From e3de9d7dd1331f9718e04cc98e9ca7cfa27cf4aa Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nicolas=20L=C3=A9cureuil?= <neoclust@mageia.org>
Date: Sun, 17 May 2020 14:46:00 +0200
Subject: Sync with master of moonmoon (version 9.0.0-rc). Source:
 https://github.com/Emmafrs/moonmoon/

---
 common/admin/administration.php | 11 +++++++----
 common/admin/changepassword.php |  8 +++++---
 common/admin/inc/auth.inc.php   | 16 +++++++++-------
 common/admin/index.php          | 15 ++++++++++-----
 common/admin/login.php          |  7 +++++--
 common/admin/logout.php         |  9 +++++++--
 common/admin/purgecache.php     | 14 ++++++++------
 common/admin/subscriptions.php  | 30 ++++++++++++++++++++----------
 8 files changed, 71 insertions(+), 39 deletions(-)


diff --git a/common/admin/administration.php b/common/admin/administration.php
index 1202e91..26f6710 100755
--- a/common/admin/administration.php
+++ b/common/admin/administration.php
@@ -1,9 +1,10 @@
 <?php
 
-require_once dirname(__FILE__) . '/inc/auth.inc.php';
-require_once dirname(__FILE__) . '/../app/app.php';
+require_once __DIR__ . '/../app/app.php';
+require_once __DIR__ . '/inc/auth.inc.php';
 
-$opml         = OpmlManager::load(dirname(__FILE__) . '/../custom/people.opml');
+
+$opml         = OpmlManager::load(__DIR__ . '/../custom/people.opml');
 $opml_people  = $opml->getPeople();
 $page_id      = 'admin-admin';
 $header_extra = <<<"HTML"
@@ -23,6 +24,7 @@ $page_content = <<<"FRAGMENT"
             <div class="widget">
                 <h3>{$l10n->getString('Clear cache')}</h3>
                 <form action="purgecache.php" method="post" id="frmPurge">
+                    <input type="hidden" value="{$csrf->generate('frmPurge')}" name="_csrf">
                     <p><label>{$l10n->getString('Clear cache:')}</label><input type="submit" class="submit delete" name="purge" id="purge" value="{$l10n->getString('Clear')}" /></p>
                     <p class="help">{$l10n->getString('Clearing the cache will make moonmoon reload all feeds.')}</p>
                 </form>
@@ -31,6 +33,7 @@ $page_content = <<<"FRAGMENT"
             <div class="widget">
                 <h3>{$l10n->getString('Change administrator password')}</h3>
                 <form action="changepassword.php" method="post" id="frmPassword">
+                    <input type="hidden" value="{$csrf->generate('frmPassword')}" name="_csrf">
                     <p><label for="password">{$l10n->getString('New password:')}</label> <input type="password" class="text" value="" name="password" id="password" size="20" /> <input type="submit" class="submit delete" name="changepwd" id="changepwd" value="{$l10n->getString('Change password')}" /></p>
                 </form>
             </div>
@@ -39,4 +42,4 @@ FRAGMENT;
 
 $footer_extra = '';
 $admin_access = 1;
-require_once dirname(__FILE__) . '/template.php';
+require_once __DIR__ . '/template.php';
diff --git a/common/admin/changepassword.php b/common/admin/changepassword.php
index 1fa505e..3b4500e 100644
--- a/common/admin/changepassword.php
+++ b/common/admin/changepassword.php
@@ -1,9 +1,11 @@
 <?php
-require_once dirname(__FILE__).'/inc/auth.inc.php';
 
-if (isset($_POST['password']) && ('' != $_POST['password'])){
+require_once __DIR__.'/../app/app.php';
+require_once __DIR__.'/inc/auth.inc.php';
+
+if ($csrf->verify($_POST['_csrf'], 'frmPassword') && isset($_POST['password']) && ('' != $_POST['password'])) {
     $out = '<?php $login="admin"; $password="'.md5($_POST['password']).'"; ?>';
-    file_put_contents(dirname(__FILE__).'/inc/pwd.inc.php', $out);
+    file_put_contents(__DIR__.'/inc/pwd.inc.php', $out);
     die("Password changed. <a href='administration.php'>Login</a>");
 } else {
     die('Can not change password');
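Review bot: `$_POST['_csrf']` on the new `if` line is read without a guard, so a request that omits the token raises an undefined-index warning before `$csrf->verify()` runs (and a TypeError if `verify()` declares a `string` parameter); use `$csrf->verify($_POST['_csrf'] ?? '', 'frmPassword')` so a missing token simply fails the check. The new password is still persisted as a bare `md5()` hex digest in `pwd.inc.php`, which this sync leaves in place; because login.php and auth.inc.php compare that same digest from the `auth` cookie, moving to `password_hash()`/`password_verify()` has to be done across all three files together rather than here alone. The `'' != $_POST['password']` test is a loose comparison; `$_POST['password'] !== ''` says the same thing without coercion.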
diff --git a/common/admin/inc/auth.inc.php b/common/admin/inc/auth.inc.php
index d21467b..0acf934 100644
--- a/common/admin/inc/auth.inc.php
+++ b/common/admin/inc/auth.inc.php
@@ -1,11 +1,13 @@
 <?php
-include (dirname(__FILE__).'/pwd.inc.php');
 
-if ( isset($_COOKIE['auth']) && $_COOKIE['auth'] == $password ) {
-    //ok, cool
-} else {
-    setcookie('auth','', time()-3600);
+include dirname(__FILE__).'/pwd.inc.php';
+
+if (!class_exists('Planet')) {
+    require __DIR__.'/../../vendor/autoload.php';
+}
+
+if (!Planet::authenticateUser($_COOKIE['auth'], $password)) {
+    setcookie('auth', '', time() - 3600);
     header('Location: login.php');
-    die;
+    die();
 }
-?>
\ No newline at end of file
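Review bot: The new `Planet::authenticateUser($_COOKIE['auth'], $password)` call reads `$_COOKIE['auth']` without the `isset()` the removed code had, so an unauthenticated visitor with no cookie triggers an undefined-index warning on every admin page before the redirect; pass `$_COOKIE['auth'] ?? ''` instead. `pwd.inc.php` is pulled in with `include`, so if that file is missing `$password` is undefined and the comparison proceeds against null — `require` would make the failure explicit. `authenticateUser()` is not in this diff; it should compare the two digests with `hash_equals()` rather than `==`, and the cookie remains a password-equivalent value as long as it carries `md5($_POST['password'])` as set in login.php.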
diff --git a/common/admin/index.php b/common/admin/index.php
index 28f7198..0118923 100755
--- a/common/admin/index.php
+++ b/common/admin/index.php
@@ -1,10 +1,10 @@
 <?php
 
-require_once dirname(__FILE__) . '/inc/auth.inc.php';
-require_once dirname(__FILE__) . '/../app/app.php';
+require_once __DIR__ . '/../app/app.php';
+require_once __DIR__ . '/inc/auth.inc.php';
 
 //Load configuration
-$config_file = dirname(__FILE__) . '/../custom/config.yml';
+$config_file = __DIR__ . '/../custom/config.yml';
 
 if (is_file($config_file)){
     $conf = Spyc::YAMLLoad($config_file);
@@ -17,7 +17,7 @@ if (is_file($config_file)){
 $Planet = new Planet($PlanetConfig);
 
 //Load
-if (0 < $Planet->loadOpml(dirname(__FILE__) . '/../custom/people.opml')) {
+if (0 < $Planet->loadOpml(__DIR__ . '/../custom/people.opml')) {
     $Planet->loadFeeds();
     $items = $Planet->getItems();
 }
@@ -79,6 +79,7 @@ ob_start();
                         <input type="submit" class="submit add" name="add" value="<?=_g('Add Feed')?>" />
                     </fieldset>
                     <p class="help"><?=_g('Accepted formats are RSS and ATOM. If the link is not a feed, moonmoon will try to autodiscover the feed.')?></p>
+                <input type="hidden" value="<?php echo $csrf->generate('feedmanage'); ?>" name="_csrf">
                 </form>
             </div>
 
@@ -87,6 +88,7 @@ ob_start();
                 <form action="subscriptions.php" method="post" id="feedmanage">
                 <p class="action">
                 <span class="count"><?php echo sprintf(_g('Number of feeds: %s'), $count_feeds)?></span>
+                <input type="hidden" value="<?php echo $csrf->generate('feedmanage'); ?>" name="_csrf">
                 <input type="submit" class="submit save" name="save" id="save" value="<?=_g('Save changes')?>" />
                 <input type="submit" class="submit delete" name="delete" id="delete" value="<?=_g('Delete selected Feeds')?>" />
                 </p>
@@ -99,6 +101,7 @@ ob_start();
                             <th><?=_g('Last entry')?></th>
                             <th><?=_g('Website link')?></th>
                             <th><?=_g('Feed link')?></th>
+                            <th><?=_g('Unavailable')?></th>
                         </tr>
                     </thead>
                     <tbody>
@@ -118,10 +121,12 @@ ob_start();
                                 } else {
                                     echo _g('Not in cache');
                                 }
+                                $check_is_down = $opml_person->getIsDown() === '1' ? 'checked="checked"' : '';
                                 ?>
                             </td>
                             <td><input type="text" size="30" class="text" name="opml[<?=$i; ?>][website]" value="<?=$opml_person->getWebsite(); ?>" /></td>
                             <td><input type="text" size="30" class="text" name="opml[<?=$i; ?>][feed]" value="<?=$opml_person->getFeed(); ?>" /></td>
+                            <td><input type="checkbox" readonly="readonly" name="opml[<?=$i; ?>][isDown]" <?=$check_is_down?> value="1" /></td>
                         </tr>
                         <?php } ?>
                     </tbody>
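Review bot: The `readonly="readonly"` attribute on the new `isDown` checkbox has no effect in browsers (it is only honoured on text-like inputs), so the flag is freely editable and is submitted as `opml[<i>][isDown]` like the other fields. If the column is meant to be display-only, `disabled="disabled"` prevents editing but also drops the field from the POST, so subscriptions.php would then need to preserve the stored value itself; either way the handler must treat the posted value as user input, presumably normalising it to `'0'`/`'1'`. The `getIsDown() === '1'` strict comparison assumes the OPML loader yields the flag as a string — worth confirming against the `'0'` default written in subscriptions.php.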
@@ -133,4 +138,4 @@ $page_content = ob_get_contents();
 ob_end_clean();
 
 $admin_access = 1;
-require_once dirname(__FILE__) . '/template.php';
+require_once __DIR__ . '/template.php';
diff --git a/common/admin/login.php b/common/admin/login.php
index 796011f..a95e59f 100755
--- a/common/admin/login.php
+++ b/common/admin/login.php
@@ -1,10 +1,13 @@
 <?php
+
+require_once __DIR__ . '/../app/app.php';
+
 if (isset($_POST['password'])) {
+    session_regenerate_id();
     setcookie('auth',md5($_POST['password']));
     header('Location: index.php');
 }
 
-require_once dirname(__FILE__) . '/../app/app.php';
 $page_content = <<<FRAGMENT
             <form action="" method="post" class="login">
                 <fieldset>
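Review bot: The `session_regenerate_id()` added before `setcookie()` only works if a session is already active — presumably app.php calls `session_start()`, but if it does not the call emits a warning and returns false. The cookie itself is still set with no flags, so the `md5()` digest, which is a password equivalent in this scheme, is readable by script and sent over plain HTTP; PHP 7.3+ accepts an options array, e.g. `setcookie('auth', md5($_POST['password']), ['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);`, and the matching `setcookie('auth', '', ...)` calls in logout.php and auth.inc.php should then use the same path and flags. There is also no `exit` after `header('Location: index.php')`, so the rest of the page is still rendered and sent behind the redirect.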
@@ -31,4 +34,4 @@ FRAGMENT;
 $page_id      = 'admin-login';
 $admin_access = 0;
 
-require_once dirname(__FILE__) . '/template.php';
+require_once __DIR__ . '/template.php';
diff --git a/common/admin/logout.php b/common/admin/logout.php
index 6dd32aa..adb843f 100644
--- a/common/admin/logout.php
+++ b/common/admin/logout.php
@@ -1,5 +1,10 @@
 <?php
+
+require_once __DIR__ . '/../app/app.php';
+
 setcookie('auth','', time()-3600);
+session_destroy();
+session_regenerate_id();
+
 header('Location: login.php');
-die;
-?>
\ No newline at end of file
+die();
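Review bot: `session_destroy()` followed by `session_regenerate_id()` is the wrong order: once the session is destroyed there is no active session, so `session_regenerate_id()` emits a warning and returns false (and both calls presuppose that app.php started a session). Either drop the regenerate call or swap the two lines, `session_regenerate_id(true); session_destroy();`, and clear `$_SESSION = [];` first so no data survives in the current request. The unchanged `setcookie('auth','', time()-3600)` must use the same path/domain as the cookie set in login.php, or the browser keeps the old one.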
diff --git a/common/admin/purgecache.php b/common/admin/purgecache.php
index a5af5cf..23a5712 100644
--- a/common/admin/purgecache.php
+++ b/common/admin/purgecache.php
@@ -1,16 +1,18 @@
 <?php
-require_once dirname(__FILE__).'/inc/auth.inc.php';
+
+require_once __DIR__.'/../app/app.php';
+require_once __DIR__.'/inc/auth.inc.php';
 
 if (isset($_POST['purge'])){
-    $dir = dirname(__FILE__).'/../cache/';
-    
+    $dir = __DIR__.'/../cache/';
+
     $dh = opendir($dir);
-    
+
     while ($filename = readdir($dh)) {
         if ($filename == '.' OR $filename == '..') {
             continue;
         }
-        
+
         if (filemtime($dir . DIRECTORY_SEPARATOR . $filename) < time()) {
             @unlink($dir . DIRECTORY_SEPARATOR . $filename);
         }
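Review bot: purgecache.php never checks the CSRF token even though administration.php now emits one for this form (`$csrf->generate('frmPurge')`), so the cache purge is still triggerable by any cross-site POST carrying `purge`; add the same guard subscriptions.php uses, `if (!$csrf->verify($_POST['_csrf'] ?? '', 'frmPurge')) { die('Invalid CSRF token!'); }`, right after the `require_once` lines. The `while ($filename = readdir($dh))` loop stops early on a file literally named `0`; `while (($filename = readdir($dh)) !== false)` is the documented form, and `$dh` is never passed to `closedir()`. The `@unlink` suppression hides permission errors that would explain a cache that never empties. The enclosing `while` and `if (isset($_POST['purge']))` blocks close outside the hunk.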
@@ -18,4 +20,4 @@ if (isset($_POST['purge'])){
 }
 
 header('Location: administration.php');
-die();
\ No newline at end of file
+die();
diff --git a/common/admin/subscriptions.php b/common/admin/subscriptions.php
index ea2f113..f0fd896 100755
--- a/common/admin/subscriptions.php
+++ b/common/admin/subscriptions.php
@@ -1,21 +1,24 @@
 <?php
-require_once dirname(__FILE__) . '/inc/auth.inc.php';
-require_once dirname(__FILE__) . '/../app/app.php';
+
+require_once __DIR__ . '/../app/app.php';
+require_once __DIR__ . '/inc/auth.inc.php';
 
 function removeSlashes(&$item, $key){
     $item = stripslashes($item);
 }
 
+if (!$csrf->verify($_POST['_csrf'], 'feedmanage')) {
+    die('Invalid CSRF token!');
+}
+
 if (isset($_POST['opml']) || isset($_POST['add'])) {
 
-    // Load config and old OPML
-    $conf = Spyc::YAMLLoad(dirname(__FILE__).'/../custom/config.yml');
-    $PlanetConfig = new PlanetConfig($conf);
+    // Load old OPML
+    $oldOpml = OpmlManager::load(__DIR__.'/../custom/people.opml');
     if ($PlanetConfig->getName() === '') {
         $PlanetConfig->setName($oldOpml->getTitle());
     }
-    $oldOpml = OpmlManager::load(dirname(__FILE__).'/../custom/people.opml');
-    $newOpml = new opml();
+    $newOpml = new Opml();
     $newOpml->title = $PlanetConfig->getName();
 
     // Remove slashes if needed
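Review bot: The new guard reads `$_POST['_csrf']` unconditionally, so a plain GET to subscriptions.php emits an undefined-index warning before failing; `$csrf->verify($_POST['_csrf'] ?? '', 'feedmanage')` keeps the fail-closed behaviour without the noise. The hunk also removes the lines that defined `$conf` and `$PlanetConfig`, yet `$PlanetConfig->getName()` is still called three lines later and `$conf['checkcerts']` is read further down in this file — presumably app.php now provides both, but if it does not every save is a fatal error; worth confirming. Moving `$oldOpml = OpmlManager::load(...)` above the `getName()` check does fix the old use-before-assignment. The `if (isset($_POST['opml']) || isset($_POST['add']))` block runs past the end of the hunk.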
@@ -43,11 +46,18 @@ if (isset($_POST['opml']) || isset($_POST['add'])) {
             $feed = new SimplePie();
             $feed->enable_cache(false);
             $feed->set_feed_url($_POST['url']);
+            if ($conf['checkcerts'] === false) {
+                $feed->set_curl_options([
+                    CURLOPT_SSL_VERIFYHOST => false,
+                    CURLOPT_SSL_VERIFYPEER => false
+                ]);
+            }
             $feed->init();
             $feed->handle_content_type();
-            $person['name'] = $feed->get_title();
+            $person['name'] = html_entity_decode($feed->get_title());
             $person['website'] = $feed->get_permalink();
             $person['feed'] = $feed->feed_url;
+            $person['isDown'] = '0';
 
             $oldOpml->entries[] = $person;
         }
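Review bot: `$conf['checkcerts'] === false` raises an undefined-index warning when the key is absent from config.yml; `($conf['checkcerts'] ?? true) === false` keeps the safe default (verification stays on) quietly. Disabling `CURLOPT_SSL_VERIFYPEER`/`CURLOPT_SSL_VERIFYHOST` is an explicit operator choice here, but the option deserves a comment, e.g. `// checkcerts=false accepts any certificate for feed fetches; intended only for self-signed test setups`, so it is not enabled casually. `html_entity_decode($feed->get_title())` undoes the entity escaping SimplePie applies to remote feed titles, so the stored name now holds raw characters such as `<`; that is safe only if every place that renders the OPML name escapes it on output, which this diff does not show. The enclosing branch starts and ends outside the hunk.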
@@ -55,10 +65,10 @@ if (isset($_POST['opml']) || isset($_POST['add'])) {
     }
 
     // Backup old OPML
-    OpmlManager::backup(dirname(__FILE__).'/../custom/people.opml');
+    OpmlManager::backup(__DIR__.'/../custom/people.opml');
 
     // Save new OPML
-    OpmlManager::save($newOpml, dirname(__FILE__).'/../custom/people.opml');
+    OpmlManager::save($newOpml, __DIR__.'/../custom/people.opml');
 }
 header("Location: index.php");
 die();
-- 