From 1893fc61e0e576519f878267fd877247445d1055 Mon Sep 17 00:00:00 2001
From: Alexandre Alapetite
Date: Thu, 20 Oct 2016 01:19:59 +0200
Subject: guid and urls should not contain low/high characters

It looks like SimplePie does not always filter everything
Having a character not in latin1 would create MySQL collate errors
---
 app/Controllers/feedController.php | 4 +++-
 app/Controllers/importExportController.php | 4 +++-
 app/Models/EntryDAO.php | 4 ++++
 app/Models/FeedDAO.php | 10 ++++++++++
 4 files changed, 20 insertions(+), 2 deletions(-)
(limited to 'app')

diff --git a/app/Controllers/feedController.php b/app/Controllers/feedController.php
index 8751d2fff..d4a6c9955 100755
--- a/app/Controllers/feedController.php
+++ b/app/Controllers/feedController.php
@@ -314,7 +314,9 @@ class FreshRSS_feed_Controller extends Minz_ActionController {
 if (count($entries) > 0) {
 $newGuids = array();
 foreach ($entries as $entry) {
- $newGuids[] = $entry->guid();
+ $guid = $entry->guid();
+ $guid = filter_var($guid, FILTER_DEFAULT, FILTER_FLAG_STRIP_LOW | FILTER_FLAG_STRIP_HIGH);
+ $newGuids[] = $guid;
 }
 // For this feed, check existing GUIDs already in database.
 $existingHashForGuids = $entryDAO->listHashForFeedGuids($feed->id(), $newGuids);
diff --git a/app/Controllers/importExportController.php b/app/Controllers/importExportController.php
index d36c57deb..e380323c4 100644
--- a/app/Controllers/importExportController.php
+++ b/app/Controllers/importExportController.php
@@ -362,7 +362,9 @@ class FreshRSS_importExport_Controller extends Minz_ActionController {

 $newGuids = array();
 foreach ($article_object['items'] as $item) {
- $newGuids[] = $item['id'];
+ $guid = $item['id'];
+ $guid = filter_var($guid, FILTER_DEFAULT, FILTER_FLAG_STRIP_LOW | FILTER_FLAG_STRIP_HIGH);
+ $newGuids[] = $guid;
 }
 // For this feed, check existing GUIDs already in database.
 $existingHashForGuids = $this->entryDAO->listHashForFeedGuids($feed->id(), $newGuids);
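Review bot: The added `filter_var(..., FILTER_FLAG_STRIP_LOW | FILTER_FLAG_STRIP_HIGH)` line is lossy: two distinct GUIDs that differ only in non-ASCII bytes normalise to the same key, so `listHashForFeedGuids` reports the second one as already present and it is silently dropped. Percent-encoding keeps the result pure ASCII without merging distinct values: `$guid = preg_replace_callback('/[^\x20-\x7E]/', function ($m) { return rawurlencode($m[0]); }, $entry->guid());`. Whatever normalisation is chosen here must be byte-identical to the one EntryDAO applies before INSERT, otherwise the lookup key and the stored guid diverge. The enclosing method continues outside this hunk.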
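Review bot: `$item['id']` is read straight out of an uploaded import document on the first added line, and `filter_var()` returns `false` rather than a string for a non-string value such as an array, so a malformed or hostile import file puts `false` into `$newGuids` and into the `IN (...)` parameter list without any error. Guard the type before normalising, e.g. `$guid = isset($item['id']) && is_string($item['id']) ? $item['id'] : '';`, and treat an empty id the same way the later import step (presumably outside this hunk) does, so that lookup and insert agree. Since stripping high bytes can also merge distinct ids, a one-line comment would help the next reader: `// NOTE: normalisation must match what EntryDAO applies before INSERT`.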
diff --git a/app/Models/EntryDAO.php b/app/Models/EntryDAO.php
index 3959cb191..466e6f5a3 100644
--- a/app/Models/EntryDAO.php
+++ b/app/Models/EntryDAO.php
@@ -123,6 +123,7 @@ class FreshRSS_EntryDAO extends Minz_ModelPdo implements FreshRSS_Searchable {
 }
 $this->addEntryPrepared->bindParam(':id', $valuesTmp['id']);
 $valuesTmp['guid'] = substr($valuesTmp['guid'], 0, 760);
+ $valuesTmp['guid'] = filter_var($valuesTmp['guid'], FILTER_DEFAULT, FILTER_FLAG_STRIP_LOW | FILTER_FLAG_STRIP_HIGH);
 $this->addEntryPrepared->bindParam(':guid', $valuesTmp['guid']);
 $valuesTmp['title'] = substr($valuesTmp['title'], 0, 255);
 $this->addEntryPrepared->bindParam(':title', $valuesTmp['title']);
@@ -130,6 +131,7 @@ class FreshRSS_EntryDAO extends Minz_ModelPdo implements FreshRSS_Searchable {
 $this->addEntryPrepared->bindParam(':author', $valuesTmp['author']);
 $this->addEntryPrepared->bindParam(':content', $valuesTmp['content']);
 $valuesTmp['link'] = substr($valuesTmp['link'], 0, 1023);
+ $valuesTmp['link'] = filter_var($valuesTmp['link'], FILTER_DEFAULT, FILTER_FLAG_STRIP_LOW | FILTER_FLAG_STRIP_HIGH);
 $this->addEntryPrepared->bindParam(':link', $valuesTmp['link']);
 $this->addEntryPrepared->bindParam(':date', $valuesTmp['date'], PDO::PARAM_INT);
 $valuesTmp['lastSeen'] = time();
@@ -190,6 +192,7 @@ class FreshRSS_EntryDAO extends Minz_ModelPdo implements FreshRSS_Searchable {
 $this->updateEntryPrepared->bindParam(':author', $valuesTmp['author']);
 $this->updateEntryPrepared->bindParam(':content', $valuesTmp['content']);
 $valuesTmp['link'] = substr($valuesTmp['link'], 0, 1023);
+ $valuesTmp['link'] = filter_var($valuesTmp['link'], FILTER_DEFAULT, FILTER_FLAG_STRIP_LOW | FILTER_FLAG_STRIP_HIGH);
 $this->updateEntryPrepared->bindParam(':link', $valuesTmp['link']);
 $this->updateEntryPrepared->bindParam(':date', $valuesTmp['date'], PDO::PARAM_INT);
 $valuesTmp['lastSeen'] = time();
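Review bot: Applying `FILTER_FLAG_STRIP_HIGH` to `$valuesTmp['link']` in the second and third hunks rewrites the URL instead of encoding it: an IDN link such as `https://bücher.example/a` is stored as `https://bcher.example/a`, a different registrable host, so the link users are sent to can point at a domain the feed never referenced. For navigable URLs the host part should go through `idn_to_ascii()` (ext/intl, if it is available to this project) and the remaining bytes through `rawurlencode()`; both yield ASCII without changing the target, whereas dropping bytes is only acceptable for opaque identifiers. `substr(..., 0, 1023)` running first is fine, since a truncated multibyte tail is removed by the filter anyway, but add and update must keep the same order so both paths store identical strings. The enclosing methods continue outside these hunks.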
@@ -689,6 +692,7 @@ class FreshRSS_EntryDAO extends Minz_ModelPdo implements FreshRSS_Searchable {
 if (count($guids) < 1) {
 return array();
 }
+ $guids = array_unique($guids);
 $sql = 'SELECT guid, ' . $this->sqlHexEncode('hash') . ' AS hex_hash FROM `' . $this->prefix . 'entry` WHERE id_feed=? AND guid IN (' . str_repeat('?,', count($guids) - 1). '?)';
 $stm = $this->bd->prepare($sql);
 $values = array($id_feed);
diff --git a/app/Models/FeedDAO.php b/app/Models/FeedDAO.php
index c680d270c..33e19d750 100644
--- a/app/Models/FeedDAO.php
+++ b/app/Models/FeedDAO.php
@@ -5,6 +5,9 @@ class FreshRSS_FeedDAO extends Minz_ModelPdo implements FreshRSS_Searchable {
 $sql = 'INSERT INTO `' . $this->prefix . 'feed` (url, category, name, website, description, `lastUpdate`, priority, `httpAuth`, error, keep_history, ttl) VALUES(?, ?, ?, ?, ?, ?, 10, ?, 0, -2, -2)';
 $stm = $this->bd->prepare($sql);
+ $valuesTmp['url'] = filter_var($valuesTmp['url'], FILTER_DEFAULT, FILTER_FLAG_STRIP_LOW | FILTER_FLAG_STRIP_HIGH);
+ $valuesTmp['website'] = filter_var($valuesTmp['website'], FILTER_DEFAULT, FILTER_FLAG_STRIP_LOW | FILTER_FLAG_STRIP_HIGH);
+

 $values = array(
 substr($valuesTmp['url'], 0, 511),
 $valuesTmp['category'],
@@ -55,6 +58,13 @@ class FreshRSS_FeedDAO extends Minz_ModelPdo implements FreshRSS_Searchable {
 }

 public function updateFeed($id, $valuesTmp) {
+ if (isset($valuesTmp['url'])) {
+ $valuesTmp['url'] = filter_var($valuesTmp['url'], FILTER_DEFAULT, FILTER_FLAG_STRIP_LOW | FILTER_FLAG_STRIP_HIGH);
+ }
+ if (isset($valuesTmp['website'])) {
+ $valuesTmp['website'] = filter_var($valuesTmp['website'], FILTER_DEFAULT, FILTER_FLAG_STRIP_LOW | FILTER_FLAG_STRIP_HIGH);
+ }
+

 $set = '';
 foreach ($valuesTmp as $key => $v) {
 $set .= $key . '=?, ';
-- cgit v1.2.3

From 7f2b0439ec4158ee7d78571d60e9bcc995e87cac Mon Sep 17 00:00:00 2001
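Review bot: `array_unique()` preserves keys, so after the added line `$guids` can be sparse (e.g. keys 0, 2, 5); `count($guids)` still sizes the placeholder list correctly, but any positional access in the rest of the function, which continues outside this hunk, would skip the gaps. `$guids = array_values(array_unique($guids));` removes the ambiguity at no cost. A comment on why duplicates now arrive would also help the next reader: `// callers normalise GUIDs to ASCII, which can collapse distinct GUIDs into duplicates`.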
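Review bot: `$valuesTmp['url']` is the address the server itself will later fetch, and the two added lines rewrite it inside the DAO, after any validation the caller performed (lib_rss.php has a `checkUrl()` helper, though the call order is not visible from this hunk); dropping bytes from the host of an IDN URL yields a host other than the one that was validated. Either normalise before validation in the controller path or re-validate the stripped value here before it is bound, and document the ordering requirement next to the added lines: `// must run before URL validation: stripping can change the host`. Note also that `addFeed` dereferences `$valuesTmp['website']` unconditionally while `updateFeed` guards it with `isset()`; if `website` is optional for new feeds this will raise a notice. The enclosing method continues outside this hunk.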
From: Alexandre Alapetite
Date: Thu, 20 Oct 2016 01:38:23 +0200
Subject: Extract function safe_ascii()

---
 app/Controllers/feedController.php | 4 +---
 app/Controllers/importExportController.php | 4 +---
 app/Models/EntryDAO.php | 6 +++---
 app/Models/FeedDAO.php | 8 ++++----
 lib/lib_rss.php | 3 +++
 5 files changed, 12 insertions(+), 13 deletions(-)
(limited to 'app')

diff --git a/app/Controllers/feedController.php b/app/Controllers/feedController.php
index d4a6c9955..ed3229687 100755
--- a/app/Controllers/feedController.php
+++ b/app/Controllers/feedController.php
@@ -314,9 +314,7 @@ class FreshRSS_feed_Controller extends Minz_ActionController {
 if (count($entries) > 0) {
 $newGuids = array();
 foreach ($entries as $entry) {
- $guid = $entry->guid();
- $guid = filter_var($guid, FILTER_DEFAULT, FILTER_FLAG_STRIP_LOW | FILTER_FLAG_STRIP_HIGH);
- $newGuids[] = $guid;
+ $newGuids[] = safe_ascii($entry->guid());
 }
 // For this feed, check existing GUIDs already in database.
 $existingHashForGuids = $entryDAO->listHashForFeedGuids($feed->id(), $newGuids);
diff --git a/app/Controllers/importExportController.php b/app/Controllers/importExportController.php
index e380323c4..a1f789805 100644
--- a/app/Controllers/importExportController.php
+++ b/app/Controllers/importExportController.php
@@ -362,9 +362,7 @@ class FreshRSS_importExport_Controller extends Minz_ActionController {

 $newGuids = array();
 foreach ($article_object['items'] as $item) {
- $guid = $item['id'];
- $guid = filter_var($guid, FILTER_DEFAULT, FILTER_FLAG_STRIP_LOW | FILTER_FLAG_STRIP_HIGH);
- $newGuids[] = $guid;
+ $newGuids[] = safe_ascii($item['id']);
 }
 // For this feed, check existing GUIDs already in database.
 $existingHashForGuids = $this->entryDAO->listHashForFeedGuids($feed->id(), $newGuids);
diff --git a/app/Models/EntryDAO.php b/app/Models/EntryDAO.php
index 466e6f5a3..4c6a9ea20 100644
--- a/app/Models/EntryDAO.php
+++ b/app/Models/EntryDAO.php
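Review bot: The lookup key built on the added line, `safe_ascii($entry->guid())`, is not the value EntryDAO stores: there the guid is first cut with `substr(..., 0, 760)` and only then passed through `safe_ascii()`, so any GUID longer than 760 bytes never matches its stored form and the entry is treated as new on every refresh. Use one normalisation in both places, e.g. `$newGuids[] = safe_ascii(substr($entry->guid(), 0, 760));` here, or better a single `FreshRSS_EntryDAO::normalizeGuid()` that both the lookup and the INSERT path call so the length limit lives in one place. The enclosing method continues outside this hunk.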
@@ -123,7 +123,7 @@ class FreshRSS_EntryDAO extends Minz_ModelPdo implements FreshRSS_Searchable {
 }
 $this->addEntryPrepared->bindParam(':id', $valuesTmp['id']);
 $valuesTmp['guid'] = substr($valuesTmp['guid'], 0, 760);
- $valuesTmp['guid'] = filter_var($valuesTmp['guid'], FILTER_DEFAULT, FILTER_FLAG_STRIP_LOW | FILTER_FLAG_STRIP_HIGH);
+ $valuesTmp['guid'] = safe_ascii($valuesTmp['guid']);
 $this->addEntryPrepared->bindParam(':guid', $valuesTmp['guid']);
 $valuesTmp['title'] = substr($valuesTmp['title'], 0, 255);
 $this->addEntryPrepared->bindParam(':title', $valuesTmp['title']);
@@ -131,7 +131,7 @@ class FreshRSS_EntryDAO extends Minz_ModelPdo implements FreshRSS_Searchable {
 $this->addEntryPrepared->bindParam(':author', $valuesTmp['author']);
 $this->addEntryPrepared->bindParam(':content', $valuesTmp['content']);
 $valuesTmp['link'] = substr($valuesTmp['link'], 0, 1023);
- $valuesTmp['link'] = filter_var($valuesTmp['link'], FILTER_DEFAULT, FILTER_FLAG_STRIP_LOW | FILTER_FLAG_STRIP_HIGH);
+ $valuesTmp['link'] = safe_ascii($valuesTmp['link']);
 $this->addEntryPrepared->bindParam(':link', $valuesTmp['link']);
 $this->addEntryPrepared->bindParam(':date', $valuesTmp['date'], PDO::PARAM_INT);
 $valuesTmp['lastSeen'] = time();
@@ -192,7 +192,7 @@ class FreshRSS_EntryDAO extends Minz_ModelPdo implements FreshRSS_Searchable {
 $this->updateEntryPrepared->bindParam(':author', $valuesTmp['author']);
 $this->updateEntryPrepared->bindParam(':content', $valuesTmp['content']);
 $valuesTmp['link'] = substr($valuesTmp['link'], 0, 1023);
- $valuesTmp['link'] = filter_var($valuesTmp['link'], FILTER_DEFAULT, FILTER_FLAG_STRIP_LOW | FILTER_FLAG_STRIP_HIGH);
+ $valuesTmp['link'] = safe_ascii($valuesTmp['link']);
 $this->updateEntryPrepared->bindParam(':link', $valuesTmp['link']);
 $this->updateEntryPrepared->bindParam(':date', $valuesTmp['date'], PDO::PARAM_INT);
 $valuesTmp['lastSeen'] = time();
diff --git a/app/Models/FeedDAO.php b/app/Models/FeedDAO.php
index 33e19d750..b21f19b66 100644
--- a/app/Models/FeedDAO.php
+++ b/app/Models/FeedDAO.php
@@ -5,8 +5,8 @@ class FreshRSS_FeedDAO extends Minz_ModelPdo implements FreshRSS_Searchable {
 $sql = 'INSERT INTO `' . $this->prefix . 'feed` (url, category, name, website, description, `lastUpdate`, priority, `httpAuth`, error, keep_history, ttl) VALUES(?, ?, ?, ?, ?, ?, 10, ?, 0, -2, -2)';
 $stm = $this->bd->prepare($sql);
- $valuesTmp['url'] = filter_var($valuesTmp['url'], FILTER_DEFAULT, FILTER_FLAG_STRIP_LOW | FILTER_FLAG_STRIP_HIGH);
- $valuesTmp['website'] = filter_var($valuesTmp['website'], FILTER_DEFAULT, FILTER_FLAG_STRIP_LOW | FILTER_FLAG_STRIP_HIGH);
+ $valuesTmp['url'] = safe_ascii($valuesTmp['url']);
+ $valuesTmp['website'] = safe_ascii($valuesTmp['website']);


 $values = array(
 substr($valuesTmp['url'], 0, 511),
@@ -59,10 +59,10 @@ class FreshRSS_FeedDAO extends Minz_ModelPdo implements FreshRSS_Searchable {

 public function updateFeed($id, $valuesTmp) {
 if (isset($valuesTmp['url'])) {
- $valuesTmp['url'] = filter_var($valuesTmp['url'], FILTER_DEFAULT, FILTER_FLAG_STRIP_LOW | FILTER_FLAG_STRIP_HIGH);
+ $valuesTmp['url'] = safe_ascii($valuesTmp['url']);
 }
 if (isset($valuesTmp['website'])) {
- $valuesTmp['website'] = filter_var($valuesTmp['website'], FILTER_DEFAULT, FILTER_FLAG_STRIP_LOW | FILTER_FLAG_STRIP_HIGH);
+ $valuesTmp['website'] = safe_ascii($valuesTmp['website']);
 }

 $set = '';
diff --git a/lib/lib_rss.php b/lib/lib_rss.php
index b18512484..75046fd54 100644
--- a/lib/lib_rss.php
+++ b/lib/lib_rss.php
@@ -83,6 +83,9 @@ function checkUrl($url) {
 }
 }
+function safe_ascii($text) {
+ return filter_var($text, FILTER_DEFAULT, FILTER_FLAG_STRIP_LOW | FILTER_FLAG_STRIP_HIGH);
+}

 /**
 * Test if a given server address is publicly accessible.
-- cgit v1.2.3
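Review bot: `safe_ascii()` is added without a docblock, and its name promises more than it delivers: it is not HTML, SQL or shell escaping, and `FILTER_FLAG_STRIP_HIGH` deletes every byte of every non-ASCII character, so distinct guids collide and the host of an IDN URL is rewritten to a different domain. `filter_var()` also returns `false` instead of a string when handed a non-string such as an array, and that `false` then reaches the prepared statements in the callers. The version below keeps the ASCII-only contract but percent-encodes instead of deleting, casts the input, and documents what the helper is and is not for; IDN hosts still need `idn_to_ascii()` upstream, and the collate error cited in the first commit message is ultimately a column/connection charset problem that this helper only works around. The rest of lib_rss.php is outside this hunk.
```php
/**
 * Normalise a GUID or URL to printable 7-bit ASCII before it is stored.
 * Bytes outside 0x20-0x7E are percent-encoded rather than dropped, so two
 * distinct inputs cannot collapse into the same stored value.
 * This is storage normalisation only: it is NOT HTML, SQL or shell escaping,
 * and it does not convert IDN hosts (use idn_to_ascii() for those).
 *
 * @param mixed $text value to normalise; non-strings are cast to string
 * @return string string containing only printable ASCII
 */
function safe_ascii($text) {
	return preg_replace_callback('/[^\x20-\x7E]/', function ($m) {
		return rawurlencode($m[0]);
	}, (string)$text);
}
```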