From 8a6b38115456f592c8a246f9abbb84f4449721c0 Mon Sep 17 00:00:00 2001 From: Alexandre Alapetite Date: Sat, 25 Feb 2017 11:51:54 +0100 Subject: Sanitize Web site URL https://github.com/FreshRSS/FreshRSS/issues/1434 --- lib/lib_rss.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'lib') diff --git a/lib/lib_rss.php b/lib/lib_rss.php index 560e5b256..78c9cabea 100644 --- a/lib/lib_rss.php +++ b/lib/lib_rss.php @@ -69,10 +69,10 @@ function idn_to_puny($url) { } function checkUrl($url) { - if (empty ($url)) { + if ($url == '') { return ''; } - if (!preg_match ('#^https?://#i', $url)) { + if (!preg_match('#^https?://#i', $url)) { $url = 'http://' . $url; } $url = idn_to_puny($url); //PHP bug #53474 IDN -- cgit v1.2.3 From 271a1fdc8900a8b2c32675c22dce1cc458209de4 Mon Sep 17 00:00:00 2001 From: Alexandre Alapetite Date: Sat, 25 Feb 2017 12:39:08 +0100 Subject: Missing checkUsername and const patten https://github.com/FreshRSS/FreshRSS/pull/1423 https://github.com/YunoHost-Apps/freshrss_ynh/issues/27#issuecomment-279792363 --- app/Controllers/javascriptController.php | 2 +- app/Controllers/userController.php | 9 +++++++-- app/Models/Feed.php | 2 +- app/Models/UserDAO.php | 2 +- app/install.php | 2 +- app/views/auth/formLogin.phtml | 2 +- app/views/auth/register.phtml | 2 +- app/views/user/manage.phtml | 2 +- cli/reconfigure.php | 2 +- lib/lib_rss.php | 2 +- p/api/greader.php | 2 +- 11 files changed, 17 insertions(+), 12 deletions(-) (limited to 'lib') diff --git a/app/Controllers/javascriptController.php b/app/Controllers/javascriptController.php index 00a7b5c38..6336106a9 100755 --- a/app/Controllers/javascriptController.php +++ b/app/Controllers/javascriptController.php @@ -26,7 +26,7 @@ class FreshRSS_javascript_Controller extends Minz_ActionController { header('Pragma: no-cache'); $user = isset($_GET['user']) ? $_GET['user'] : ''; - if (ctype_alnum($user)) { + if (FreshRSS_user_Controller::checkUsername($user)) { try { $salt = FreshRSS_Context::$system_conf->salt; $conf = get_user_configuration($user); diff --git a/app/Controllers/userController.php b/app/Controllers/userController.php index 718207734..13a6fce67 100644 --- a/app/Controllers/userController.php +++ b/app/Controllers/userController.php @@ -34,9 +34,14 @@ class FreshRSS_user_Controller extends Minz_ActionController { return $passwordHash == '' ? '' : $passwordHash; } + /** + * The username is also used as folder name, and part of SQL table name. + * '_' is a reserved internal username. + */ + const USERNAME_PATTERN = '[0-9a-zA-Z]|[0-9a-zA-Z_]{2,38}'; + public static function checkUsername($username) { - $match = '/^[0-9a-zA-Z_]{1,38}$/'; - return preg_match($match, $username) === 1; + return preg_match('/^' . self::USERNAME_PATTERN . '$/', $username) === 1; } /** diff --git a/app/Models/Feed.php b/app/Models/Feed.php index 97cb1c47e..7a9cf8612 100644 --- a/app/Models/Feed.php +++ b/app/Models/Feed.php @@ -442,7 +442,7 @@ class FreshRSS_Feed extends Minz_Model { file_put_contents(USERS_PATH . '/_/log_pshb.txt', date('c') . "\t" . $text . "\n", FILE_APPEND); } $currentUser = Minz_Session::param('currentUser'); - if (ctype_alnum($currentUser) && !file_exists($path . '/' . $currentUser . '.txt')) { + if (FreshRSS_user_Controller::checkUsername($currentUser) && !file_exists($path . '/' . $currentUser . '.txt')) { touch($path . '/' . $currentUser . '.txt'); } } diff --git a/app/Models/UserDAO.php b/app/Models/UserDAO.php index 32bc6de2f..a60caf395 100644 --- a/app/Models/UserDAO.php +++ b/app/Models/UserDAO.php @@ -85,7 +85,7 @@ class FreshRSS_UserDAO extends Minz_ModelPdo { } public static function touch($username = '') { - if (($username == '') || (!ctype_alnum($username))) { + if (!FreshRSS_user_Controller::checkUsername($username)) { $username = Minz_Session::param('currentUser', '_'); } return touch(join_path(DATA_PATH , 'users', $username, 'config.php')); diff --git a/app/install.php b/app/install.php index 8c65a0977..58674e3a7 100644 --- a/app/install.php +++ b/app/install.php @@ -553,7 +553,7 @@ function printStep2() {
- +
diff --git a/app/views/auth/formLogin.phtml b/app/views/auth/formLogin.phtml index 24cb14c6e..2f881dde7 100644 --- a/app/views/auth/formLogin.phtml +++ b/app/views/auth/formLogin.phtml @@ -9,7 +9,7 @@
- +
diff --git a/app/views/auth/register.phtml b/app/views/auth/register.phtml index d7997f5f5..fce7e1388 100644 --- a/app/views/auth/register.phtml +++ b/app/views/auth/register.phtml @@ -5,7 +5,7 @@
- +
diff --git a/app/views/user/manage.phtml b/app/views/user/manage.phtml index 10bee5507..9238a01b9 100644 --- a/app/views/user/manage.phtml +++ b/app/views/user/manage.phtml @@ -22,7 +22,7 @@
- +
diff --git a/cli/reconfigure.php b/cli/reconfigure.php index 5294dd2df..da451b3ef 100755 --- a/cli/reconfigure.php +++ b/cli/reconfigure.php @@ -45,7 +45,7 @@ foreach ($dBparams as $dBparam) { } $config->db = $db; -if (!ctype_alnum($config->default_user)) { +if (!FreshRSS_user_Controller::checkUsername($config->default_user)) { fail('FreshRSS invalid default username (must be ASCII alphanumeric): ' . $config->default_user); } diff --git a/lib/lib_rss.php b/lib/lib_rss.php index 560e5b256..cdd08719d 100644 --- a/lib/lib_rss.php +++ b/lib/lib_rss.php @@ -285,7 +285,7 @@ function uSecString() { } function invalidateHttpCache($username = '') { - if (($username == '') || (!ctype_alnum($username))) { + if (!FreshRSS_user_Controller::checkUsername($username)) { Minz_Session::_param('touch', uTimeString()); $username = Minz_Session::param('currentUser', '_'); } diff --git a/p/api/greader.php b/p/api/greader.php index 4965ffd3b..01eca6d4f 100644 --- a/p/api/greader.php +++ b/p/api/greader.php @@ -152,7 +152,7 @@ function authorizationToUser() { $headerAuthX = explode('/', $headerAuth, 2); if (count($headerAuthX) === 2) { $user = $headerAuthX[0]; - if (ctype_alnum($user)) { + if (FreshRSS_user_Controller::checkUsername($user)) { FreshRSS_Context::$user_conf = get_user_configuration($user); if (FreshRSS_Context::$user_conf == null) { Minz_Log::warning('Invalid API user ' . $user . ': configuration cannot be found.'); -- cgit v1.2.3 From 17296f99d26ef3eb5a2e73428e3d67e418846ab7 Mon Sep 17 00:00:00 2001 From: Alexandre Alapetite Date: Tue, 28 Feb 2017 21:12:47 +0100 Subject: Fix CLI install bug with SQLite And improve requirements check https://github.com/FreshRSS/FreshRSS/issues/1443 --- cli/do-install.php | 41 ++++++++++++++++++++++------------------- lib/lib_install.php | 35 +++++++++++++++++++++++++++++++---- 2 files changed, 53 insertions(+), 23 deletions(-) (limited to 'lib') diff --git a/cli/do-install.php b/cli/do-install.php index c2f5b286d..16d03daaf 100755 --- a/cli/do-install.php +++ b/cli/do-install.php @@ -37,25 +37,6 @@ if (empty($options['default_user'])) { fwrite(STDERR, 'FreshRSS install…' . "\n"); -$requirements = checkRequirements(); -if ($requirements['all'] !== 'ok') { - $message = 'FreshRSS install failed requirements:' . "\n"; - foreach ($requirements as $requirement => $check) { - if ($check !== 'ok' && $requirement !== 'all') { - $message .= '• ' . $requirement . "\n"; - } - } - fail($message); -} - -if (!FreshRSS_user_Controller::checkUsername($options['default_user'])) { - fail('FreshRSS invalid default username (must be ASCII alphanumeric): ' . $options['default_user']); -} - -if (isset($options['auth_type']) && !in_array($options['auth_type'], array('form', 'http_auth', 'none'))) { - fail('FreshRSS invalid authentication method (auth_type must be one of { form, http_auth, none }: ' . $options['auth_type']); -} - $config = array( 'salt' => generateSalt(), 'db' => FreshRSS_Context::$system_conf->db, @@ -80,6 +61,28 @@ foreach ($dBparams as $dBparam) { } } +$requirements = checkRequirements($config['db']['type']); +if ($requirements['all'] !== 'ok') { + $message = 'FreshRSS install failed requirements:' . "\n"; + foreach ($requirements as $requirement => $check) { + if ($check !== 'ok' && !in_array($requirement, array('all', 'pdo', 'message'))) { + $message .= '• ' . $requirement . "\n"; + } + } + if (!empty($requirements['message'])) { + $message .= '• ' . $requirements['message'] . "\n"; + } + fail($message); +} + +if (!FreshRSS_user_Controller::checkUsername($options['default_user'])) { + fail('FreshRSS invalid default username (must be ASCII alphanumeric): ' . $options['default_user']); +} + +if (isset($options['auth_type']) && !in_array($options['auth_type'], array('form', 'http_auth', 'none'))) { + fail('FreshRSS invalid authentication method (auth_type must be one of { form, http_auth, none }: ' . $options['auth_type']); +} + if (file_put_contents(join_path(DATA_PATH, 'config.php'), "= 0; $minz = file_exists(join_path(LIB_PATH, 'Minz')); $curl = extension_loaded('curl'); $pdo_mysql = extension_loaded('pdo_mysql'); $pdo_sqlite = extension_loaded('pdo_sqlite'); $pdo_pgsql = extension_loaded('pdo_pgsql'); - $pdo = $pdo_mysql || $pdo_sqlite || $pdo_pgsql; + $message = ''; + switch ($dbType) { + case 'mysql': + $pdo_sqlite = $pdo_pgsql = true; + $pdo = $pdo_mysql; + break; + case 'sqlite': + $pdo_mysql = $pdo_pgsql = true; + $pdo = $pdo_sqlite; + break; + case 'pgsql': + $pdo_mysql = $pdo_sqlite = true; + $pdo = $pdo_pgsql; + break; + case '': + $pdo = $pdo_mysql || $pdo_sqlite || $pdo_pgsql; + break; + default: + $pdo_mysql = $pdo_sqlite = $pdo_pgsql = true; + $pdo = false; + $message = 'Invalid database type!'; + break; + } $pcre = extension_loaded('pcre'); $ctype = extension_loaded('ctype'); $fileinfo = extension_loaded('fileinfo'); @@ -44,8 +66,9 @@ function checkRequirements() { 'users' => $users ? 'ok' : 'ko', 'favicons' => $favicons ? 'ok' : 'ko', 'http_referer' => $http_referer ? 'ok' : 'ko', + 'message' => $message ?: 'ok', 'all' => $php && $minz && $curl && $pdo && $pcre && $ctype && $fileinfo && $dom && $xml && - $data && $cache && $users && $favicons && $http_referer ? + $data && $cache && $users && $favicons && $http_referer && $message == '' ? 'ok' : 'ko' ); } @@ -77,7 +100,11 @@ function checkDb(&$dbOptions) { break; case 'sqlite': include_once(APP_PATH . '/SQL/install.sql.sqlite.php'); - $dsn = 'sqlite:' . join_path(USERS_PATH, $dbOptions['default_user'], 'db.sqlite'); + $path = join_path(USERS_PATH, $dbOptions['default_user']); + if (!is_dir($path)) { + mkdir($path); + } + $dsn = 'sqlite:' . join_path($path, 'db.sqlite'); $driver_options = array( PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, ); -- cgit v1.2.3 From 9c012e6c81e435736bfef78e0669cd236ed9d73b Mon Sep 17 00:00:00 2001 From: Alexandre Alapetite Date: Thu, 2 Mar 2017 22:57:02 +0100 Subject: Fix SQLite CLI install https://github.com/FreshRSS/FreshRSS/issues/1445 https://github.com/FreshRSS/FreshRSS/issues/1443 https://github.com/FreshRSS/FreshRSS/issues/1443 --- app/Controllers/userController.php | 7 +++++-- lib/lib_rss.php | 9 ++------- 2 files changed, 7 insertions(+), 9 deletions(-) (limited to 'lib') diff --git a/app/Controllers/userController.php b/app/Controllers/userController.php index 593e24cf2..f910cecd9 100644 --- a/app/Controllers/userController.php +++ b/app/Controllers/userController.php @@ -115,6 +115,7 @@ class FreshRSS_user_Controller extends Minz_ActionController { } $ok = self::checkUsername($new_user_name); + $homeDir = join_path(DATA_PATH, 'users', $new_user_name); if ($ok) { $languages = Minz_Translate::availableLanguages(); @@ -124,7 +125,7 @@ class FreshRSS_user_Controller extends Minz_ActionController { $ok &= !in_array(strtoupper($new_user_name), array_map('strtoupper', listUsers())); //Not an existing user, case-insensitive - $configPath = join_path(DATA_PATH, 'users', $new_user_name, 'config.php'); + $configPath = join_path($homeDir, 'config.php'); $ok &= !file_exists($configPath); } if ($ok) { @@ -141,7 +142,9 @@ class FreshRSS_user_Controller extends Minz_ActionController { } } if ($ok) { - mkdir(join_path(DATA_PATH, 'users', $new_user_name)); + if (!is_dir($homeDir)) { + mkdir($homeDir); + } $userConfig['passwordHash'] = $passwordHash; $userConfig['apiPasswordHash'] = $apiPasswordHash; $ok &= (file_put_contents($configPath, " Date: Thu, 2 Mar 2017 23:10:36 +0100 Subject: Fix favicon warning https://github.com/FreshRSS/FreshRSS/issues/1445 --- lib/Favicon/DataAccess.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lib') diff --git a/lib/Favicon/DataAccess.php b/lib/Favicon/DataAccess.php index ae7509881..838df66c3 100644 --- a/lib/Favicon/DataAccess.php +++ b/lib/Favicon/DataAccess.php @@ -16,7 +16,7 @@ class DataAccess { public function retrieveHeader($url) { $this->set_context(); $headers = @get_headers($url, 1); - return $headers ? array_change_key_case($headers) : array(); + return is_array($headers) ? array_change_key_case($headers) : array(); } public function saveCache($file, $data) { -- cgit v1.2.3 From a7541315c3eb46c156fe79aca9110f7275a4215d Mon Sep 17 00:00:00 2001 From: Alexandre Alapetite Date: Thu, 2 Mar 2017 23:11:13 +0100 Subject: Favicon DataAccess whitespace --- lib/Favicon/DataAccess.php | 50 +++++++++++++++++++++++----------------------- 1 file changed, 25 insertions(+), 25 deletions(-) (limited to 'lib') diff --git a/lib/Favicon/DataAccess.php b/lib/Favicon/DataAccess.php index 838df66c3..4c1a29541 100644 --- a/lib/Favicon/DataAccess.php +++ b/lib/Favicon/DataAccess.php @@ -9,33 +9,33 @@ namespace Favicon; **/ class DataAccess { public function retrieveUrl($url) { - $this->set_context(); - return @file_get_contents($url); + $this->set_context(); + return @file_get_contents($url); } - + public function retrieveHeader($url) { - $this->set_context(); + $this->set_context(); $headers = @get_headers($url, 1); return is_array($headers) ? array_change_key_case($headers) : array(); } - - public function saveCache($file, $data) { - file_put_contents($file, $data); - } - - public function readCache($file) { - return file_get_contents($file); - } - - private function set_context() { - stream_context_set_default( - array( - 'http' => array( - 'method' => 'GET', - 'timeout' => 10, - 'header' => "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:20.0; Favicon; +https://github.com/ArthurHoaro/favicon) Gecko/20100101 Firefox/32.0\r\n", - ) - ) - ); - } -} \ No newline at end of file + + public function saveCache($file, $data) { + file_put_contents($file, $data); + } + + public function readCache($file) { + return file_get_contents($file); + } + + private function set_context() { + stream_context_set_default( + array( + 'http' => array( + 'method' => 'GET', + 'timeout' => 10, + 'header' => "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:20.0; Favicon; +https://github.com/ArthurHoaro/favicon) Gecko/20100101 Firefox/32.0\r\n", + ) + ) + ); + } +} -- cgit v1.2.3 From 2818c72f5ae00276a083d0c24454394e9d064c7c Mon Sep 17 00:00:00 2001 From: Alexandre Alapetite Date: Sat, 4 Mar 2017 11:53:57 +0100 Subject: Changelog CLI https://github.com/FreshRSS/FreshRSS/issues/1443 https://github.com/FreshRSS/FreshRSS/pull/1444 https://github.com/FreshRSS/FreshRSS/issues/1445 https://github.com/FreshRSS/FreshRSS/pull/1447 https://github.com/FreshRSS/FreshRSS/issues/1448 https://github.com/FreshRSS/FreshRSS/issues/1449 --- CHANGELOG.md | 6 ++++++ lib/lib_rss.php | 5 ++++- 2 files changed, 10 insertions(+), 1 deletion(-) (limited to 'lib') diff --git a/CHANGELOG.md b/CHANGELOG.md index 44c6d333f..27f04791e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -8,13 +8,19 @@ * Share with GNU social [#1422](https://github.com/FreshRSS/FreshRSS/issues/1422) * CLI * New command `./cli/reconfigure.php` to update an existing installation [#1439](https://github.com/FreshRSS/FreshRSS/pull/1439) + * Many CLI improvements [#1447](https://github.com/FreshRSS/FreshRSS/pull/1447) + * More information (number of feeds, articles, etc.) in `./cli/user-info.php` + * Better idempotency of `./cli/do-install.php` and language parameter [#1449](https://github.com/FreshRSS/FreshRSS/issues/1449) * UI * New theme *Origine-compact* [#1388](https://github.com/FreshRSS/FreshRSS/pull/1388) * Chrome parity with Firefox: auto-focus tab when clicking on notification [#1409](https://github.com/FreshRSS/FreshRSS/pull/1409) * Bug fixing * Fix PostgreSQL bugs with API and feed modifications [#1417](https://github.com/FreshRSS/FreshRSS/pull/1417) + * Fix several CLI issues [#1445](https://github.com/FreshRSS/FreshRSS/issues/1445) + * Fix CLI install bugs with SQLite [#1443](https://github.com/FreshRSS/FreshRSS/issues/1443), [#1448](https://github.com/FreshRSS/FreshRSS/issues/1448) * Allow empty strings in CLI do-install [#1435](https://github.com/FreshRSS/FreshRSS/pull/1435) * Do not mark as read in anonymous mode [#1431](https://github.com/FreshRSS/FreshRSS/issues/1431) + * Fix Favicons warning [#59dfc64](https://github.com/FreshRSS/FreshRSS/pull/1447/commits/59dfc64512372eaba7609d84500d943bb7274399) * Security * Sanitize feed Web site URL [#1434](https://github.com/FreshRSS/FreshRSS/issues/1434) * No version number for anonymous users [#1404](https://github.com/FreshRSS/FreshRSS/issues/1404) diff --git a/lib/lib_rss.php b/lib/lib_rss.php index 2d593b6a2..4298e90bf 100644 --- a/lib/lib_rss.php +++ b/lib/lib_rss.php @@ -295,7 +295,10 @@ function invalidateHttpCache($username = '') { function listUsers() { $final_list = array(); $base_path = join_path(DATA_PATH, 'users'); - $dir_list = scandir($base_path); + $dir_list = array_values(array_diff( + scandir($base_path), + array('..', '.', '_') + )); foreach ($dir_list as $file) { if ($file[0] !== '.' && is_dir(join_path($base_path, $file)) && file_exists(join_path($base_path, $file, 'config.php'))) { $final_list[] = $file; -- cgit v1.2.3 From 6102489d579293a837e29c0056db887ac0c170ca Mon Sep 17 00:00:00 2001 From: Alexandre Alapetite Date: Sun, 5 Mar 2017 01:05:42 +0100 Subject: Fix Favicon library warning https://github.com/Alkarex/FreshRSS/commit/59dfc64512372eaba7609d84500d943bb7274399 https://github.com/FreshRSS/FreshRSS/issues/1445#issuecomment-284176492 --- lib/Favicon/Favicon.php | 3 +++ 1 file changed, 3 insertions(+) (limited to 'lib') diff --git a/lib/Favicon/Favicon.php b/lib/Favicon/Favicon.php index 1912050d6..8571a1b95 100644 --- a/lib/Favicon/Favicon.php +++ b/lib/Favicon/Favicon.php @@ -89,6 +89,9 @@ class Favicon $loop = TRUE; while ($loop && $max_loop-- > 0) { $headers = $this->dataAccess->retrieveHeader($url); + if (empty($headers)) { + return false; + } $exploded = explode(' ', $headers[0]); if( !isset($exploded[1]) ) { -- cgit v1.2.3