From 8d2b76334cd60356c85810bf4902124105d54ad4 Mon Sep 17 00:00:00 2001 From: Clément Date: Thu, 16 Feb 2017 14:27:45 +0100 Subject: Possibility to register user having a '-', a '_' or a '.' in username --- app/Controllers/userController.php | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) (limited to 'app/Controllers') diff --git a/app/Controllers/userController.php b/app/Controllers/userController.php index 9d6ae18e6..6199ff218 100644 --- a/app/Controllers/userController.php +++ b/app/Controllers/userController.php @@ -103,8 +103,9 @@ class FreshRSS_user_Controller extends Minz_ActionController { if (!is_array($userConfig)) { $userConfig = array(); } + $aValid = array('-', '_', '.'); - $ok = ($new_user_name != '') && ctype_alnum($new_user_name); + $ok = ($new_user_name != '') && ctype_alnum(str_replace($aValid, '', $new_user_name)); if ($ok) { $languages = Minz_Translate::availableLanguages(); @@ -187,7 +188,8 @@ class FreshRSS_user_Controller extends Minz_ActionController { $db = FreshRSS_Context::$system_conf->db; require_once(APP_PATH . '/SQL/install.sql.' . $db['type'] . '.php'); - $ok = ctype_alnum($username); + $aValid = array('-', '_', '.'); + $ok = ctype_alnum(str_replace($aValid, '', $username)); if ($ok) { $default_user = FreshRSS_Context::$system_conf->default_user; $ok &= (strcasecmp($username, $default_user) !== 0); //It is forbidden to delete the default user -- cgit v1.2.3 From 4eeae5171b885b6dda392f5dd68d6dd78a0c7858 Mon Sep 17 00:00:00 2001 From: Clément Date: Thu, 16 Feb 2017 18:54:59 +0100 Subject: use function with preg_match to check username --- app/Controllers/userController.php | 11 +++++++---- app/Models/Auth.php | 3 +-- cli/_cli.php | 4 +--- cli/create-user.php | 3 +-- cli/delete-user.php | 3 +-- cli/do-install.php | 3 +-- 6 files changed, 12 insertions(+), 15 deletions(-) (limited to 'app/Controllers') diff --git a/app/Controllers/userController.php b/app/Controllers/userController.php index 6199ff218..246be1bfe 100644 
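Review bot: Stripping `-`, `_` and `.` before `ctype_alnum()` in the `@@ -103` hunk checks only which characters occur, not where they occur, so names that begin with a dot or contain runs of dots are accepted; the `@@ -187` hunk repeats the same check. A comment added later in this series states that the username is used as a folder name and as part of an SQL table name, and `-` and `.` are not safe in an unquoted SQL identifier, so I would either confirm that every query quotes the table name or leave those two characters out. Constraining the first character as well is safer, for example `$ok = preg_match('/^[0-9a-zA-Z][0-9a-zA-Z_]*\z/', $new_user_name) === 1;`. Both enclosing methods start and end outside the hunks.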
--- a/app/Controllers/userController.php +++ b/app/Controllers/userController.php @@ -34,6 +34,11 @@ class FreshRSS_user_Controller extends Minz_ActionController { return $passwordHash == '' ? '' : $passwordHash; } + public static function checkUsername($username) { + $match = '/^[a-zA-Z_]{1,38}$/'; + return preg_match($match, $username) === 1; + } + /** * This action displays the user profile page. */ @@ -103,9 +108,8 @@ class FreshRSS_user_Controller extends Minz_ActionController { if (!is_array($userConfig)) { $userConfig = array(); } - $aValid = array('-', '_', '.'); - $ok = ($new_user_name != '') && ctype_alnum(str_replace($aValid, '', $new_user_name)); + $ok = self::checkUsername($new_user_name); if ($ok) { $languages = Minz_Translate::availableLanguages(); @@ -188,8 +192,7 @@ class FreshRSS_user_Controller extends Minz_ActionController { $db = FreshRSS_Context::$system_conf->db; require_once(APP_PATH . '/SQL/install.sql.' . $db['type'] . '.php'); - $aValid = array('-', '_', '.'); - $ok = ctype_alnum(str_replace($aValid, '', $username)); + $ok = self::checkUsername($username); if ($ok) { $default_user = FreshRSS_Context::$system_conf->default_user; $ok &= (strcasecmp($username, $default_user) !== 0); //It is forbidden to delete the default user diff --git a/app/Models/Auth.php b/app/Models/Auth.php index e63a24b27..476627e10 100644 --- a/app/Models/Auth.php +++ b/app/Models/Auth.php @@ -182,8 +182,7 @@ class FreshRSS_Auth { class FreshRSS_FormAuth { public static function checkCredentials($username, $hash, $nonce, $challenge) { - $aValid = array('-', '_', '.'); - if (!ctype_alnum(str_replace($aValid, '', $username)) || + if (!FreshRSS_user_Controller::checkUsername($username) || !ctype_graph($challenge) || !ctype_alnum($nonce)) { Minz_Log::debug('Invalid credential parameters:' . diff --git a/cli/_cli.php b/cli/_cli.php index 885199659..f5e36eabc 100644 --- a/cli/_cli.php +++ b/cli/_cli.php 
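Review bot: The `$` in `'/^[a-zA-Z_]{1,38}$/'` in the new `checkUsername()` also matches just before a trailing newline, so a username ending in a line feed passes the check; add the `D` modifier or use `\z`, as in `$match = '/^[a-zA-Z_]{1,38}$/D';`. The later revisions of this pattern on the page keep the same anchor. This matters because the Auth.php hunk and the CLI hunks that follow now rely on this single function as their only username check. The method also has no docblock; I would add one line saying that it returns true only for a syntactically valid account name and that the value is reused when building per-user paths.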
@@ -20,9 +20,7 @@ function fail($message) { } function cliInitUser($username) { - $aValid = array('-', '_', '.'); - - if (!ctype_alnum(str_replace($aValid, '', $username))) { + if (!FreshRSS_user_Controller::checkUsername($username)) { fail('FreshRSS error: invalid username: ' . $username . "\n"); } diff --git a/cli/create-user.php b/cli/create-user.php index e5b4493e3..c9e350c14 100755 --- a/cli/create-user.php +++ b/cli/create-user.php @@ -16,9 +16,8 @@ if (empty($options['user'])) { fail('Usage: ' . basename(__FILE__) . " --user username ( --password 'password' --api-password 'api_password'" . " --language en --email user@example.net --token 'longRandomString --no-default-feeds' )"); } -$aValid = array('-', '_', '.'); $username = $options['user']; -if (!ctype_alnum(str_replace($aValid, '', $username))) { +if (!FreshRSS_user_Controller::checkUsername($username)) { fail('FreshRSS error: invalid username “' . $username . '”'); } diff --git a/cli/delete-user.php b/cli/delete-user.php index 82605fb27..baa81b893 100755 --- a/cli/delete-user.php +++ b/cli/delete-user.php @@ -9,9 +9,8 @@ $options = getopt('', array( if (empty($options['user'])) { fail('Usage: ' . basename(__FILE__) . " --user username"); } -$aValid = array('-', '_', '.'); $username = $options['user']; -if (!ctype_alnum(str_replace($aValid, '', $username))) { +if (!FreshRSS_user_Controller::checkUsername($username)) { fail('FreshRSS error: invalid username “' . $username . '”'); } diff --git a/cli/do-install.php b/cli/do-install.php index eb46c7e93..064a64ab2 100755 --- a/cli/do-install.php +++ b/cli/do-install.php @@ -47,8 +47,7 @@ if ($requirements['all'] !== 'ok') { fail($message); } -$aValid = array('-', '_', '.'); -if (!ctype_alnum(str_replace($aValid, '', $options['default_user']))) { +if (!FreshRSS_user_Controller::checkUsername($options['default_user'])) { fail('FreshRSS invalid default username (must be ASCII alphanumeric): ' . $options['default_user']); } -- cgit v1.2.3 
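Review bot: The failure text in the do-install.php hunk still says `must be ASCII alphanumeric`, which no longer describes the rule, since `checkUsername()` as added in this commit accepts `_` and rejects digits. An operator who follows the message will pick a name the check refuses. I would make the text neutral, `fail('FreshRSS invalid default username: ' . $options['default_user']);`, or derive the hint from the pattern so that the two cannot drift apart. The other CLI hunks do not describe the rule in their messages and need no change on this point.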
From 648fcb63b5170d07ad6d157249be398912da658f Mon Sep 17 00:00:00 2001 From: Clément Date: Sun, 19 Feb 2017 15:00:26 +0100 Subject: correct check username pattern --- app/Controllers/userController.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'app/Controllers') diff --git a/app/Controllers/userController.php b/app/Controllers/userController.php index 246be1bfe..718207734 100644 --- a/app/Controllers/userController.php +++ b/app/Controllers/userController.php @@ -35,7 +35,7 @@ class FreshRSS_user_Controller extends Minz_ActionController { } public static function checkUsername($username) { - $match = '/^[a-zA-Z_]{1,38}$/'; + $match = '/^[0-9a-zA-Z_]{1,38}$/'; return preg_match($match, $username) === 1; } -- cgit v1.2.3 From 59d6f3593cb1dead402813207ab8d860ea684ddc Mon Sep 17 00:00:00 2001 From: Dennis Schwerdel Date: Thu, 23 Feb 2017 21:22:56 +0100 Subject: Add config option to disable and hide self-update --- app/Controllers/updateController.php | 2 +- app/layout/aside_configure.phtml | 2 ++ app/layout/header.phtml | 2 ++ data/config.default.php | 3 +++ 4 files changed, 8 insertions(+), 1 deletion(-) (limited to 'app/Controllers') diff --git a/app/Controllers/updateController.php b/app/Controllers/updateController.php index 8f939dbdb..b4e8a0bff 100644 --- a/app/Controllers/updateController.php +++ b/app/Controllers/updateController.php @@ -162,7 +162,7 @@ class FreshRSS_update_Controller extends Minz_ActionController { } public function applyAction() { - if (!file_exists(UPDATE_FILENAME) || !is_writable(FRESHRSS_PATH)) { + if (!file_exists(UPDATE_FILENAME) || !is_writable(FRESHRSS_PATH) || Minz_Configuration::get('system')->disable_update) { Minz_Request::forward(array('c' => 'update'), true); } diff --git a/app/layout/aside_configure.phtml b/app/layout/aside_configure.phtml index d956ec21f..94f5b1f6c 100644 --- a/app/layout/aside_configure.phtml +++ b/app/layout/aside_configure.phtml 
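Review bot: In the updateController.php hunk, `disable_update` is enforced only inside `applyAction()`; the rest of the controller is outside the hunk, so it is worth confirming that the action which checks for and fetches the update script is gated too. Hiding the menu entries in aside_configure.phtml and header.phtml does not stop a direct request to those actions. I would put one guard where it runs before every action of this controller, using the same test, `if (Minz_Configuration::get('system')->disable_update) { Minz_Request::forward(array('c' => 'index'), true); }`, rather than extending the condition in a single action. It would also help to confirm what `disable_update` evaluates to on an installation whose config.php predates the new key.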
@@ -41,9 +41,11 @@ Minz_Request::actionName() === 'checkInstall' ? ' active' : ''; ?>"> + disable_update) { ?>
  • + diff --git a/app/layout/header.phtml b/app/layout/header.phtml index 238c664b0..e589ed7ef 100644 --- a/app/layout/header.phtml +++ b/app/layout/header.phtml @@ -71,8 +71,10 @@ if (FreshRSS_Auth::accessNeedsAction()) {
  • + disable_update) { ?>
  • +
  • diff --git a/data/config.default.php b/data/config.default.php index 433207a9c..748df1884 100644 --- a/data/config.default.php +++ b/data/config.default.php @@ -146,4 +146,7 @@ return array( # List of enabled FreshRSS extensions. 'extensions_enabled' => array(), + + # Disable self-update, + 'disable_update' => false, ); -- cgit v1.2.3 From 8a6b38115456f592c8a246f9abbb84f4449721c0 Mon Sep 17 00:00:00 2001 From: Alexandre Alapetite Date: Sat, 25 Feb 2017 11:51:54 +0100 Subject: Sanitize Web site URL https://github.com/FreshRSS/FreshRSS/issues/1434 --- app/Controllers/subscriptionController.php | 4 ++-- lib/lib_rss.php | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) (limited to 'app/Controllers') diff --git a/app/Controllers/subscriptionController.php b/app/Controllers/subscriptionController.php index 03d3ee15e..aa9f18663 100644 --- a/app/Controllers/subscriptionController.php +++ b/app/Controllers/subscriptionController.php @@ -90,8 +90,8 @@ class FreshRSS_subscription_Controller extends Minz_ActionController { $values = array( 'name' => Minz_Request::param('name', ''), 'description' => sanitizeHTML(Minz_Request::param('description', '', true)), - 'website' => Minz_Request::param('website', ''), - 'url' => Minz_Request::param('url', ''), + 'website' => checkUrl(Minz_Request::param('website', '')), + 'url' => checkUrl(Minz_Request::param('url', '')), 'category' => $cat, 'pathEntries' => Minz_Request::param('path_entries', ''), 'priority' => intval(Minz_Request::param('priority', 0)), diff --git a/lib/lib_rss.php b/lib/lib_rss.php index 560e5b256..78c9cabea 100644 --- a/lib/lib_rss.php +++ b/lib/lib_rss.php @@ -69,10 +69,10 @@ function idn_to_puny($url) { } function checkUrl($url) { - if (empty ($url)) { + if ($url == '') { return ''; } - if (!preg_match ('#^https?://#i', $url)) { + if (!preg_match('#^https?://#i', $url)) { $url = 'http://' . $url; } $url = idn_to_puny($url); //PHP bug #53474 IDN -- cgit v1.2.3 
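Review bot: In the subscriptionController.php hunk the result of `checkUrl()` is written straight into `$values` for both `'website'` and `'url'` without looking at what came back. The lib_rss.php hunk shows that `checkUrl()` returns `''` for empty input and prefixes `http://` when no http(s) scheme is present, but the end of the function is outside the hunk; if it reports an invalid URL with a non-string value, that value would be stored as the feed address. I would test the result before building the array, for example `$url = checkUrl(Minz_Request::param('url', '')); if (!is_string($url) || $url === '') { /* reject the update */ }`, and accept an empty result only for the optional `'website'` field.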
From 271a1fdc8900a8b2c32675c22dce1cc458209de4 Mon Sep 17 00:00:00 2001 From: Alexandre Alapetite Date: Sat, 25 Feb 2017 12:39:08 +0100 Subject: Missing checkUsername and const patten https://github.com/FreshRSS/FreshRSS/pull/1423 https://github.com/YunoHost-Apps/freshrss_ynh/issues/27#issuecomment-279792363 --- app/Controllers/javascriptController.php | 2 +- app/Controllers/userController.php | 9 +++++++-- app/Models/Feed.php | 2 +- app/Models/UserDAO.php | 2 +- app/install.php | 2 +- app/views/auth/formLogin.phtml | 2 +- app/views/auth/register.phtml | 2 +- app/views/user/manage.phtml | 2 +- cli/reconfigure.php | 2 +- lib/lib_rss.php | 2 +- p/api/greader.php | 2 +- 11 files changed, 17 insertions(+), 12 deletions(-) (limited to 'app/Controllers') diff --git a/app/Controllers/javascriptController.php b/app/Controllers/javascriptController.php index 00a7b5c38..6336106a9 100755 --- a/app/Controllers/javascriptController.php +++ b/app/Controllers/javascriptController.php @@ -26,7 +26,7 @@ class FreshRSS_javascript_Controller extends Minz_ActionController { header('Pragma: no-cache'); $user = isset($_GET['user']) ? $_GET['user'] : ''; - if (ctype_alnum($user)) { + if (FreshRSS_user_Controller::checkUsername($user)) { try { $salt = FreshRSS_Context::$system_conf->salt; $conf = get_user_configuration($user); diff --git a/app/Controllers/userController.php b/app/Controllers/userController.php index 718207734..13a6fce67 100644 --- a/app/Controllers/userController.php +++ b/app/Controllers/userController.php 
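Review bot: In the javascriptController.php hunk `$user` comes directly from `$_GET['user']`, which is an array when the request uses `user[]=`; `ctype_alnum()` quietly returned false for that, whereas `preg_match()` inside `checkUsername()` raises a warning, or a TypeError on PHP 8. I would normalise the value at the point it is read, `$user = isset($_GET['user']) && is_string($_GET['user']) ? $_GET['user'] : '';`, or add an `is_string($username) &&` guard inside `checkUsername()` so that every caller is covered. The enclosing action starts and ends outside the hunk.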
@@ -34,9 +34,14 @@ class FreshRSS_user_Controller extends Minz_ActionController { return $passwordHash == '' ? '' : $passwordHash; } + /** + * The username is also used as folder name, and part of SQL table name. + * '_' is a reserved internal username. + */ + const USERNAME_PATTERN = '[0-9a-zA-Z]|[0-9a-zA-Z_]{2,38}'; + public static function checkUsername($username) { - $match = '/^[0-9a-zA-Z_]{1,38}$/'; - return preg_match($match, $username) === 1; + return preg_match('/^' . self::USERNAME_PATTERN . '$/', $username) === 1; } /** diff --git a/app/Models/Feed.php b/app/Models/Feed.php index 97cb1c47e..7a9cf8612 100644 --- a/app/Models/Feed.php +++ b/app/Models/Feed.php @@ -442,7 +442,7 @@ class FreshRSS_Feed extends Minz_Model { file_put_contents(USERS_PATH . '/_/log_pshb.txt', date('c') . "\t" . $text . "\n", FILE_APPEND); } $currentUser = Minz_Session::param('currentUser'); - if (ctype_alnum($currentUser) && !file_exists($path . '/' . $currentUser . '.txt')) { + if (FreshRSS_user_Controller::checkUsername($currentUser) && !file_exists($path . '/' . $currentUser . '.txt')) { touch($path . '/' . $currentUser . '.txt'); } } diff --git a/app/Models/UserDAO.php b/app/Models/UserDAO.php index 32bc6de2f..a60caf395 100644 --- a/app/Models/UserDAO.php +++ b/app/Models/UserDAO.php @@ -85,7 +85,7 @@ class FreshRSS_UserDAO extends Minz_ModelPdo { } public static function touch($username = '') { - if (($username == '') || (!ctype_alnum($username))) { + if (!FreshRSS_user_Controller::checkUsername($username)) { $username = Minz_Session::param('currentUser', '_'); } return touch(join_path(DATA_PATH , 'users', $username, 'config.php')); diff --git a/app/install.php b/app/install.php index 8c65a0977..58674e3a7 100644 --- a/app/install.php +++ b/app/install.php @@ -553,7 +553,7 @@ function printStep2() {
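Review bot: In the userController.php hunk, `'/^' . self::USERNAME_PATTERN . '$/'` expands to `/^[0-9a-zA-Z]|[0-9a-zA-Z_]{2,38}$/`, and because alternation binds more loosely than the anchors this means "starts with one alphanumeric character" OR "ends with 2 to 38 word characters". Almost any string therefore passes, including values with path separators or SQL metacharacters in the middle, while the docblock added in the same hunk says the name becomes a folder name and part of a table name. Group the alternation and end-anchor strictly: `return preg_match('/^(?:' . self::USERNAME_PATTERN . ')$/D', $username) === 1;`. Every call site switched to `checkUsername()` in this commit inherits the weakness: the javascriptController.php, Feed.php, UserDAO.php, reconfigure.php, lib_rss.php and greader.php hunks, the last of which uses it on the API authorization path. Doing the grouping in the helper rather than in the constant keeps the constant usable where it is embedded elsewhere.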
    - +
    diff --git a/app/views/auth/formLogin.phtml b/app/views/auth/formLogin.phtml index 24cb14c6e..2f881dde7 100644 --- a/app/views/auth/formLogin.phtml +++ b/app/views/auth/formLogin.phtml @@ -9,7 +9,7 @@
    - +
    diff --git a/app/views/auth/register.phtml b/app/views/auth/register.phtml index d7997f5f5..fce7e1388 100644 --- a/app/views/auth/register.phtml +++ b/app/views/auth/register.phtml @@ -5,7 +5,7 @@
    - +
    diff --git a/app/views/user/manage.phtml b/app/views/user/manage.phtml index 10bee5507..9238a01b9 100644 --- a/app/views/user/manage.phtml +++ b/app/views/user/manage.phtml @@ -22,7 +22,7 @@
    - +
    diff --git a/cli/reconfigure.php b/cli/reconfigure.php index 5294dd2df..da451b3ef 100755 --- a/cli/reconfigure.php +++ b/cli/reconfigure.php @@ -45,7 +45,7 @@ foreach ($dBparams as $dBparam) { } $config->db = $db; -if (!ctype_alnum($config->default_user)) { +if (!FreshRSS_user_Controller::checkUsername($config->default_user)) { fail('FreshRSS invalid default username (must be ASCII alphanumeric): ' . $config->default_user); } diff --git a/lib/lib_rss.php b/lib/lib_rss.php index 560e5b256..cdd08719d 100644 --- a/lib/lib_rss.php +++ b/lib/lib_rss.php @@ -285,7 +285,7 @@ function uSecString() { } function invalidateHttpCache($username = '') { - if (($username == '') || (!ctype_alnum($username))) { + if (!FreshRSS_user_Controller::checkUsername($username)) { Minz_Session::_param('touch', uTimeString()); $username = Minz_Session::param('currentUser', '_'); } diff --git a/p/api/greader.php b/p/api/greader.php index 4965ffd3b..01eca6d4f 100644 --- a/p/api/greader.php +++ b/p/api/greader.php @@ -152,7 +152,7 @@ function authorizationToUser() { $headerAuthX = explode('/', $headerAuth, 2); if (count($headerAuthX) === 2) { $user = $headerAuthX[0]; - if (ctype_alnum($user)) { + if (FreshRSS_user_Controller::checkUsername($user)) { FreshRSS_Context::$user_conf = get_user_configuration($user); if (FreshRSS_Context::$user_conf == null) { Minz_Log::warning('Invalid API user ' . $user . ': configuration cannot be found.'); -- cgit v1.2.3 From 0bd4b2c74204a2f9360816ab22aac0da4c459824 Mon Sep 17 00:00:00 2001 From: Alexandre Alapetite Date: Sat, 25 Feb 2017 13:08:06 +0100 Subject: Changelog 1423 --- CHANGELOG.md | 2 ++ app/Controllers/userController.php | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) (limited to 'app/Controllers') diff --git a/CHANGELOG.md b/CHANGELOG.md index 4738b7360..885b625f2 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -15,6 +15,8 @@ * Allow empty strings in CLI do-install [#1435](https://github.com/FreshRSS/FreshRSS/pull/1435) * Security * No version number for anonymous users [#1404](https://github.com/FreshRSS/FreshRSS/issues/1404) +* Misc. + * Relaxed requirements for username to `/^[0-9a-zA-Z]|[0-9a-zA-Z_]{2,38}/$` [#1423](https://github.com/FreshRSS/FreshRSS/pull/1423) ## 2016-12-26 FreshRSS 1.6.2 diff --git a/app/Controllers/userController.php b/app/Controllers/userController.php index 13a6fce67..593e24cf2 100644 --- a/app/Controllers/userController.php +++ b/app/Controllers/userController.php @@ -35,7 +35,7 @@ class FreshRSS_user_Controller extends Minz_ActionController { } /** - * The username is also used as folder name, and part of SQL table name. + * The username is also used as folder name, file name, and part of SQL table name. * '_' is a reserved internal username. */ const USERNAME_PATTERN = '[0-9a-zA-Z]|[0-9a-zA-Z_]{2,38}'; -- cgit v1.2.3 From 9c012e6c81e435736bfef78e0669cd236ed9d73b Mon Sep 17 00:00:00 2001 From: Alexandre Alapetite Date: Thu, 2 Mar 2017 22:57:02 +0100 Subject: Fix SQLite CLI install https://github.com/FreshRSS/FreshRSS/issues/1445 https://github.com/FreshRSS/FreshRSS/issues/1443 https://github.com/FreshRSS/FreshRSS/issues/1443 --- app/Controllers/userController.php | 7 +++++-- lib/lib_rss.php | 9 ++------- 2 files changed, 7 insertions(+), 9 deletions(-) (limited to 'app/Controllers') diff --git a/app/Controllers/userController.php b/app/Controllers/userController.php index 593e24cf2..f910cecd9 100644 --- a/app/Controllers/userController.php +++ b/app/Controllers/userController.php @@ -115,6 +115,7 @@ class FreshRSS_user_Controller extends Minz_ActionController { } $ok = self::checkUsername($new_user_name); + $homeDir = join_path(DATA_PATH, 'users', $new_user_name); if ($ok) { $languages = Minz_Translate::availableLanguages(); 
@@ -124,7 +125,7 @@ class FreshRSS_user_Controller extends Minz_ActionController { $ok &= !in_array(strtoupper($new_user_name), array_map('strtoupper', listUsers())); //Not an existing user, case-insensitive - $configPath = join_path(DATA_PATH, 'users', $new_user_name, 'config.php'); + $configPath = join_path($homeDir, 'config.php'); $ok &= !file_exists($configPath); } if ($ok) { @@ -141,7 +142,9 @@ class FreshRSS_user_Controller extends Minz_ActionController { } } if ($ok) { - mkdir(join_path(DATA_PATH, 'users', $new_user_name)); + if (!is_dir($homeDir)) { + mkdir($homeDir); + } $userConfig['passwordHash'] = $passwordHash; $userConfig['apiPasswordHash'] = $apiPasswordHash; $ok &= (file_put_contents($configPath, "