From 9cf6bac1a502d1418834f4f7619d40eb65378c60 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nicolas=20L=C5=93uillet?=
Date: Tue, 22 Jul 2014 18:01:27 +0200
Subject: fix to display the login successful message with the translation
---
 inc/poche/Poche.class.php | 8 ++++++++
 1 file changed, 8 insertions(+)
(limited to 'inc/poche')
diff --git a/inc/poche/Poche.class.php b/inc/poche/Poche.class.php
index 09a9f5ff..2b0c3bf8 100755
--- a/inc/poche/Poche.class.php
+++ b/inc/poche/Poche.class.php
@@ -877,6 +877,14 @@ class Poche
 $longlastingsession = isset($_POST['longlastingsession']);
 $passwordTest = ($isauthenticated) ? $user['password'] : Tools::encodeString($password . $login);
 Session::login($user['username'], $user['password'], $login, $passwordTest, $longlastingsession, array('poche_user' => new User($user)));
+
+ # reload l10n
+ $language = $user['config']['language'];
+ @putenv('LC_ALL=' . $language);
+ setlocale(LC_ALL, $language);
+ bindtextdomain($language, LOCALE);
+ textdomain($language);
+
 $this->messages->add('s', _('welcome to your wallabag'));
 Tools::logm('login successful');
 Tools::redirect($referer);
--
cgit v1.2.3
From cca9284b6a8111f5dd07bca3f8d4f266ceee3c1f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nicolas=20L=C5=93uillet?=
Date: Tue, 22 Jul 2014 18:14:41 +0200
Subject: change default pagination, set it to 12, to have a nice baggy display
---
 inc/poche/config.inc.default.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'inc/poche')
diff --git a/inc/poche/config.inc.default.php b/inc/poche/config.inc.default.php
index 95f727c6..d0158097 100755
--- a/inc/poche/config.inc.default.php
+++ b/inc/poche/config.inc.default.php
@@ -59,7 +59,7 @@
 @define ('LOCALE', ROOT . '/locale');
 @define ('CACHE', ROOT . '/cache');
-@define ('PAGINATION', '10');
+@define ('PAGINATION', '12');
 //limit for download of articles during import
 @define ('IMPORT_LIMIT', 5);
--
cgit v1.2.3
From 7dd8b5026d0ae52fc5be001ee224aac72f3e7b25 Mon Sep 17 00:00:00 2001
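Review bot: The locale reload in the added block runs unchecked: `@putenv` hides a failure to set `LC_ALL`, and the return value of `setlocale(LC_ALL, $language)` is never tested, so on a host where that locale is not installed the `_('welcome to your wallabag')` message two lines down silently falls back to the untranslated string — the symptom this commit sets out to fix. I would drop the `@` and log the failure, e.g. `if (setlocale(LC_ALL, $language) === false) { Tools::logm('locale ' . $language . ' not available'); }`. `$user['config']['language']` is also read without an `isset`, which raises a notice for a user record that carries no language entry; whether the config array always has that key cannot be seen from this hunk. The enclosing login method starts and ends outside the hunk.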
From: Maryana Rozhankivska
Date: Thu, 24 Jul 2014 16:48:41 +0300
Subject: security issue
---
 inc/poche/Poche.class.php | 4 +-
 inc/poche/Routing.class.php | 83 +++++++++++++++++++++++----------------------
 2 files changed, 45 insertions(+), 42 deletions(-)
 mode change 100644 => 100755 inc/poche/Routing.class.php
(limited to 'inc/poche')
diff --git a/inc/poche/Poche.class.php b/inc/poche/Poche.class.php
index a49413f2..098dd7c1 100755
--- a/inc/poche/Poche.class.php
+++ b/inc/poche/Poche.class.php
@@ -750,8 +750,8 @@ class Poche
 die(sprintf(_('User with this id (%d) does not exist.'), $user_id));
 }
- if (!in_array($type, $allowed_types) || $token != $config['token']) {
- die(_('Uh, there is a problem while generating feeds.'));
+ if (!in_array($type, $allowed_types) || !isset($config['token']) || $token != $config['token']) {
+ die(_('Uh, there is a problem while generating feed. Wrong token used?'));
 }
 $feed = new FeedWriter(RSS2);
diff --git a/inc/poche/Routing.class.php b/inc/poche/Routing.class.php
old mode 100644
new mode 100755
index eb4c4d90..653fa900
--- a/inc/poche/Routing.class.php
+++ b/inc/poche/Routing.class.php
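Review bot: The new condition still compares the feed token with the loose `!=`, so the check is subject to PHP type juggling (numeric-looking strings such as `'1e3'` and `'1000'` compare equal) and is not constant-time; `$token !== $config['token']`, or `!hash_equals((string) $config['token'], (string) $token)` where the PHP version provides it, is the safer form. `in_array($type, $allowed_types)` on the same line should likewise pass `true` as the third argument. `$token` arrives straight from `$_GET['token']` in this commit's Routing hunk without an `isset`, so a missing parameter reaches this comparison as null instead of being rejected up front. The enclosing method (presumably the generateFeeds called from Routing) starts and ends outside the hunk.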
@@ -97,50 +97,53 @@ class Routing
 private function _launchAction()
 {
- if (isset($_GET['login'])) {
- // hello you
- $this->wallabag->login($this->referer);
- } elseif (isset($_GET['logout'])) {
- // see you soon !
- $this->wallabag->logout();
- } elseif (isset($_GET['config'])) {
- // update password
- $this->wallabag->updatePassword($_POST['password'], $_POST['password_repeat']);
- } elseif (isset($_GET['newuser'])) {
- $this->wallabag->createNewUser($_POST['newusername'], $_POST['password4newuser']);
- } elseif (isset($_GET['deluser'])) {
- $this->wallabag->deleteUser($_POST['password4deletinguser']);
- } elseif (isset($_GET['epub'])) {
- $epub = new WallabagEpub($this->wallabag, $_GET['method'], $_GET['id'], $_GET['value']);
- $epub->run();
- } elseif (isset($_GET['import'])) {
- $import = $this->wallabag->import();
- $tplVars = array_merge($this->vars, $import);
- } elseif (isset($_GET['download'])) {
- Tools::downloadDb();
- } elseif (isset($_GET['empty-cache'])) {
- Tools::emptyCache();
- } elseif (isset($_GET['export'])) {
- $this->wallabag->export();
- } elseif (isset($_GET['updatetheme'])) {
- $this->wallabag->tpl->updateTheme($_POST['theme']);
- } elseif (isset($_GET['updatelanguage'])) {
- $this->wallabag->language->updateLanguage($_POST['language']);
- } elseif (isset($_GET['uploadfile'])) {
- $this->wallabag->uploadFile();
- } elseif (isset($_GET['feed'])) {
- if (isset($_GET['action']) && $_GET['action'] == 'generate') {
+ if (isset($_GET['login'])) {
+ // hello to you
+ $this->wallabag->login($this->referer);
+ } elseif (isset($_GET['feed']) && isset($_GET['user_id'])) {
+ $tag_id = (isset($_GET['tag_id']) ? intval($_GET['tag_id']) : 0);
+ $this->wallabag->generateFeeds($_GET['token'], filter_var($_GET['user_id'],FILTER_SANITIZE_NUMBER_INT), $tag_id, $_GET['type']);
+ }
+
+ //allowed ONLY to logged in user
+ if ( \Session::isLogged() === true )
+ {
+ if (isset($_GET['logout'])) {
+ // see you soon !
+ $this->wallabag->logout();
+ } elseif (isset($_GET['config'])) {
+ // update password
+ $this->wallabag->updatePassword($_POST['password'], $_POST['password_repeat']);
+ } elseif (isset($_GET['newuser'])) {
+ $this->wallabag->createNewUser($_POST['newusername'], $_POST['password4newuser']);
+ } elseif (isset($_GET['deluser'])) {
+ $this->wallabag->deleteUser($_POST['password4deletinguser']);
+ } elseif (isset($_GET['epub'])) {
+ $epub = new WallabagEpub($this->wallabag, $_GET['method'], $_GET['id'], $_GET['value']);
+ $epub->run();
+ } elseif (isset($_GET['import'])) {
+ $import = $this->wallabag->import();
+ $tplVars = array_merge($this->vars, $import);
+ } elseif (isset($_GET['download'])) {
+ Tools::downloadDb();
+ } elseif (isset($_GET['empty-cache'])) {
+ Tools::emptyCache();
+ } elseif (isset($_GET['export'])) {
+ $this->wallabag->export();
+ } elseif (isset($_GET['updatetheme'])) {
+ $this->wallabag->tpl->updateTheme($_POST['theme']);
+ } elseif (isset($_GET['updatelanguage'])) {
+ $this->wallabag->language->updateLanguage($_POST['language']);
+ } elseif (isset($_GET['uploadfile'])) {
+ $this->wallabag->uploadFile();
+ } elseif (isset($_GET['feed']) && isset($_GET['action']) && $_GET['action'] == 'generate') {
 $this->wallabag->updateToken();
 }
- else {
- $tag_id = (isset($_GET['tag_id']) ? intval($_GET['tag_id']) : 0);
- $this->wallabag->generateFeeds($_GET['token'], filter_var($_GET['user_id'],FILTER_SANITIZE_NUMBER_INT), $tag_id, $_GET['type']);
+ elseif (isset($_GET['plainurl']) && !empty($_GET['plainurl'])) {
+ $plainUrl = new Url(base64_encode($_GET['plainurl']));
+ $this->wallabag->action('add', $plainUrl);
 }
 }
- elseif (isset($_GET['plainurl']) && !empty($_GET['plainurl'])) {
- $plainUrl = new Url(base64_encode($_GET['plainurl']));
- $this->wallabag->action('add', $plainUrl);
- }
 }
 public function _render($file, $vars)
--
cgit v1.2.3
From 830612f555d8bc72669fe9bc0686680001af0e52 Mon Sep 17 00:00:00 2001
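Review bot: The feed branch that now runs before the login gate, `} elseif (isset($_GET['feed']) && isset($_GET['user_id'])) {`, still reads `$_GET['token']` and `$_GET['type']` without `isset`, and `FILTER_SANITIZE_NUMBER_INT` strips non-digit characters instead of rejecting the value, so `user_id=12abc` is quietly turned into 12. As this is the one action reachable without a session, I would validate rather than sanitise: `$user_id = filter_var($_GET['user_id'], FILTER_VALIDATE_INT);` and call `generateFeeds` only under `if ($user_id !== false && isset($_GET['token'], $_GET['type']))`. The `$_GET['action'] == 'generate'` test further down the chain keeps a loose comparison where `===` would do. The following "typo" commit rewrites the same lines for whitespace only and leaves these points as they are.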
From: =?UTF-8?q?Nicolas=20L=C5=93uillet?=
Date: Fri, 25 Jul 2014 07:26:56 +0200
Subject: typo
---
 inc/poche/Routing.class.php | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
(limited to 'inc/poche')
diff --git a/inc/poche/Routing.class.php b/inc/poche/Routing.class.php
index 653fa900..004bd45a 100755
--- a/inc/poche/Routing.class.php
+++ b/inc/poche/Routing.class.php
@@ -97,16 +97,16 @@ class Routing
 private function _launchAction()
 {
- if (isset($_GET['login'])) {
- // hello to you
- $this->wallabag->login($this->referer);
+ if (isset($_GET['login'])) {
+ // hello to you
+ $this->wallabag->login($this->referer);
 } elseif (isset($_GET['feed']) && isset($_GET['user_id'])) {
 $tag_id = (isset($_GET['tag_id']) ? intval($_GET['tag_id']) : 0);
 $this->wallabag->generateFeeds($_GET['token'], filter_var($_GET['user_id'],FILTER_SANITIZE_NUMBER_INT), $tag_id, $_GET['type']);
 }
 //allowed ONLY to logged in user
- if ( \Session::isLogged() === true )
+ if (\Session::isLogged() === true)
 {
 if (isset($_GET['logout'])) {
 // see you soon !
--
cgit v1.2.3
From dc764892213e8d1cb458621910aa8d0ce0a3eb7e Mon Sep 17 00:00:00 2001
From: Maryana Rozhankivska
Date: Fri, 15 Aug 2014 19:22:55 +0300
Subject: minimum of control on server side added
---
 inc/poche/Poche.class.php | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
(limited to 'inc/poche')
diff --git a/inc/poche/Poche.class.php b/inc/poche/Poche.class.php
index 09a9f5ff..bcf2ddeb 100755
--- a/inc/poche/Poche.class.php
+++ b/inc/poche/Poche.class.php
@@ -906,7 +906,7 @@ class Poche
 */
 public function import()
 {
- if ( isset($_FILES['file']) ) {
+ if ( isset($_FILES['file']) && $_FILES['file']['tmp_name'] ) {
 Tools::logm('Import stated: parsing file');
 // assume, that file is in json format
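Review bot: The new guard `if ( isset($_FILES['file']) && $_FILES['file']['tmp_name'] ) {` tests the truthiness of `tmp_name` rather than the upload status, so a partial or otherwise failed upload is told apart from a missing one only by whether PHP happened to fill in a temporary path, and the `else` branch added in the `@@ -976,6 +976,9 @@` hunk then reports "Did you forget to select a file?" for every failure. The conventional check is `isset($_FILES['file']['error']) && $_FILES['file']['error'] === UPLOAD_ERR_OK && is_uploaded_file($_FILES['file']['tmp_name'])`, which also refuses a path that did not come from the upload mechanism. The import method starts in this hunk and continues past it.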
@@ -976,6 +976,9 @@ class Poche
 }
 Tools::logm('Import of articles finished: '.$i.' articles added (w/o content if not provided).');
 }
+ else {
+ $this->messages->add('s', _('Did you forget to select a file?'));
+ }
 //file parsing finished here //now download article contents if any
--
cgit v1.2.3
From 211068ce504c48ee95e742a12ec04f16f3988c6c Mon Sep 17 00:00:00 2001
From: Maryana Rozhankivska
Date: Thu, 21 Aug 2014 17:17:36 +0300
Subject: vendor dir is not accessible before install, sqlite db dir write check moved into db class
---
 inc/poche/Database.class.php | 4 ++++
 1 file changed, 4 insertions(+)
(limited to 'inc/poche')
diff --git a/inc/poche/Database.class.php b/inc/poche/Database.class.php
index 2c80b64b..dfd7ae34 100755
--- a/inc/poche/Database.class.php
+++ b/inc/poche/Database.class.php
@@ -23,6 +23,10 @@ class Database {
 {
 switch (STORAGE) {
 case 'sqlite':
+ // Check if /db is writeable
+ if ( !is_writable(STORAGE_SQLITE) || !is_writable(dirname(STORAGE_SQLITE))) {
+ die('An error occured: "db" directory must be writeable for your web server user!');
+ }
 $db_path = 'sqlite:' . STORAGE_SQLITE;
 $this->handle = new PDO($db_path);
 break;
--
cgit v1.2.3
From 8763e4efde17f133d0bda504640acada108e7870 Mon Sep 17 00:00:00 2001
From: Thomas Citharel
Date: Tue, 26 Aug 2014 12:43:56 +0200
Subject: Fix downloading SQLite database from all users
---
 inc/poche/Routing.class.php | 2 --
 inc/poche/Tools.class.php | 20 +++++++++++---------
 2 files changed, 11 insertions(+), 11 deletions(-)
(limited to 'inc/poche')
diff --git a/inc/poche/Routing.class.php b/inc/poche/Routing.class.php
index 004bd45a..0b373058 100755
--- a/inc/poche/Routing.class.php
+++ b/inc/poche/Routing.class.php
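Review bot: `!is_writable(STORAGE_SQLITE)` in the added condition is true for a database file that does not exist yet, because `is_writable()` returns false for a missing path, so if the file is created by the `new PDO($db_path)` two lines below on first run, a fresh install dies with the directory message even though the directory is writable — and the commit title says the directory is what should be checked. I would test the file only when it exists: `if ((file_exists(STORAGE_SQLITE) && !is_writable(STORAGE_SQLITE)) || !is_writable(dirname(STORAGE_SQLITE))) {`. Whether an installer pre-creates the file cannot be seen from this hunk; if it does, the current condition is only redundant. The message text also misspells "occurred".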
@@ -124,8 +124,6 @@ class Routing
 } elseif (isset($_GET['import'])) {
 $import = $this->wallabag->import();
 $tplVars = array_merge($this->vars, $import);
- } elseif (isset($_GET['download'])) {
- Tools::downloadDb();
 } elseif (isset($_GET['empty-cache'])) {
 Tools::emptyCache();
 } elseif (isset($_GET['export'])) {
diff --git a/inc/poche/Tools.class.php b/inc/poche/Tools.class.php
index 63137d76..c2c1bdab 100755
--- a/inc/poche/Tools.class.php
+++ b/inc/poche/Tools.class.php
@@ -296,18 +296,20 @@ final class Tools
 /**
 * Download the sqlite database
+ * Function not longer used for security reasons
 */
- public static function downloadDb()
- {
- header('Content-Disposition: attachment; filename="poche.sqlite.gz"');
- self::_status(200);
- header('Content-Transfer-Encoding: binary');
- header('Content-Type: application/octet-stream');
- echo gzencode(file_get_contents(STORAGE_SQLITE));
+ // public static function downloadDb()
+ // {
+ // header('Content-Disposition: attachment; filename="poche.sqlite.gz"');
+ // self::_status(200);
- exit;
- }
+ // header('Content-Transfer-Encoding: binary');
+ // header('Content-Type: application/octet-stream');
+ // echo gzencode(file_get_contents(STORAGE_SQLITE));
+
+ // exit;
+ // }
 /**
 * Get the content for a given URL (by a call to FullTextFeed)
--
cgit v1.2.3
From d5c481c2f40f1d05750a7020df1f129439627247 Mon Sep 17 00:00:00 2001
From: Thomas Citharel
Date: Thu, 28 Aug 2014 21:01:43 +0200
Subject: remove old function
---
 inc/poche/Tools.class.php | 17 -----------------
 1 file changed, 17 deletions(-)
(limited to 'inc/poche')
diff --git a/inc/poche/Tools.class.php b/inc/poche/Tools.class.php
index c2c1bdab..55fedac8 100755
--- a/inc/poche/Tools.class.php
+++ b/inc/poche/Tools.class.php
@@ -294,23 +294,6 @@ final class Tools
 }
 }
- /**
- * Download the sqlite database
- * Function not longer used for security reasons
- */
-
- // public static function downloadDb()
- // {
- // header('Content-Disposition: attachment; filename="poche.sqlite.gz"');
- // self::_status(200);
-
- // header('Content-Transfer-Encoding: binary');
- // header('Content-Type: application/octet-stream');
- // echo gzencode(file_get_contents(STORAGE_SQLITE));
-
- // exit;
- // }
-
 /**
 * Get the content for a given URL (by a call to FullTextFeed)
 *
--
cgit v1.2.3
From 5af2555f59f13e06cf0ae65e5c0265d1d10bead8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andr=C3=A9=20K=C3=B6nig?=
Date: Thu, 11 Sep 2014 13:17:19 +0200
Subject: Implemented additional check for using the 'X-Forwarded-Port' header.
---
 inc/poche/Tools.class.php | 4 ++++
 1 file changed, 4 insertions(+)
(limited to 'inc/poche')
diff --git a/inc/poche/Tools.class.php b/inc/poche/Tools.class.php
index 55fedac8..93ec3fc6 100755
--- a/inc/poche/Tools.class.php
+++ b/inc/poche/Tools.class.php
@@ -54,6 +54,10 @@ final class Tools
 || ($https && $_SERVER["SERVER_PORT"] == '443')
 || ($https && $_SERVER["SERVER_PORT"]==SSL_PORT) //Custom HTTPS port detection
 ? '' : ':' . $_SERVER["SERVER_PORT"]);
+
+ if (isset($_SERVER["HTTP_X_FORWARDED_PORT"])) {
+ $serverport = ':' . $_SERVER["HTTP_X_FORWARDED_PORT"];
+ }
 $scriptname = str_replace('/index.php', '/', $_SERVER["SCRIPT_NAME"]);
--
cgit v1.2.3
From aa1083bdac8c20285f9ee6822768cc75145c06d4 Mon Sep 17 00:00:00 2001
From: Thomas Citharel
Date: Tue, 16 Sep 2014 20:27:03 +0200
Subject: fix pictures display when DOWNLOAD_PICTURES is enabled
---
 inc/poche/pochePictures.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'inc/poche')
diff --git a/inc/poche/pochePictures.php b/inc/poche/pochePictures.php
index 7a914f90..52394c70 100644
--- a/inc/poche/pochePictures.php
+++ b/inc/poche/pochePictures.php
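Review bot: The added block trusts `HTTP_X_FORWARDED_PORT` from any client: the header is copied into `$serverport` verbatim, without being tied to a configured upstream proxy, validated as a number, or run through the default-port rule applied to `SERVER_PORT` just above it, so whoever sends the request can choose the port that ends up in the URL this function builds (judging by `$serverport` and `$scriptname`, presumably the `Tools::getPocheUrl()` used later on this page), and a proxy forwarding 443 yields an explicit `:443`. I would honour the header only when a trusted-proxy setting is enabled — no such setting is visible here — and validate it, e.g. `$forwarded = filter_var($_SERVER["HTTP_X_FORWARDED_PORT"], FILTER_VALIDATE_INT);` followed by `if ($forwarded !== false) { $serverport = ':' . $forwarded; }`, with the same default-port elision as for `SERVER_PORT`. The enclosing function starts and ends outside the hunk.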
@@ -33,7 +33,7 @@ final class Picture
 }
 if (self::_downloadPictures($absolute_path, $fullpath) === true) {
- $content = str_replace($matches[$i][2], $fullpath, $content);
+ $content = str_replace($matches[$i][2], Tools::getPocheUrl() . $fullpath, $content);
 }
 $processing_pictures[] = $absolute_path;
--
cgit v1.2.3
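Review bot: The replacement now bakes an absolute URL from `Tools::getPocheUrl()` into `$content`; if, as the `$serverport` hunk earlier on this page suggests, that helper is assembled from `$_SERVER` values including the unvalidated `HTTP_X_FORWARDED_PORT`, then whatever is stored from `$content` carries a host and port fixed at fetch time from request data, and the links break when the instance is reached under another name. A root-relative path (`'/' . $fullpath`, or whatever prefix the templates already use — not visible here) would survive a host change and not depend on the request. Whether `getPocheUrl()` ends with a `/` and `$fullpath` begins with one cannot be seen from this hunk; a doubled or missing slash at the join is worth a check. The enclosing loop and function start outside the hunk.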