From e3de9d7dd1331f9718e04cc98e9ca7cfa27cf4aa Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nicolas=20L=C3=A9cureuil?= <neoclust@mageia.org>
Date: Sun, 17 May 2020 14:46:00 +0200
Subject: Sync with master of moonmoon ( version 9.0.0-rc) Source from
https://github.com/Emmafrs/moonmoon/
---
common/admin/administration.php | 11 +++++++----
common/admin/changepassword.php | 8 +++++---
common/admin/inc/auth.inc.php | 16 +++++++++-------
common/admin/index.php | 15 ++++++++++-----
common/admin/login.php | 7 +++++--
common/admin/logout.php | 9 +++++++--
common/admin/purgecache.php | 14 ++++++++------
common/admin/subscriptions.php | 30 ++++++++++++++++++++----------
8 files changed, 71 insertions(+), 39 deletions(-)
(limited to 'common/admin')
diff --git a/common/admin/administration.php b/common/admin/administration.php
index 1202e91..26f6710 100755
--- a/common/admin/administration.php
+++ b/common/admin/administration.php
@@ -1,9 +1,10 @@
<?php
-require_once dirname(__FILE__) . '/inc/auth.inc.php';
-require_once dirname(__FILE__) . '/../app/app.php';
+require_once __DIR__ . '/../app/app.php';
+require_once __DIR__ . '/inc/auth.inc.php';
-$opml = OpmlManager::load(dirname(__FILE__) . '/../custom/people.opml');
+
+$opml = OpmlManager::load(__DIR__ . '/../custom/people.opml');
$opml_people = $opml->getPeople();
$page_id = 'admin-admin';
$header_extra = <<<"HTML"
@@ -23,6 +24,7 @@ $page_content = <<<"FRAGMENT"
<div class="widget">
<h3>{$l10n->getString('Clear cache')}</h3>
<form action="purgecache.php" method="post" id="frmPurge">
+ <input type="hidden" value="{$csrf->generate('frmPurge')}" name="_csrf">
<p><label>{$l10n->getString('Clear cache:')}</label><input type="submit" class="submit delete" name="purge" id="purge" value="{$l10n->getString('Clear')}" /></p>
<p class="help">{$l10n->getString('Clearing the cache will make moonmoon reload all feeds.')}</p>
</form>
@@ -31,6 +33,7 @@ $page_content = <<<"FRAGMENT"
<div class="widget">
<h3>{$l10n->getString('Change administrator password')}</h3>
<form action="changepassword.php" method="post" id="frmPassword">
+ <input type="hidden" value="{$csrf->generate('frmPassword')}" name="_csrf">
<p><label for="password">{$l10n->getString('New password:')}</label> <input type="password" class="text" value="" name="password" id="password" size="20" /> <input type="submit" class="submit delete" name="changepwd" id="changepwd" value="{$l10n->getString('Change password')}" /></p>
</form>
</div>
@@ -39,4 +42,4 @@ FRAGMENT;
$footer_extra = '';
$admin_access = 1;
-require_once dirname(__FILE__) . '/template.php';
+require_once __DIR__ . '/template.php';
diff --git a/common/admin/changepassword.php b/common/admin/changepassword.php
index 1fa505e..3b4500e 100644
--- a/common/admin/changepassword.php
+++ b/common/admin/changepassword.php
@@ -1,9 +1,11 @@
<?php
-require_once dirname(__FILE__).'/inc/auth.inc.php';
-if (isset($_POST['password']) && ('' != $_POST['password'])){
+require_once __DIR__.'/../app/app.php';
+require_once __DIR__.'/inc/auth.inc.php';
+
+if ($csrf->verify($_POST['_csrf'], 'frmPassword') && isset($_POST['password']) && ('' != $_POST['password'])) {
$out = '<?php $login="admin"; $password="'.md5($_POST['password']).'"; ?>';
- file_put_contents(dirname(__FILE__).'/inc/pwd.inc.php', $out);
+ file_put_contents(__DIR__.'/inc/pwd.inc.php', $out);
die("Password changed. <a href='administration.php'>Login</a>");
} else {
die('Can not change password');
diff --git a/common/admin/inc/auth.inc.php b/common/admin/inc/auth.inc.php
index d21467b..0acf934 100644
--- a/common/admin/inc/auth.inc.php
+++ b/common/admin/inc/auth.inc.php
@@ -1,11 +1,13 @@
<?php
-include (dirname(__FILE__).'/pwd.inc.php');
-if ( isset($_COOKIE['auth']) && $_COOKIE['auth'] == $password ) {
- //ok, cool
-} else {
- setcookie('auth','', time()-3600);
+include dirname(__FILE__).'/pwd.inc.php';
+
+if (!class_exists('Planet')) {
+ require __DIR__.'/../../vendor/autoload.php';
+}
+
+if (!Planet::authenticateUser($_COOKIE['auth'], $password)) {
+ setcookie('auth', '', time() - 3600);
header('Location: login.php');
- die;
+ die();
}
-?>
\ No newline at end of file
diff --git a/common/admin/index.php b/common/admin/index.php
index 28f7198..0118923 100755
--- a/common/admin/index.php
+++ b/common/admin/index.php
@@ -1,10 +1,10 @@
<?php
-require_once dirname(__FILE__) . '/inc/auth.inc.php';
-require_once dirname(__FILE__) . '/../app/app.php';
+require_once __DIR__ . '/../app/app.php';
+require_once __DIR__ . '/inc/auth.inc.php';
//Load configuration
-$config_file = dirname(__FILE__) . '/../custom/config.yml';
+$config_file = __DIR__ . '/../custom/config.yml';
if (is_file($config_file)){
$conf = Spyc::YAMLLoad($config_file);
@@ -17,7 +17,7 @@ if (is_file($config_file)){
$Planet = new Planet($PlanetConfig);
//Load
-if (0 < $Planet->loadOpml(dirname(__FILE__) . '/../custom/people.opml')) {
+if (0 < $Planet->loadOpml(__DIR__ . '/../custom/people.opml')) {
$Planet->loadFeeds();
$items = $Planet->getItems();
}
@@ -79,6 +79,7 @@ ob_start();
<input type="submit" class="submit add" name="add" value="<?=_g('Add Feed')?>" />
</fieldset>
<p class="help"><?=_g('Accepted formats are RSS and ATOM. If the link is not a feed, moonmoon will try to autodiscover the feed.')?></p>
+ <input type="hidden" value="<?php echo $csrf->generate('feedmanage'); ?>" name="_csrf">
</form>
</div>
@@ -87,6 +88,7 @@ ob_start();
<form action="subscriptions.php" method="post" id="feedmanage">
<p class="action">
<span class="count"><?php echo sprintf(_g('Number of feeds: %s'), $count_feeds)?></span>
+ <input type="hidden" value="<?php echo $csrf->generate('feedmanage'); ?>" name="_csrf">
<input type="submit" class="submit save" name="save" id="save" value="<?=_g('Save changes')?>" />
<input type="submit" class="submit delete" name="delete" id="delete" value="<?=_g('Delete selected Feeds')?>" />
</p>
@@ -99,6 +101,7 @@ ob_start();
<th><?=_g('Last entry')?></th>
<th><?=_g('Website link')?></th>
<th><?=_g('Feed link')?></th>
+ <th><?=_g('Unavailable')?></th>
</tr>
</thead>
<tbody>
@@ -118,10 +121,12 @@ ob_start();
} else {
echo _g('Not in cache');
}
+ $check_is_down = $opml_person->getIsDown() === '1' ? 'checked="checked"' : '';
?>
</td>
<td><input type="text" size="30" class="text" name="opml[<?=$i; ?>][website]" value="<?=$opml_person->getWebsite(); ?>" /></td>
<td><input type="text" size="30" class="text" name="opml[<?=$i; ?>][feed]" value="<?=$opml_person->getFeed(); ?>" /></td>
+ <td><input type="checkbox" readonly="readonly" name="opml[<?=$i; ?>][isDown]" <?=$check_is_down?> value="1" /></td>
</tr>
<?php } ?>
</tbody>
@@ -133,4 +138,4 @@ $page_content = ob_get_contents();
ob_end_clean();
$admin_access = 1;
-require_once dirname(__FILE__) . '/template.php';
+require_once __DIR__ . '/template.php';
diff --git a/common/admin/login.php b/common/admin/login.php
index 796011f..a95e59f 100755
--- a/common/admin/login.php
+++ b/common/admin/login.php
@@ -1,10 +1,13 @@
<?php
+
+require_once __DIR__ . '/../app/app.php';
+
if (isset($_POST['password'])) {
+ session_regenerate_id();
setcookie('auth',md5($_POST['password']));
header('Location: index.php');
}
-require_once dirname(__FILE__) . '/../app/app.php';
$page_content = <<<FRAGMENT
<form action="" method="post" class="login">
<fieldset>
@@ -31,4 +34,4 @@ FRAGMENT;
$page_id = 'admin-login';
$admin_access = 0;
-require_once dirname(__FILE__) . '/template.php';
+require_once __DIR__ . '/template.php';
diff --git a/common/admin/logout.php b/common/admin/logout.php
index 6dd32aa..adb843f 100644
--- a/common/admin/logout.php
+++ b/common/admin/logout.php
@@ -1,5 +1,10 @@
<?php
+
+require_once __DIR__ . '/../app/app.php';
+
setcookie('auth','', time()-3600);
+session_destroy();
+session_regenerate_id();
+
header('Location: login.php');
-die;
-?>
\ No newline at end of file
+die();
diff --git a/common/admin/purgecache.php b/common/admin/purgecache.php
index a5af5cf..23a5712 100644
--- a/common/admin/purgecache.php
+++ b/common/admin/purgecache.php
@@ -1,16 +1,18 @@
<?php
-require_once dirname(__FILE__).'/inc/auth.inc.php';
+
+require_once __DIR__.'/../app/app.php';
+require_once __DIR__.'/inc/auth.inc.php';
if (isset($_POST['purge'])){
- $dir = dirname(__FILE__).'/../cache/';
-
+ $dir = __DIR__.'/../cache/';
+
$dh = opendir($dir);
-
+
while ($filename = readdir($dh)) {
if ($filename == '.' OR $filename == '..') {
continue;
}
-
+
if (filemtime($dir . DIRECTORY_SEPARATOR . $filename) < time()) {
@unlink($dir . DIRECTORY_SEPARATOR . $filename);
}
@@ -18,4 +20,4 @@ if (isset($_POST['purge'])){
}
header('Location: administration.php');
-die();
\ No newline at end of file
+die();
diff --git a/common/admin/subscriptions.php b/common/admin/subscriptions.php
index ea2f113..f0fd896 100755
--- a/common/admin/subscriptions.php
+++ b/common/admin/subscriptions.php
@@ -1,21 +1,24 @@
<?php
-require_once dirname(__FILE__) . '/inc/auth.inc.php';
-require_once dirname(__FILE__) . '/../app/app.php';
+
+require_once __DIR__ . '/../app/app.php';
+require_once __DIR__ . '/inc/auth.inc.php';
function removeSlashes(&$item, $key){
$item = stripslashes($item);
}
+if (!$csrf->verify($_POST['_csrf'], 'feedmanage')) {
+ die('Invalid CSRF token!');
+}
+
if (isset($_POST['opml']) || isset($_POST['add'])) {
- // Load config and old OPML
- $conf = Spyc::YAMLLoad(dirname(__FILE__).'/../custom/config.yml');
- $PlanetConfig = new PlanetConfig($conf);
+ // Load old OPML
+ $oldOpml = OpmlManager::load(__DIR__.'/../custom/people.opml');
if ($PlanetConfig->getName() === '') {
$PlanetConfig->setName($oldOpml->getTitle());
}
- $oldOpml = OpmlManager::load(dirname(__FILE__).'/../custom/people.opml');
- $newOpml = new opml();
+ $newOpml = new Opml();
$newOpml->title = $PlanetConfig->getName();
// Remove slashes if needed
@@ -43,11 +46,18 @@ if (isset($_POST['opml']) || isset($_POST['add'])) {
$feed = new SimplePie();
$feed->enable_cache(false);
$feed->set_feed_url($_POST['url']);
+ if ($conf['checkcerts'] === false) {
+ $feed->set_curl_options([
+ CURLOPT_SSL_VERIFYHOST => false,
+ CURLOPT_SSL_VERIFYPEER => false
+ ]);
+ }
$feed->init();
$feed->handle_content_type();
- $person['name'] = $feed->get_title();
+ $person['name'] = html_entity_decode($feed->get_title());
$person['website'] = $feed->get_permalink();
$person['feed'] = $feed->feed_url;
+ $person['isDown'] = '0';
$oldOpml->entries[] = $person;
}
@@ -55,10 +65,10 @@ if (isset($_POST['opml']) || isset($_POST['add'])) {
}
// Backup old OPML
- OpmlManager::backup(dirname(__FILE__).'/../custom/people.opml');
+ OpmlManager::backup(__DIR__.'/../custom/people.opml');
// Save new OPML
- OpmlManager::save($newOpml, dirname(__FILE__).'/../custom/people.opml');
+ OpmlManager::save($newOpml, __DIR__.'/../custom/people.opml');
}
header("Location: index.php");
die();
--
cgit v1.2.1