- Timestamp:
- 02/21/06 16:29:49 (3 years ago)
- Location:
- branches/new-themes-model/rss
- Files:
-
- 2 added
- 13 modified
-
INSTALL (modified) (1 diff)
-
admin/channels.php (modified) (1 diff)
-
admin/config.php (modified) (4 diffs)
-
admin/folders.php (modified) (6 diffs)
-
cls/search.php (modified) (2 diffs)
-
cls/wrappers/searchform.php (modified) (1 diff)
-
constants.php (modified) (1 diff)
-
feed.php (modified) (3 diffs)
-
index.php (modified) (1 diff)
-
schema.php (modified) (5 diffs)
-
tags.php (modified) (1 diff)
-
themes/default/rss/item.php (modified) (1 diff)
-
themes/default/web/media/installer (added)
-
themes/default/web/media/installer/codename.jpg (added)
-
util.php (modified) (7 diffs)
branches/new-themes-model/rss/INSTALL
r1252 r1301 66 66 67 67 68 7. Point your browser to the URL corresponding the install location69 and click "Admin". You can start adding feeds by pasting URLs of70 RSS or RDF feeds into the "Add a feed" field. Alternatively you71 can import a whole structure of items using the OPML import72 feature.68 7. Point your browser to the URL corresponding the install 69 location and click "Admin". After selecting a new password, 70 you can start adding feeds by pasting URLs of RSS or RDF feeds 71 into the "Add a feed" field. Alternatively you can import a 72 list of feeds using the OPML import feature. 73 73 74 8. You may wish to password-protect the administration section of75 your fresh gregarius installation, to prevent unauthorized users76 from messing with your subscriptions and breaking stuff.74 8. This version of Gregarius comes with default password 75 protection, however you may wish to to strengthen it by using 76 a .htaccess file. 77 77 78 See http://wiki.gregarius.net/index.php/Password_Protection for79 this purpose.78 See http://wiki.gregarius.net/index.php/Password_Protection 79 for this purpose. -
branches/new-themes-model/rss/admin/channels.php
r1278 r1301 535 535 rss_plugin_hook('rss.plugins.admin.feed.properties.submit', null); 536 536 // TBD 537 $title= rss_real_escape_string(real_strip_slashes($_POST['c_name']));537 $title= strip_tags(rss_real_escape_string(real_strip_slashes($_POST['c_name']))); 538 538 $url= rss_real_escape_string($_POST['c_url']); 539 539 $siteurl= rss_real_escape_string($_POST['c_siteurl']); 540 540 $parent= rss_real_escape_string($_POST['c_parent']); 541 $descr= rss_real_escape_string(real_strip_slashes($_POST['c_descr']));541 $descr= strip_tags(rss_real_escape_string(real_strip_slashes($_POST['c_descr']))); 542 542 $icon = rss_real_escape_string($_POST['c_icon']); 543 543 $priv = (array_key_exists('c_private',$_POST) && $_POST['c_private'] == '1'); -
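Review bot: Lines 537 and 541 apply strip_tags() to a value that rss_real_escape_string() has already escaped, so SQL escaping is no longer the last transformation before the query; sanitise first and escape last, i.e. `rss_real_escape_string(strip_tags(real_strip_slashes($_POST['c_name'])))`, so the sanitiser can never disturb the escaping. The untouched lines 538-540 and 542 still store `c_url`, `c_siteurl` and `c_icon` with SQL escaping only; if those are later emitted as href/src attributes, this is the place for a scheme check that accepts only http/https. strip_tags() is not an output encoder, so name and description still need htmlspecialchars() wherever they are echoed.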
branches/new-themes-model/rss/admin/config.php
r1278 r1301 49 49 $class_ = (($cntr++ % 2 == 0)?"even":"odd"); 50 50 51 // Fix for #279. Plugins have their own section. 52 if ($row['key_'] == 'rss.config.plugins' or $row['key_'] == 53 'rss.output.theme' or $row['key_'] == 'rss.output.barefrontpage' 54 or $row['key_'] == 'rss.output.noreaditems' or $row['key_'] == 'rss.output.numitemsonpage') { 51 // Don't show old/moved config keys in the main config list 52 if ($row['key_'] == 'rss.config.plugins' or 53 $row['key_'] == 'rss.output.theme' or 54 $row['key_'] == 'rss.output.barefrontpage' or 55 $row['key_'] == 'rss.output.noreaditems' or 56 $row['key_'] == 'rss.output.cachedir' or 57 $row['key_'] == 'rss.output.numitemsonpage') { 55 58 continue; 56 59 } … … 90 93 . preg_replace('/ /',' ',date("g:i A",mktime()+$value*3600)) 91 94 .")"; 92 break;93 case 'rss.output.cachedir':94 echo $value;95 if (!is_writable($value)) {96 echo "<br />"97 ."<span class=\"error\">Warning: this isn't a writable directory!</span>";98 }99 95 break; 100 96 default: … … 299 295 echo "</select>\n"; 300 296 break; 301 case 'rss.output.cachedir':302 if (!is_writable($value)) {303 echo "</p><p class=\"error\">"304 ."Warning! The current value ($value) is not a writable directory!<br />"305 ."See <a href=\"http://wiki.gregarius.net/index.php/MagpieRSS\">here</a> "306 ."why it is important you provide a valid, writable directory."307 ."</p><p>\n";308 } else {309 echo "</p><p>"310 ."The current value ($value) is a valid, writable directory!"311 ."</p><p>\n";312 }313 // no break: fall back into the normal handling314 297 default: 315 298 … … 381 364 $value = sanitize($_POST['value'], RSS_SANITIZER_SIMPLE_SQL); 382 365 366 367 // sanitizine routines for values 368 switch ($key) { 369 case 'rss.output.title': 370 $value = strip_tags($value); 371 break; 372 373 case 'rss.config.robotsmeta': 374 $value = preg_replace('#[^a-zA-Z,\s]#','',$value); 375 break; 376 } 377 378 383 379 switch ($key) { 384 380 -
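Review bot: The new switch at lines 367-376 normalises only two keys, and for `rss.output.title` strip_tags() is a lossy input filter rather than output encoding — a title containing `&` or a quote still needs htmlspecialchars() at the point where it is echoed, especially in attribute context. The robotsmeta filter at line 374 accepts any letters and commas, so an arbitrary token such as `foo,bar` is stored; comparing each comma-separated token against the accepted robots directives (`index`, `noindex`, `follow`, `nofollow`, `all`, `none`) would be tighter and just as cheap. The comment at line 367 has a typo; `// sanitising routines for individual config values (runs after the SIMPLE_SQL pass above)` would also record the ordering dependency on line 364.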
branches/new-themes-model/rss/admin/folders.php
r1278 r1301 189 189 $sql = "update " . getTable("channels") ." set parent=" . getRootFolder() . " where parent=$fid"; 190 190 rss_query($sql); 191 rss_invalidate_cache(); 191 192 } 192 193 elseif (array_key_exists(CST_ADMIN_CONFIRMED,$_REQUEST) && $_REQUEST[CST_ADMIN_CONFIRMED] == LBL_ADMIN_NO) { … … 212 213 case CST_ADMIN_SUBMIT_EDIT: 213 214 // TBD 214 $new_label = rss_real_escape_string($_REQUEST['f_name']);215 $new_label = sanitize($_REQUEST['f_name'], RSS_SANITIZER_CHARACTERS_EXT); 215 216 if (is_numeric($fid) && strlen($new_label) > 0) { 216 217 … … 222 223 } 223 224 rss_query("update " .getTable("folders") ." set name='$new_label' where id=$fid"); 225 rss_invalidate_cache(); 224 226 } 225 227 break; … … 227 229 case LBL_ADMIN_ADD: 228 230 case 'LBL_ADMIN_ADD': 229 $label=sanitize($_REQUEST['new_folder'],RSS_SANITIZER_ SIMPLE_SQL);231 $label=sanitize($_REQUEST['new_folder'],RSS_SANITIZER_CHARACTERS_EXT); 230 232 assert(strlen($label) > 0); 231 233 create_folder($label); … … 271 273 rss_query( "update " . getTable("folders") ." set position = $switch_with_position where id=$fid" ); 272 274 rss_query( "update " . getTable("folders") ." set position = $position where id=$switch_with_id" ); 275 rss_invalidate_cache(); 273 276 } 274 277 break; … … 303 306 } 304 307 rss_query("insert into " .getTable("folders") ." (name,position) values ('" . rss_real_escape_string($label) ."', $np)"); 308 rss_invalidate_cache(); 305 309 } 306 310 -
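Review bot: Lines 215 and 231 now pass folder names through RSS_SANITIZER_CHARACTERS_EXT, which (util.php hunk, line 1268) deletes every character outside `[a-zA-Z_]`, so a folder named `News 2006` or anything non-ASCII is silently reduced to letters and underscores — a user-visible regression compared with the previous escaping. On the edit path the value goes straight into `set name='$new_label'` at line 224, so SQL safety belongs to `rss_real_escape_string()` (as create_folder() still does at line 307), with htmlspecialchars() applied at output time; the whitelist filter then becomes unnecessary. The add path at lines 231-233 sanitises and then create_folder() escapes again, which is harmless but deserves a one-line comment. The `where parent=$fid` at line 189 relies on `$fid` being validated outside this hunk.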
branches/new-themes-model/rss/cls/search.php
r1181 r1301 106 106 } 107 107 108 $this->query = $_REQUEST[QUERY_PRM]; 108 // fixme: this probably breaks on queries with weird characters, depending 109 // on the locale. 110 // see: http://php.benscom.com/manual/en/reference.pcre.pattern.syntax.php 111 $this->query = trim(preg_replace('#[^\w\s]#','',$_REQUEST[QUERY_PRM])); 112 109 113 if (!$this->query) { 110 114 return; 111 115 } 112 116 113 $this->matchMode = (!array_key_exists(QUERY_MATCH_MODE, $_REQUEST) ? QUERY_MATCH_AND : $_REQUEST[QUERY_MATCH_MODE]); 114 $this->channelId = (array_key_exists(QUERY_CHANNEL, $_REQUEST)) ? (int) $_REQUEST[QUERY_CHANNEL] : ALL_CHANNELS_ID; 115 116 $this->resultsPerPage = (array_key_exists(QUERY_RESULTS, $_REQUEST)) ? (int) $_REQUEST[QUERY_RESULTS] : INFINE_RESULTS; 117 $this->currentPage = (array_key_exists(QUERY_CURRENT_PAGE, $_REQUEST) ? (int) $_REQUEST[QUERY_CURRENT_PAGE] : 0); 117 $this->matchMode = sanitize( 118 (!array_key_exists(QUERY_MATCH_MODE, $_REQUEST) ? QUERY_MATCH_AND : $_REQUEST[QUERY_MATCH_MODE]), 119 RSS_SANITIZER_CHARACTERS_EXT); 120 121 $this->channelId = sanitize( 122 ((array_key_exists(QUERY_CHANNEL, $_REQUEST)) ? $_REQUEST[QUERY_CHANNEL] : ALL_CHANNELS_ID), 123 RSS_SANITIZER_NUMERIC); 124 125 $this->resultsPerPage = sanitize( 126 ((array_key_exists(QUERY_RESULTS, $_REQUEST)) ? $_REQUEST[QUERY_RESULTS] : INFINE_RESULTS), 127 RSS_SANITIZER_NUMERIC); 128 129 $this->currentPage = sanitize( 130 (array_key_exists(QUERY_CURRENT_PAGE, $_REQUEST) ? $_REQUEST[QUERY_CURRENT_PAGE] : 0), 131 RSS_SANITIZER_NUMERIC); 118 132 119 133 $this->startItem = $this->resultsPerPage * $this->currentPage; … … 125 139 } 126 140 127 $this->orderBy = (array_key_exists(QUERY_ORDER_BY, $_REQUEST) ? $_REQUEST[QUERY_ORDER_BY] : QUERY_ORDER_BY_DATE); 141 $this->orderBy = sanitize( 142 (array_key_exists(QUERY_ORDER_BY, $_REQUEST) ? $_REQUEST[QUERY_ORDER_BY] : QUERY_ORDER_BY_DATE), 143 RSS_SANITIZER_CHARACTERS_EXT); 144 128 145 $qWhere = ""; 129 146 $this->regMatch = ""; -
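Review bot: Lines 121-131 replace the `(int)` casts with RSS_SANITIZER_NUMERIC, which (util.php hunk, line 1262) returns a string restricted to `[0-9.-]`, so values such as `1.2.3`, `--` or an empty string now reach `$this->startItem = $this->resultsPerPage * $this->currentPage` at line 133 and whatever SQL these properties are interpolated into; keep the cast around the sanitiser, e.g. `$this->channelId = (int) sanitize(..., RSS_SANITIZER_NUMERIC);`, and likewise for resultsPerPage and currentPage. The same applies to the four `$cid`/`$iid`/`$fid`/`$vfid` assignments at lines 171-174 of the feed.php hunk and to lines 417 and 478 there. The filter at line 111 uses `\w` without the `u` modifier, so non-ASCII search terms are stripped to nothing, as the fixme above it already admits. The enclosing method starts before this hunk.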
branches/new-themes-model/rss/cls/wrappers/searchform.php
r1181 r1301 104 104 $sql .=" and not(c.mode & " . RSS_MODE_PRIVATE_STATE .") "; 105 105 } 106 106 107 108 $sql .=" and not(c.mode & " . RSS_MODE_DELETED_STATE .") "; 109 107 110 $sql .= " order by " 108 111 .((getConfig('rss.config.absoluteordering'))?"f.position asc, c.position asc":"f.name asc, c.title asc"); -
branches/new-themes-model/rss/constants.php
r1278 r1301 165 165 define ('RSS_SANITIZER_NUMERIC', 0x04); 166 166 define ('RSS_SANITIZER_CHARACTERS',0x08); 167 define ('RSS_SANITIZER_CHARACTERS_EXT',0x10); 167 168 168 169 // Profiling -
branches/new-themes-model/rss/feed.php
r1278 r1301 169 169 } 170 170 elseif (array_key_exists('channel',$_REQUEST) || array_key_exists('folder',$_REQUEST) || array_key_exists('vfolder',$_REQUEST)) { 171 $cid= (array_key_exists('channel',$_REQUEST))?sanitize($_REQUEST['channel'],RSS_SANITIZER_N O_SPACES):"";172 $iid= (array_key_exists('iid',$_REQUEST))?sanitize($_REQUEST['iid'],RSS_SANITIZER_N O_SPACES):"";173 $fid= (array_key_exists('folder',$_REQUEST))?sanitize($_REQUEST['folder'],RSS_SANITIZER_N O_SPACES):"";174 $vfid= (array_key_exists('vfolder',$_REQUEST))?sanitize($_REQUEST['vfolder'],RSS_SANITIZER_N O_SPACES):"";171 $cid= (array_key_exists('channel',$_REQUEST))?sanitize($_REQUEST['channel'],RSS_SANITIZER_NUMERIC):""; 172 $iid= (array_key_exists('iid',$_REQUEST))?sanitize($_REQUEST['iid'],RSS_SANITIZER_NUMERIC):""; 173 $fid= (array_key_exists('folder',$_REQUEST))?sanitize($_REQUEST['folder'],RSS_SANITIZER_NUMERIC):""; 174 $vfid= (array_key_exists('vfolder',$_REQUEST))?sanitize($_REQUEST['vfolder'],RSS_SANITIZER_NUMERIC):""; 175 175 176 176 $y= (array_key_exists('y',$_REQUEST))?sanitize($_REQUEST['y'],RSS_SANITIZER_NUMERIC):"0"; … … 415 415 // folder 416 416 case 'LBL_MARK_FOLDER_READ': 417 $fid = $_REQUEST['folder'];417 $fid = sanitize($_REQUEST['folder'],RSS_SANITIZER_NUMERIC); 418 418 $sql = "update " .getTable('item') . " i, " . getTable('channels') . " c " 419 419 . " set i.unread = i.unread & ".SET_MODE_READ_STATE … … 476 476 // virtual folder - code extremely similar to LBL_MARK_FOLDER_READ 477 477 case 'LBL_MARK_VFOLDER_READ': 478 $vfid = $_REQUEST['vfolder'];478 $vfid = sanitize($_REQUEST['vfolder'],RSS_SANITIZER_NUMERIC); 479 479 $sql = "update " .getTable('item') . " i, " . getTable('metatag') . " m" 480 480 . " set i.unread = i.unread & ".SET_MODE_READ_STATE -
branches/new-themes-model/rss/index.php
r1215 r1301 68 68 if (array_key_exists('logout',$_GET)) { 69 69 logoutUserCookie(); 70 rss_redirect(''); 70 71 } 71 72 -
branches/new-themes-model/rss/schema.php
r1226 r1301 224 224 } 225 225 break; 226 227 case 'userips': 228 case 'i.userips': 229 // users.userips: list of valid IP subnets the user has logged in from 230 rss_query('alter table ' . getTable('users') . ' add column userips text default \'\''); 231 if (rss_is_sql_error(RSS_SQL_ERROR_NO_ERROR)) { 232 $updated++; 233 rss_error('updated schema for table ' . getTable('users'), RSS_ERROR_NOTICE); 234 } else { 235 rss_error('Failed updating schema for table ' . getTable('users') . ': ' 236 . rss_sql_error_message(), RSS_ERROR_ERROR); 237 } 238 break; 239 240 226 241 case 'i.md5sum': 227 242 case 'md5sum': … … 248 263 . rss_sql_error_message(), RSS_ERROR_ERROR); 249 264 } 265 250 266 break; 251 267 } … … 413 429 rss_error('inserting some default config values...', RSS_ERROR_NOTICE); 414 430 $defaults = array ( 415 "rss.output.cachedir" => array("/tmp/magpierss","/tmp/magpierss","string","Where should magpie store its temporary files? (Apache needs write permissions on this dir.)","MAGPIE_CACHE_DIR"),416 431 "rss.output.encoding" => array("UTF-8","UTF-8","string","Output encoding for the PHP XML parser.","MAGPIE_OUTPUT_ENCODING"), 417 432 "rss.output.itemsinchannelview"=>array("10","10","num","Number of read items shown on for a single channel.",NULL), … … 426 441 "rss.config.markreadonupdate"=> array("false","false","boolean","Mark all old unread feeds as read when updating if new unread feeds are found.",NULL), 427 442 "rss.output.lang" => array("en,es,fr,dk,it,pt_BR,se,0","en,es,fr,dk,it,pt_BR,se,0","enum","Language pack to use.",NULL), 428 "rss.config.absoluteordering"=> array("true","true","boolean","Allow ordering of channels and folders in the admin section. If false, channels and folders will be organized by their titles.",NULL),443 "rss.config.absoluteordering"=> array("true","true","boolean","Allow ordering of channels and folders in the admin section. 
If false, channels and folders will be organized alphabetically by their titles.",NULL), 429 444 "rss.config.robotsmeta" => array("noindex,follow","noindex,follow","string","How should spiders crawl us? (see http://www.robotstxt.org/wc/meta-user.html for more info).",NULL), 430 445 "rss.config.serverpush" => array("true","true","boolean","Use server push on update.php for a more user-friendly experience. This is only supported by Mozilla browsers (Netscape, Mozilla, Firefox,...) and Opera. These browsers will be autodetected. If you\'re not using one of these (you should) you can as well turn this off.",NULL), … … 633 648 realname varchar(255) default NULL, 634 649 lastip varchar(255) default NULL, 650 userips TEXT default '', 635 651 lastlogin datetime NULL default '0000-00-00 00:00:00', 636 652 PRIMARY KEY (uid), -
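Review bot: The new `userips` column is declared `text default ''` both in the ALTER at line 230 and in the CREATE at line 650; MySQL before 8.0.13 does not accept a DEFAULT clause on TEXT columns — strict mode rejects the statement with error 1101 and non-strict mode drops the default, leaving the column NULL. Either declare it `varchar(255) default ''` or use plain `text` and rely on the NULL handling already added in util.php at line 811. When the ALTER fails, the branch reports the error without incrementing `$updated`, so the upgrade would be re-attempted on every run. A comment above line 230 stating the space-separated format used by util.php would help the next reader.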
branches/new-themes-model/rss/tags.php
r1181 r1301 84 84 if (array_key_exists('tag', $_GET)) { 85 85 // while this one displays a list of items for the requested tag(s) 86 $tag = $_GET['tag'];86 $tag = strip_tags($_GET['tag']); 87 87 $twhere = ""; 88 88 $tarr = explode(" ", $tag); -
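Review bot: strip_tags() at line 86 is neither SQL escaping nor output encoding; the value is exploded on spaces at line 88 and, judging from the `$twhere` initialisation at line 87, is assembled into a WHERE clause outside this hunk, so each tag should go through rss_real_escape_string() (or one of the sanitize() rule sets used elsewhere in this changeset) where the clause is built, and through htmlspecialchars() where it is echoed back. A one-line comment, `// strip_tags() only removes markup; escape for SQL/HTML at the point of use`, would stop readers treating this line as the sanitising step. The surrounding block continues past the hunk.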
branches/new-themes-model/rss/themes/default/rss/item.php
r1215 r1301 1 1 <item> 2 <title><?php echo rss_ feed_escaped_title(); ?>: <?php echo rss_item_escaped_title(); ?></title>2 <title><?php echo rss_htmlspecialchars(rss_feed_title()); ?>: <?php echo rss_htmlspecialchars(rss_item_title()); ?></title> 3 3 <link><?php echo rss_item_url(); ?></link> 4 4 <pubDate><?php echo rss_item_date_with_format('r'); ?></pubDate> -
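Review bot: Line 2 now escapes both titles, but line 3 still emits `rss_item_url()` raw inside `<link>`; an item URL containing `&` (common in query strings) makes the RSS document ill-formed XML, and any markup characters in the URL would be parsed as XML rather than text. Applying the same helper, `<link><?php echo rss_htmlspecialchars(rss_item_url()); ?></link>`, keeps the feed well-formed. The `<pubDate>` value at line 4 comes from a date formatter and can stay as it is.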
branches/new-themes-model/rss/util.php
r1289 r1301 792 792 'realname' => null, 793 793 'lastip' => null, 794 'userips' => null, 794 795 'lastlogin' => null 795 796 ); … … 804 805 $sql = "select * from " . getTable('users') . " where uname='" 805 806 .rss_real_escape_string($cuname) ."' and password='" 806 . rss_real_escape_string($chash) ."'";807 .preg_replace('#[^a-zA-Z0-9]#','',$chash) ."'"; 807 808 $rs = rss_query($sql); 808 809 if (rss_num_rows($rs) == 1) { 809 $user = rss_fetch_assoc($rs); 810 unset($user['password']); 810 $tmp = rss_fetch_assoc($rs); 811 if (isset($tmp['userips'])) { 812 $tmp['userips'] = explode(' ',$tmp['userips']); 813 } else { 814 $tmp['userips'] = array(); 815 } 816 817 unset($tmp['password']); 818 $subnet = preg_replace('#^([0-9]+\.[0-9]+\.[0-9]+)\.[0-9]+$#','\1',$_SERVER['REMOTE_ADDR']); 819 if (array_search($subnet, $tmp['userips']) !== FALSE) { 820 // success: password hash was checked and the user's IP 821 // address subnet is registered 822 $user = $tmp; 823 } 811 824 } 812 825 } … … 826 839 function logoutUserCookie() { 827 840 if (array_key_exists(RSS_USER_COOKIE, $_COOKIE)) { 828 unset($_COOKIE[RSS_USER_COOKIE]); 829 setcookie(RSS_USER_COOKIE, "", -1, getPath()); 841 842 // remove the user's IP subnet from the list of valid addresses 843 $user = rss_getUser(); 844 $subnet = preg_replace('#^([0-9]+\.[0-9]+\.[0-9]+)\.[0-9]+$#','\1',$_SERVER['REMOTE_ADDR']); 845 846 if (($idx = array_search($subnet, $user['userips'])) !== FALSE) { 847 $cnt = count($user['userips']); 848 unset($user['userips'][$idx]); 849 $uname = trim($user['uname']); 850 if ($uname && ($cnt > count($user['userips']))) { 851 $sql = "update " .getTable('users') 852 . " set userips = '" . implode(' ',$user['userips']) ."'" 853 ." 
where uname = '$uname' "; 854 rss_query($sql); 855 } 856 } 857 858 // get rid of the cookie 859 unset($_COOKIE[RSS_USER_COOKIE]); 860 setcookie(RSS_USER_COOKIE, "", -1, getPath()); 861 rss_invalidate_cache(); 862 830 863 } 831 864 } … … 835 868 if ($ret === null) { 836 869 $ret = !rss_check_user_level(RSS_USER_LEVEL_PRIVATE); 837 ;838 870 } 839 871 … … 847 879 848 880 function __exp_login($uname,$pass,$cb) { 849 $sql ="select uname,ulevel from " .getTable('users') . "where uname='"881 $sql ="select uname,ulevel,userips from " .getTable('users') . "where uname='" 850 882 .rss_real_escape_string($uname)."' and password='$pass'"; 851 list($uname,$ulevel ) = rss_fetch_row(rss_query($sql));883 list($uname,$ulevel,$userips) = rss_fetch_row(rss_query($sql)); 852 884 if ($ulevel == '') { 853 885 $ulevel = RSS_USER_LEVEL_NOLEVEL; 854 886 } else { 887 // is the user's IP subnet in the database, already? 888 $subnet = preg_replace('#^([0-9]+\.[0-9]+\.[0-9]+)\.[0-9]+$#','\1',$_SERVER['REMOTE_ADDR']); 889 $useripsArray = explode(' ',$userips); 890 if (array_search($subnet, $useripsArray) === FALSE) { 891 $useripsArray[] = $subnet; 892 $sql = "update " .getTable('users') 893 . " set userips = '" . implode(' ',$useripsArray) ."'" 894 ." where uname = '$uname' "; 895 rss_query($sql); 896 } 897 898 855 899 //setcookie(RSS_USER_COOKIE,$uname ."|". $pass,time()+3600*365,getPath()); 856 900 rss_invalidate_cache(); … … 1128 1172 $theme = preg_replace('/[^a-zA-Z0-9_]/','',$_GET['theme']); 1129 1173 } 1174 1175 $theme = sanitize($theme,RSS_SANITIZER_CHARACTERS); 1130 1176 1131 1177 // Media 1132 1178 $media = getThemeMedia(); 1133 1134 1135 1179 1136 1180 $ret = array($theme,$media); … … 1212 1256 if ($rules & RSS_SANITIZER_NO_SPACES) { 1213 1257 $ret = preg_replace('#\s#','',$ret); 1258 // also strip out SQL comments 1259 $ret = preg_replace('#/\*.*\*/#','',$ret); 1214 1260 } 1215 1261 if ($rules & RSS_SANITIZER_NUMERIC) { 1216 $ret = preg_replace('#[^0-9\. 
]#','',$ret);1262 $ret = preg_replace('#[^0-9\.-]#','',$ret); 1217 1263 } 1218 1264 if ($rules & RSS_SANITIZER_CHARACTERS) { 1219 1265 $ret = preg_replace('#[^a-zA-Z]#','',$ret); 1220 1266 } 1267 if ($rules & RSS_SANITIZER_CHARACTERS_EXT) { 1268 $ret = preg_replace('#[^a-zA-Z_]#','',$ret); 1269 } 1221 1270 return $ret; 1222 1271 }
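Review bot: The two new UPDATE statements at lines 851-853 and 892-894 interpolate `$uname` into `where uname = '$uname'` without rss_real_escape_string(), while the SELECT above each (lines 805 and 882) does escape it; in __exp_login `$uname` is reassigned from the fetched row at line 883, so this is a second-order path, but the value still originates from user input and `.rss_real_escape_string($uname)` belongs in both. The subnet taken from `$_SERVER['REMOTE_ADDR']` at lines 818, 844 and 888 is the proxy's address when Gregarius runs behind a reverse proxy, in which case every user shares one registered subnet and the check adds nothing — a comment documenting that assumption is warranted; for an IPv6 or otherwise non-matching address the regex leaves the string untouched, so the full address rather than a subnet is stored. `explode(' ', $userips)` at line 889 yields `array('')` for an empty column, so the stored list acquires a leading space; drop empty entries before the implode. Separately, the NUMERIC rule at line 1262 now admits `-` and `.`, so callers that interpolate the result into SQL must still cast to int.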
