From 8a6b38115456f592c8a246f9abbb84f4449721c0 Mon Sep 17 00:00:00 2001
From: Alexandre Alapetite
Date: Sat, 25 Feb 2017 11:51:54 +0100
Subject: Sanitize Web site URL

https://github.com/FreshRSS/FreshRSS/issues/1434
---
 lib/lib_rss.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'lib/lib_rss.php')

diff --git a/lib/lib_rss.php b/lib/lib_rss.php
index 560e5b256..78c9cabea 100644
--- a/lib/lib_rss.php
+++ b/lib/lib_rss.php
@@ -69,10 +69,10 @@ function idn_to_puny($url) {
 }
 
 function checkUrl($url) {
-	if (empty ($url)) {
+	if ($url == '') {
 		return '';
 	}
-	if (!preg_match ('#^https?://#i', $url)) {
+	if (!preg_match('#^https?://#i', $url)) {
 		$url = 'http://' . $url;
 	}
 	$url = idn_to_puny($url);	//PHP bug #53474 IDN
-- cgit v1.2.3

From 271a1fdc8900a8b2c32675c22dce1cc458209de4 Mon Sep 17 00:00:00 2001
From: Alexandre Alapetite
Date: Sat, 25 Feb 2017 12:39:08 +0100
Subject: Missing checkUsername and const patten

https://github.com/FreshRSS/FreshRSS/pull/1423
https://github.com/YunoHost-Apps/freshrss_ynh/issues/27#issuecomment-279792363
---
 app/Controllers/javascriptController.php | 2 +-
 app/Controllers/userController.php | 9 +++++++--
 app/Models/Feed.php | 2 +-
 app/Models/UserDAO.php | 2 +-
 app/install.php | 2 +-
 app/views/auth/formLogin.phtml | 2 +-
 app/views/auth/register.phtml | 2 +-
 app/views/user/manage.phtml | 2 +-
 cli/reconfigure.php | 2 +-
 lib/lib_rss.php | 2 +-
 p/api/greader.php | 2 +-
 11 files changed, 17 insertions(+), 12 deletions(-)
(limited to 'lib/lib_rss.php')

diff --git a/app/Controllers/javascriptController.php b/app/Controllers/javascriptController.php
index 00a7b5c38..6336106a9 100755
--- a/app/Controllers/javascriptController.php
+++ b/app/Controllers/javascriptController.php
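Review bot: `if ($url == '')` is a loose comparison, so `null` and `false` also take the early return — presumably the intended replacement for `empty()` — but it says nothing about non-string input, which then reaches `preg_match()` two lines below and is coerced or warned about there. Stating the intent explicitly keeps both cases out: `if (!is_string($url) || $url === '') {`. The body of `checkUrl` continues past the hunk, so the sanitisation the commit title refers to is not visible here; only the scheme prefixing and the `idn_to_puny()` call are.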
@@ -26,7 +26,7 @@ class FreshRSS_javascript_Controller extends Minz_ActionController {
 		header('Pragma: no-cache');
 		$user = isset($_GET['user']) ? $_GET['user'] : '';
-		if (ctype_alnum($user)) {
+		if (FreshRSS_user_Controller::checkUsername($user)) {
 			try {
 				$salt = FreshRSS_Context::$system_conf->salt;
 				$conf = get_user_configuration($user);
diff --git a/app/Controllers/userController.php b/app/Controllers/userController.php
index 718207734..13a6fce67 100644
--- a/app/Controllers/userController.php
+++ b/app/Controllers/userController.php
@@ -34,9 +34,14 @@ class FreshRSS_user_Controller extends Minz_ActionController {
 		return $passwordHash == '' ? '' : $passwordHash;
 	}
 
+	/**
+	 * The username is also used as folder name, and part of SQL table name.
+	 * '_' is a reserved internal username.
+	 */
+	const USERNAME_PATTERN = '[0-9a-zA-Z]|[0-9a-zA-Z_]{2,38}';
+
 	public static function checkUsername($username) {
-		$match = '/^[0-9a-zA-Z_]{1,38}$/';
-		return preg_match($match, $username) === 1;
+		return preg_match('/^' . self::USERNAME_PATTERN . '$/', $username) === 1;
 	}
 
 	/**
diff --git a/app/Models/Feed.php b/app/Models/Feed.php
index 97cb1c47e..7a9cf8612 100644
--- a/app/Models/Feed.php
+++ b/app/Models/Feed.php
@@ -442,7 +442,7 @@ class FreshRSS_Feed extends Minz_Model {
 				file_put_contents(USERS_PATH . '/_/log_pshb.txt', date('c') . "\t" . $text . "\n", FILE_APPEND);
 			}
 			$currentUser = Minz_Session::param('currentUser');
-			if (ctype_alnum($currentUser) && !file_exists($path . '/' . $currentUser . '.txt')) {
+			if (FreshRSS_user_Controller::checkUsername($currentUser) && !file_exists($path . '/' . $currentUser . '.txt')) {
 				touch($path . '/' . $currentUser . '.txt');
 			}
 		}
diff --git a/app/Models/UserDAO.php b/app/Models/UserDAO.php
index 32bc6de2f..a60caf395 100644
--- a/app/Models/UserDAO.php
+++ b/app/Models/UserDAO.php
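Review bot: In `checkUsername`, the expression built as `'/^' . self::USERNAME_PATTERN . '$/'` is not anchored the way the old `/^[0-9a-zA-Z_]{1,38}$/` was: the constant contains a top-level alternation, so PCRE parses it as `^[0-9a-zA-Z]` OR `[0-9a-zA-Z_]{2,38}$`, and any value that merely begins with one allowed character (or ends with two to thirty-eight of them) is accepted regardless of what else it contains. The docblock above the constant says the username becomes a folder name and part of a table name, and every other hunk in this commit (javascriptController, Feed, UserDAO, reconfigure, invalidateHttpCache, greader) now relies on this one check, so the grouping matters. Wrap the constant in a group and make the end anchor strict so a trailing newline is rejected as well: `return preg_match('/^(?:' . self::USERNAME_PATTERN . ')$/D', $username) === 1;`. Keeping the group in the call rather than in the constant leaves `USERNAME_PATTERN` itself unchanged, which seems to be the point given its reuse in the view templates (those hunks are not legible here).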
@@ -85,7 +85,7 @@ class FreshRSS_UserDAO extends Minz_ModelPdo {
 	}
 
 	public static function touch($username = '') {
-		if (($username == '') || (!ctype_alnum($username))) {
+		if (!FreshRSS_user_Controller::checkUsername($username)) {
 			$username = Minz_Session::param('currentUser', '_');
 		}
 		return touch(join_path(DATA_PATH , 'users', $username, 'config.php'));
diff --git a/app/install.php b/app/install.php
index 8c65a0977..58674e3a7 100644
--- a/app/install.php
+++ b/app/install.php
@@ -553,7 +553,7 @@ function printStep2() {
- +
diff --git a/app/views/auth/formLogin.phtml b/app/views/auth/formLogin.phtml
index 24cb14c6e..2f881dde7 100644
--- a/app/views/auth/formLogin.phtml
+++ b/app/views/auth/formLogin.phtml
@@ -9,7 +9,7 @@
- +
diff --git a/app/views/auth/register.phtml b/app/views/auth/register.phtml
index d7997f5f5..fce7e1388 100644
--- a/app/views/auth/register.phtml
+++ b/app/views/auth/register.phtml
@@ -5,7 +5,7 @@
- +
diff --git a/app/views/user/manage.phtml b/app/views/user/manage.phtml
index 10bee5507..9238a01b9 100644
--- a/app/views/user/manage.phtml
+++ b/app/views/user/manage.phtml
@@ -22,7 +22,7 @@
- +
diff --git a/cli/reconfigure.php b/cli/reconfigure.php
index 5294dd2df..da451b3ef 100755
--- a/cli/reconfigure.php
+++ b/cli/reconfigure.php
@@ -45,7 +45,7 @@ foreach ($dBparams as $dBparam) {
 }
 $config->db = $db;
-if (!ctype_alnum($config->default_user)) {
+if (!FreshRSS_user_Controller::checkUsername($config->default_user)) {
 	fail('FreshRSS invalid default username (must be ASCII alphanumeric): ' . $config->default_user);
 }
diff --git a/lib/lib_rss.php b/lib/lib_rss.php
index 560e5b256..cdd08719d 100644
--- a/lib/lib_rss.php
+++ b/lib/lib_rss.php
@@ -285,7 +285,7 @@ function uSecString() {
 }
 
 function invalidateHttpCache($username = '') {
-	if (($username == '') || (!ctype_alnum($username))) {
+	if (!FreshRSS_user_Controller::checkUsername($username)) {
 		Minz_Session::_param('touch', uTimeString());
 		$username = Minz_Session::param('currentUser', '_');
 	}
diff --git a/p/api/greader.php b/p/api/greader.php
index 4965ffd3b..01eca6d4f 100644
--- a/p/api/greader.php
+++ b/p/api/greader.php
@@ -152,7 +152,7 @@ function authorizationToUser() {
 		$headerAuthX = explode('/', $headerAuth, 2);
 		if (count($headerAuthX) === 2) {
 			$user = $headerAuthX[0];
-			if (ctype_alnum($user)) {
+			if (FreshRSS_user_Controller::checkUsername($user)) {
 				FreshRSS_Context::$user_conf = get_user_configuration($user);
 				if (FreshRSS_Context::$user_conf == null) {
 					Minz_Log::warning('Invalid API user ' . $user . ': configuration cannot be found.');
-- cgit v1.2.3

From 9c012e6c81e435736bfef78e0669cd236ed9d73b Mon Sep 17 00:00:00 2001
From: Alexandre Alapetite
Date: Thu, 2 Mar 2017 22:57:02 +0100
Subject: Fix SQLite CLI install

https://github.com/FreshRSS/FreshRSS/issues/1445
https://github.com/FreshRSS/FreshRSS/issues/1443
https://github.com/FreshRSS/FreshRSS/issues/1443
---
 app/Controllers/userController.php | 7 +++++--
 lib/lib_rss.php | 9 ++-------
 2 files changed, 7 insertions(+), 9 deletions(-)
(limited to 'lib/lib_rss.php')
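Review bot: The message on the `fail(...)` line in cli/reconfigure.php still says `must be ASCII alphanumeric`, but the condition above it now delegates to `FreshRSS_user_Controller::checkUsername`, which also allows `_` and enforces a length limit, so the text no longer describes the rule that rejected the value. Derive the message from the same source as the check so the two cannot drift again: `fail('FreshRSS invalid default username (must match ' . FreshRSS_user_Controller::USERNAME_PATTERN . '): ' . $config->default_user);`. The same switch from `ctype_alnum` to `checkUsername` in the invalidateHttpCache and greader hunks on this line needs no message change.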
diff --git a/app/Controllers/userController.php b/app/Controllers/userController.php
index 593e24cf2..f910cecd9 100644
--- a/app/Controllers/userController.php
+++ b/app/Controllers/userController.php
@@ -115,6 +115,7 @@ class FreshRSS_user_Controller extends Minz_ActionController {
 		}
 		$ok = self::checkUsername($new_user_name);
+		$homeDir = join_path(DATA_PATH, 'users', $new_user_name);
 		if ($ok) {
 			$languages = Minz_Translate::availableLanguages();
@@ -124,7 +125,7 @@ class FreshRSS_user_Controller extends Minz_ActionController {
 			$ok &= !in_array(strtoupper($new_user_name), array_map('strtoupper', listUsers()));	//Not an existing user, case-insensitive
-			$configPath = join_path(DATA_PATH, 'users', $new_user_name, 'config.php');
+			$configPath = join_path($homeDir, 'config.php');
 			$ok &= !file_exists($configPath);
 		}
 		if ($ok) {
@@ -141,7 +142,9 @@ class FreshRSS_user_Controller extends Minz_ActionController {
 			}
 		}
 		if ($ok) {
-			mkdir(join_path(DATA_PATH, 'users', $new_user_name));
+			if (!is_dir($homeDir)) {
+				mkdir($homeDir);
+			}
 			$userConfig['passwordHash'] = $passwordHash;
 			$userConfig['apiPasswordHash'] = $apiPasswordHash;
 			$ok &= (file_put_contents($configPath, "
Date: Sat, 4 Mar 2017 11:53:57 +0100
Subject: Changelog CLI

https://github.com/FreshRSS/FreshRSS/issues/1443
https://github.com/FreshRSS/FreshRSS/pull/1444
https://github.com/FreshRSS/FreshRSS/issues/1445
https://github.com/FreshRSS/FreshRSS/pull/1447
https://github.com/FreshRSS/FreshRSS/issues/1448
https://github.com/FreshRSS/FreshRSS/issues/1449
---
 CHANGELOG.md | 6 ++++++
 lib/lib_rss.php | 5 ++++-
 2 files changed, 10 insertions(+), 1 deletion(-)
(limited to 'lib/lib_rss.php')

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 44c6d333f..27f04791e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
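Review bot: In the `@@ -115` hunk, `$homeDir` is built from `$new_user_name` on the line right after `$ok = self::checkUsername($new_user_name);`, i.e. before the result has been tested; this is safe only because the path is used solely inside the `if ($ok)` branches (`$configPath` in the `@@ -124` hunk and the directory handling later), and a reader scanning the method cannot see that without tracing every use. A one-line comment above it would make the invariant explicit: `// Only used below inside if ($ok) branches, i.e. once $new_user_name has passed checkUsername()`. Alternatively move the assignment into the first `if ($ok)` block so the dependency is structural. The method continues outside these hunks.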
@@ -8,13 +8,19 @@ * Share with GNU social [#1422](https://github.com/FreshRSS/FreshRSS/issues/1422) * CLI * New command `./cli/reconfigure.php` to update an existing installation [#1439](https://github.com/FreshRSS/FreshRSS/pull/1439) + * Many CLI improvements [#1447](https://github.com/FreshRSS/FreshRSS/pull/1447) + * More information (number of feeds, articles, etc.) in `./cli/user-info.php` + * Better idempotency of `./cli/do-install.php` and language parameter [#1449](https://github.com/FreshRSS/FreshRSS/issues/1449) * UI * New theme *Origine-compact* [#1388](https://github.com/FreshRSS/FreshRSS/pull/1388) * Chrome parity with Firefox: auto-focus tab when clicking on notification [#1409](https://github.com/FreshRSS/FreshRSS/pull/1409) * Bug fixing * Fix PostgreSQL bugs with API and feed modifications [#1417](https://github.com/FreshRSS/FreshRSS/pull/1417) + * Fix several CLI issues [#1445](https://github.com/FreshRSS/FreshRSS/issues/1445) + * Fix CLI install bugs with SQLite [#1443](https://github.com/FreshRSS/FreshRSS/issues/1443), [#1448](https://github.com/FreshRSS/FreshRSS/issues/1448) * Allow empty strings in CLI do-install [#1435](https://github.com/FreshRSS/FreshRSS/pull/1435) * Do not mark as read in anonymous mode [#1431](https://github.com/FreshRSS/FreshRSS/issues/1431) + * Fix Favicons warning [#59dfc64](https://github.com/FreshRSS/FreshRSS/pull/1447/commits/59dfc64512372eaba7609d84500d943bb7274399) * Security * Sanitize feed Web site URL [#1434](https://github.com/FreshRSS/FreshRSS/issues/1434) * No version number for anonymous users [#1404](https://github.com/FreshRSS/FreshRSS/issues/1404) diff --git a/lib/lib_rss.php b/lib/lib_rss.php index 2d593b6a2..4298e90bf 100644 --- a/lib/lib_rss.php +++ b/lib/lib_rss.php 
@@ -295,7 +295,10 @@ function invalidateHttpCache($username = '') {
 function listUsers() {
 	$final_list = array();
 	$base_path = join_path(DATA_PATH, 'users');
-	$dir_list = scandir($base_path);
+	$dir_list = array_values(array_diff( scandir($base_path), array('..', '.', '_') ));
 	foreach ($dir_list as $file) {
 		if ($file[0] !== '.' && is_dir(join_path($base_path, $file)) && file_exists(join_path($base_path, $file, 'config.php'))) {
 			$final_list[] = $file;
-- cgit v1.2.3
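Review bot: The new `array_diff(scandir($base_path), array('..', '.', '_'))` hard-codes `'_'` as the excluded internal user, duplicating knowledge that the `USERNAME_PATTERN` docblock in the earlier commit on this page already records, and `'.'`/`'..'` are already dropped by the `$file[0] !== '.'` test in the loop below, so only the `'_'` entry changes behaviour. Tie the two together with a comment such as `// '_' is the reserved internal user (see FreshRSS_user_Controller::USERNAME_PATTERN); '.' and '..' are also filtered in the loop below`, or filter on `FreshRSS_user_Controller::checkUsername($file)` inside the loop so one rule governs both creating and listing users. `scandir()` returning `false` on an unreadable directory is still unhandled, as it was before this change. `listUsers` continues past the hunk.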