From 75bf305b2f084958d43689b3781d03a29cc21f60 Mon Sep 17 00:00:00 2001
From: Marien Fressinaud <dev@marienfressinaud.fr>
Date: Wed, 17 Sep 2014 14:07:52 +0200
Subject: Test HTTP REFERER in install.php

Test is actually basic, we need to use
Minz_Request::isRefererFromSameDomain() method to improve checking
---
 app/install.php | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

(limited to 'app/install.php')

diff --git a/app/install.php b/app/install.php
index 8986e9965..f31764545 100644
--- a/app/install.php
+++ b/app/install.php
@@ -307,6 +307,7 @@ function checkStep1() {
 	$log = LOG_PATH && is_writable(LOG_PATH);
 	$favicons = is_writable(DATA_PATH . '/favicons');
 	$persona = is_writable(DATA_PATH . '/persona');
+	$http_referer = !empty($_SERVER['HTTP_REFERER']);
 
 	return array(
 		'php' => $php ? 'ok' : 'ko',
@@ -323,8 +324,10 @@ function checkStep1() {
 		'log' => $log ? 'ok' : 'ko',
 		'favicons' => $favicons ? 'ok' : 'ko',
 		'persona' => $persona ? 'ok' : 'ko',
+		'http_referer' => $http_referer ? 'ok' : 'ko',
 		'all' => $php && $minz && $curl && $pdo && $pcre && $ctype && $dom &&
-		         $data && $cache && $log && $favicons && $persona ? 'ok' : 'ko'
+		         $data && $cache && $log && $favicons && $persona && $http_referer ?
+		         'ok' : 'ko'
 	);
 }
 
@@ -548,6 +551,12 @@ function printStep1() {
 	<p class="alert alert-error"><span class="alert-head"><?php echo _t('damn'); ?></span> <?php echo _t('file_is_nok', DATA_PATH . '/persona'); ?></p>
 	<?php } ?>
 
+	<?php if ($res['http_referer'] == 'ok') { ?>
+	<p class="alert alert-success"><span class="alert-head"><?php echo _t('ok'); ?></span> <?php echo _t('http_referer_is_ok'); ?></p>
+	<?php } else { ?>
+	<p class="alert alert-error"><span class="alert-head"><?php echo _t('damn'); ?></span> <?php echo _t('http_referer_is_nok'); ?></p>
+	<?php } ?>
+
 	<?php if ($res['all'] == 'ok') { ?>
 	<a class="btn btn-important next-step" href="?step=2"><?php echo _t('next_step'); ?></a>
 	<?php } else { ?>
-- 
cgit v1.2.3


From fc7d2a0bf271e43a9e6001dccef61ec0762eb840 Mon Sep 17 00:00:00 2001
From: Marien Fressinaud <dev@marienfressinaud.fr>
Date: Wed, 17 Sep 2014 14:21:56 +0200
Subject: Move http referer test into lib_rss

Rename method (coding style)
Change in app/FreshRSS.php
Improve test of app/install.php
---
 app/FreshRSS.php     |  2 +-
 app/install.php      |  2 +-
 lib/Minz/Request.php | 14 --------------
 lib/lib_rss.php      | 14 ++++++++++++++
 4 files changed, 16 insertions(+), 16 deletions(-)

(limited to 'app/install.php')

diff --git a/app/FreshRSS.php b/app/FreshRSS.php
index 6cca27f78..347b8392f 100644
--- a/app/FreshRSS.php
+++ b/app/FreshRSS.php
@@ -6,7 +6,7 @@ class FreshRSS extends Minz_FrontController {
 		}
 		$loginOk = $this->accessControl(Minz_Session::param('currentUser', ''));
 		$this->loadParamsView();
-		if (Minz_Request::isPost() && !Minz_Request::isRefererFromSameDomain()) {
+		if (Minz_Request::isPost() && !is_referer_from_same_domain()) {
 			$loginOk = false;	//Basic protection against XSRF attacks
 			Minz_Error::error(
 				403,
diff --git a/app/install.php b/app/install.php
index f31764545..362ffec48 100644
--- a/app/install.php
+++ b/app/install.php
@@ -307,7 +307,7 @@ function checkStep1() {
 	$log = LOG_PATH && is_writable(LOG_PATH);
 	$favicons = is_writable(DATA_PATH . '/favicons');
 	$persona = is_writable(DATA_PATH . '/persona');
-	$http_referer = !empty($_SERVER['HTTP_REFERER']);
+	$http_referer = is_referer_from_same_domain();
 
 	return array(
 		'php' => $php ? 'ok' : 'ko',
diff --git a/lib/Minz/Request.php b/lib/Minz/Request.php
index ec4e25a6b..52f53012f 100644
--- a/lib/Minz/Request.php
+++ b/lib/Minz/Request.php
@@ -84,20 +84,6 @@ class Minz_Request {
 		return $_SERVER['HTTP_HOST'];
 	}
 
-	public static function isRefererFromSameDomain() {
-		if (empty($_SERVER['HTTP_REFERER'])) {
-			return false;
-		}
-		$host = parse_url(((isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] === 'on') ? 'https://' : 'http://') .
-			(empty($_SERVER['HTTP_HOST']) ? $_SERVER['SERVER_NAME'] : $_SERVER['HTTP_HOST']));
-		$referer = parse_url($_SERVER['HTTP_REFERER']);
-		if (empty($host['scheme']) || empty($referer['scheme']) || $host['scheme'] !== $referer['scheme'] ||
-		    empty($host['host']) || empty($referer['host']) || $host['host'] !== $referer['host']) {
-			return false;
-		}
-		return (isset($host['port']) ? $host['port'] : 0) === (isset($referer['port']) ? $referer['port'] : 0);
-	}
-
 	/**
 	 * Détermine la base de l'url
 	 * @return la base de l'url
diff --git a/lib/lib_rss.php b/lib/lib_rss.php
index 823f53716..31c9cdbc1 100644
--- a/lib/lib_rss.php
+++ b/lib/lib_rss.php
@@ -230,3 +230,17 @@ function cryptAvailable() {
 	}
 	return false;
 }
+
+function is_referer_from_same_domain() {
+	if (empty($_SERVER['HTTP_REFERER'])) {
+		return false;
+	}
+	$host = parse_url(((isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] === 'on') ? 'https://' : 'http://') .
+		(empty($_SERVER['HTTP_HOST']) ? $_SERVER['SERVER_NAME'] : $_SERVER['HTTP_HOST']));
+	$referer = parse_url($_SERVER['HTTP_REFERER']);
+	if (empty($host['scheme']) || empty($referer['scheme']) || $host['scheme'] !== $referer['scheme'] ||
+	    empty($host['host']) || empty($referer['host']) || $host['host'] !== $referer['host']) {
+		return false;
+	}
+	return (isset($host['port']) ? $host['port'] : 0) === (isset($referer['port']) ? $referer['port'] : 0);
+}
-- 
cgit v1.2.3


From 5c752f71e9bd07d2e8f9ffd4b246cf4216c7a85f Mon Sep 17 00:00:00 2001
From: Marien Fressinaud <dev@marienfressinaud.fr>
Date: Thu, 18 Sep 2014 09:15:24 +0200
Subject: Fix a serie of undefined index (app/install.php)

---
 app/install.php | 41 +++++++++++++++++++++++++++--------------
 1 file changed, 27 insertions(+), 14 deletions(-)

(limited to 'app/install.php')

diff --git a/app/install.php b/app/install.php
index 362ffec48..4449cd063 100644
--- a/app/install.php
+++ b/app/install.php
@@ -149,7 +149,7 @@ function saveStep2() {
 
 		$config_array = array(
 			'language' => $_SESSION['language'],
-			'theme' => $_SESSION['theme'],
+			'theme' => 'Origine',
 			'old_entries' => $_SESSION['old_entries'],
 			'mail_login' => $_SESSION['mail_login'],
 			'passwordHash' => $_SESSION['passwordHash'],
@@ -337,9 +337,15 @@ function checkStep2() {
 	        isset($_SESSION['mail_login']) &&
 	        !empty($_SESSION['default_user']);
 
-	$form = $_SESSION['auth_type'] != 'form' || !empty($_SESSION['passwordHash']);
+	$form = (
+		isset($_SESSION['auth_type']) &&
+		($_SESSION['auth_type'] != 'form' || !empty($_SESSION['passwordHash']))
+	);
 
-	$persona = $_SESSION['auth_type'] != 'persona' || !empty($_SESSION['mail_login']);
+	$persona = (
+		isset($_SESSION['auth_type']) &&
+		($_SESSION['auth_type'] != 'persona' || !empty($_SESSION['mail_login']))
+	);
 
 	$defaultUser = empty($_POST['default_user']) ? null : $_POST['default_user'];
 	if ($defaultUser === null) {
@@ -600,16 +606,17 @@ function printStep2() {
 		<div class="form-group">
 			<label class="group-name" for="auth_type"><?php echo _t('auth_type'); ?></label>
 			<div class="group-controls">
-				<select id="auth_type" name="auth_type" required="required" onchange="auth_type_change()">
+				<select id="auth_type" name="auth_type" required="required" onchange="auth_type_change(true)">
 					<?php
-						function no_auth() {
-							return !in_array($_SESSION['auth_type'], array('form', 'persona', 'http_auth', 'none'));
+						function no_auth($auth_type) {
+							return !in_array($auth_type, array('form', 'persona', 'http_auth', 'none'));
 						}
+						$auth_type = isset($_SESSION['auth_type']) ? $_SESSION['auth_type'] : '';
 					?>
-					<option value="form"<?php echo $_SESSION['auth_type'] === 'form' || no_auth() ? ' selected="selected"' : '', cryptAvailable() ? '' : ' disabled="disabled"'; ?>><?php echo _t('auth_form'); ?></option>
-					<option value="persona"<?php echo $_SESSION['auth_type'] === 'persona' ? ' selected="selected"' : ''; ?>><?php echo _t('auth_persona'); ?></option>
-					<option value="http_auth"<?php echo $_SESSION['auth_type'] === 'http_auth' ? ' selected="selected"' : '', httpAuthUser() == '' ? ' disabled="disabled"' : ''; ?>><?php echo _t('http_auth'); ?>(REMOTE_USER = '<?php echo httpAuthUser(); ?>')</option>
-					<option value="none"<?php echo $_SESSION['auth_type'] === 'none' ? ' selected="selected"' : ''; ?>><?php echo _t('auth_none'); ?></option>
+					<option value="form"<?php echo $auth_type === 'form' || no_auth($auth_type) ? ' selected="selected"' : '', cryptAvailable() ? '' : ' disabled="disabled"'; ?>><?php echo _t('auth_form'); ?></option>
+					<option value="persona"<?php echo $auth_type === 'persona' ? ' selected="selected"' : ''; ?>><?php echo _t('auth_persona'); ?></option>
+					<option value="http_auth"<?php echo $auth_type === 'http_auth' ? ' selected="selected"' : '', httpAuthUser() == '' ? ' disabled="disabled"' : ''; ?>><?php echo _t('http_auth'); ?>(REMOTE_USER = '<?php echo httpAuthUser(); ?>')</option>
+					<option value="none"<?php echo $auth_type === 'none' ? ' selected="selected"' : ''; ?>><?php echo _t('auth_none'); ?></option>
 				</select>
 			</div>
 		</div>
@@ -618,7 +625,7 @@ function printStep2() {
 			<label class="group-name" for="passwordPlain"><?php echo _t('password_form'); ?></label>
 			<div class="group-controls">
 				<div class="stick">
-					<input type="password" id="passwordPlain" name="passwordPlain" pattern=".{7,}" autocomplete="off" <?php echo $_SESSION['auth_type'] === 'form' ? ' required="required"' : ''; ?> />
+					<input type="password" id="passwordPlain" name="passwordPlain" pattern=".{7,}" autocomplete="off" <?php echo $auth_type === 'form' ? ' required="required"' : ''; ?> />
 					<a class="btn toggle-password" data-toggle="passwordPlain"><?php echo FreshRSS_Themes::icon('key'); ?></a>
 				</div>
 				<noscript><b><?php echo _t('javascript_should_be_activated'); ?></b></noscript>
@@ -628,7 +635,7 @@ function printStep2() {
 		<div class="form-group">
 			<label class="group-name" for="mail_login"><?php echo _t('persona_connection_email'); ?></label>
 			<div class="group-controls">
-				<input type="email" id="mail_login" name="mail_login" value="<?php echo isset($_SESSION['mail_login']) ? $_SESSION['mail_login'] : ''; ?>" placeholder="alice@example.net" <?php echo $_SESSION['auth_type'] === 'persona' ? ' required="required"' : ''; ?> />
+				<input type="email" id="mail_login" name="mail_login" value="<?php echo isset($_SESSION['mail_login']) ? $_SESSION['mail_login'] : ''; ?>" placeholder="alice@example.net" <?php echo $auth_type === 'persona' ? ' required="required"' : ''; ?> />
 				<noscript><b><?php echo _t('javascript_should_be_activated'); ?></b></noscript>
 			</div>
 		</div>
@@ -653,7 +660,7 @@ function printStep2() {
 				toggles[i].addEventListener('click', toggle_password);
 			}
 
-			function auth_type_change() {
+			function auth_type_change(focus) {
 				var auth_value = document.getElementById('auth_type').value,
 				    password_input = document.getElementById('passwordPlain'),
 				    mail_input = document.getElementById('mail_login');
@@ -661,15 +668,21 @@ function printStep2() {
 				if (auth_value === 'form') {
 					password_input.required = true;
 					mail_input.required = false;
+					if (focus) {
+						password_input.focus();
+					}
 				} else if (auth_value === 'persona') {
 					password_input.required = false;
 					mail_input.required = true;
+					if (focus) {
+						mail_input.focus();
+					}
 				} else {
 					password_input.required = false;
 					mail_input.required = false;
 				}
 			}
-			auth_type_change();
+			auth_type_change(false);
 		</script>
 
 		<div class="form-group form-actions">
-- 
cgit v1.2.3