From eceb7756cfcf117c2a18984291181a84697ed3cd Mon Sep 17 00:00:00 2001 From: Marien Fressinaud Date: Sun, 10 Aug 2014 20:29:43 +0200 Subject: Add possibility to keep logged in with form Add an option to keep logged in. Change lifetime of session cookie to 1 year. See https://github.com/marienfressinaud/FreshRSS/issues/465 --- lib/Minz/Session.php | 35 ++++++++++++++++++++++++++++++----- 1 file changed, 30 insertions(+), 5 deletions(-) (limited to 'lib') diff --git a/lib/Minz/Session.php b/lib/Minz/Session.php index ddabc4658..c859be2ed 100644 --- a/lib/Minz/Session.php +++ b/lib/Minz/Session.php @@ -15,13 +15,15 @@ class Minz_Session { * Le nom de session est utilisé comme nom pour les cookies et les URLs (i.e. PHPSESSID). * Il ne doit contenir que des caractères alphanumériques ; il doit être court et descriptif */ - public static function init ($name) { + public static function init($name) { + $cookie = session_get_cookie_params(); + self::keepCookie($cookie['lifetime']); + // démarre la session - session_name ($name); - session_set_cookie_params (0, dirname(empty($_SERVER['REQUEST_URI']) ? '/' : dirname($_SERVER['REQUEST_URI'])), null, false, true); - session_start (); + session_name($name); + session_start(); - if (isset ($_SESSION)) { + if (isset($_SESSION)) { self::$session = $_SESSION; } } @@ -68,4 +70,27 @@ class Minz_Session { Minz_Translate::reset (); } } + + + /** + * Spécifie la durée de vie des cookies + * @param $l la durée de vie + */ + public static function keepCookie($l) { + $cookie_dir = dirname( + empty($_SERVER['SCRIPT_NAME']) ? '' : $_SERVER['SCRIPT_NAME'] + ) . '/'; + session_set_cookie_params($l, $cookie_dir, $_SERVER['HTTP_HOST'], + false, true); + } + + + /** + * Régénère un id de session. + * Utile pour appeler session_set_cookie_params après session_start() + */ + public static function regenerateID() { + session_regenerate_id(true); + } + } -- cgit v1.2.3 From df47217839ccddb8e03015959c61b61e748d9700 Mon Sep 17 00:00:00 2001 
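Review bot: `init()` now seeds the cookie lifetime from `session_get_cookie_params()`, i.e. from the `session.cookie_lifetime` ini value, so with a non-zero ini default every visitor gets a persistent session cookie regardless of the keep-logged-in choice; the one-year lifetime named in the commit message is not in this hunk, so presumably it is configured elsewhere. A comment would make that dependency explicit, e.g. `// lifetime comes from session.cookie_lifetime; keepCookie() may extend it per user`. The rest of `Minz_Session` lies outside the hunk.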
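Review bot: `keepCookie()` passes `$_SERVER['HTTP_HOST']` as the cookie domain and hard-codes `secure = false`; the Host header is supplied by the client (and may carry a port), whereas an empty domain lets the browser scope the cookie to the origin host, which is what a later commit in this series switches to. A narrower call would be `$secure = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';` followed by `session_set_cookie_params($l, $cookie_dir, '', $secure, true);`. The docblock should also state that `$l` is in seconds and that `0` yields a browser-session cookie, as `session_set_cookie_params` documents.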
From: Marien Fressinaud Date: Sun, 10 Aug 2014 23:41:36 +0200 Subject: Set session.gc_maxlifetime Take the maxvalue between 1440 (24m) and cookie lifetime when calling Minz_Session::keepCookie() See https://github.com/marienfressinaud/FreshRSS/issues/465 --- lib/Minz/Session.php | 3 +++ 1 file changed, 3 insertions(+) (limited to 'lib') diff --git a/lib/Minz/Session.php b/lib/Minz/Session.php index c859be2ed..fb3c5d74b 100644 --- a/lib/Minz/Session.php +++ b/lib/Minz/Session.php @@ -82,6 +82,9 @@ class Minz_Session { ) . '/'; session_set_cookie_params($l, $cookie_dir, $_SERVER['HTTP_HOST'], false, true); + + $l_session = max(1440, $l); + ini_set('session.gc_maxlifetime', $l_session); } -- cgit v1.2.3 From bc71a577fe3154080df9949b394c7ae552773c7b Mon Sep 17 00:00:00 2001 From: Marien Fressinaud Date: Mon, 11 Aug 2014 18:39:22 +0200 Subject: Revert "Set session.gc_maxlifetime" This reverts commit df47217839ccddb8e03015959c61b61e748d9700. See https://github.com/marienfressinaud/FreshRSS/issues/465 --- lib/Minz/Session.php | 3 --- 1 file changed, 3 deletions(-) (limited to 'lib') diff --git a/lib/Minz/Session.php b/lib/Minz/Session.php index fb3c5d74b..c859be2ed 100644 --- a/lib/Minz/Session.php +++ b/lib/Minz/Session.php @@ -82,9 +82,6 @@ class Minz_Session { ) . '/'; session_set_cookie_params($l, $cookie_dir, $_SERVER['HTTP_HOST'], false, true); - - $l_session = max(1440, $l); - ini_set('session.gc_maxlifetime', $l_session); } -- cgit v1.2.3 From 1b20f6bd025a08a7a741b2751d837f736758eb2d Mon Sep 17 00:00:00 2001 
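Review bot: `ini_set('session.gc_maxlifetime', …)` only takes effect when it runs before `session_start()`, which holds when `keepCookie()` is reached from `init()` (visible in the previous commit) but not when controllers call it after the session exists, and the docblock says nothing about that. With the files save handler the value is read by whichever request happens to run garbage collection, so on a shared `session.save_path` the shortest lifetime among co-hosted applications wins; pointing `session_save_path()` at a private directory makes the extension reliable. Suggested comment above the `ini_set` line: `// Must run before session_start(); only reliable with a dedicated session.save_path.`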
From: Marien Fressinaud Date: Tue, 12 Aug 2014 20:59:27 +0200 Subject: New wrappers Minz_Request::good() and bad() 1. Set a notification message in session variable 2. Redirect to a specific url First use in importExportController.php See https://github.com/marienfressinaud/FreshRSS/conversations/576 --- app/Controllers/importExportController.php | 57 ++++++------------------------ lib/Minz/Request.php | 25 +++++++++++++ 2 files changed, 35 insertions(+), 47 deletions(-) (limited to 'lib') diff --git a/app/Controllers/importExportController.php b/app/Controllers/importExportController.php index 15871ed80..92b39b575 100644 --- a/app/Controllers/importExportController.php +++ b/app/Controllers/importExportController.php @@ -43,17 +43,9 @@ class FreshRSS_importExport_Controller extends Minz_ActionController { $zip = zip_open($file['tmp_name']); if (!is_resource($zip)) { - Minz_Log::error( - 'Zip file cannot be imported. Error code: ' . $zip - ); - // zip_open cannot open file: something is wrong - Minz_Session::_param('notification', array( - 'type' => 'bad', - 'content' => _t('zip_error') - )); - - Minz_Request::forward(array('c' => 'importExport'), true); + Minz_Log::error('Zip file cannot be imported. Error code: ' . $zip); + Minz_Request::bad(_t('zip_error'), array('c' => 'importExport')); } while (($zipfile = zip_read($zip)) !== false) { @@ -72,12 +64,7 @@ class FreshRSS_importExport_Controller extends Minz_ActionController { zip_close($zip); } elseif ($type_file === 'zip') { // Zip extension is not loaded - Minz_Session::_param('notification', array( - 'type' => 'bad', - 'content' => _t('no_zip_extension') - )); - - Minz_Request::forward(array('c' => 'importExport'), true); + Minz_Request::bad(_t('no_zip_extension'), array('c' => 'importExport')); } elseif ($type_file !== 'unknown') { $list_files[$type_file][] = file_get_contents( $file['tmp_name'] 
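Review bot: After `Minz_Request::bad(_t('zip_error'), …)` control falls straight into `while (($zipfile = zip_read($zip)) !== false)` with `$zip` not a resource; this is only safe because `forward(…, true)` ends with `exit()`, which nothing at the call site shows. A one-line comment protects the next reader and any future change to `forward`: `// bad() redirects and exits; nothing below runs on failure`. The same pattern appears in the `@@ -72` hunk of this file and in the `@@ -362` hunk below. The enclosing method starts and ends outside the hunk.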
@@ -100,35 +87,16 @@ class FreshRSS_importExport_Controller extends Minz_ActionController { } // And finally, we get import status and redirect to the home page - $notif = null; - if ($error === true) { - $content_notif = Minz_Translate::t( - 'feeds_imported_with_errors' - ); - } else { - $content_notif = Minz_Translate::t( - 'feeds_imported' - ); - } - - Minz_Session::_param('notification', array( - 'type' => 'good', - 'content' => $content_notif - )); Minz_Session::_param('actualize_feeds', true); - Minz_Request::forward(array( - 'c' => 'index', - 'a' => 'index' - ), true); + $content_notif = $error === true ? _t('feeds_imported_with_errors') : + _t('feeds_imported'); + Minz_Request::good($content_notif); } // What are you doing? you have to call this controller // with a POST request! - Minz_Request::forward(array( - 'c' => 'importExport', - 'a' => 'index' - )); + Minz_Request::forward(array('c' => 'importExport')); } private function guessFileType($filename) { @@ -362,17 +330,12 @@ class FreshRSS_importExport_Controller extends Minz_ActionController { $nb_files = count($export_files); if ($nb_files > 1) { - // If there are more than 1 file to export, we need an .zip + // If there are more than 1 file to export, we need a zip archive. try { $this->exportZip($export_files); } catch (Exception $e) { # Oops, there is no Zip extension! - $notif = array( - 'type' => 'bad', - 'content' => _t('export_no_zip_extension') - ); - Minz_Session::_param('notification', $notif); - Minz_Request::forward(array('c' => 'importExport'), true); + Minz_Request::bad(_t('export_no_zip_extension'), array('c' => 'importExport')); } } elseif ($nb_files === 1) { // Only one file? Guess its type and export it. @@ -386,7 +349,7 @@ class FreshRSS_importExport_Controller extends Minz_ActionController { $this->exportFile($filename, $export_files[$filename], $type); } else { - Minz_Request::forward(array('c' => 'importExport'), true); + Minz_Request::forward(array('c' => 'importExport')); } } } 
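Review bot: The `catch (Exception $e)` in the `@@ -362` hunk discards `$e` and reports only the generic `export_no_zip_extension` message, although any exception thrown by `exportZip()` lands here, not only a missing extension (the comment's assumption). Logging it keeps diagnosis possible and matches the `Minz_Log::error(...)` used in the import hunk of this commit: `Minz_Log::error('Export failed: ' . $e->getMessage());` before the `Minz_Request::bad(...)` call. The enclosing method continues outside the hunk.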
diff --git a/lib/Minz/Request.php b/lib/Minz/Request.php index 755784522..2f745a04c 100644 --- a/lib/Minz/Request.php +++ b/lib/Minz/Request.php @@ -146,6 +146,31 @@ class Minz_Request { } } + + /** + * Wrappers good notifications + redirection + * @param $msg notification content + * @param $url url array to where we should be forwarded + */ + public static function good($msg, $url = array()) { + Minz_Session::_param('notification', array( + 'type' => 'good', + 'content' => $msg + )); + + Minz_Request::forward($url, true); + } + + public static function bad($msg, $url = array()) { + Minz_Session::_param('notification', array( + 'type' => 'bad', + 'content' => $msg + )); + + Minz_Request::forward($url, true); + } + + /** * Permet de récupérer une variable de type $_GET * @param $param nom de la variable -- cgit v1.2.3 From ed7d8aa44fe5a005380056b7d164fc53079506fb Mon Sep 17 00:00:00 2001 From: Marien Fressinaud Date: Tue, 12 Aug 2014 21:04:39 +0200 Subject: Use REQUEST_URI instead of SCRIPT_NAME for cookies See https://github.com/marienfressinaud/FreshRSS/commit/eceb7756cfcf117c2a18984291181a84697ed3cd#commitcomment-7345438 --- lib/Minz/Session.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lib') diff --git a/lib/Minz/Session.php b/lib/Minz/Session.php index c859be2ed..efc8332e5 100644 --- a/lib/Minz/Session.php +++ b/lib/Minz/Session.php @@ -78,7 +78,7 @@ class Minz_Session { */ public static function keepCookie($l) { $cookie_dir = dirname( - empty($_SERVER['SCRIPT_NAME']) ? '' : $_SERVER['SCRIPT_NAME'] + empty($_SERVER['REQUEST_URI']) ? '' : $_SERVER['REQUEST_URI'] ) . '/'; session_set_cookie_params($l, $cookie_dir, $_SERVER['HTTP_HOST'], false, true); -- cgit v1.2.3 From 08a9009c19b2ae84555340622c344a2da38ae019 Mon Sep 17 00:00:00 2001 
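Review bot: `bad()` has no docblock and duplicates the body of `good()` except for the `'type'` value, and the docblock of `good()` reads "Wrappers good notifications". Suggest `/** Stores a 'bad' notification in the session and redirects to $url; does not return. */` above `bad()`, and stating in both docblocks that the call never returns because `forward($url, true)` exits — the controller changes in this commit rely on exactly that. Folding the shared body into a private `notifyAndForward($type, $msg, $url)` would keep the two in step.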
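Review bot: `REQUEST_URI` is the raw request target including any query string, so `dirname($_SERVER['REQUEST_URI'])` makes the session cookie `Path` depend on how the current request was phrased, and a query containing a `/` changes the result (constructed example: `/p/i/?c=a/b` gives `/p/i/?c=a`), after which the browser may not return the cookie. A value that does not vary with the request line is safer here, e.g. the path component of the configured base URL (`Minz_Request::getBaseUrl()` exists in this library, assuming it yields the install URL): `$cookie_dir = rtrim(parse_url(Minz_Request::getBaseUrl(), PHP_URL_PATH), '/') . '/';`. `keepCookie()` ends outside the hunk.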
From: Marien Fressinaud Date: Tue, 12 Aug 2014 21:09:13 +0200 Subject: Fix a Minz_Session TODO Not use additional variable to manipulate session variables Fix coding style --- lib/Minz/Session.php | 32 ++++++++++---------------------- 1 file changed, 10 insertions(+), 22 deletions(-) (limited to 'lib') diff --git a/lib/Minz/Session.php b/lib/Minz/Session.php index efc8332e5..906acc03c 100644 --- a/lib/Minz/Session.php +++ b/lib/Minz/Session.php @@ -2,17 +2,11 @@ /** * La classe Session gère la session utilisateur - * C'est un singleton */ class Minz_Session { - /** - * $session stocke les variables de session - */ - private static $session = array (); //TODO: Try to avoid having another local copy - /** * Initialise la session, avec un nom - * Le nom de session est utilisé comme nom pour les cookies et les URLs (i.e. PHPSESSID). + * Le nom de session est utilisé comme nom pour les cookies et les URLs(i.e. PHPSESSID). * Il ne doit contenir que des caractères alphanumériques ; il doit être court et descriptif */ public static function init($name) { @@ -22,10 +16,6 @@ class Minz_Session { // démarre la session session_name($name); session_start(); - - if (isset($_SESSION)) { - self::$session = $_SESSION; - } } @@ -34,8 +24,8 @@ class Minz_Session { * @param $p le paramètre à récupérer * @return la valeur de la variable de session, false si n'existe pas */ - public static function param ($p, $default = false) { - return isset(self::$session[$p]) ? self::$session[$p] : $default; + public static function param($p, $default = false) { + return isset($_SESSION[$p]) ? $_SESSION[$p] : $default; } 
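Review bot: The docblock of `param()` in the `@@ -34` hunk still says it returns `false` when the key is missing, while the code returns `$default`; suggest `@return the session value, or $default when the key is not set`. Note also that `isset($_SESSION[$p])` treats a stored `null` as missing — fine if `null` is never stored, otherwise `array_key_exists` is the right test.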
@@ -44,13 +34,11 @@ class Minz_Session { * @param $p le paramètre à créer ou modifier * @param $v la valeur à attribuer, false pour supprimer */ - public static function _param ($p, $v = false) { + public static function _param($p, $v = false) { if ($v === false) { - unset ($_SESSION[$p]); - unset (self::$session[$p]); + unset($_SESSION[$p]); } else { $_SESSION[$p] = $v; - self::$session[$p] = $v; } } @@ -59,15 +47,15 @@ class Minz_Session { * Permet d'effacer une session * @param $force si à false, n'efface pas le paramètre de langue */ - public static function unset_session ($force = false) { - $language = self::param ('language'); + public static function unset_session($force = false) { + $language = self::param('language'); session_destroy(); - self::$session = array (); + $_SESSION = array(); if (!$force) { - self::_param ('language', $language); - Minz_Translate::reset (); + self::_param('language', $language); + Minz_Translate::reset(); } } -- cgit v1.2.3 From 22e2bf9239c3c5ee87a59910d88107ff359b24df Mon Sep 17 00:00:00 2001 From: Marien Fressinaud Date: Tue, 12 Aug 2014 21:12:02 +0200 Subject: Fix coding style of Minz_Request --- lib/Minz/Request.php | 84 ++++++++++++++++++++++++++-------------------------- 1 file changed, 42 insertions(+), 42 deletions(-) (limited to 'lib') diff --git a/lib/Minz/Request.php b/lib/Minz/Request.php index 2f745a04c..f9b8e2564 100644 --- a/lib/Minz/Request.php +++ b/lib/Minz/Request.php @@ -10,7 +10,7 @@ class Minz_Request { private static $controller_name = ''; private static $action_name = ''; - private static $params = array (); + private static $params = array(); private static $default_controller_name = 'index'; private static $default_action_name = 'index'; 
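Review bot: `unset_session()` writes `$_SESSION['language']` through `_param()` right after `session_destroy()`; once destroyed the session is no longer active for this request, so that write stays in memory and is not persisted unless something starts the session again — the removed local copy used to mask this, so callers that expect the language to survive logout should be verified. `session_destroy()` also leaves the client's session cookie and id untouched; expiring the cookie (`setcookie(session_name(), '', 1, …)` with the same path) would complete the logout. The `@@ -44` `_param` hunk above is fine as is.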
@@ -18,25 +18,25 @@ class Minz_Request { /** * Getteurs */ - public static function controllerName () { + public static function controllerName() { return self::$controller_name; } - public static function actionName () { + public static function actionName() { return self::$action_name; } - public static function params () { + public static function params() { return self::$params; } - static function htmlspecialchars_utf8 ($p) { + static function htmlspecialchars_utf8($p) { if (is_array($p)) { return array_map('self::htmlspecialchars_utf8', $p); } return htmlspecialchars($p, ENT_COMPAT, 'UTF-8'); } - public static function param ($key, $default = false, $specialchars = false) { - if (isset (self::$params[$key])) { + public static function param($key, $default = false, $specialchars = false) { + if (isset(self::$params[$key])) { $p = self::$params[$key]; - if(is_object($p) || $specialchars) { + if (is_object($p) || $specialchars) { return $p; } else { return self::htmlspecialchars_utf8($p); 
@@ -45,32 +45,32 @@ class Minz_Request { return $default; } } - public static function defaultControllerName () { + public static function defaultControllerName() { return self::$default_controller_name; } - public static function defaultActionName () { + public static function defaultActionName() { return self::$default_action_name; } /** * Setteurs */ - public static function _controllerName ($controller_name) { + public static function _controllerName($controller_name) { self::$controller_name = $controller_name; } - public static function _actionName ($action_name) { + public static function _actionName($action_name) { self::$action_name = $action_name; } - public static function _params ($params) { + public static function _params($params) { if (!is_array($params)) { - $params = array ($params); + $params = array($params); } self::$params = $params; } - public static function _param ($key, $value = false) { + public static function _param($key, $value = false) { if ($value === false) { - unset (self::$params[$key]); + unset(self::$params[$key]); } else { self::$params[$key] = $value; } @@ -79,14 +79,14 @@ class Minz_Request { /** * Initialise la Request */ - public static function init () { - self::magicQuotesOff (); + public static function init() { + self::magicQuotesOff(); } /** * Retourn le nom de domaine du site */ - public static function getDomainName () { + public static function getDomainName() { return $_SERVER['HTTP_HOST']; } @@ -94,7 +94,7 @@ class Minz_Request { * Détermine la base de l'url * @return la base de l'url */ - public static function getBaseUrl () { + public static function getBaseUrl() { $defaultBaseUrl = Minz_Configuration::baseUrl(); if (!empty($defaultBaseUrl)) { return $defaultBaseUrl; 
@@ -109,13 +109,13 @@ class Minz_Request { * Récupère l'URI de la requête * @return l'URI */ - public static function getURI () { - if (isset ($_SERVER['REQUEST_URI'])) { - $base_url = self::getBaseUrl (); + public static function getURI() { + if (isset($_SERVER['REQUEST_URI'])) { + $base_url = self::getBaseUrl(); $uri = $_SERVER['REQUEST_URI']; - $len_base_url = strlen ($base_url); - $real_uri = substr ($uri, $len_base_url); + $len_base_url = strlen($base_url); + $real_uri = substr($uri, $len_base_url); } else { $real_uri = ''; } @@ -129,16 +129,16 @@ class Minz_Request { * @param $redirect si vrai, force la redirection http * > sinon, le dispatcher recharge en interne */ - public static function forward ($url = array (), $redirect = false) { - $url = Minz_Url::checkUrl ($url); + public static function forward($url = array(), $redirect = false) { + $url = Minz_Url::checkUrl($url); if ($redirect) { - header ('Location: ' . Minz_Url::display ($url, 'php')); - exit (); + header('Location: ' . Minz_Url::display($url, 'php')); + exit(); } else { - self::_controllerName ($url['c']); - self::_actionName ($url['a']); - self::_params (array_merge ( + self::_controllerName($url['c']); + self::_actionName($url['a']); + self::_params(array_merge( self::$params, $url['params'] )); @@ -179,10 +179,10 @@ class Minz_Request { * $_GET si $param = false * $default si $_GET[$param] n'existe pas */ - public static function fetchGET ($param = false, $default = false) { + public static function fetchGET($param = false, $default = false) { if ($param === false) { return $_GET; - } elseif (isset ($_GET[$param])) { + } elseif (isset($_GET[$param])) { return $_GET[$param]; } else { return $default; 
@@ -197,10 +197,10 @@ class Minz_Request { * $_POST si $param = false * $default si $_POST[$param] n'existe pas */ - public static function fetchPOST ($param = false, $default = false) { + public static function fetchPOST($param = false, $default = false) { if ($param === false) { return $_POST; - } elseif (isset ($_POST[$param])) { + } elseif (isset($_POST[$param])) { return $_POST[$param]; } else { return $default; @@ -213,15 +213,15 @@ class Minz_Request { * $_POST * $_COOKIE */ - private static function magicQuotesOff () { - if (get_magic_quotes_gpc ()) { - $_GET = Minz_Helper::stripslashes_r ($_GET); - $_POST = Minz_Helper::stripslashes_r ($_POST); - $_COOKIE = Minz_Helper::stripslashes_r ($_COOKIE); + private static function magicQuotesOff() { + if (get_magic_quotes_gpc()) { + $_GET = Minz_Helper::stripslashes_r($_GET); + $_POST = Minz_Helper::stripslashes_r($_POST); + $_COOKIE = Minz_Helper::stripslashes_r($_COOKIE); } } - public static function isPost () { + public static function isPost() { return $_SERVER['REQUEST_METHOD'] === 'POST'; } } -- cgit v1.2.3 From ede94098be5d330d4bf120eb8064c5c87eed7ef0 Mon Sep 17 00:00:00 2001 From: Marien Fressinaud Date: Tue, 12 Aug 2014 21:15:12 +0200 Subject: Fix missing REQUEST_METHOD Useful when executing actualize_script.php --- lib/Minz/Request.php | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'lib') diff --git a/lib/Minz/Request.php b/lib/Minz/Request.php index f9b8e2564..f3ecaf55c 100644 --- a/lib/Minz/Request.php +++ b/lib/Minz/Request.php @@ -222,6 +222,7 @@ class Minz_Request { } public static function isPost() { - return $_SERVER['REQUEST_METHOD'] === 'POST'; + return isset($_SERVER['REQUEST_METHOD']) && + $_SERVER['REQUEST_METHOD'] === 'POST'; } } -- cgit v1.2.3 From 7900c5e550acafaf0b877635840a8a270eb06078 Mon Sep 17 00:00:00 2001 
From: Marien Fressinaud Date: Tue, 12 Aug 2014 21:56:34 +0200 Subject: Move htmlspecialchars_utf8 from Request to Helper And remove html_chars_utf8 to use htmlspecialchars_utf8 instead in importExportController --- app/Controllers/importExportController.php | 10 +++++----- lib/Minz/Helper.php | 11 +++++++++++ lib/Minz/Request.php | 8 +------- lib/lib_rss.php | 4 ---- 4 files changed, 17 insertions(+), 16 deletions(-) (limited to 'lib') diff --git a/app/Controllers/importExportController.php b/app/Controllers/importExportController.php index 92b39b575..a8e2c2bc2 100644 --- a/app/Controllers/importExportController.php +++ b/app/Controllers/importExportController.php @@ -166,15 +166,15 @@ class FreshRSS_importExport_Controller extends Minz_ActionController { } // We get different useful information - $url = html_chars_utf8($feed_elt['xmlUrl']); - $name = html_chars_utf8($feed_elt['text']); + $url = Minz_Helper::htmlspecialchars_utf8($feed_elt['xmlUrl']); + $name = Minz_Helper::htmlspecialchars_utf8($feed_elt['text']); $website = ''; if (isset($feed_elt['htmlUrl'])) { - $website = html_chars_utf8($feed_elt['htmlUrl']); + $website = Minz_Helper::htmlspecialchars_utf8($feed_elt['htmlUrl']); } $description = ''; if (isset($feed_elt['description'])) { - $description = html_chars_utf8($feed_elt['description']); + $description = Minz_Helper::htmlspecialchars_utf8($feed_elt['description']); } $error = false; @@ -200,7 +200,7 @@ class FreshRSS_importExport_Controller extends Minz_ActionController { private function addCategoryOpml($cat_elt, $parent_cat) { // Create a new Category object - $cat = new FreshRSS_Category(html_chars_utf8($cat_elt['text'])); + $cat = new FreshRSS_Category(Minz_Helper::htmlspecialchars_utf8($cat_elt['text'])); $id = $this->catDAO->addCategoryObject($cat); $error = ($id === false); diff --git a/lib/Minz/Helper.php b/lib/Minz/Helper.php index b058211d3..13bfdd93e 100644 --- a/lib/Minz/Helper.php +++ b/lib/Minz/Helper.php 
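Review bot: `$url = Minz_Helper::htmlspecialchars_utf8($feed_elt['xmlUrl'])` HTML-escapes the feed URL before it is (presumably) used as the subscription address, so a URL containing `&` becomes `&amp;` and, unless it is decoded again before fetching, the feed is requested at the wrong address; the same applies to `htmlUrl`. HTML escaping belongs at output time — at this point only URL validation makes sense. The `@@ -200` hunk escapes the category name the same way before persisting it, which double-escapes at render time if the templates escape too (not visible in this diff). The enclosing methods start and end outside the hunks.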
@@ -19,4 +19,15 @@ class Minz_Helper { return stripslashes($var); } } + + /** + * Wrapper for htmlspecialchars. + * Force UTf-8 value and can be used on array too. + */ + public static function htmlspecialchars_utf8($p) { + if (is_array($p)) { + return array_map('self::htmlspecialchars_utf8', $p); + } + return htmlspecialchars($p, ENT_COMPAT, 'UTF-8'); + } } diff --git a/lib/Minz/Request.php b/lib/Minz/Request.php index f3ecaf55c..52f53012f 100644 --- a/lib/Minz/Request.php +++ b/lib/Minz/Request.php @@ -27,19 +27,13 @@ class Minz_Request { public static function params() { return self::$params; } - static function htmlspecialchars_utf8($p) { - if (is_array($p)) { - return array_map('self::htmlspecialchars_utf8', $p); - } - return htmlspecialchars($p, ENT_COMPAT, 'UTF-8'); - } public static function param($key, $default = false, $specialchars = false) { if (isset(self::$params[$key])) { $p = self::$params[$key]; if (is_object($p) || $specialchars) { return $p; } else { - return self::htmlspecialchars_utf8($p); + return Minz_Helper::htmlspecialchars_utf8($p); } } else { return $default; diff --git a/lib/lib_rss.php b/lib/lib_rss.php index 86c0a4ae4..823f53716 100644 --- a/lib/lib_rss.php +++ b/lib/lib_rss.php @@ -230,7 +230,3 @@ function cryptAvailable() { } return false; } - -function html_chars_utf8($str) { - return htmlspecialchars($str, ENT_COMPAT, 'UTF-8'); -} -- cgit v1.2.3 From 93b2a5f240b061103fce5cf563a3cd5cae2c6bfe Mon Sep 17 00:00:00 2001 From: Marien Fressinaud Date: Tue, 12 Aug 2014 21:59:07 +0200 Subject: Coding style in Minz_Helper --- lib/Minz/Helper.php | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) (limited to 'lib') diff --git a/lib/Minz/Helper.php b/lib/Minz/Helper.php index 13bfdd93e..8d8b177ae 100644 --- a/lib/Minz/Helper.php +++ b/lib/Minz/Helper.php 
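Review bot: `htmlspecialchars($p, ENT_COMPAT, 'UTF-8')` leaves single quotes unescaped, so a value placed in a single-quoted attribute is not neutralised, and on invalid UTF-8 `htmlspecialchars` silently returns an empty string. `return htmlspecialchars($p, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');` covers both; the same line survives into the two later `Minz_Helper` commits in this series. The docblock also has a typo (`UTf-8`) and should say the function recurses into arrays.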
@@ -12,9 +12,9 @@ class Minz_Helper { * Annule les effets des magic_quotes pour une variable donnée * @param $var variable à traiter (tableau ou simple variable) */ - public static function stripslashes_r ($var) { - if (is_array ($var)){ - return array_map (array ('Helper', 'stripslashes_r'), $var); + public static function stripslashes_r($var) { + if (is_array($var)){ + return array_map(array('Helper', 'stripslashes_r'), $var); } else { return stripslashes($var); } @@ -24,10 +24,10 @@ class Minz_Helper { * Wrapper for htmlspecialchars. * Force UTf-8 value and can be used on array too. */ - public static function htmlspecialchars_utf8($p) { - if (is_array($p)) { - return array_map('self::htmlspecialchars_utf8', $p); + public static function htmlspecialchars_utf8($var) { + if (is_array($var)) { + return array_map(array('Helper', 'htmlspecialchars_utf8'), $var); } - return htmlspecialchars($p, ENT_COMPAT, 'UTF-8'); + return htmlspecialchars($var, ENT_COMPAT, 'UTF-8'); } } -- cgit v1.2.3 From f2b1826b475a7ad71ee68b13d22c03259e631195 Mon Sep 17 00:00:00 2001 From: Marien Fressinaud Date: Tue, 12 Aug 2014 22:27:07 +0200 Subject: Fix missing Minz_ prefix in Minz_Helper Nice bug :) It means another hidden bug is now corrected! --- lib/Minz/Helper.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'lib') diff --git a/lib/Minz/Helper.php b/lib/Minz/Helper.php index 8d8b177ae..f4a547c4e 100644 --- a/lib/Minz/Helper.php +++ b/lib/Minz/Helper.php @@ -14,7 +14,7 @@ class Minz_Helper { */ public static function stripslashes_r($var) { if (is_array($var)){ - return array_map(array('Helper', 'stripslashes_r'), $var); + return array_map(array('Minz_Helper', 'stripslashes_r'), $var); } else { return stripslashes($var); } 
@@ -26,7 +26,7 @@ class Minz_Helper { */ public static function htmlspecialchars_utf8($var) { if (is_array($var)) { - return array_map(array('Helper', 'htmlspecialchars_utf8'), $var); + return array_map(array('Minz_Helper', 'htmlspecialchars_utf8'), $var); } return htmlspecialchars($var, ENT_COMPAT, 'UTF-8'); } -- cgit v1.2.3 From ee1b8f6f72e8c2cbd3e0ad7b4322a4bb6863c028 Mon Sep 17 00:00:00 2001 From: Alexandre Alapetite Date: Wed, 13 Aug 2014 00:09:48 +0200 Subject: Long term cookie to keep session open Token system https://github.com/marienfressinaud/FreshRSS/issues/465 --- app/Controllers/indexController.php | 41 +++++++++++++++++++++++++++++-------- app/FreshRSS.php | 28 ++++++++++++++++++++++--- data/tokens/.gitignore | 1 + data/tokens/index.html | 13 ++++++++++++ lib/Minz/Session.php | 19 ++++++++++++----- 5 files changed, 86 insertions(+), 16 deletions(-) create mode 100644 data/tokens/.gitignore create mode 100644 data/tokens/index.html (limited to 'lib') diff --git a/app/Controllers/indexController.php b/app/Controllers/indexController.php index b907c8eed..dd5b91e47 100755 --- a/app/Controllers/indexController.php +++ b/app/Controllers/indexController.php 
@@ -295,10 +295,39 @@ class FreshRSS_index_Controller extends Minz_ActionController { Minz_Session::_param('passwordHash'); } + private static function makeLongTermCookie($username, $passwordHash) { + do { + $token = sha1(Minz_Configuration::salt() . $username . uniqid(mt_rand(), true)); + $tokenFile = DATA_PATH . '/tokens/' . $token . '.txt'; + } while (file_exists($tokenFile)); + if (@file_put_contents($tokenFile, $username . "\t" . $passwordHash) === false) { + return false; + } + $expire = time() + 2629744; //1 month //TODO: Use a configuration instead + Minz_Session::setLongTermCookie('FreshRSS_login', $token, $expire); + Minz_Session::_param('token', $token); + return $token; + } + + private static function deleteLongTermCookie() { + Minz_Session::deleteLongTermCookie('FreshRSS_login'); + $token = Minz_Session::param('token', null); + if (ctype_alnum($token)) { + @unlink(DATA_PATH . '/tokens/' . $token . '.txt'); + } + Minz_Session::_param('token'); + if (rand(0, 10) === 1) { + self::purgeTokens(); + } + } + + private static function purgeTokens() { + //TODO: Delete old token files + } + public function formLoginAction () { if (Minz_Request::isPost()) { $ok = false; - $keep_logged_in = Minz_Request::param('keep_logged_in', false); $nonce = Minz_Session::param('nonce'); $username = Minz_Request::param('username', ''); $c = Minz_Request::param('challenge', ''); @@ -313,10 +342,8 @@ class FreshRSS_index_Controller extends Minz_ActionController { if ($ok) { Minz_Session::_param('currentUser', $username); Minz_Session::_param('passwordHash', $s); - if ($keep_logged_in) { - // New cookie with a lifetime of 1 month. - Minz_Session::keepCookie(2592000); - Minz_Session::regenerateID(); + if (Minz_Request::param('keep_logged_in', false)) { + self::makeLongTermCookie($username, $s); } } else { Minz_Log::record('Password mismatch for user ' . $username . ', nonce=' . $nonce . ', c=' . $c, Minz_Log::WARNING); 
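Review bot: In `makeLongTermCookie()` the token is `sha1(salt . username . uniqid(mt_rand(), true))`; `mt_rand()` and `uniqid()` are not cryptographic sources, and the token alone resumes the session for a month, so it should come from a CSPRNG — `$token = bin2hex(openssl_random_pseudo_bytes(32));` (or `random_bytes` on PHP 7) — after which the salt and username add nothing. The token file is created with the default mode and holds `$username\t$passwordHash` in clear; `chmod($tokenFile, 0600);` after the write limits it to the web user, and naming the file by `sha1($token)` rather than the raw token means a listing or backup of `data/tokens` does not directly yield usable cookies. The constant `2629744` is repeated in `FreshRSS.php` in this commit; one class constant would keep the two in step, as the TODO suggests. `purgeTokens()` is a stub, so expired files are removed only on logout or when their token is presented again.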
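Review bot: This hunk drops the only `Minz_Session::regenerateID()` call on the login path, so a successful login keeps the pre-authentication session id; regenerating the id after `currentUser`/`passwordHash` are set is the standard defence against session fixation and belongs to every login, not only to the keep-logged-in case: `Minz_Session::regenerateID();` after `Minz_Session::_param('passwordHash', $s);`. `makeLongTermCookie()` returns `false` when the token file cannot be written, but the result is ignored here, so the user silently gets no long-term cookie; logging that through `Minz_Log` would surface a misconfigured `data/tokens` directory. `formLoginAction()` continues outside the hunk.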
@@ -377,9 +404,7 @@ class FreshRSS_index_Controller extends Minz_ActionController { Minz_Session::_param('currentUser'); Minz_Session::_param('mail'); Minz_Session::_param('passwordHash'); - Minz_Session::keepCookie(0); - Minz_Session::regenerateID(); - + self::deleteLongTermCookie(); Minz_Request::forward(array('c' => 'index', 'a' => 'index'), true); } } diff --git a/app/FreshRSS.php b/app/FreshRSS.php index 7c333b090..30f711e20 100644 --- a/app/FreshRSS.php +++ b/app/FreshRSS.php @@ -20,13 +20,35 @@ class FreshRSS extends Minz_FrontController { $this->loadNotifications(); } + private static function getCredentialsFromLongTermCookie() { + $token = Minz_Session::getLongTermCookie('FreshRSS_login'); + if (!ctype_alnum($token)) { + return array(); + } + $tokenFile = DATA_PATH . '/tokens/' . $token . '.txt'; + $mtime = @filemtime($tokenFile); + if ($mtime + 2629744 < time()) { //1 month //TODO: Use a configuration instead + @unlink($tokenFile); + return array(); //Expired or token does not exist + } + $credentials = @file_get_contents($tokenFile); + return $credentials === false ? array() : explode("\t", $credentials, 2); + } + private function accessControl($currentUser) { if ($currentUser == '') { switch (Minz_Configuration::authType()) { case 'form': - $currentUser = Minz_Configuration::defaultUser(); - Minz_Session::_param('passwordHash'); - $loginOk = false; + $credentials = self::getCredentialsFromLongTermCookie(); + if (isset($credentials[1])) { + $currentUser = trim($credentials[0]); + Minz_Session::_param('passwordHash', trim($credentials[1])); + } + $loginOk = $currentUser != ''; + if (!$loginOk) { + $currentUser = Minz_Configuration::defaultUser(); + Minz_Session::_param('passwordHash'); + } break; case 'http_auth': $currentUser = httpAuthUser(); diff --git a/data/tokens/.gitignore b/data/tokens/.gitignore new file mode 100644 index 000000000..2211df63d --- /dev/null +++ b/data/tokens/.gitignore @@ -0,0 +1 @@ +*.txt 
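Review bot: The logout hunk removes `regenerateID()` without a replacement, so the session keeps its id after `currentUser`/`passwordHash` are unset, and `self::deleteLongTermCookie()` only expires the long-term cookie. A logout should also discard the server-side session: `Minz_Session::regenerateID();` (which calls `session_regenerate_id(true)`) or `Minz_Session::unset_session()` before the redirect. The enclosing method starts outside the hunk.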
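Review bot: `accessControl()` takes `$currentUser = trim($credentials[0])` straight from the token file and installs the stored hash in the session without the `ctype_alnum`-style validation the token itself gets, without checking that the user still exists, and without comparing the stored hash with the account's current one — so a token appears to outlive a password change for up to a month (inferred; the later hash comparison is not in this diff). Expiry is keyed on `filemtime`, so anything that touches the file extends the token. Suggest validating `$currentUser` with the same rule applied to usernames at login and rejecting the token when the stored hash no longer matches; `getCredentialsFromLongTermCookie()` also merits a docblock stating the `username\tpasswordHash` file format it parses and that `array()` means "no valid token".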
diff --git a/data/tokens/index.html b/data/tokens/index.html new file mode 100644 index 000000000..85faaa37e --- /dev/null +++ b/data/tokens/index.html @@ -0,0 +1,13 @@ + + + + + +Redirection + + + + +

Redirection

+ + diff --git a/lib/Minz/Session.php b/lib/Minz/Session.php index 906acc03c..af4de75bb 100644 --- a/lib/Minz/Session.php +++ b/lib/Minz/Session.php @@ -65,11 +65,8 @@ class Minz_Session { * @param $l la durée de vie */ public static function keepCookie($l) { - $cookie_dir = dirname( - empty($_SERVER['REQUEST_URI']) ? '' : $_SERVER['REQUEST_URI'] - ) . '/'; - session_set_cookie_params($l, $cookie_dir, $_SERVER['HTTP_HOST'], - false, true); + $cookie_dir = empty($_SERVER['REQUEST_URI']) ? '' : $_SERVER['REQUEST_URI']; + session_set_cookie_params($l, $cookie_dir, '', false, true); } @@ -81,4 +78,16 @@ class Minz_Session { session_regenerate_id(true); } + public static function deleteLongTermCookie($name) { + setcookie($name, '', 1, '', '', false, true); + } + + public static function setLongTermCookie($name, $value, $expire) { + setcookie($name, $value, $expire, '', '', false, true); + } + + public static function getLongTermCookie($name) { + return isset($_COOKIE[$name]) ? $_COOKIE[$name] : null; + } + } -- cgit v1.2.3 From a126d99b3c87c12d6da86a32f0615ad36ec99d60 Mon Sep 17 00:00:00 2001 From: Alexandre Alapetite Date: Sat, 30 Aug 2014 18:31:50 +0200 Subject: Bug referer for systems with non-standard HTTP port Now tests also for the scheme and port, which must be identical to the ones in the referer. https://github.com/marienfressinaud/FreshRSS/issues/565#issuecomment-53916915 https://github.com/marienfressinaud/FreshRSS/issues/554 --- app/FreshRSS.php | 3 +-- lib/Minz/Request.php | 14 ++++++++++++++ 2 files changed, 15 insertions(+), 2 deletions(-) (limited to 'lib') diff --git a/app/FreshRSS.php b/app/FreshRSS.php index 30f711e20..cf6390f68 100644 --- a/app/FreshRSS.php +++ b/app/FreshRSS.php 
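Review bot: `keepCookie()` now passes `$_SERVER['REQUEST_URI']` itself — no longer `dirname(...)` — as the cookie `Path`, so the session cookie is scoped to the exact request target including its query string; unless the request line is always a bare directory, the browser will not return the cookie on the next request with a different query, and `init()` calls this on every request (visible earlier in the series). Restoring a directory path — `$cookie_dir = dirname(empty($_SERVER['REQUEST_URI']) ? '' : $_SERVER['REQUEST_URI']) . '/';` — or, better, a fixed configured base path avoids tying the cookie to the request line. Dropping `HTTP_HOST` as the cookie domain is a good change.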
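Review bot: `setLongTermCookie()` and `deleteLongTermCookie()` hard-code `secure = false` and an empty path, so the long-term login token is also sent over plain HTTP when the site is served over HTTPS, and an empty path scopes the cookie to the directory of the current request (the `setcookie` default). Derive the flag from the request — `$secure = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';` then `setcookie($name, $value, $expire, $cookie_dir, '', $secure, true);` with `$cookie_dir` the same directory path `keepCookie()` computes — and use the identical path and flag in `deleteLongTermCookie()` so the deletion matches the cookie it targets. Short docblocks stating that `$expire` is a Unix timestamp and that `getLongTermCookie()` returns the raw, unvalidated cookie value would help callers.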
@@ -6,8 +6,7 @@ class FreshRSS extends Minz_FrontController { } $loginOk = $this->accessControl(Minz_Session::param('currentUser', '')); $this->loadParamsView(); - if (Minz_Request::isPost() && (empty($_SERVER['HTTP_REFERER']) || - Minz_Request::getDomainName() !== parse_url($_SERVER['HTTP_REFERER'], PHP_URL_HOST))) { + if (Minz_Request::isPost() && !Minz_Request::isRefererFromSameDomain()) { $loginOk = false; //Basic protection against XSRF attacks Minz_Error::error( 403, diff --git a/lib/Minz/Request.php b/lib/Minz/Request.php index 52f53012f..ec4e25a6b 100644 --- a/lib/Minz/Request.php +++ b/lib/Minz/Request.php @@ -84,6 +84,20 @@ class Minz_Request { return $_SERVER['HTTP_HOST']; } + public static function isRefererFromSameDomain() { + if (empty($_SERVER['HTTP_REFERER'])) { + return false; + } + $host = parse_url(((isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] === 'on') ? 'https://' : 'http://') . + (empty($_SERVER['HTTP_HOST']) ? $_SERVER['SERVER_NAME'] : $_SERVER['HTTP_HOST'])); + $referer = parse_url($_SERVER['HTTP_REFERER']); + if (empty($host['scheme']) || empty($referer['scheme']) || $host['scheme'] !== $referer['scheme'] || + empty($host['host']) || empty($referer['host']) || $host['host'] !== $referer['host']) { + return false; + } + return (isset($host['port']) ? $host['port'] : 0) === (isset($referer['port']) ? $referer['port'] : 0); + } + /** * Détermine la base de l'url * @return la base de l'url -- cgit v1.2.3 From c3fd8877c021b86180b3bea4d4260e6478f0558e Mon Sep 17 00:00:00 2001 From: Alexandre Alapetite Date: Sat, 6 Sep 2014 16:04:49 +0200 Subject: Bug warning in case of invalid CDATA --- lib/SimplePie/SimplePie/Parser.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lib') diff --git a/lib/SimplePie/SimplePie/Parser.php b/lib/SimplePie/SimplePie/Parser.php index 9300b4ba9..7fb7bd9be 100644 --- a/lib/SimplePie/SimplePie/Parser.php +++ b/lib/SimplePie/SimplePie/Parser.php 
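Review bot: `isRefererFromSameDomain()` compares hosts case-sensitively and maps an absent port to `0`, so a referer carrying an explicit default port or a differently-cased host is rejected although it is the same origin; normalise with `strtolower()` and substitute the scheme's default port before comparing. The scheme test `$_SERVER['HTTPS'] === 'on'` misses SAPIs that set `HTTPS` to `1`, and behind a TLS-terminating proxy the server-side scheme is `http` while referers are `https`, which would make every POST fail; `!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off'` is the usual test, and the proxy case needs the configured base URL. Since the caller in `FreshRSS.php` still treats this as its only CSRF control, a per-session token embedded in forms and checked on POST is the robust fix, with the referer check kept as defence in depth. A docblock stating that the function returns `false` whenever the referer is absent (some clients strip it) would set expectations.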
@@ -142,7 +142,7 @@ class SimplePie_Parser
 $dom = new DOMDocument();
 $dom->recover = true;
 $dom->strictErrorChecking = false;
- $dom->loadXML($data);
+ @$dom->loadXML($data);
 $this->encoding = $encoding = $dom->encoding = 'UTF-8';
 $data2 = $dom->saveXML();
 if (function_exists('mb_convert_encoding'))
-- cgit v1.2.3
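Review bot: `@$dom->loadXML($data)` silences the libxml warnings instead of collecting them, so a malformed feed is indistinguishable from a clean one and any other warning on that line is hidden too. libxml has its own mechanism for this: `$prev = libxml_use_internal_errors(true);` before the call, then `libxml_clear_errors();` and `libxml_use_internal_errors($prev);` after it. Since `$data` is fetched feed content, passing `LIBXML_NONET` to `loadXML()` also keeps the parser from reaching out for external DTDs or entities; whether external entity loading is already disabled elsewhere in this fork is not visible here. The enclosing method starts and ends outside the hunk.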