.php
+++ b/app/install.php
@@ -553,7 +553,7 @@ function printStep2() {
 <div class="form-group">
 <label class="group-name" for="default_user"><?php echo _t('install.default_user'); ?></label>
 <div class="group-controls">
- <input type="text" id="default_user" name="default_user" required="required" size="16" maxlength="16" pattern="[0-9a-zA-Z]{1,16}" value="<?php echo isset($_SESSION['default_user']) ? $_SESSION['default_user'] : ''; ?>" placeholder="<?php echo httpAuthUser() == '' ? 'alice' : httpAuthUser(); ?>" tabindex="3" />
+ <input type="text" id="default_user" name="default_user" required="required" size="16" pattern="<?php echo FreshRSS_user_Controller::USERNAME_PATTERN; ?>" value="<?php echo isset($_SESSION['default_user']) ? $_SESSION['default_user'] : ''; ?>" placeholder="<?php echo httpAuthUser() == '' ? 'alice' : httpAuthUser(); ?>" tabindex="3" />
 </div>
 </div>
diff --git a/app/layout/aside_configure.phtml b/app/layout/aside_configure.phtml
index d956ec21f..94f5b1f6c 100644
--- a/app/layout/aside_configure.phtml
+++ b/app/layout/aside_configure.phtml
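Review bot: The `default_user` input in install.php now relies on the client-side `pattern` alone, since `maxlength="16"` is dropped, but the installer's server-side handling of the posted `default_user` is not part of this diff; confirm it validates with `FreshRSS_user_Controller::checkUsername` rather than the previous 16-character alphanumeric rule, otherwise the form and the installer disagree on which names are acceptable. On the same new line `$_SESSION['default_user']` and `httpAuthUser()` are echoed into attribute values unescaped; both are values the installer itself stored or read, so wrapping them as `htmlspecialchars($_SESSION['default_user'], ENT_QUOTES)` is cheap and removes the question. `size="16"` is also narrower than the 38 characters the pattern permits, which is cosmetic. `printStep2` continues outside the hunk.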
@@ -41,9 +41,11 @@ Minz_Request::actionName() === 'checkInstall' ? ' active' : ''; ?>"> <a href="<?php echo _url('update', 'checkInstall'); ?>"><?php echo _t('gen.menu.check_install'); ?></a> </li> + <?php if (!Minz_Configuration::get('system')->disable_update) { ?> <li class="item<?php echo Minz_Request::controllerName() === 'update' && Minz_Request::actionName() === 'index' ? ' active' : ''; ?>"> <a href="<?php echo _url('update', 'index'); ?>"><?php echo _t('gen.menu.update'); ?></a> </li> <?php } ?> + <?php } ?> </ul> diff --git a/app/layout/header.phtml b/app/layout/header.phtml index 238c664b0..e589ed7ef 100644 --- a/app/layout/header.phtml +++ b/app/layout/header.phtml @@ -71,8 +71,10 @@ if (FreshRSS_Auth::accessNeedsAction()) { <li class="item"><a href="<?php echo _url('user', 'manage'); ?>"><?php echo _t('gen.menu.user_management'); ?></a></li> <li class="item"><a href="<?php echo _url('auth', 'index'); ?>"><?php echo _t('gen.menu.authentication'); ?></a></li> <li class="item"><a href="<?php echo _url('update', 'checkInstall'); ?>"><?php echo _t('gen.menu.check_install'); ?></a></li> + <?php if (!Minz_Configuration::get('system')->disable_update) { ?> <li class="item"><a href="<?php echo _url('update', 'index'); ?>"><?php echo _t('gen.menu.update'); ?></a></li> <?php } ?> + <?php } ?> <li class="separator"></li> <li class="item"><a href="<?php echo _url('stats', 'index'); ?>"><?php echo _t('gen.menu.stats'); ?></a></li> <li class="item"><a href="<?php echo _url('index', 'logs'); ?>"><?php echo _t('gen.menu.logs'); ?></a></li> diff --git a/app/views/auth/formLogin.phtml b/app/views/auth/formLogin.phtml index a8213b7ae..99be6059c 100644 --- a/app/views/auth/formLogin.phtml +++ b/app/views/auth/formLogin.phtml 
@@ -9,7 +9,7 @@ <input type="hidden" name="_csrf" value="<?php echo FreshRSS_Auth::csrfToken(); ?>" /> <div> <label for="username"><?php echo _t('gen.auth.username'); ?></label> - <input type="text" id="username" name="username" size="16" required="required" maxlength="16" pattern="[0-9a-zA-Z]{1,16}" autofocus="autofocus" /> + <input type="text" id="username" name="username" size="16" required="required" pattern="<?php echo FreshRSS_user_Controller::USERNAME_PATTERN; ?>" autofocus="autofocus" /> </div> <div> <label for="passwordPlain"><?php echo _t('gen.auth.password'); ?></label> diff --git a/app/views/auth/register.phtml b/app/views/auth/register.phtml index 1f9976391..23bda25ce 100644 --- a/app/views/auth/register.phtml +++ b/app/views/auth/register.phtml @@ -5,7 +5,7 @@ <input type="hidden" name="_csrf" value="<?php echo FreshRSS_Auth::csrfToken(); ?>" /> <div> <label class="group-name" for="new_user_name"><?php echo _t('gen.auth.username'), '<br />', _i('help'), ' ', _t('gen.auth.username.format'); ?></label> - <input id="new_user_name" name="new_user_name" type="text" size="16" required="required" maxlength="16" autocomplete="off" pattern="[0-9a-zA-Z]{1,16}" /> + <input id="new_user_name" name="new_user_name" type="text" size="16" required="required" autocomplete="off" pattern="<?php echo FreshRSS_user_Controller::USERNAME_PATTERN; ?>" /> </div> <div> diff --git a/app/views/helpers/javascript_vars.phtml b/app/views/helpers/javascript_vars.phtml index 745baa195..059224305 100644 --- a/app/views/helpers/javascript_vars.phtml +++ b/app/views/helpers/javascript_vars.phtml 
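Review bot: The register form's label still prints `_t('gen.auth.username.format')`, and none of the i18n hunks in this commit touch that key, so its text most likely still describes the old alphanumeric, 16-character rule while the input now enforces `USERNAME_PATTERN`. Update the help text in each `gen.php` to describe the new rule — letters, digits and underscore, up to 38 characters, with a single-character name restricted to a letter or digit — so users are not told one thing and validated against another. The same applies to the login form hunk above and user/manage.phtml below, which reuse the pattern without any adjacent hint.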
@@ -3,6 +3,7 @@ $mark = FreshRSS_Context::$user_conf->mark_when; $s = FreshRSS_Context::$user_conf->shortcuts; echo htmlspecialchars(json_encode(array( 'context' => array( + 'anonymous' => !FreshRSS_Auth::hasAccess(), 'auto_remove_article' => !!FreshRSS_Context::isAutoRemoveAvailable(), 'hide_posts' => !(FreshRSS_Context::$user_conf->display_posts || Minz_Request::actionName() === 'reader'), 'display_order' => Minz_Request::param('order', FreshRSS_Context::$user_conf->sort_order), diff --git a/app/views/index/about.phtml b/app/views/index/about.phtml index 3fdb5160d..649729952 100644 --- a/app/views/index/about.phtml +++ b/app/views/index/about.phtml @@ -13,8 +13,10 @@ <dt><?php echo _t('index.about.license'); ?></dt> <dd><?php echo _t('index.about.agpl3'); ?></dd> + <?php if (FreshRSS_Auth::hasAccess()): ?> <dt><?php echo _t('index.about.version'); ?></dt> <dd><?php echo FRESHRSS_VERSION; ?></dd> + <?php endif; ?> </dl> <p><?php echo _t('index.about.freshrss_description'); ?></p> diff --git a/app/views/user/manage.phtml b/app/views/user/manage.phtml index a32247d14..793a3a0bd 100644 --- a/app/views/user/manage.phtml +++ b/app/views/user/manage.phtml @@ -22,7 +22,7 @@ <div class="form-group"> <label class="group-name" for="new_user_name"><?php echo _t('admin.user.username'); ?></label> <div class="group-controls"> - <input id="new_user_name" name="new_user_name" type="text" size="16" required="required" maxlength="16" autocomplete="off" pattern="[0-9a-zA-Z]{1,16}" placeholder="demo" /> + <input id="new_user_name" name="new_user_name" type="text" size="16" required="required" autocomplete="off" pattern="<?php echo FreshRSS_user_Controller::USERNAME_PATTERN; ?>" placeholder="demo" /> </div> </div> |
