xingcheng
/
FreshRSS
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Missing checkUsername and const patten

Browse Source 
https://github.com/FreshRSS/FreshRSS/pull/1423

https://github.com/YunoHost-Apps/freshrss_ynh/issues/27#issuecomment-279792363
pull/1423/head
Alexandre Alapetite 8 years ago
parent 2e871a0adf
commit 271a1fdc89
11 changed files with 17 additions and 12 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 2
      app/Controllers/javascriptController.php
  2. 9
      app/Controllers/userController.php
  3. 2
      app/Models/Feed.php
  4. 2
      app/Models/UserDAO.php
  5. 2
      app/install.php
  6. 2
      app/views/auth/formLogin.phtml
  7. 2
      app/views/auth/register.phtml
  8. 2
      app/views/user/manage.phtml
  9. 2
      cli/reconfigure.php
  10. 2
      lib/lib_rss.php
  11. 2
      p/api/greader.php

2
app/Controllers/javascriptController.php
Unescape View File

@ -26,7 +26,7 @@ class FreshRSS_javascript_Controller extends Minz_ActionController {
header('Pragma: no-cache');
$user = isset($_GET['user']) ? $_GET['user'] : '';
if (ctype_alnum($user)) {
if (FreshRSS_user_Controller::checkUsername($user)) {
try {
$salt = FreshRSS_Context::$system_conf->salt;
$conf = get_user_configuration($user);

9
app/Controllers/userController.php
Unescape View File

@ -34,9 +34,14 @@ class FreshRSS_user_Controller extends Minz_ActionController {
return $passwordHash == '' ? '' : $passwordHash;
}
/**
* The username is also used as folder name, and part of SQL table name.
* '_' is a reserved internal username.
*/
const USERNAME_PATTERN = '[0-9a-zA-Z]|[0-9a-zA-Z_]{2,38}';
public static function checkUsername($username) {
$match = '/^[0-9a-zA-Z_]{1,38}$/';
return preg_match($match, $username) === 1;
return preg_match('/^' . self::USERNAME_PATTERN . '$/', $username) === 1;
}
/**

2
app/Models/Feed.php
Unescape View File

@ -442,7 +442,7 @@ class FreshRSS_Feed extends Minz_Model {
file_put_contents(USERS_PATH . '/_/log_pshb.txt', date('c') . "\t" . $text . "\n", FILE_APPEND);
}
$currentUser = Minz_Session::param('currentUser');
if (ctype_alnum($currentUser) && !file_exists($path . '/' . $currentUser . '.txt')) {
if (FreshRSS_user_Controller::checkUsername($currentUser) && !file_exists($path . '/' . $currentUser . '.txt')) {
touch($path . '/' . $currentUser . '.txt');
}
}

2
app/Models/UserDAO.php
Unescape View File

@ -85,7 +85,7 @@ class FreshRSS_UserDAO extends Minz_ModelPdo {
}
public static function touch($username = '') {
if (($username == '') || (!ctype_alnum($username))) {
if (!FreshRSS_user_Controller::checkUsername($username)) {
$username = Minz_Session::param('currentUser', '_');
}
return touch(join_path(DATA_PATH , 'users', $username, 'config.php'));

2
app/install.php
Unescape View File

@ -553,7 +553,7 @@ function printStep2() {
<div class="form-group">
<label class="group-name" for="default_user"><?php echo _t('install.default_user'); ?></label>
<div class="group-controls">
<input type="text" id="default_user" name="default_user" required="required" size="16" maxlength="16" pattern="[0-9a-zA-Z_]{1,16}" value="<?php echo isset($_SESSION['default_user']) ? $_SESSION['default_user'] : ''; ?>" placeholder="<?php echo httpAuthUser() == '' ? 'alice' : httpAuthUser(); ?>" tabindex="3" />
<input type="text" id="default_user" name="default_user" required="required" size="16" maxlength="16" pattern="<?php echo FreshRSS_user_Controller::USERNAME_PATTERN; ?>" value="<?php echo isset($_SESSION['default_user']) ? $_SESSION['default_user'] : ''; ?>" placeholder="<?php echo httpAuthUser() == '' ? 'alice' : httpAuthUser(); ?>" tabindex="3" />
</div>
</div>

2
app/views/auth/formLogin.phtml
Unescape View File

@ -9,7 +9,7 @@
<input type="hidden" name="_csrf" value="<?php echo FreshRSS_Auth::csrfToken(); ?>" />
<div>
<label for="username"><?php echo _t('gen.auth.username'); ?></label>
<input type="text" id="username" name="username" size="16" required="required" maxlength="16" pattern="[0-9a-zA-Z_]{1,16}" autofocus="autofocus" />
<input type="text" id="username" name="username" size="16" required="required" maxlength="16" pattern="<?php echo FreshRSS_user_Controller::USERNAME_PATTERN; ?>" autofocus="autofocus" />
</div>
<div>
<label for="passwordPlain"><?php echo _t('gen.auth.password'); ?></label>

2
app/views/auth/register.phtml
Unescape View File

@ -5,7 +5,7 @@
<input type="hidden" name="_csrf" value="<?php echo FreshRSS_Auth::csrfToken(); ?>" />
<div>
<label class="group-name" for="new_user_name"><?php echo _t('gen.auth.username'), '<br />', _i('help'), ' ', _t('gen.auth.username.format'); ?></label>
<input id="new_user_name" name="new_user_name" type="text" size="16" required="required" maxlength="16" autocomplete="off" pattern="[0-9a-zA-Z_]{1,16}" />
<input id="new_user_name" name="new_user_name" type="text" size="16" required="required" maxlength="16" autocomplete="off" pattern="<?php echo FreshRSS_user_Controller::USERNAME_PATTERN; ?>" />
</div>
<div>

2
app/views/user/manage.phtml
Unescape View File

@ -22,7 +22,7 @@
<div class="form-group">
<label class="group-name" for="new_user_name"><?php echo _t('admin.user.username'); ?></label>
<div class="group-controls">
<input id="new_user_name" name="new_user_name" type="text" size="16" required="required" maxlength="16" autocomplete="off" pattern="[0-9a-zA-Z_]{1,16}" placeholder="demo" />
<input id="new_user_name" name="new_user_name" type="text" size="16" required="required" maxlength="16" autocomplete="off" pattern="<?php echo FreshRSS_user_Controller::USERNAME_PATTERN; ?>" placeholder="demo" />
</div>
</div>

2
cli/reconfigure.php
Unescape View File

@ -45,7 +45,7 @@ foreach ($dBparams as $dBparam) {
}
$config->db = $db;
if (!ctype_alnum($config->default_user)) {
if (!FreshRSS_user_Controller::checkUsername($config->default_user)) {
fail('FreshRSS invalid default username (must be ASCII alphanumeric): ' . $config->default_user);
}

2
lib/lib_rss.php
Unescape View File

@ -285,7 +285,7 @@ function uSecString() {
}
function invalidateHttpCache($username = '') {
if (($username == '') || (!ctype_alnum($username))) {
if (!FreshRSS_user_Controller::checkUsername($username)) {
Minz_Session::_param('touch', uTimeString());
$username = Minz_Session::param('currentUser', '_');
}

2
p/api/greader.php
Unescape View File

@ -152,7 +152,7 @@ function authorizationToUser() {
$headerAuthX = explode('/', $headerAuth, 2);
if (count($headerAuthX) === 2) {
$user = $headerAuthX[0];
if (ctype_alnum($user)) {
if (FreshRSS_user_Controller::checkUsername($user)) {
FreshRSS_Context::$user_conf = get_user_configuration($user);
if (FreshRSS_Context::$user_conf == null) {
Minz_Log::warning('Invalid API user ' . $user . ': configuration cannot be found.');

Write Preview
Loading…
Cancel
Save