diff options
Diffstat (limited to 'common/admin')
| -rwxr-xr-x | common/admin/administration.php | 11 | ||||
| -rw-r--r-- | common/admin/changepassword.php | 8 | ||||
| -rw-r--r-- | common/admin/inc/auth.inc.php | 16 | ||||
| -rwxr-xr-x | common/admin/index.php | 15 | ||||
| -rwxr-xr-x | common/admin/login.php | 7 | ||||
| -rw-r--r-- | common/admin/logout.php | 9 | ||||
| -rw-r--r-- | common/admin/purgecache.php | 14 | ||||
| -rwxr-xr-x | common/admin/subscriptions.php | 30 |
8 files changed, 71 insertions, 39 deletions
diff --git a/common/admin/administration.php b/common/admin/administration.php index 1202e91..26f6710 100755 --- a/common/admin/administration.php +++ b/common/admin/administration.php @@ -1,9 +1,10 @@ <?php -require_once dirname(__FILE__) . '/inc/auth.inc.php'; -require_once dirname(__FILE__) . '/../app/app.php'; +require_once __DIR__ . '/../app/app.php'; +require_once __DIR__ . '/inc/auth.inc.php'; -$opml = OpmlManager::load(dirname(__FILE__) . '/../custom/people.opml'); + +$opml = OpmlManager::load(__DIR__ . '/../custom/people.opml'); $opml_people = $opml->getPeople(); $page_id = 'admin-admin'; $header_extra = <<<"HTML" @@ -23,6 +24,7 @@ $page_content = <<<"FRAGMENT" <div class="widget"> <h3>{$l10n->getString('Clear cache')}</h3> <form action="purgecache.php" method="post" id="frmPurge"> + <input type="hidden" value="{$csrf->generate('frmPurge')}" name="_csrf"> <p><label>{$l10n->getString('Clear cache:')}</label><input type="submit" class="submit delete" name="purge" id="purge" value="{$l10n->getString('Clear')}" /></p> <p class="help">{$l10n->getString('Clearing the cache will make moonmoon reload all feeds.')}</p> </form> @@ -31,6 +33,7 @@ $page_content = <<<"FRAGMENT" <div class="widget"> <h3>{$l10n->getString('Change administrator password')}</h3> <form action="changepassword.php" method="post" id="frmPassword"> + <input type="hidden" value="{$csrf->generate('frmPassword')}" name="_csrf"> <p><label for="password">{$l10n->getString('New password:')}</label> <input type="password" class="text" value="" name="password" id="password" size="20" /> <input type="submit" class="submit delete" name="changepwd" id="changepwd" value="{$l10n->getString('Change password')}" /></p> </form> </div> @@ -39,4 +42,4 @@ FRAGMENT; $footer_extra = ''; $admin_access = 1; -require_once dirname(__FILE__) . '/template.php'; +require_once __DIR__ . '/template.php'; diff --git a/common/admin/changepassword.php b/common/admin/changepassword.php index 1fa505e..3b4500e 100644 --- a/common/admin/changepassword.php +++ b/common/admin/changepassword.php @@ -1,9 +1,11 @@ <?php -require_once dirname(__FILE__).'/inc/auth.inc.php'; -if (isset($_POST['password']) && ('' != $_POST['password'])){ +require_once __DIR__.'/../app/app.php'; +require_once __DIR__.'/inc/auth.inc.php'; + +if ($csrf->verify($_POST['_csrf'], 'frmPassword') && isset($_POST['password']) && ('' != $_POST['password'])) { $out = '<?php $login="admin"; $password="'.md5($_POST['password']).'"; ?>'; - file_put_contents(dirname(__FILE__).'/inc/pwd.inc.php', $out); + file_put_contents(__DIR__.'/inc/pwd.inc.php', $out); die("Password changed. <a href='administration.php'>Login</a>"); } else { die('Can not change password'); diff --git a/common/admin/inc/auth.inc.php b/common/admin/inc/auth.inc.php index d21467b..0acf934 100644 --- a/common/admin/inc/auth.inc.php +++ b/common/admin/inc/auth.inc.php @@ -1,11 +1,13 @@ <?php -include (dirname(__FILE__).'/pwd.inc.php'); -if ( isset($_COOKIE['auth']) && $_COOKIE['auth'] == $password ) { - //ok, cool -} else { - setcookie('auth','', time()-3600); +include dirname(__FILE__).'/pwd.inc.php'; + +if (!class_exists('Planet')) { + require __DIR__.'/../../vendor/autoload.php'; +} + +if (!Planet::authenticateUser($_COOKIE['auth'], $password)) { + setcookie('auth', '', time() - 3600); header('Location: login.php'); - die; + die(); } -?>
\ No newline at end of file diff --git a/common/admin/index.php b/common/admin/index.php index 28f7198..0118923 100755 --- a/common/admin/index.php +++ b/common/admin/index.php @@ -1,10 +1,10 @@ <?php -require_once dirname(__FILE__) . '/inc/auth.inc.php'; -require_once dirname(__FILE__) . '/../app/app.php'; +require_once __DIR__ . '/../app/app.php'; +require_once __DIR__ . '/inc/auth.inc.php'; //Load configuration -$config_file = dirname(__FILE__) . '/../custom/config.yml'; +$config_file = __DIR__ . '/../custom/config.yml'; if (is_file($config_file)){ $conf = Spyc::YAMLLoad($config_file); @@ -17,7 +17,7 @@ if (is_file($config_file)){ $Planet = new Planet($PlanetConfig); //Load -if (0 < $Planet->loadOpml(dirname(__FILE__) . '/../custom/people.opml')) { +if (0 < $Planet->loadOpml(__DIR__ . '/../custom/people.opml')) { $Planet->loadFeeds(); $items = $Planet->getItems(); } @@ -79,6 +79,7 @@ ob_start(); <input type="submit" class="submit add" name="add" value="<?=_g('Add Feed')?>" /> </fieldset> <p class="help"><?=_g('Accepted formats are RSS and ATOM. If the link is not a feed, moonmoon will try to autodiscover the feed.')?></p> + <input type="hidden" value="<?php echo $csrf->generate('feedmanage'); ?>" name="_csrf"> </form> </div> @@ -87,6 +88,7 @@ ob_start(); <form action="subscriptions.php" method="post" id="feedmanage"> <p class="action"> <span class="count"><?php echo sprintf(_g('Number of feeds: %s'), $count_feeds)?></span> + <input type="hidden" value="<?php echo $csrf->generate('feedmanage'); ?>" name="_csrf"> <input type="submit" class="submit save" name="save" id="save" value="<?=_g('Save changes')?>" /> <input type="submit" class="submit delete" name="delete" id="delete" value="<?=_g('Delete selected Feeds')?>" /> </p> @@ -99,6 +101,7 @@ ob_start(); <th><?=_g('Last entry')?></th> <th><?=_g('Website link')?></th> <th><?=_g('Feed link')?></th> + <th><?=_g('Unavailable')?></th> </tr> </thead> <tbody> @@ -118,10 +121,12 @@ ob_start(); } else { echo _g('Not in cache'); } + $check_is_down = $opml_person->getIsDown() === '1' ? 'checked="checked"' : ''; ?> </td> <td><input type="text" size="30" class="text" name="opml[<?=$i; ?>][website]" value="<?=$opml_person->getWebsite(); ?>" /></td> <td><input type="text" size="30" class="text" name="opml[<?=$i; ?>][feed]" value="<?=$opml_person->getFeed(); ?>" /></td> + <td><input type="checkbox" readonly="readonly" name="opml[<?=$i; ?>][isDown]" <?=$check_is_down?> value="1" /></td> </tr> <?php } ?> </tbody> @@ -133,4 +138,4 @@ $page_content = ob_get_contents(); ob_end_clean(); $admin_access = 1; -require_once dirname(__FILE__) . '/template.php'; +require_once __DIR__ . '/template.php'; diff --git a/common/admin/login.php b/common/admin/login.php index 796011f..a95e59f 100755 --- a/common/admin/login.php +++ b/common/admin/login.php @@ -1,10 +1,13 @@ <?php + +require_once __DIR__ . '/../app/app.php'; + if (isset($_POST['password'])) { + session_regenerate_id(); setcookie('auth',md5($_POST['password'])); header('Location: index.php'); } -require_once dirname(__FILE__) . '/../app/app.php'; $page_content = <<<FRAGMENT <form action="" method="post" class="login"> <fieldset> @@ -31,4 +34,4 @@ FRAGMENT; $page_id = 'admin-login'; $admin_access = 0; -require_once dirname(__FILE__) . '/template.php'; +require_once __DIR__ . '/template.php'; diff --git a/common/admin/logout.php b/common/admin/logout.php index 6dd32aa..adb843f 100644 --- a/common/admin/logout.php +++ b/common/admin/logout.php @@ -1,5 +1,10 @@ <?php + +require_once __DIR__ . '/../app/app.php'; + setcookie('auth','', time()-3600); +session_destroy(); +session_regenerate_id(); + header('Location: login.php'); -die; -?>
\ No newline at end of file +die(); diff --git a/common/admin/purgecache.php b/common/admin/purgecache.php index a5af5cf..23a5712 100644 --- a/common/admin/purgecache.php +++ b/common/admin/purgecache.php @@ -1,16 +1,18 @@ <?php -require_once dirname(__FILE__).'/inc/auth.inc.php'; + +require_once __DIR__.'/../app/app.php'; +require_once __DIR__.'/inc/auth.inc.php'; if (isset($_POST['purge'])){ - $dir = dirname(__FILE__).'/../cache/'; - + $dir = __DIR__.'/../cache/'; + $dh = opendir($dir); - + while ($filename = readdir($dh)) { if ($filename == '.' OR $filename == '..') { continue; } - + if (filemtime($dir . DIRECTORY_SEPARATOR . $filename) < time()) { @unlink($dir . DIRECTORY_SEPARATOR . $filename); } @@ -18,4 +20,4 @@ if (isset($_POST['purge'])){ } header('Location: administration.php'); -die();
\ No newline at end of file +die(); diff --git a/common/admin/subscriptions.php b/common/admin/subscriptions.php index ea2f113..f0fd896 100755 --- a/common/admin/subscriptions.php +++ b/common/admin/subscriptions.php @@ -1,21 +1,24 @@ <?php -require_once dirname(__FILE__) . '/inc/auth.inc.php'; -require_once dirname(__FILE__) . '/../app/app.php'; + +require_once __DIR__ . '/../app/app.php'; +require_once __DIR__ . '/inc/auth.inc.php'; function removeSlashes(&$item, $key){ $item = stripslashes($item); } +if (!$csrf->verify($_POST['_csrf'], 'feedmanage')) { + die('Invalid CSRF token!'); +} + if (isset($_POST['opml']) || isset($_POST['add'])) { - // Load config and old OPML - $conf = Spyc::YAMLLoad(dirname(__FILE__).'/../custom/config.yml'); - $PlanetConfig = new PlanetConfig($conf); + // Load old OPML + $oldOpml = OpmlManager::load(__DIR__.'/../custom/people.opml'); if ($PlanetConfig->getName() === '') { $PlanetConfig->setName($oldOpml->getTitle()); } - $oldOpml = OpmlManager::load(dirname(__FILE__).'/../custom/people.opml'); - $newOpml = new opml(); + $newOpml = new Opml(); $newOpml->title = $PlanetConfig->getName(); // Remove slashes if needed @@ -43,11 +46,18 @@ if (isset($_POST['opml']) || isset($_POST['add'])) { $feed = new SimplePie(); $feed->enable_cache(false); $feed->set_feed_url($_POST['url']); + if ($conf['checkcerts'] === false) { + $feed->set_curl_options([ + CURLOPT_SSL_VERIFYHOST => false, + CURLOPT_SSL_VERIFYPEER => false + ]); + } $feed->init(); $feed->handle_content_type(); - $person['name'] = $feed->get_title(); + $person['name'] = html_entity_decode($feed->get_title()); $person['website'] = $feed->get_permalink(); $person['feed'] = $feed->feed_url; + $person['isDown'] = '0'; $oldOpml->entries[] = $person; } @@ -55,10 +65,10 @@ if (isset($_POST['opml']) || isset($_POST['add'])) { } // Backup old OPML - OpmlManager::backup(dirname(__FILE__).'/../custom/people.opml'); + OpmlManager::backup(__DIR__.'/../custom/people.opml'); // Save new OPML - OpmlManager::save($newOpml, dirname(__FILE__).'/../custom/people.opml'); + OpmlManager::save($newOpml, __DIR__.'/../custom/people.opml'); } header("Location: index.php"); die(); |