From 35be1769de28df3fff1a26e40d1d6b1e587a2847 Mon Sep 17 00:00:00 2001 From: Alexandre Alapetite Date: Fri, 1 Aug 2014 20:20:25 +0200 Subject: Basic protection against XSRF using Referer https://github.com/marienfressinaud/FreshRSS/issues/554 Also edited the error controler to use the log message passed in Minz_Error::error(). --- lib/Minz/Translate.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lib/Minz') diff --git a/lib/Minz/Translate.php b/lib/Minz/Translate.php index df48350e9..8c2f90041 100644 --- a/lib/Minz/Translate.php +++ b/lib/Minz/Translate.php @@ -75,5 +75,5 @@ function _t($key) { unset($args[0]); array_unshift($args, $key); - return call_user_func_array("Minz_Translate::t", $args); + return call_user_func_array('Minz_Translate::t', $args); } -- cgit v1.2.3 From d477373ef2879bdeeaa3c157287c0fab98afefdc Mon Sep 17 00:00:00 2001 From: Alexandre Alapetite Date: Sat, 9 Aug 2014 19:58:39 +0200 Subject: SQLite: Bug creation new users Not tested much yet. Some MySQL parts changed a bit too to double-check. https://github.com/marienfressinaud/FreshRSS/issues/574 --- app/Models/UserDAO.php | 35 ++++++++++++++++++++++------------- app/SQL/install.sql.sqlite.php | 1 + lib/Minz/ModelPdo.php | 20 ++++++++++++-------- 3 files changed, 35 insertions(+), 21 deletions(-) (limited to 'lib/Minz') diff --git a/app/Models/UserDAO.php b/app/Models/UserDAO.php index 1763fac67..9f64fb4a7 100644 --- a/app/Models/UserDAO.php +++ b/app/Models/UserDAO.php @@ -4,18 +4,21 @@ class FreshRSS_UserDAO extends Minz_ModelPdo { public function createUser($username) { $db = Minz_Configuration::dataBase(); require_once(APP_PATH . '/SQL/install.sql.' . $db['type'] . '.php'); - - if (defined('SQL_CREATE_TABLES')) { + + $userPDO = new Minz_ModelPdo($username); + + $ok = false; + if (defined('SQL_CREATE_TABLES')) { //E.g. MySQL $sql = sprintf(SQL_CREATE_TABLES, $db['prefix'] . $username . '_', Minz_Translate::t('default_category')); - $stm = $this->bd->prepare($sql); + $stm = $userPDO->bd->prepare($sql); $ok = $stm && $stm->execute(); - } else { + } else { //E.g. SQLite global $SQL_CREATE_TABLES; if (is_array($SQL_CREATE_TABLES)) { $ok = true; foreach ($SQL_CREATE_TABLES as $instruction) { $sql = sprintf($instruction, '', Minz_Translate::t('default_category')); - $stm = $c->prepare($sql); + $stm = $userPDO->bd->prepare($sql); $ok &= ($stm && $stm->execute()); } } @@ -24,7 +27,7 @@ class FreshRSS_UserDAO extends Minz_ModelPdo { if ($ok) { return true; } else { - $info = $stm == null ? array(2 => 'syntax error') : $stm->errorInfo(); + $info = empty($stm) ? array(2 => 'syntax error') : $stm->errorInfo(); Minz_Log::record ('SQL error : ' . $info[2], Minz_Log::ERROR); return false; } @@ -34,14 +37,20 @@ class FreshRSS_UserDAO extends Minz_ModelPdo { $db = Minz_Configuration::dataBase(); require_once(APP_PATH . '/SQL/install.sql.' . $db['type'] . '.php'); - $sql = sprintf(SQL_DROP_TABLES, $db['prefix'] . $username . '_'); - $stm = $this->bd->prepare($sql); - if ($stm && $stm->execute()) { - return true; + if ($db['type'] === 'sqlite') { + return unlink(DATA_PATH . '/' . $username . '.sqlite'); } else { - $info = $stm == null ? array(2 => 'syntax error') : $stm->errorInfo(); - Minz_Log::record ('SQL error : ' . $info[2], Minz_Log::ERROR); - return false; + $userPDO = new Minz_ModelPdo($username); + + $sql = sprintf(SQL_DROP_TABLES, $db['prefix'] . $username . '_'); + $stm = $userPDO->bd->prepare($sql); + if ($stm && $stm->execute()) { + return true; + } else { + $info = $stm == null ? array(2 => 'syntax error') : $stm->errorInfo(); + Minz_Log::record ('SQL error : ' . $info[2], Minz_Log::ERROR); + return false; + } } } } diff --git a/app/SQL/install.sql.sqlite.php b/app/SQL/install.sql.sqlite.php index b90a5ef5e..7988ada04 100644 --- a/app/SQL/install.sql.sqlite.php +++ b/app/SQL/install.sql.sqlite.php @@ -1,4 +1,5 @@ bd = self::$sharedBd; $this->prefix = self::$sharedPrefix; return; @@ -42,6 +42,10 @@ class Minz_ModelPdo { $db = Minz_Configuration::dataBase(); + if ($currentUser === null) { + $currentUser = Minz_Session::param('currentUser', '_'); + } + try { $type = $db['type']; if ($type === 'mysql') { @@ -51,9 +55,9 @@ class Minz_ModelPdo { $driver_options = array( PDO::MYSQL_ATTR_INIT_COMMAND => 'SET NAMES utf8', ); - $this->prefix = $db['prefix'] . Minz_Session::param('currentUser', '_') . '_'; + $this->prefix = $db['prefix'] . $currentUser . '_'; } elseif ($type === 'sqlite') { - $string = 'sqlite:' . DATA_PATH . '/' . Minz_Session::param('currentUser', '_') . '.sqlite'; + $string = 'sqlite:' . DATA_PATH . '/' . $currentUser . '.sqlite'; $driver_options = array( //PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, ); @@ -67,7 +71,7 @@ class Minz_ModelPdo { self::$sharedDbType = $type; self::$sharedPrefix = $this->prefix; - $this->bd = new FreshPDO( + $this->bd = new MinzPDO( $string, $db['user'], $db['password'], @@ -98,7 +102,7 @@ class Minz_ModelPdo { } } -class FreshPDO extends PDO { +class MinzPDO extends PDO { private static function check($statement) { if (preg_match('/^(?:UPDATE|INSERT|DELETE)/i', $statement)) { invalidateHttpCache(); @@ -106,12 +110,12 @@ class FreshPDO extends PDO { } public function prepare($statement, $driver_options = array()) { - FreshPDO::check($statement); + MinzPDO::check($statement); return parent::prepare($statement, $driver_options); } public function exec($statement) { - FreshPDO::check($statement); + MinzPDO::check($statement); return parent::exec($statement); } } -- cgit v1.2.3 From eceb7756cfcf117c2a18984291181a84697ed3cd Mon Sep 17 00:00:00 2001 From: Marien Fressinaud Date: Sun, 10 Aug 2014 20:29:43 +0200 Subject: Add possibility to keep logged in with form Add an option to keep logged in. Change lifetime of session cookie to 1 year. See https://github.com/marienfressinaud/FreshRSS/issues/465 --- app/Controllers/indexController.php | 9 +++++++++ app/i18n/en.php | 1 + app/i18n/fr.php | 1 + app/views/index/formLogin.phtml | 23 +++++++++++++++-------- lib/Minz/Session.php | 35 ++++++++++++++++++++++++++++++----- 5 files changed, 56 insertions(+), 13 deletions(-) (limited to 'lib/Minz') diff --git a/app/Controllers/indexController.php b/app/Controllers/indexController.php index 3119073b8..18b99d0df 100755 --- a/app/Controllers/indexController.php +++ b/app/Controllers/indexController.php @@ -298,6 +298,7 @@ class FreshRSS_index_Controller extends Minz_ActionController { public function formLoginAction () { if (Minz_Request::isPost()) { $ok = false; + $keep_logged_in = Minz_Request::param('keep_logged_in', false); $nonce = Minz_Session::param('nonce'); $username = Minz_Request::param('username', ''); $c = Minz_Request::param('challenge', ''); @@ -312,6 +313,11 @@ class FreshRSS_index_Controller extends Minz_ActionController { if ($ok) { Minz_Session::_param('currentUser', $username); Minz_Session::_param('passwordHash', $s); + if ($keep_logged_in) { + // New cookie with a lifetime of 1 year! + Minz_Session::keepCookie(31536000); + Minz_Session::regenerateID(); + } } else { Minz_Log::record('Password mismatch for user ' . $username . ', nonce=' . $nonce . ', c=' . $c, Minz_Log::WARNING); } @@ -371,6 +377,9 @@ class FreshRSS_index_Controller extends Minz_ActionController { Minz_Session::_param('currentUser'); Minz_Session::_param('mail'); Minz_Session::_param('passwordHash'); + Minz_Session::keepCookie(0); + Minz_Session::regenerateID(); + Minz_Request::forward(array('c' => 'index', 'a' => 'index'), true); } } diff --git a/app/i18n/en.php b/app/i18n/en.php index d80299b10..3c55f62a2 100644 --- a/app/i18n/en.php +++ b/app/i18n/en.php @@ -3,6 +3,7 @@ return array ( // LAYOUT 'login' => 'Login', + 'keep_logged_in' => 'Keep me logged in', 'login_with_persona' => 'Login with Persona', 'logout' => 'Logout', 'search' => 'Search words or #tags', diff --git a/app/i18n/fr.php b/app/i18n/fr.php index 4be028ac3..63d779471 100644 --- a/app/i18n/fr.php +++ b/app/i18n/fr.php @@ -3,6 +3,7 @@ return array ( // LAYOUT 'login' => 'Connexion', + 'session_active' => 'Rester connecté', 'login_with_persona' => 'Connexion avec Persona', 'logout' => 'Déconnexion', 'search' => 'Rechercher des mots ou des #tags', diff --git a/app/views/index/formLogin.phtml b/app/views/index/formLogin.phtml index cc925ea59..f01a950b6 100644 --- a/app/views/index/formLogin.phtml +++ b/app/views/index/formLogin.phtml @@ -1,32 +1,39 @@
-

- +
- +
- +
- + +
+
+
+

- - + +

-

+

diff --git a/lib/Minz/Session.php b/lib/Minz/Session.php index ddabc4658..c859be2ed 100644 --- a/lib/Minz/Session.php +++ b/lib/Minz/Session.php @@ -15,13 +15,15 @@ class Minz_Session { * Le nom de session est utilisé comme nom pour les cookies et les URLs (i.e. PHPSESSID). * Il ne doit contenir que des caractères alphanumériques ; il doit être court et descriptif */ - public static function init ($name) { + public static function init($name) { + $cookie = session_get_cookie_params(); + self::keepCookie($cookie['lifetime']); + // démarre la session - session_name ($name); - session_set_cookie_params (0, dirname(empty($_SERVER['REQUEST_URI']) ? '/' : dirname($_SERVER['REQUEST_URI'])), null, false, true); - session_start (); + session_name($name); + session_start(); - if (isset ($_SESSION)) { + if (isset($_SESSION)) { self::$session = $_SESSION; } } @@ -68,4 +70,27 @@ class Minz_Session { Minz_Translate::reset (); } } + + + /** + * Spécifie la durée de vie des cookies + * @param $l la durée de vie + */ + public static function keepCookie($l) { + $cookie_dir = dirname( + empty($_SERVER['SCRIPT_NAME']) ? '' : $_SERVER['SCRIPT_NAME'] + ) . '/'; + session_set_cookie_params($l, $cookie_dir, $_SERVER['HTTP_HOST'], + false, true); + } + + + /** + * Régénère un id de session. + * Utile pour appeler session_set_cookie_params après session_start() + */ + public static function regenerateID() { + session_regenerate_id(true); + } + } -- cgit v1.2.3 From df47217839ccddb8e03015959c61b61e748d9700 Mon Sep 17 00:00:00 2001 From: Marien Fressinaud Date: Sun, 10 Aug 2014 23:41:36 +0200 Subject: Set session.gc_maxlifetime Take the maxvalue between 1440 (24m) and cookie lifetime when calling Minz_Session::keepCookie() See https://github.com/marienfressinaud/FreshRSS/issues/465 --- lib/Minz/Session.php | 3 +++ 1 file changed, 3 insertions(+) (limited to 'lib/Minz') diff --git a/lib/Minz/Session.php b/lib/Minz/Session.php index c859be2ed..fb3c5d74b 100644 --- a/lib/Minz/Session.php +++ b/lib/Minz/Session.php @@ -82,6 +82,9 @@ class Minz_Session { ) . '/'; session_set_cookie_params($l, $cookie_dir, $_SERVER['HTTP_HOST'], false, true); + + $l_session = max(1440, $l); + ini_set('session.gc_maxlifetime', $l_session); } -- cgit v1.2.3 From bc71a577fe3154080df9949b394c7ae552773c7b Mon Sep 17 00:00:00 2001 From: Marien Fressinaud Date: Mon, 11 Aug 2014 18:39:22 +0200 Subject: Revert "Set session.gc_maxlifetime" This reverts commit df47217839ccddb8e03015959c61b61e748d9700. See https://github.com/marienfressinaud/FreshRSS/issues/465 --- lib/Minz/Session.php | 3 --- 1 file changed, 3 deletions(-) (limited to 'lib/Minz') diff --git a/lib/Minz/Session.php b/lib/Minz/Session.php index fb3c5d74b..c859be2ed 100644 --- a/lib/Minz/Session.php +++ b/lib/Minz/Session.php @@ -82,9 +82,6 @@ class Minz_Session { ) . '/'; session_set_cookie_params($l, $cookie_dir, $_SERVER['HTTP_HOST'], false, true); - - $l_session = max(1440, $l); - ini_set('session.gc_maxlifetime', $l_session); } -- cgit v1.2.3 From 1b20f6bd025a08a7a741b2751d837f736758eb2d Mon Sep 17 00:00:00 2001 From: Marien Fressinaud Date: Tue, 12 Aug 2014 20:59:27 +0200 Subject: New wrappers Minz_Request::good() and bad() 1. Set a notification message in session variable 2. Redirect to a specific url First use in importExportController.php See https://github.com/marienfressinaud/FreshRSS/conversations/576 --- app/Controllers/importExportController.php | 57 ++++++------------------------ lib/Minz/Request.php | 25 +++++++++++++ 2 files changed, 35 insertions(+), 47 deletions(-) (limited to 'lib/Minz') diff --git a/app/Controllers/importExportController.php b/app/Controllers/importExportController.php index 15871ed80..92b39b575 100644 --- a/app/Controllers/importExportController.php +++ b/app/Controllers/importExportController.php @@ -43,17 +43,9 @@ class FreshRSS_importExport_Controller extends Minz_ActionController { $zip = zip_open($file['tmp_name']); if (!is_resource($zip)) { - Minz_Log::error( - 'Zip file cannot be imported. Error code: ' . $zip - ); - // zip_open cannot open file: something is wrong - Minz_Session::_param('notification', array( - 'type' => 'bad', - 'content' => _t('zip_error') - )); - - Minz_Request::forward(array('c' => 'importExport'), true); + Minz_Log::error('Zip file cannot be imported. Error code: ' . $zip); + Minz_Request::bad(_t('zip_error'), array('c' => 'importExport')); } while (($zipfile = zip_read($zip)) !== false) { @@ -72,12 +64,7 @@ class FreshRSS_importExport_Controller extends Minz_ActionController { zip_close($zip); } elseif ($type_file === 'zip') { // Zip extension is not loaded - Minz_Session::_param('notification', array( - 'type' => 'bad', - 'content' => _t('no_zip_extension') - )); - - Minz_Request::forward(array('c' => 'importExport'), true); + Minz_Request::bad(_t('no_zip_extension'), array('c' => 'importExport')); } elseif ($type_file !== 'unknown') { $list_files[$type_file][] = file_get_contents( $file['tmp_name'] @@ -100,35 +87,16 @@ class FreshRSS_importExport_Controller extends Minz_ActionController { } // And finally, we get import status and redirect to the home page - $notif = null; - if ($error === true) { - $content_notif = Minz_Translate::t( - 'feeds_imported_with_errors' - ); - } else { - $content_notif = Minz_Translate::t( - 'feeds_imported' - ); - } - - Minz_Session::_param('notification', array( - 'type' => 'good', - 'content' => $content_notif - )); Minz_Session::_param('actualize_feeds', true); - Minz_Request::forward(array( - 'c' => 'index', - 'a' => 'index' - ), true); + $content_notif = $error === true ? _t('feeds_imported_with_errors') : + _t('feeds_imported'); + Minz_Request::good($content_notif); } // What are you doing? you have to call this controller // with a POST request! - Minz_Request::forward(array( - 'c' => 'importExport', - 'a' => 'index' - )); + Minz_Request::forward(array('c' => 'importExport')); } private function guessFileType($filename) { @@ -362,17 +330,12 @@ class FreshRSS_importExport_Controller extends Minz_ActionController { $nb_files = count($export_files); if ($nb_files > 1) { - // If there are more than 1 file to export, we need an .zip + // If there are more than 1 file to export, we need a zip archive. try { $this->exportZip($export_files); } catch (Exception $e) { # Oops, there is no Zip extension! - $notif = array( - 'type' => 'bad', - 'content' => _t('export_no_zip_extension') - ); - Minz_Session::_param('notification', $notif); - Minz_Request::forward(array('c' => 'importExport'), true); + Minz_Request::bad(_t('export_no_zip_extension'), array('c' => 'importExport')); } } elseif ($nb_files === 1) { // Only one file? Guess its type and export it. @@ -386,7 +349,7 @@ class FreshRSS_importExport_Controller extends Minz_ActionController { $this->exportFile($filename, $export_files[$filename], $type); } else { - Minz_Request::forward(array('c' => 'importExport'), true); + Minz_Request::forward(array('c' => 'importExport')); } } } diff --git a/lib/Minz/Request.php b/lib/Minz/Request.php index 755784522..2f745a04c 100644 --- a/lib/Minz/Request.php +++ b/lib/Minz/Request.php @@ -146,6 +146,31 @@ class Minz_Request { } } + + /** + * Wrappers good notifications + redirection + * @param $msg notification content + * @param $url url array to where we should be forwarded + */ + public static function good($msg, $url = array()) { + Minz_Session::_param('notification', array( + 'type' => 'good', + 'content' => $msg + )); + + Minz_Request::forward($url, true); + } + + public static function bad($msg, $url = array()) { + Minz_Session::_param('notification', array( + 'type' => 'bad', + 'content' => $msg + )); + + Minz_Request::forward($url, true); + } + + /** * Permet de récupérer une variable de type $_GET * @param $param nom de la variable -- cgit v1.2.3 From ed7d8aa44fe5a005380056b7d164fc53079506fb Mon Sep 17 00:00:00 2001 From: Marien Fressinaud Date: Tue, 12 Aug 2014 21:04:39 +0200 Subject: Use REQUEST_URI instead of SCRIPT_NAME for cookies See https://github.com/marienfressinaud/FreshRSS/commit/eceb7756cfcf117c2a18984291181a84697ed3cd#commitcomment-7345438 --- lib/Minz/Session.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lib/Minz') diff --git a/lib/Minz/Session.php b/lib/Minz/Session.php index c859be2ed..efc8332e5 100644 --- a/lib/Minz/Session.php +++ b/lib/Minz/Session.php @@ -78,7 +78,7 @@ class Minz_Session { */ public static function keepCookie($l) { $cookie_dir = dirname( - empty($_SERVER['SCRIPT_NAME']) ? '' : $_SERVER['SCRIPT_NAME'] + empty($_SERVER['REQUEST_URI']) ? '' : $_SERVER['REQUEST_URI'] ) . '/'; session_set_cookie_params($l, $cookie_dir, $_SERVER['HTTP_HOST'], false, true); -- cgit v1.2.3 From 08a9009c19b2ae84555340622c344a2da38ae019 Mon Sep 17 00:00:00 2001 From: Marien Fressinaud Date: Tue, 12 Aug 2014 21:09:13 +0200 Subject: Fix a Minz_Session TODO Not use additional variable to manipulate session variables Fix coding style --- lib/Minz/Session.php | 32 ++++++++++---------------------- 1 file changed, 10 insertions(+), 22 deletions(-) (limited to 'lib/Minz') diff --git a/lib/Minz/Session.php b/lib/Minz/Session.php index efc8332e5..906acc03c 100644 --- a/lib/Minz/Session.php +++ b/lib/Minz/Session.php @@ -2,17 +2,11 @@ /** * La classe Session gère la session utilisateur - * C'est un singleton */ class Minz_Session { - /** - * $session stocke les variables de session - */ - private static $session = array (); //TODO: Try to avoid having another local copy - /** * Initialise la session, avec un nom - * Le nom de session est utilisé comme nom pour les cookies et les URLs (i.e. PHPSESSID). + * Le nom de session est utilisé comme nom pour les cookies et les URLs(i.e. PHPSESSID). * Il ne doit contenir que des caractères alphanumériques ; il doit être court et descriptif */ public static function init($name) { @@ -22,10 +16,6 @@ class Minz_Session { // démarre la session session_name($name); session_start(); - - if (isset($_SESSION)) { - self::$session = $_SESSION; - } } @@ -34,8 +24,8 @@ class Minz_Session { * @param $p le paramètre à récupérer * @return la valeur de la variable de session, false si n'existe pas */ - public static function param ($p, $default = false) { - return isset(self::$session[$p]) ? self::$session[$p] : $default; + public static function param($p, $default = false) { + return isset($_SESSION[$p]) ? $_SESSION[$p] : $default; } @@ -44,13 +34,11 @@ class Minz_Session { * @param $p le paramètre à créer ou modifier * @param $v la valeur à attribuer, false pour supprimer */ - public static function _param ($p, $v = false) { + public static function _param($p, $v = false) { if ($v === false) { - unset ($_SESSION[$p]); - unset (self::$session[$p]); + unset($_SESSION[$p]); } else { $_SESSION[$p] = $v; - self::$session[$p] = $v; } } @@ -59,15 +47,15 @@ class Minz_Session { * Permet d'effacer une session * @param $force si à false, n'efface pas le paramètre de langue */ - public static function unset_session ($force = false) { - $language = self::param ('language'); + public static function unset_session($force = false) { + $language = self::param('language'); session_destroy(); - self::$session = array (); + $_SESSION = array(); if (!$force) { - self::_param ('language', $language); - Minz_Translate::reset (); + self::_param('language', $language); + Minz_Translate::reset(); } } -- cgit v1.2.3 From 22e2bf9239c3c5ee87a59910d88107ff359b24df Mon Sep 17 00:00:00 2001 From: Marien Fressinaud Date: Tue, 12 Aug 2014 21:12:02 +0200 Subject: Fix coding style of Minz_Request --- lib/Minz/Request.php | 84 ++++++++++++++++++++++++++-------------------------- 1 file changed, 42 insertions(+), 42 deletions(-) (limited to 'lib/Minz') diff --git a/lib/Minz/Request.php b/lib/Minz/Request.php index 2f745a04c..f9b8e2564 100644 --- a/lib/Minz/Request.php +++ b/lib/Minz/Request.php @@ -10,7 +10,7 @@ class Minz_Request { private static $controller_name = ''; private static $action_name = ''; - private static $params = array (); + private static $params = array(); private static $default_controller_name = 'index'; private static $default_action_name = 'index'; @@ -18,25 +18,25 @@ class Minz_Request { /** * Getteurs */ - public static function controllerName () { + public static function controllerName() { return self::$controller_name; } - public static function actionName () { + public static function actionName() { return self::$action_name; } - public static function params () { + public static function params() { return self::$params; } - static function htmlspecialchars_utf8 ($p) { + static function htmlspecialchars_utf8($p) { if (is_array($p)) { return array_map('self::htmlspecialchars_utf8', $p); } return htmlspecialchars($p, ENT_COMPAT, 'UTF-8'); } - public static function param ($key, $default = false, $specialchars = false) { - if (isset (self::$params[$key])) { + public static function param($key, $default = false, $specialchars = false) { + if (isset(self::$params[$key])) { $p = self::$params[$key]; - if(is_object($p) || $specialchars) { + if (is_object($p) || $specialchars) { return $p; } else { return self::htmlspecialchars_utf8($p); @@ -45,32 +45,32 @@ class Minz_Request { return $default; } } - public static function defaultControllerName () { + public static function defaultControllerName() { return self::$default_controller_name; } - public static function defaultActionName () { + public static function defaultActionName() { return self::$default_action_name; } /** * Setteurs */ - public static function _controllerName ($controller_name) { + public static function _controllerName($controller_name) { self::$controller_name = $controller_name; } - public static function _actionName ($action_name) { + public static function _actionName($action_name) { self::$action_name = $action_name; } - public static function _params ($params) { + public static function _params($params) { if (!is_array($params)) { - $params = array ($params); + $params = array($params); } self::$params = $params; } - public static function _param ($key, $value = false) { + public static function _param($key, $value = false) { if ($value === false) { - unset (self::$params[$key]); + unset(self::$params[$key]); } else { self::$params[$key] = $value; } @@ -79,14 +79,14 @@ class Minz_Request { /** * Initialise la Request */ - public static function init () { - self::magicQuotesOff (); + public static function init() { + self::magicQuotesOff(); } /** * Retourn le nom de domaine du site */ - public static function getDomainName () { + public static function getDomainName() { return $_SERVER['HTTP_HOST']; } @@ -94,7 +94,7 @@ class Minz_Request { * Détermine la base de l'url * @return la base de l'url */ - public static function getBaseUrl () { + public static function getBaseUrl() { $defaultBaseUrl = Minz_Configuration::baseUrl(); if (!empty($defaultBaseUrl)) { return $defaultBaseUrl; @@ -109,13 +109,13 @@ class Minz_Request { * Récupère l'URI de la requête * @return l'URI */ - public static function getURI () { - if (isset ($_SERVER['REQUEST_URI'])) { - $base_url = self::getBaseUrl (); + public static function getURI() { + if (isset($_SERVER['REQUEST_URI'])) { + $base_url = self::getBaseUrl(); $uri = $_SERVER['REQUEST_URI']; - $len_base_url = strlen ($base_url); - $real_uri = substr ($uri, $len_base_url); + $len_base_url = strlen($base_url); + $real_uri = substr($uri, $len_base_url); } else { $real_uri = ''; } @@ -129,16 +129,16 @@ class Minz_Request { * @param $redirect si vrai, force la redirection http * > sinon, le dispatcher recharge en interne */ - public static function forward ($url = array (), $redirect = false) { - $url = Minz_Url::checkUrl ($url); + public static function forward($url = array(), $redirect = false) { + $url = Minz_Url::checkUrl($url); if ($redirect) { - header ('Location: ' . Minz_Url::display ($url, 'php')); - exit (); + header('Location: ' . Minz_Url::display($url, 'php')); + exit(); } else { - self::_controllerName ($url['c']); - self::_actionName ($url['a']); - self::_params (array_merge ( + self::_controllerName($url['c']); + self::_actionName($url['a']); + self::_params(array_merge( self::$params, $url['params'] )); @@ -179,10 +179,10 @@ class Minz_Request { * $_GET si $param = false * $default si $_GET[$param] n'existe pas */ - public static function fetchGET ($param = false, $default = false) { + public static function fetchGET($param = false, $default = false) { if ($param === false) { return $_GET; - } elseif (isset ($_GET[$param])) { + } elseif (isset($_GET[$param])) { return $_GET[$param]; } else { return $default; @@ -197,10 +197,10 @@ class Minz_Request { * $_POST si $param = false * $default si $_POST[$param] n'existe pas */ - public static function fetchPOST ($param = false, $default = false) { + public static function fetchPOST($param = false, $default = false) { if ($param === false) { return $_POST; - } elseif (isset ($_POST[$param])) { + } elseif (isset($_POST[$param])) { return $_POST[$param]; } else { return $default; @@ -213,15 +213,15 @@ class Minz_Request { * $_POST * $_COOKIE */ - private static function magicQuotesOff () { - if (get_magic_quotes_gpc ()) { - $_GET = Minz_Helper::stripslashes_r ($_GET); - $_POST = Minz_Helper::stripslashes_r ($_POST); - $_COOKIE = Minz_Helper::stripslashes_r ($_COOKIE); + private static function magicQuotesOff() { + if (get_magic_quotes_gpc()) { + $_GET = Minz_Helper::stripslashes_r($_GET); + $_POST = Minz_Helper::stripslashes_r($_POST); + $_COOKIE = Minz_Helper::stripslashes_r($_COOKIE); } } - public static function isPost () { + public static function isPost() { return $_SERVER['REQUEST_METHOD'] === 'POST'; } } -- cgit v1.2.3 From ede94098be5d330d4bf120eb8064c5c87eed7ef0 Mon Sep 17 00:00:00 2001 From: Marien Fressinaud Date: Tue, 12 Aug 2014 21:15:12 +0200 Subject: Fix missing REQUEST_METHOD Useful when executing actualize_script.php --- lib/Minz/Request.php | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'lib/Minz') diff --git a/lib/Minz/Request.php b/lib/Minz/Request.php index f9b8e2564..f3ecaf55c 100644 --- a/lib/Minz/Request.php +++ b/lib/Minz/Request.php @@ -222,6 +222,7 @@ class Minz_Request { } public static function isPost() { - return $_SERVER['REQUEST_METHOD'] === 'POST'; + return isset($_SERVER['REQUEST_METHOD']) && + $_SERVER['REQUEST_METHOD'] === 'POST'; } } -- cgit v1.2.3 From 7900c5e550acafaf0b877635840a8a270eb06078 Mon Sep 17 00:00:00 2001 From: Marien Fressinaud Date: Tue, 12 Aug 2014 21:56:34 +0200 Subject: Move htmlspecialchars_utf8 from Request to Helper And remove html_chars_utf8 to use htmlspecialchars_utf8 instead in importExportController --- app/Controllers/importExportController.php | 10 +++++----- lib/Minz/Helper.php | 11 +++++++++++ lib/Minz/Request.php | 8 +------- lib/lib_rss.php | 4 ---- 4 files changed, 17 insertions(+), 16 deletions(-) (limited to 'lib/Minz') diff --git a/app/Controllers/importExportController.php b/app/Controllers/importExportController.php index 92b39b575..a8e2c2bc2 100644 --- a/app/Controllers/importExportController.php +++ b/app/Controllers/importExportController.php @@ -166,15 +166,15 @@ class FreshRSS_importExport_Controller extends Minz_ActionController { } // We get different useful information - $url = html_chars_utf8($feed_elt['xmlUrl']); - $name = html_chars_utf8($feed_elt['text']); + $url = Minz_Helper::htmlspecialchars_utf8($feed_elt['xmlUrl']); + $name = Minz_Helper::htmlspecialchars_utf8($feed_elt['text']); $website = ''; if (isset($feed_elt['htmlUrl'])) { - $website = html_chars_utf8($feed_elt['htmlUrl']); + $website = Minz_Helper::htmlspecialchars_utf8($feed_elt['htmlUrl']); } $description = ''; if (isset($feed_elt['description'])) { - $description = html_chars_utf8($feed_elt['description']); + $description = Minz_Helper::htmlspecialchars_utf8($feed_elt['description']); } $error = false; @@ -200,7 +200,7 @@ class FreshRSS_importExport_Controller extends Minz_ActionController { private function addCategoryOpml($cat_elt, $parent_cat) { // Create a new Category object - $cat = new FreshRSS_Category(html_chars_utf8($cat_elt['text'])); + $cat = new FreshRSS_Category(Minz_Helper::htmlspecialchars_utf8($cat_elt['text'])); $id = $this->catDAO->addCategoryObject($cat); $error = ($id === false); diff --git a/lib/Minz/Helper.php b/lib/Minz/Helper.php index b058211d3..13bfdd93e 100644 --- a/lib/Minz/Helper.php +++ b/lib/Minz/Helper.php @@ -19,4 +19,15 @@ class Minz_Helper { return stripslashes($var); } } + + /** + * Wrapper for htmlspecialchars. + * Force UTf-8 value and can be used on array too. + */ + public static function htmlspecialchars_utf8($p) { + if (is_array($p)) { + return array_map('self::htmlspecialchars_utf8', $p); + } + return htmlspecialchars($p, ENT_COMPAT, 'UTF-8'); + } } diff --git a/lib/Minz/Request.php b/lib/Minz/Request.php index f3ecaf55c..52f53012f 100644 --- a/lib/Minz/Request.php +++ b/lib/Minz/Request.php @@ -27,19 +27,13 @@ class Minz_Request { public static function params() { return self::$params; } - static function htmlspecialchars_utf8($p) { - if (is_array($p)) { - return array_map('self::htmlspecialchars_utf8', $p); - } - return htmlspecialchars($p, ENT_COMPAT, 'UTF-8'); - } public static function param($key, $default = false, $specialchars = false) { if (isset(self::$params[$key])) { $p = self::$params[$key]; if (is_object($p) || $specialchars) { return $p; } else { - return self::htmlspecialchars_utf8($p); + return Minz_Helper::htmlspecialchars_utf8($p); } } else { return $default; diff --git a/lib/lib_rss.php b/lib/lib_rss.php index 86c0a4ae4..823f53716 100644 --- a/lib/lib_rss.php +++ b/lib/lib_rss.php @@ -230,7 +230,3 @@ function cryptAvailable() { } return false; } - -function html_chars_utf8($str) { - return htmlspecialchars($str, ENT_COMPAT, 'UTF-8'); -} -- cgit v1.2.3 From 93b2a5f240b061103fce5cf563a3cd5cae2c6bfe Mon Sep 17 00:00:00 2001 From: Marien Fressinaud Date: Tue, 12 Aug 2014 21:59:07 +0200 Subject: Coding style in Minz_Helper --- lib/Minz/Helper.php | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) (limited to 'lib/Minz') diff --git a/lib/Minz/Helper.php b/lib/Minz/Helper.php index 13bfdd93e..8d8b177ae 100644 --- a/lib/Minz/Helper.php +++ b/lib/Minz/Helper.php @@ -12,9 +12,9 @@ class Minz_Helper { * Annule les effets des magic_quotes pour une variable donnée * @param $var variable à traiter (tableau ou simple variable) */ - public static function stripslashes_r ($var) { - if (is_array ($var)){ - return array_map (array ('Helper', 'stripslashes_r'), $var); + public static function stripslashes_r($var) { + if (is_array($var)){ + return array_map(array('Helper', 'stripslashes_r'), $var); } else { return stripslashes($var); } @@ -24,10 +24,10 @@ class Minz_Helper { * Wrapper for htmlspecialchars. * Force UTf-8 value and can be used on array too. */ - public static function htmlspecialchars_utf8($p) { - if (is_array($p)) { - return array_map('self::htmlspecialchars_utf8', $p); + public static function htmlspecialchars_utf8($var) { + if (is_array($var)) { + return array_map(array('Helper', 'htmlspecialchars_utf8'), $var); } - return htmlspecialchars($p, ENT_COMPAT, 'UTF-8'); + return htmlspecialchars($var, ENT_COMPAT, 'UTF-8'); } } -- cgit v1.2.3 From f2b1826b475a7ad71ee68b13d22c03259e631195 Mon Sep 17 00:00:00 2001 From: Marien Fressinaud Date: Tue, 12 Aug 2014 22:27:07 +0200 Subject: Fix missing Minz_ prefix in Minz_Helper Nice bug :) It means another hidden bug is now corrected! --- lib/Minz/Helper.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'lib/Minz') diff --git a/lib/Minz/Helper.php b/lib/Minz/Helper.php index 8d8b177ae..f4a547c4e 100644 --- a/lib/Minz/Helper.php +++ b/lib/Minz/Helper.php @@ -14,7 +14,7 @@ class Minz_Helper { */ public static function stripslashes_r($var) { if (is_array($var)){ - return array_map(array('Helper', 'stripslashes_r'), $var); + return array_map(array('Minz_Helper', 'stripslashes_r'), $var); } else { return stripslashes($var); } @@ -26,7 +26,7 @@ class Minz_Helper { */ public static function htmlspecialchars_utf8($var) { if (is_array($var)) { - return array_map(array('Helper', 'htmlspecialchars_utf8'), $var); + return array_map(array('Minz_Helper', 'htmlspecialchars_utf8'), $var); } return htmlspecialchars($var, ENT_COMPAT, 'UTF-8'); } -- cgit v1.2.3 From ee1b8f6f72e8c2cbd3e0ad7b4322a4bb6863c028 Mon Sep 17 00:00:00 2001 From: Alexandre Alapetite Date: Wed, 13 Aug 2014 00:09:48 +0200 Subject: Long term cookie to keep session open Token system https://github.com/marienfressinaud/FreshRSS/issues/465 --- app/Controllers/indexController.php | 41 +++++++++++++++++++++++++++++-------- app/FreshRSS.php | 28 ++++++++++++++++++++++--- data/tokens/.gitignore | 1 + data/tokens/index.html | 13 ++++++++++++ lib/Minz/Session.php | 19 ++++++++++++----- 5 files changed, 86 insertions(+), 16 deletions(-) create mode 100644 data/tokens/.gitignore create mode 100644 data/tokens/index.html (limited to 'lib/Minz') diff --git a/app/Controllers/indexController.php b/app/Controllers/indexController.php index b907c8eed..dd5b91e47 100755 --- a/app/Controllers/indexController.php +++ b/app/Controllers/indexController.php @@ -295,10 +295,39 @@ class FreshRSS_index_Controller extends Minz_ActionController { Minz_Session::_param('passwordHash'); } + private static function makeLongTermCookie($username, $passwordHash) { + do { + $token = sha1(Minz_Configuration::salt() . $username . uniqid(mt_rand(), true)); + $tokenFile = DATA_PATH . '/tokens/' . $token . '.txt'; + } while (file_exists($tokenFile)); + if (@file_put_contents($tokenFile, $username . "\t" . $passwordHash) === false) { + return false; + } + $expire = time() + 2629744; //1 month //TODO: Use a configuration instead + Minz_Session::setLongTermCookie('FreshRSS_login', $token, $expire); + Minz_Session::_param('token', $token); + return $token; + } + + private static function deleteLongTermCookie() { + Minz_Session::deleteLongTermCookie('FreshRSS_login'); + $token = Minz_Session::param('token', null); + if (ctype_alnum($token)) { + @unlink(DATA_PATH . '/tokens/' . $token . '.txt'); + } + Minz_Session::_param('token'); + if (rand(0, 10) === 1) { + self::purgeTokens(); + } + } + + private static function purgeTokens() { + //TODO: Delete old token files + } + public function formLoginAction () { if (Minz_Request::isPost()) { $ok = false; - $keep_logged_in = Minz_Request::param('keep_logged_in', false); $nonce = Minz_Session::param('nonce'); $username = Minz_Request::param('username', ''); $c = Minz_Request::param('challenge', ''); @@ -313,10 +342,8 @@ class FreshRSS_index_Controller extends Minz_ActionController { if ($ok) { Minz_Session::_param('currentUser', $username); Minz_Session::_param('passwordHash', $s); - if ($keep_logged_in) { - // New cookie with a lifetime of 1 month. - Minz_Session::keepCookie(2592000); - Minz_Session::regenerateID(); + if (Minz_Request::param('keep_logged_in', false)) { + self::makeLongTermCookie($username, $s); } } else { Minz_Log::record('Password mismatch for user ' . $username . ', nonce=' . $nonce . ', c=' . $c, Minz_Log::WARNING); @@ -377,9 +404,7 @@ class FreshRSS_index_Controller extends Minz_ActionController { Minz_Session::_param('currentUser'); Minz_Session::_param('mail'); Minz_Session::_param('passwordHash'); - Minz_Session::keepCookie(0); - Minz_Session::regenerateID(); - + self::deleteLongTermCookie(); Minz_Request::forward(array('c' => 'index', 'a' => 'index'), true); } } diff --git a/app/FreshRSS.php b/app/FreshRSS.php index 7c333b090..30f711e20 100644 --- a/app/FreshRSS.php +++ b/app/FreshRSS.php @@ -20,13 +20,35 @@ class FreshRSS extends Minz_FrontController { $this->loadNotifications(); } + private static function getCredentialsFromLongTermCookie() { + $token = Minz_Session::getLongTermCookie('FreshRSS_login'); + if (!ctype_alnum($token)) { + return array(); + } + $tokenFile = DATA_PATH . '/tokens/' . $token . '.txt'; + $mtime = @filemtime($tokenFile); + if ($mtime + 2629744 < time()) { //1 month //TODO: Use a configuration instead + @unlink($tokenFile); + return array(); //Expired or token does not exist + } + $credentials = @file_get_contents($tokenFile); + return $credentials === false ? array() : explode("\t", $credentials, 2); + } + private function accessControl($currentUser) { if ($currentUser == '') { switch (Minz_Configuration::authType()) { case 'form': - $currentUser = Minz_Configuration::defaultUser(); - Minz_Session::_param('passwordHash'); - $loginOk = false; + $credentials = self::getCredentialsFromLongTermCookie(); + if (isset($credentials[1])) { + $currentUser = trim($credentials[0]); + Minz_Session::_param('passwordHash', trim($credentials[1])); + } + $loginOk = $currentUser != ''; + if (!$loginOk) { + $currentUser = Minz_Configuration::defaultUser(); + Minz_Session::_param('passwordHash'); + } break; case 'http_auth': $currentUser = httpAuthUser(); diff --git a/data/tokens/.gitignore b/data/tokens/.gitignore new file mode 100644 index 000000000..2211df63d --- /dev/null +++ b/data/tokens/.gitignore @@ -0,0 +1 @@ +*.txt diff --git a/data/tokens/index.html b/data/tokens/index.html new file mode 100644 index 000000000..85faaa37e --- /dev/null +++ b/data/tokens/index.html @@ -0,0 +1,13 @@ + + + + + +Redirection + + + + +

Redirection

+ + diff --git a/lib/Minz/Session.php b/lib/Minz/Session.php index 906acc03c..af4de75bb 100644 --- a/lib/Minz/Session.php +++ b/lib/Minz/Session.php @@ -65,11 +65,8 @@ class Minz_Session { * @param $l la durée de vie */ public static function keepCookie($l) { - $cookie_dir = dirname( - empty($_SERVER['REQUEST_URI']) ? '' : $_SERVER['REQUEST_URI'] - ) . '/'; - session_set_cookie_params($l, $cookie_dir, $_SERVER['HTTP_HOST'], - false, true); + $cookie_dir = empty($_SERVER['REQUEST_URI']) ? '' : $_SERVER['REQUEST_URI']; + session_set_cookie_params($l, $cookie_dir, '', false, true); } @@ -81,4 +78,16 @@ class Minz_Session { session_regenerate_id(true); } + public static function deleteLongTermCookie($name) { + setcookie($name, '', 1, '', '', false, true); + } + + public static function setLongTermCookie($name, $value, $expire) { + setcookie($name, $value, $expire, '', '', false, true); + } + + public static function getLongTermCookie($name) { + return isset($_COOKIE[$name]) ? $_COOKIE[$name] : null; + } + } -- cgit v1.2.3