From 7bb28c3f2b77b109451e2514e83fa99789fee35e Mon Sep 17 00:00:00 2001
From: Alexandre Alapetite
Date: Sun, 25 Oct 2015 13:24:48 +0100
Subject: HTTP 403 for invalid login https://github.com/FreshRSS/FreshRSS/issues/1015 And does not leak if user exists or not
---
 app/Controllers/javascriptController.php | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
(limited to 'app/Controllers/javascriptController.php')
diff --git a/app/Controllers/javascriptController.php b/app/Controllers/javascriptController.php
index 421cf6f72..f8746240c 100755
--- a/app/Controllers/javascriptController.php
+++ b/app/Controllers/javascriptController.php
@@ -43,7 +43,11 @@ class FreshRSS_javascript_Controller extends Minz_ActionController {
 } else {
 Minz_Log::notice('Nonce failure due to invalid username!');
 }
- $this->view->nonce = ''; //Failure
- $this->view->salt1 = '';
+ //Failure: Return random data.
+ $this->view->salt1 = sprintf('$2a$%02d$', FreshRSS_user_Controller::BCRYPT_COST);
+ for ($i = 22; $i > 0; $i--) {
+ $this->view->salt1 .= './ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'[rand(0, 63)];
+ }
+ $this->view->nonce = sha1(rand());
 }
 }
--
cgit v1.2.3
From c992b683a8467de60136e4d4b1860f06a746c6b1 Mon Sep 17 00:00:00 2001
From: Alexandre Alapetite
Date: Mon, 26 Oct 2015 17:38:32 +0100
Subject: PHP 5.2 compatibility https://github.com/FreshRSS/FreshRSS/pull/1016 https://github.com/FreshRSS/FreshRSS/issues/1015 It is first PHP 5.5 that added support for accessing characters within string literals using []...
---
 app/Controllers/javascriptController.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
(limited to 'app/Controllers/javascriptController.php')
diff --git a/app/Controllers/javascriptController.php b/app/Controllers/javascriptController.php
index f8746240c..e3ae3669e 100755
--- a/app/Controllers/javascriptController.php
+++ b/app/Controllers/javascriptController.php
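Review bot: The decoy `salt1` built in the added lines is drawn from `rand()` on every request, so an unknown user answers with a different salt1 each time while an existing user always gets the stored one; two requests for the same name still reveal whether the account exists, which is the leak the commit sets out to close. Make the decoy a deterministic function of the requested name and a server-side secret (e.g. `FreshRSS_Context::$system_conf->salt`, which this action reads for valid users just above the hunk) so it is stable per name; `rand()` is also not a cryptographic source, whereas the nonce may stay random since a real nonce changes per request anyway. The same `rand()` calls survive in the PHP 5.2 follow-up hunk (@@ -45,8 +45,9 @@). The enclosing action starts before the hunk, and the sketch below assumes `$user` (read from `$_GET['user']` earlier in the action) is in scope.
```php
// … unchanged: nonce-failure logging …
//Failure: return stable decoy data, so a nonexistent user is indistinguishable from a real one across requests.
$decoy = hash_hmac('sha256', 'salt1:' . $user, FreshRSS_Context::$system_conf->salt, true);
$alphabet = './ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
$this->view->salt1 = sprintf('$2a$%02d$', FreshRSS_user_Controller::BCRYPT_COST);
for ($i = 0; $i < 22; $i++) {
	$this->view->salt1 .= $alphabet[ord($decoy[$i]) % 64];
}
// … unchanged: $this->view->nonce …
```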
@@ -45,8 +45,9 @@ class FreshRSS_javascript_Controller extends Minz_ActionController {
 }
 //Failure: Return random data.
 $this->view->salt1 = sprintf('$2a$%02d$', FreshRSS_user_Controller::BCRYPT_COST);
+ $alphabet = './ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
 for ($i = 22; $i > 0; $i--) {
- $this->view->salt1 .= './ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'[rand(0, 63)];
+ $this->view->salt1 .= $alphabet[rand(0, 63)];
 }
 $this->view->nonce = sha1(rand());
 }
--
cgit v1.2.3
From c9d3d78340e062b9e2fe19c8c55b8bdc75392e63 Mon Sep 17 00:00:00 2001
From: Alexandre Alapetite
Date: Sat, 27 Feb 2016 17:51:13 +0100
Subject: CSP manually refreshing feeds https://github.com/FreshRSS/FreshRSS/issues/1075
---
 app/Controllers/javascriptController.php | 2 +-
 app/views/javascript/actualize.phtml | 69 ++++++--------------------------
 p/scripts/main.js | 44 +++++++++++++++++---
 3 files changed, 53 insertions(+), 62 deletions(-)
(limited to 'app/Controllers/javascriptController.php')
diff --git a/app/Controllers/javascriptController.php b/app/Controllers/javascriptController.php
index e3ae3669e..00a7b5c38 100755
--- a/app/Controllers/javascriptController.php
+++ b/app/Controllers/javascriptController.php
@@ -6,7 +6,7 @@ class FreshRSS_javascript_Controller extends Minz_ActionController {
 }
 public function actualizeAction() {
- header('Content-Type: text/javascript; charset=UTF-8');
+ header('Content-Type: application/json; charset=UTF-8');
 $feedDAO = FreshRSS_Factory::createFeedDao();
 $this->view->feeds = $feedDAO->listFeedsOrderUpdate(FreshRSS_Context::$user_conf->ttl_default);
 }
diff --git a/app/views/javascript/actualize.phtml b/app/views/javascript/actualize.phtml
index 454228909..3baabf748 100644
--- a/app/views/javascript/actualize.phtml
+++ b/app/views/javascript/actualize.phtml
@@ -1,56 +1,13 @@ -"use strict"; -var feeds = [feeds as $feed) { ?>{url: " 'feed', 'a' => 'actualize', 'params' => array('id' => $feed->id(), 'ajax' => '1')), 'php'); ?>",title: "name(); ?>"},], - feed_processed = 0, - feed_count = feeds.length; - -function initProgressBar(init) { - if (init) { - $("body").after("\
\ -
/
\ - 0 / " + feed_count + "\ -
"); - } else { - window.location.reload(); - } -} -function updateProgressBar(i, title_feed) { - $("#actualizeProgress .progress").html(i + " / " + feed_count); - $("#actualizeProgress .title").html(title_feed); -} - -function updateFeeds() { - if (feed_count === 0) { - openNotification("", "good"); - ajax_loading = false; - return; - } - initProgressBar(true); - - for (var i = 0; i < 10; i++) { - updateFeed(); - } -} - -function updateFeed() { - var feed = feeds.pop(); - if (feed == undefined) { - return; - } - - $.ajax({ - type: 'POST', - url: feed['url'], - }).complete(function (data) { - feed_processed++; - updateProgressBar(feed_processed, feed['title']); - - if (feed_processed === feed_count) { - initProgressBar(false); - } else { - updateFeed(); - } - }); -} +feeds as $feed) { + $feeds[] = array( + 'url' => Minz_Url::display(array('c' => 'feed', 'a' => 'actualize', 'params' => array('id' => $feed->id(), 'ajax' => '1')), 'php'), + 'title' => $feed->name(), + ); +} +echo json_encode(array( + 'feeds' => $feeds, + 'feedback_no_refresh' => _t('feedback.sub.feed.no_refresh'), + 'feedback_actualize' => _t('feedback.sub.actualize'), +)); diff --git a/p/scripts/main.js b/p/scripts/main.js index d62a6aff8..51c8f4cbf 100644 --- a/p/scripts/main.js +++ b/p/scripts/main.js @@ -767,6 +767,31 @@ function init_nav_entries() { }); } +// +var feed_processed = 0; + +function updateFeed(feeds, feeds_count) { + var feed = feeds.pop(); + if (feed == undefined) { + return; + } + + $.ajax({ + type: 'POST', + url: feed['url'], + }).complete(function (data) { + feed_processed++; + $("#actualizeProgress .progress").html(feed_processed + " / " + feeds_count); + $("#actualizeProgress .title").html(feed['title']); + + if (feed_processed === feeds_count) { + window.location.reload(); + } else { + updateFeed(feeds, feeds_count); + } + }); +} + function init_actualize() { var auto = false; 
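Review bot: `$("#actualizeProgress .title").html(feed['title'])` in the new updateFeed writes the feed name into the page as HTML; that name is carried unescaped from `$feed->name()` through the JSON built in actualize.phtml, so a title containing markup is rendered as markup (DOM XSS, and feed titles may be attacker-influenced if they are taken from the remote feed). Use `$("#actualizeProgress .title").text(feed['title']);` and, for consistency, `.text(feed_processed + " / " + feeds_count)` on the line above it. The removed inline-script version had the same exposure through its JS string literal, so this is not a regression, but the JSON path is where to close it. The module-level `feed_processed` counter is never reset; the `window.location.reload()` on completion presumably masks that, but a failed refresh leaves it stale.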
@@ -777,14 +802,23 @@ function init_actualize() { ajax_loading = true; - $.getScript('./?c=javascript&a=actualize').done(function () { - if (auto && feed_count < 1) { + $.getJSON('./?c=javascript&a=actualize').done(function (data) { + if (auto && data.feeds.length < 1) { auto = false; ajax_loading = false; return false; } - - updateFeeds(); + if (data.feeds.length === 0) { + openNotification(data.feedback_no_refresh, "good"); + ajax_loading = false; + return; + } + //Progress bar + var feeds_count = data.feeds.length; + $('body').after('
' + data.feedback_actualize + '
/
0 / ' + feeds_count + '
'); + for (var i = 10; i > 0; i--) { + updateFeed(data.feeds, feeds_count); + } }); return false; @@ -795,7 +829,7 @@ function init_actualize() { $("#actualize").click(); } } - +//
// var notification = null,
--
cgit v1.2.3
From 271a1fdc8900a8b2c32675c22dce1cc458209de4 Mon Sep 17 00:00:00 2001
From: Alexandre Alapetite
Date: Sat, 25 Feb 2017 12:39:08 +0100
Subject: Missing checkUsername and const patten https://github.com/FreshRSS/FreshRSS/pull/1423 https://github.com/YunoHost-Apps/freshrss_ynh/issues/27#issuecomment-279792363
---
 app/Controllers/javascriptController.php | 2 +-
 app/Controllers/userController.php | 9 +++++++--
 app/Models/Feed.php | 2 +-
 app/Models/UserDAO.php | 2 +-
 app/install.php | 2 +-
 app/views/auth/formLogin.phtml | 2 +-
 app/views/auth/register.phtml | 2 +-
 app/views/user/manage.phtml | 2 +-
 cli/reconfigure.php | 2 +-
 lib/lib_rss.php | 2 +-
 p/api/greader.php | 2 +-
 11 files changed, 17 insertions(+), 12 deletions(-)
(limited to 'app/Controllers/javascriptController.php')
diff --git a/app/Controllers/javascriptController.php b/app/Controllers/javascriptController.php
index 00a7b5c38..6336106a9 100755
--- a/app/Controllers/javascriptController.php
+++ b/app/Controllers/javascriptController.php
@@ -26,7 +26,7 @@ class FreshRSS_javascript_Controller extends Minz_ActionController {
 header('Pragma: no-cache');
 $user = isset($_GET['user']) ? $_GET['user'] : '';
- if (ctype_alnum($user)) {
+ if (FreshRSS_user_Controller::checkUsername($user)) {
 try {
 $salt = FreshRSS_Context::$system_conf->salt;
 $conf = get_user_configuration($user);
diff --git a/app/Controllers/userController.php b/app/Controllers/userController.php
index 718207734..13a6fce67 100644
--- a/app/Controllers/userController.php
+++ b/app/Controllers/userController.php
@@ -34,9 +34,14 @@ class FreshRSS_user_Controller extends Minz_ActionController {
 return $passwordHash == '' ? '' : $passwordHash;
 }
+ /**
+ * The username is also used as folder name, and part of SQL table name.
+ * '_' is a reserved internal username.
+ */
+ const USERNAME_PATTERN = '[0-9a-zA-Z]|[0-9a-zA-Z_]{2,38}';
+
 public static function checkUsername($username) {
- $match = '/^[0-9a-zA-Z_]{1,38}$/';
- return preg_match($match, $username) === 1;
+ return preg_match('/^' . self::USERNAME_PATTERN . '$/', $username) === 1;
 }
 /**
diff --git a/app/Models/Feed.php b/app/Models/Feed.php
index 97cb1c47e..7a9cf8612 100644
--- a/app/Models/Feed.php
+++ b/app/Models/Feed.php
@@ -442,7 +442,7 @@ class FreshRSS_Feed extends Minz_Model {
 file_put_contents(USERS_PATH . '/_/log_pshb.txt', date('c') . "\t" . $text . "\n", FILE_APPEND);
 }
 $currentUser = Minz_Session::param('currentUser');
- if (ctype_alnum($currentUser) && !file_exists($path . '/' . $currentUser . '.txt')) {
+ if (FreshRSS_user_Controller::checkUsername($currentUser) && !file_exists($path . '/' . $currentUser . '.txt')) {
 touch($path . '/' . $currentUser . '.txt');
 }
 }
diff --git a/app/Models/UserDAO.php b/app/Models/UserDAO.php
index 32bc6de2f..a60caf395 100644
--- a/app/Models/UserDAO.php
+++ b/app/Models/UserDAO.php
@@ -85,7 +85,7 @@ class FreshRSS_UserDAO extends Minz_ModelPdo {
 }
 public static function touch($username = '') {
- if (($username == '') || (!ctype_alnum($username))) {
+ if (!FreshRSS_user_Controller::checkUsername($username)) {
 $username = Minz_Session::param('currentUser', '_');
 }
 return touch(join_path(DATA_PATH , 'users', $username, 'config.php'));
diff --git a/app/install.php b/app/install.php
index 8c65a0977..58674e3a7 100644
--- a/app/install.php
+++ b/app/install.php
@@ -553,7 +553,7 @@ function printStep2() {
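Review bot: The new checkUsername builds `/^[0-9a-zA-Z]|[0-9a-zA-Z_]{2,38}$/` by concatenating `USERNAME_PATTERN` between `^` and `$`, and PCRE alternation binds looser than the anchors, so the regex is `(^[0-9a-zA-Z])|([0-9a-zA-Z_]{2,38}$)`: any string that merely starts with an alphanumeric, or merely ends with two such characters, passes — including names with `/`, `..` or `;` in the middle — which matters because the comment says the value becomes a folder name and part of a SQL table name, and every other hunk of this commit (javascriptController `$_GET['user']`, Feed.php, UserDAO, lib_rss, reconfigure, greader's Authorization header) now trusts this function. Group the alternation and stop `$` from accepting a trailing newline: `return preg_match('/^(?:' . self::USERNAME_PATTERN . ')$/D', $username) === 1;`. If the constant is also reused in the HTML `pattern` attributes of the view hunks (their content is not legible here), those are unaffected, since browsers wrap `pattern` as `^(?:…)$` themselves.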
- +
diff --git a/app/views/auth/formLogin.phtml b/app/views/auth/formLogin.phtml index 24cb14c6e..2f881dde7 100644 --- a/app/views/auth/formLogin.phtml +++ b/app/views/auth/formLogin.phtml @@ -9,7 +9,7 @@
- +
diff --git a/app/views/auth/register.phtml b/app/views/auth/register.phtml index d7997f5f5..fce7e1388 100644 --- a/app/views/auth/register.phtml +++ b/app/views/auth/register.phtml @@ -5,7 +5,7 @@
- +
diff --git a/app/views/user/manage.phtml b/app/views/user/manage.phtml index 10bee5507..9238a01b9 100644 --- a/app/views/user/manage.phtml +++ b/app/views/user/manage.phtml @@ -22,7 +22,7 @@
- +
diff --git a/cli/reconfigure.php b/cli/reconfigure.php
index 5294dd2df..da451b3ef 100755
--- a/cli/reconfigure.php
+++ b/cli/reconfigure.php
@@ -45,7 +45,7 @@ foreach ($dBparams as $dBparam) {
 }
 $config->db = $db;
-if (!ctype_alnum($config->default_user)) {
+if (!FreshRSS_user_Controller::checkUsername($config->default_user)) {
 fail('FreshRSS invalid default username (must be ASCII alphanumeric): ' . $config->default_user);
 }
diff --git a/lib/lib_rss.php b/lib/lib_rss.php
index 560e5b256..cdd08719d 100644
--- a/lib/lib_rss.php
+++ b/lib/lib_rss.php
@@ -285,7 +285,7 @@ function uSecString() {
 }
 function invalidateHttpCache($username = '') {
- if (($username == '') || (!ctype_alnum($username))) {
+ if (!FreshRSS_user_Controller::checkUsername($username)) {
 Minz_Session::_param('touch', uTimeString());
 $username = Minz_Session::param('currentUser', '_');
 }
diff --git a/p/api/greader.php b/p/api/greader.php
index 4965ffd3b..01eca6d4f 100644
--- a/p/api/greader.php
+++ b/p/api/greader.php
@@ -152,7 +152,7 @@ function authorizationToUser() {
 $headerAuthX = explode('/', $headerAuth, 2);
 if (count($headerAuthX) === 2) {
 $user = $headerAuthX[0];
- if (ctype_alnum($user)) {
+ if (FreshRSS_user_Controller::checkUsername($user)) {
 FreshRSS_Context::$user_conf = get_user_configuration($user);
 if (FreshRSS_Context::$user_conf == null) {
 Minz_Log::warning('Invalid API user ' . $user . ': configuration cannot be found.');
--
cgit v1.2.3
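Review bot: The failure message kept in the reconfigure.php hunk still says `(must be ASCII alphanumeric)` although the check it now follows, `checkUsername`, also accepts `_` per `USERNAME_PATTERN`, so an operator is told a rule that no longer matches the validation. Derive the message from the same constant so the two cannot drift again: `fail('FreshRSS invalid default username (must match /^' . FreshRSS_user_Controller::USERNAME_PATTERN . '$/): ' . $config->default_user);`. The lib_rss.php and greader.php hunks in this section are consistent with the rest of the change and rely on the same function; `checkUsername('')` returning false is what replaces the dropped `$username == ''` test in invalidateHttpCache.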