From 462c1e208f02e4977c7e96c0f5936987931d5bc1 Mon Sep 17 00:00:00 2001
From: Alexandre Alapetite <alexandre@alapetite.fr>
Date: Sat, 30 Jul 2016 23:37:13 +0200
Subject: PSHB: work-around for SuperFeeder

Feeds using SuperFeeder for PubSubHubbub push had timeout problems
during substription.
SuperFeeder bot was returning 422 "We could not verify your callback
Error: ETIMEDOUT"
It seems to be due to the the fact that SuperFeeder bot uses keep-alive
but expects the server to close the connection.
https://github.com/FreshRSS/FreshRSS/issues/312#issuecomment-73716936
---
 p/api/pshb.php | 2 ++
 1 file changed, 2 insertions(+)

(limited to 'p/api')

diff --git a/p/api/pshb.php b/p/api/pshb.php
index 7de4cc1a2..136b98fc9 100644
--- a/p/api/pshb.php
+++ b/p/api/pshb.php
@@ -65,11 +65,13 @@ if (!empty($_REQUEST['hub_mode']) && $_REQUEST['hub_mode'] === 'subscribe') {
 		$hubJson['error'] = true;	//Do not assume that PubSubHubbub works until the first successul push
 	}
 	file_put_contents('./!hub.json', json_encode($hubJson));
+	header('Connection: close');
 	exit(isset($_REQUEST['hub_challenge']) ? $_REQUEST['hub_challenge'] : '');
 }
 
 if (!empty($_REQUEST['hub_mode']) && $_REQUEST['hub_mode'] === 'unsubscribe') {
 	if (empty($hubJson['lease_end']) || $hubJson['lease_end'] < time()) {
+		header('Connection: close');
 		exit(isset($_REQUEST['hub_challenge']) ? $_REQUEST['hub_challenge'] : '');
 	} else {
 		header('HTTP/1.1 422 Unprocessable Entity');
-- 
cgit v1.2.3


From 21a6521ba9ab8df18ad8386465cba9e9af99ce7f Mon Sep 17 00:00:00 2001
From: Alexandre Alapetite <alexandre@alapetite.fr>
Date: Sun, 31 Jul 2016 01:38:46 +0200
Subject: More links for API help

https://github.com/FreshRSS/FreshRSS/issues/328#issuecomment-236100791
https://github.com/FreshRSS/FreshRSS/issues/957#issuecomment-133581712
---
 app/views/user/profile.phtml |  1 +
 p/api/index.html             | 20 --------------------
 p/api/index.php              | 29 +++++++++++++++++++++++++++++
 3 files changed, 30 insertions(+), 20 deletions(-)
 delete mode 100644 p/api/index.html
 create mode 100644 p/api/index.php

(limited to 'p/api')

diff --git a/app/views/user/profile.phtml b/app/views/user/profile.phtml
index 7ae2c7ede..a97970927 100644
--- a/app/views/user/profile.phtml
+++ b/app/views/user/profile.phtml
@@ -37,6 +37,7 @@
 					<input type="password" id="apiPasswordPlain" name="apiPasswordPlain" autocomplete="off" pattern=".{7,}" <?php echo cryptAvailable() ? '' : 'disabled="disabled" '; ?>/>
 					<a class="btn toggle-password" data-toggle="apiPasswordPlain"><?php echo _i('key'); ?></a>
 				</div>
+				<?php echo _i('help'); ?> <kbd><a href="../api/"><?php echo Minz_Url::display('/api/greader.php', 'html', true); ?></a></kbd>
 			</div>
 		</div>
 		<?php } ?>
diff --git a/p/api/index.html b/p/api/index.html
deleted file mode 100644
index 8da0bcb58..000000000
--- a/p/api/index.html
+++ /dev/null
@@ -1,20 +0,0 @@
-<!DOCTYPE html>
-<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-GB" lang="en-GB">
-<head>
-<meta charset="UTF-8" />
-<title>FreshRSS API</title>
-<meta name="robots" content="noindex" />
-<link rel="start" href="../i/" />
-</head>
-
-<body>
-<h1>FreshRSS API</h1>
-
-<h2>Google Reader compatible API</h2>
-<ul>
-<li><a href="greader.php/check%2Fcompatibility" rel="nofollow">Check full server configuration (with <code>%2F</code> support)</a></li>
-<li><a href="greader.php/check/compatibility" rel="nofollow">Check partial server configuration (without <code>%2F</code> support)</a></li>
-</ul>
-
-</body>
-</html>
diff --git a/p/api/index.php b/p/api/index.php
new file mode 100644
index 000000000..3ab4e02b3
--- /dev/null
+++ b/p/api/index.php
@@ -0,0 +1,29 @@
+<!DOCTYPE html>
+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-GB" lang="en-GB">
+<head>
+<meta charset="UTF-8" />
+<title>FreshRSS API</title>
+<meta name="robots" content="noindex" />
+<link rel="start" href="../i/" />
+</head>
+
+<body>
+<h1>FreshRSS API</h1>
+
+<h2>Google Reader compatible API</h2>
+<dl>
+<dt>Your API address:</dt>
+<dd><?php
+require('../../constants.php');
+require(LIB_PATH . '/lib_rss.php');	//Includes class autoloader
+Minz_Configuration::register('system', DATA_PATH . '/config.php', DATA_PATH . '/config.default.php');
+echo Minz_Url::display('/api/greader.php', 'html', true);
+?></dd>
+</dl>
+<ul>
+<li><a href="greader.php/check%2Fcompatibility" rel="nofollow">Check full server configuration</a></li>
+<li><a href="greader.php/check/compatibility" rel="nofollow">Check partial server configuration (without <code>%2F</code> support)</a></li>
+</ul>
+
+</body>
+</html>
-- 
cgit v1.2.3


From 1a53058ef0887df6dfb91ae269ef76ee5d3f9a31 Mon Sep 17 00:00:00 2001
From: Alexandre Alapetite <alexandre.alapetite@alexandra.dk>
Date: Mon, 29 Aug 2016 09:44:18 +0200
Subject: HTTP security: prevent reflection abuse

https://msdn.microsoft.com/en-us/library/gg622941(v=vs.85).aspx
---
 p/api/pshb.php | 1 +
 1 file changed, 1 insertion(+)

(limited to 'p/api')

diff --git a/p/api/pshb.php b/p/api/pshb.php
index 136b98fc9..650767114 100644
--- a/p/api/pshb.php
+++ b/p/api/pshb.php
@@ -5,6 +5,7 @@ require(LIB_PATH . '/lib_rss.php');	//Includes class autoloader
 define('MAX_PAYLOAD', 3145728);
 
 header('Content-Type: text/plain; charset=UTF-8');
+header('X-Content-Type-Options: nosniff');
 
 function logMe($text) {
 	file_put_contents(USERS_PATH . '/_/log_pshb.txt', date('c') . "\t" . $text . "\n", FILE_APPEND);
-- 
cgit v1.2.3