security fix 791/head
authorMaryana Rozhankivska <mariroz@mr.lviv.ua>
Thu, 24 Jul 2014 14:47:23 +0000 (17:47 +0300)
committerMaryana Rozhankivska <mariroz@mr.lviv.ua>
Thu, 24 Jul 2014 14:47:23 +0000 (17:47 +0300)
index.php

index 481841ece69067d1e971caff7f52cd2dff5c5fc2..2c532c0ee8f2d156cfbef5486d62ab4e69ae60a9 100755 (executable)
--- a/index.php
+++ b/index.php
@@ -63,54 +63,54 @@ if (! empty($notInstalledMessage)) {
 
 # poche actions
 if (isset($_GET['login'])) {
-    # hello you
+    # hello to you
     $poche->login($referer);
-} elseif (isset($_GET['logout'])) {
-    # see you soon !
-    $poche->logout();
-} elseif (isset($_GET['config'])) {
-    # Update password
-    $poche->updatePassword();
-} elseif (isset($_GET['newuser'])) {
-    $poche->createNewUser();
-} elseif (isset($_GET['deluser'])) {
-    $poche->deleteUser();
-} elseif (isset($_GET['epub'])) {
-    $poche->createEpub();
-} elseif (isset($_GET['import'])) {
-    $import = $poche->import();
-    $tpl_vars = array_merge($tpl_vars, $import);
-} elseif (isset($_GET['download'])) {
-    Tools::download_db();
-} elseif (isset($_GET['empty-cache'])) {
-    $poche->emptyCache();
-} elseif (isset($_GET['export'])) {
-    $poche->export();
-} elseif (isset($_GET['updatetheme'])) {
-    $poche->updateTheme();
-} elseif (isset($_GET['updatelanguage'])) {
-    $poche->updateLanguage();
-} elseif (isset($_GET['uploadfile'])) {
-    $poche->uploadFile();
-} elseif (isset($_GET['feed'])) {
-    if (isset($_GET['action']) && $_GET['action'] == 'generate') {
-        $poche->generateToken();
-    }
-    else {
-        $tag_id = (isset($_GET['tag_id']) ? intval($_GET['tag_id']) : 0);
-        $poche->generateFeeds($_GET['token'], filter_var($_GET['user_id'],FILTER_SANITIZE_NUMBER_INT), $tag_id, $_GET['type']);
-    }
-}
-
-elseif (isset($_GET['plainurl']) && !empty($_GET['plainurl'])) {
-    $plain_url = new Url(base64_encode($_GET['plainurl']));
-    $poche->action('add', $plain_url);
+} elseif (isset($_GET['feed']) && isset($_GET['user_id'])) {
+               $tag_id = (isset($_GET['tag_id']) ? intval($_GET['tag_id']) : 0);
+               $poche->generateFeeds($_GET['token'], filter_var($_GET['user_id'],FILTER_SANITIZE_NUMBER_INT), $tag_id, $_GET['type']);
 }
 
 if (Session::isLogged()) {
+    
+    if (isset($_GET['logout'])) {\r
+       # see you soon !\r
+       $poche->logout();\r
+    } elseif (isset($_GET['config'])) {\r
+       # Update password\r
+       $poche->updatePassword();\r
+    } elseif (isset($_GET['newuser'])) {\r
+       $poche->createNewUser();\r
+    } elseif (isset($_GET['deluser'])) {\r
+       $poche->deleteUser();\r
+    } elseif (isset($_GET['epub'])) {\r
+       $poche->createEpub();\r
+    } elseif (isset($_GET['import'])) {\r
+       $import = $poche->import();\r
+       $tpl_vars = array_merge($tpl_vars, $import);\r
+    } elseif (isset($_GET['download'])) {\r
+       Tools::download_db();\r
+    } elseif (isset($_GET['empty-cache'])) {\r
+       $poche->emptyCache();\r
+    } elseif (isset($_GET['export'])) {\r
+       $poche->export();\r
+    } elseif (isset($_GET['updatetheme'])) {\r
+       $poche->updateTheme();\r
+    } elseif (isset($_GET['updatelanguage'])) {\r
+       $poche->updateLanguage();\r
+    } elseif (isset($_GET['uploadfile'])) {\r
+       $poche->uploadFile();\r
+    } elseif (isset($_GET['feed']) && isset($_GET['action']) && $_GET['action'] == 'generate') {\r
+               $poche->generateToken();\r
+    }\r
+    elseif (isset($_GET['plainurl']) && !empty($_GET['plainurl'])) {\r
+       $plain_url = new Url(base64_encode($_GET['plainurl']));\r
+       $poche->action('add', $plain_url);\r
+    }
+  
     $poche->action($action, $url, $id);
     $tpl_file = Tools::getTplFile($view);
     $tpl_vars = array_merge($tpl_vars, $poche->displayView($view, $id));
+    
 } elseif(isset($_SERVER['PHP_AUTH_USER'])) {
     if($poche->store->userExists($_SERVER['PHP_AUTH_USER'])) {
         $poche->login($referer);