From cbc75befb5bdf368bec15f47413bd7669273a181 Mon Sep 17 00:00:00 2001 From: Maryana Rozhankivska Date: Fri, 30 May 2014 17:14:53 +0300 Subject: small xss vulnerability and translation ability fix --- inc/poche/Poche.class.php | 41 ++++++++++++++++++++--------------------- 1 file changed, 20 insertions(+), 21 deletions(-) (limited to 'inc/poche') diff --git a/inc/poche/Poche.class.php b/inc/poche/Poche.class.php index 37cf66a3..b0c0adf8 100755 --- a/inc/poche/Poche.class.php +++ b/inc/poche/Poche.class.php @@ -1083,11 +1083,10 @@ class Poche $config = $this->store->getConfigUser($user_id); if ($config == null) { - die(_('User with this id (' . $user_id . ') does not exist.')); + die(_( sprintf('User with this id (%d) does not exist.', $user_id) )); } - if (!in_array($type, $allowed_types) || - $token != $config['token']) { + if (!in_array($type, $allowed_types) || $token != $config['token']) { die(_('Uh, there is a problem while generating feeds.')); } // Check the token @@ -1150,12 +1149,12 @@ class Poche return new HTMLPurifier($config); } - + /** * handle epub */ public function createEpub() { - + switch ($_GET['method']) { case 'id': $entryID = filter_var($_GET['id'],FILTER_SANITIZE_NUMBER_INT); @@ -1191,7 +1190,7 @@ class Poche break; case 'default': die(_('Uh, there is a problem while generating epub.')); - + } $content_start = @@ -1204,11 +1203,11 @@ class Poche . "\n"; $bookEnd = "\n\n"; - + $log = new Logger("wallabag", TRUE); $fileDir = CACHE; - + $book = new EPub(EPub::BOOK_VERSION_EPUB3); $log->logLine("new EPub()"); $log->logLine("EPub class version: " . EPub::VERSION); 
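Review bot: The rewritten condition `if (!in_array($type, $allowed_types) || $token != $config['token']) {` still compares the feed token with loose `!=`, so two numeric-looking strings (for example values of the form `0e…`) compare equal under PHP's numeric-string juggling, and `in_array` is called without the strict flag. Use `in_array($type, $allowed_types, true)` and `$token !== $config['token']`, or a constant-time comparison such as `hash_equals()` where the deployed PHP version provides it. The `%d` placeholder in the new `sprintf` call casts `$user_id` to an integer before it is echoed, which is what closes the reflected-output hole. The enclosing method starts and ends outside this hunk, so where `$token` and `$type` are read from is not visible here.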
@@ -1216,7 +1215,7 @@ class Poche $log->logLine("Zip version: " . Zip::VERSION); $log->logLine("getCurrentServerURL: " . $book->getCurrentServerURL()); $log->logLine("getCurrentPageURL..: " . $book->getCurrentPageURL()); - + $book->setTitle(_('wallabag\'s articles')); $book->setIdentifier("http://$_SERVER[HTTP_HOST]", EPub::IDENTIFIER_URI); // Could also be the ISBN number, prefered for published books, or a UUID. //$book->setLanguage("en"); // Not needed, but included for the example, Language is mandatory, but EPub defaults to "en". Use RFC3066 Language codes, such as "en", "da", "fr" etc. @@ -1226,39 +1225,39 @@ class Poche $book->setDate(time()); // Strictly not needed as the book date defaults to time(). //$book->setRights("Copyright and licence information specific for the book."); // As this is generated, this _could_ contain the name or licence information of the user who purchased the book, if needed. If this is used that way, the identifier must also be made unique for the book. $book->setSourceURL("http://$_SERVER[HTTP_HOST]"); - + $book->addDublinCoreMetadata(DublinCore::CONTRIBUTOR, "PHP"); $book->addDublinCoreMetadata(DublinCore::CONTRIBUTOR, "wallabag"); - + $cssData = "body {\n margin-left: .5em;\n margin-right: .5em;\n text-align: justify;\n}\n\np {\n font-family: serif;\n font-size: 10pt;\n text-align: justify;\n text-indent: 1em;\n margin-top: 0px;\n margin-bottom: 1ex;\n}\n\nh1, h2 {\n font-family: sans-serif;\n font-style: italic;\n text-align: center;\n background-color: #6b879c;\n color: white;\n width: 100%;\n}\n\nh1 {\n margin-bottom: 2px;\n}\n\nh2 {\n margin-top: -2px;\n margin-bottom: 2px;\n}\n"; - + $log->logLine("Add Cover"); - + $fullTitle = "

" . $bookTitle . "

\n"; - + $book->setCoverImage("Cover.png", file_get_contents("themes/baggy/img/apple-touch-icon-152.png"), "image/png", $fullTitle); - + $cover = $content_start . '

' . _('Produced by wallabag with PHPePub') . '

'. _('Please open an issue if you have trouble with the display of this E-Book on your device.') . '

' . $bookEnd; - + //$book->addChapter("Table of Contents", "TOC.xhtml", NULL, false, EPub::EXTERNAL_REF_IGNORE); $book->addChapter("Notices", "Cover2.html", $cover); - + $book->buildTOC(); - + foreach ($entries as $entry) { //set tags as subjects $tags = $this->store->retrieveTagsByEntry($entry['id']); foreach ($tags as $tag) { $book->setSubject($tag['value']); } - + $log->logLine("Set up parameters"); - + $chapter = $content_start . $entry['content'] . $bookEnd; $book->addChapter($entry['title'], htmlspecialchars($entry['title']) . ".html", $chapter, true, EPub::EXTERNAL_REF_ADD); $log->logLine("Added chapter " . $entry['title']); } - if (DEBUG_POCHE) { + if (DEBUG_POCHE) { $epuplog = $book->getLog(); $book->addChapter("Log", "Log.html", $content_start . $log->getLog() . "\n" . $bookEnd); // log generation } -- cgit v1.2.3 From 30bd273580a326db1fcc7263e1f52948672f9848 Mon Sep 17 00:00:00 2001 From: Maryana Rozhankivska Date: Fri, 30 May 2014 17:17:34 +0300 Subject: small xss vulnerability and translation ability fix --- inc/poche/Poche.class.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'inc/poche') diff --git a/inc/poche/Poche.class.php b/inc/poche/Poche.class.php index b0c0adf8..3d1337f3 100755 --- a/inc/poche/Poche.class.php +++ b/inc/poche/Poche.class.php @@ -1083,7 +1083,7 @@ class Poche $config = $this->store->getConfigUser($user_id); if ($config == null) { - die(_( sprintf('User with this id (%d) does not exist.', $user_id) )); + die(sprintf(_('User with this id (%d) does not exist.'), $user_id)); } if (!in_array($type, $allowed_types) || $token != $config['token']) { -- cgit v1.2.3 From 752cd4a8ef7bbc8ebd6c481ed890e0d8e46819a8 Mon Sep 17 00:00:00 2001 
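Review bot: The new `die(sprintf(_('User with this id (%d) does not exist.'), $user_id));` still runs before the token is checked and returns a message distinct from the `Uh, there is a problem while generating feeds.` one, so an unauthenticated caller can enumerate which user ids exist by watching which text comes back. Returning the same generic message for an unknown user and for a bad token removes the oracle, e.g. replace the first `die` with `die(_('Uh, there is a problem while generating feeds.'));`. Moving `_()` outside `sprintf` is the right fix for gettext, since the catalogue key must be the literal string. The enclosing method starts outside this hunk.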
From: Maryana Rozhankivska Date: Mon, 2 Jun 2014 18:00:09 +0300 Subject: error reporting level set in E_ALL & ~E_NOTICE by default, can be overriden in config --- inc/poche/Tools.class.php | 4 +--- inc/poche/config.inc.default.php | 4 ++++ 2 files changed, 5 insertions(+), 3 deletions(-) (limited to 'inc/poche') diff --git a/inc/poche/Tools.class.php b/inc/poche/Tools.class.php index 8073a3fe..1ef875c9 100755 --- a/inc/poche/Tools.class.php +++ b/inc/poche/Tools.class.php @@ -18,8 +18,6 @@ class Tools die(_('Oops, it seems you don\'t have PHP 5.')); } - error_reporting(E_ALL); - function stripslashesDeep($value) { return is_array($value) ? array_map('stripslashesDeep', $value) @@ -64,7 +62,7 @@ class Tools if (strpos($host, ':') !== false) { $serverport = ''; } - + return 'http' . ($https ? 's' : '') . '://' . $host . $serverport . $scriptname; } diff --git a/inc/poche/config.inc.default.php b/inc/poche/config.inc.default.php index ffcd205d..95f727c6 100755 --- a/inc/poche/config.inc.default.php +++ b/inc/poche/config.inc.default.php @@ -30,6 +30,10 @@ @define ('MODE_DEMO', FALSE); @define ('DEBUG_POCHE', FALSE); + +//default level of error reporting in application. Developers should override it in their config.inc.php: set to E_ALL. +@define ('ERROR_REPORTING', E_ALL & ~E_NOTICE); + @define ('DOWNLOAD_PICTURES', FALSE); # This can slow down the process of adding articles @define ('REGENERATE_PICTURES_QUALITY', 75); @define ('CONVERT_LINKS_FOOTNOTES', FALSE); -- cgit v1.2.3 From ec15d0a784a84e07b284c76e71fd8496e00559d5 Mon Sep 17 00:00:00 2001 From: tcit Date: Sat, 7 Jun 2014 15:53:39 +0200 Subject: do not debug inside an epub --- inc/poche/Poche.class.php | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) (limited to 'inc/poche') diff --git a/inc/poche/Poche.class.php b/inc/poche/Poche.class.php index 1b69cd61..4139c4f4 100755 --- a/inc/poche/Poche.class.php +++ b/inc/poche/Poche.class.php 
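Review bot: Removing `error_reporting(E_ALL);` from Tools.class.php and adding the `ERROR_REPORTING` constant in config.inc.default.php are not wired together anywhere in this diff: no `error_reporting(ERROR_REPORTING);` call appears, so unless one exists elsewhere the effective level silently becomes whatever php.ini sets. If the call is added it belongs after the config file has been loaded, e.g. `error_reporting(ERROR_REPORTING);`. The reporting level only governs which errors are raised; whether they are shown to a visitor (with file paths and query fragments) is decided by `display_errors`, so the comment above the define could say so: `// Controls which errors are raised; keep display_errors off in production so they are logged, not shown.`. The code around the removed line in Tools.class.php starts outside this hunk.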
@@ -1142,11 +1142,11 @@ class Poche * return new purifier object with actual config */ protected function getPurifier() { - $config = HTMLPurifier_Config::createDefault(); - $config->set('Cache.SerializerPath', CACHE); - $config->set('HTML.SafeIframe', true); + $config = HTMLPurifier_Config::createDefault(); + $config->set('Cache.SerializerPath', CACHE); + $config->set('HTML.SafeIframe', true); $config->set('URI.SafeIframeRegexp', '%^(https?:)?//(www\.youtube(?:-nocookie)?\.com/embed/|player\.vimeo\.com/video/)%'); //allow YouTube and Vimeo$purifier = new HTMLPurifier($config); - + return new HTMLPurifier($config); } @@ -1208,7 +1208,7 @@ class Poche $fileDir = CACHE; - $book = new EPub(EPub::BOOK_VERSION_EPUB3); + $book = new EPub(EPub::BOOK_VERSION_EPUB3, DEBUG_POCHE); $log->logLine("new EPub()"); $log->logLine("EPub class version: " . EPub::VERSION); $log->logLine("EPub Req. Zip version: " . EPub::REQ_ZIP_VERSION); -- cgit v1.2.3 From 25052a76ca4524916f1f7fde40f977e16643680e Mon Sep 17 00:00:00 2001 From: tcitworld Date: Mon, 30 Jun 2014 23:24:46 +0200 Subject: fix for #738 --- inc/poche/Database.class.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'inc/poche') diff --git a/inc/poche/Database.class.php b/inc/poche/Database.class.php index 9e901974..dddb2512 100755 --- a/inc/poche/Database.class.php +++ b/inc/poche/Database.class.php @@ -487,7 +487,7 @@ class Database { $sql = "SELECT entries.* FROM entries LEFT JOIN tags_entries ON tags_entries.entry_id=entries.id - WHERE tags_entries.tag_id = ? AND entries.user_id=?"; + WHERE tags_entries.tag_id = ? AND entries.user_id=? ORDER by entries.id DESC"; $query = $this->executeQuery($sql, array($tag_id, $user_id)); $entries = $query->fetchAll(); -- cgit v1.2.3 From 5425b0dd82863d548f49dcbd81636ed8dabd7866 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Nicolas=20L=C5=93uillet?= Date: Tue, 8 Jul 2014 21:46:32 +0200 Subject: new fields in database, reading time / date and domain name are stored --- inc/poche/Database.class.php | 23 +++++++++++++++++++++-- inc/poche/Poche.class.php | 8 -------- inc/poche/Tools.class.php | 14 -------------- 3 files changed, 21 insertions(+), 24 deletions(-) (limited to 'inc/poche') diff --git a/inc/poche/Database.class.php b/inc/poche/Database.class.php index dddb2512..a222ed39 100755 --- a/inc/poche/Database.class.php +++ b/inc/poche/Database.class.php @@ -398,6 +398,21 @@ class Database { return $query; } + + private function _getDomain($url) + { + return parse_url($url, PHP_URL_HOST); + } + + private function _getReadingTime($text) { + $word = str_word_count(strip_tags($text)); + $minutes = floor($word / 200); + $seconds = floor($word % 200 / (200 / 60)); + $time = array('minutes' => $minutes, 'seconds' => $seconds); + + return $minutes; + } + /** * * @param string $url @@ -407,8 +422,12 @@ class Database { * @return integer $id of inserted record */ public function add($url, $title, $content, $user_id, $isFavorite=0, $isRead=0) { - $sql_action = 'INSERT INTO entries ( url, title, content, user_id, is_fav, is_read ) VALUES (?, ?, ?, ?, ?, ?)'; - $params_action = array($url, $title, $content, $user_id, $isFavorite, $isRead); + $readingTime = $this->_getReadingTime($content); + $domainName = $this->_getDomain($url); + $date = date('Y-m-d H:i:s'); + + $sql_action = 'INSERT INTO entries ( url, title, content, user_id, is_fav, is_read, date, reading_time, domain_name ) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)'; + $params_action = array($url, $title, $content, $user_id, $isFavorite, $isRead, $date, $readingTime, $domainName); if ( !$this->executeQuery($sql_action, $params_action) ) { $id = null; } diff --git a/inc/poche/Poche.class.php b/inc/poche/Poche.class.php index 09a9f5ff..e8c32024 100755 --- a/inc/poche/Poche.class.php +++ b/inc/poche/Poche.class.php 
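Review bot: `_getReadingTime` computes `$seconds` and builds `$time` but returns only `$minutes`, so both are dead locals; either drop them or return the array. In `add()`, `$this->_getDomain($url)` returns `false` (or `null` on newer PHP) for a URL `parse_url` cannot split, and that value is then bound as `domain_name`; guard it with `$domainName = $this->_getDomain($url) ?: '';` or store `null` explicitly. `$date = date('Y-m-d H:i:s');` uses the server's default timezone, which is not visible here; a UTC timestamp or the database's own current-time function would make stored dates comparable across hosts. `str_word_count` is not multibyte-aware, so reading time for non-Latin content is likely to be near zero, which is worth stating in a docblock on the helper.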
@@ -232,14 +232,6 @@ class Poche $this->tpl = new Twig_Environment($loaderChain, $twigParams); $this->tpl->addExtension(new Twig_Extensions_Extension_I18n()); - - # filter to display domain name of an url - $filter = new Twig_SimpleFilter('getDomain', 'Tools::getDomain'); - $this->tpl->addFilter($filter); - - # filter for reading time - $filter = new Twig_SimpleFilter('getReadingTime', 'Tools::getReadingTime'); - $this->tpl->addFilter($filter); } public function createNewUser() { diff --git a/inc/poche/Tools.class.php b/inc/poche/Tools.class.php index 1ef875c9..13f48903 100755 --- a/inc/poche/Tools.class.php +++ b/inc/poche/Tools.class.php @@ -214,20 +214,6 @@ class Tools return ((isset ($_REQUEST["$var"])) ? htmlentities($_REQUEST["$var"]) : $default); } - public static function getDomain($url) - { - return parse_url($url, PHP_URL_HOST); - } - - public static function getReadingTime($text) { - $word = str_word_count(strip_tags($text)); - $minutes = floor($word / 200); - $seconds = floor($word % 200 / (200 / 60)); - $time = array('minutes' => $minutes, 'seconds' => $seconds); - - return $minutes; - } - public static function getDocLanguage($userlanguage) { $lang = explode('.', $userlanguage); return str_replace('_', '-', $lang[0]); -- cgit v1.2.3 From 6400371ff93782d25cdbd50aa224c70145b3890a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicolas=20L=C5=93uillet?= Date: Thu, 10 Jul 2014 13:17:04 +0200 Subject: I removed my previous commit. We have to create a new branch for that. --- inc/poche/Database.class.php | 22 ++-------------------- inc/poche/Poche.class.php | 8 ++++++++ inc/poche/Tools.class.php | 14 ++++++++++++++ 3 files changed, 24 insertions(+), 20 deletions(-) (limited to 'inc/poche') diff --git a/inc/poche/Database.class.php b/inc/poche/Database.class.php index a222ed39..11cccb72 100755 --- a/inc/poche/Database.class.php +++ b/inc/poche/Database.class.php 
@@ -398,21 +398,6 @@ class Database { return $query; } - - private function _getDomain($url) - { - return parse_url($url, PHP_URL_HOST); - } - - private function _getReadingTime($text) { - $word = str_word_count(strip_tags($text)); - $minutes = floor($word / 200); - $seconds = floor($word % 200 / (200 / 60)); - $time = array('minutes' => $minutes, 'seconds' => $seconds); - - return $minutes; - } - /** * * @param string $url @@ -422,12 +407,9 @@ class Database { * @return integer $id of inserted record */ public function add($url, $title, $content, $user_id, $isFavorite=0, $isRead=0) { - $readingTime = $this->_getReadingTime($content); - $domainName = $this->_getDomain($url); - $date = date('Y-m-d H:i:s'); + $sql_action = 'INSERT INTO entries ( url, title, content, user_id, is_fav, is_read ) VALUES (?, ?, ?, ?, ?, ?)'; + $params_action = array($url, $title, $content, $user_id, $isFavorite, $isRead); - $sql_action = 'INSERT INTO entries ( url, title, content, user_id, is_fav, is_read, date, reading_time, domain_name ) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)'; - $params_action = array($url, $title, $content, $user_id, $isFavorite, $isRead, $date, $readingTime, $domainName); if ( !$this->executeQuery($sql_action, $params_action) ) { $id = null; } diff --git a/inc/poche/Poche.class.php b/inc/poche/Poche.class.php index e8c32024..09a9f5ff 100755 --- a/inc/poche/Poche.class.php +++ b/inc/poche/Poche.class.php @@ -232,6 +232,14 @@ class Poche $this->tpl = new Twig_Environment($loaderChain, $twigParams); $this->tpl->addExtension(new Twig_Extensions_Extension_I18n()); + + # filter to display domain name of an url + $filter = new Twig_SimpleFilter('getDomain', 'Tools::getDomain'); + $this->tpl->addFilter($filter); + + # filter for reading time + $filter = new Twig_SimpleFilter('getReadingTime', 'Tools::getReadingTime'); + $this->tpl->addFilter($filter); } public function createNewUser() { 
diff --git a/inc/poche/Tools.class.php b/inc/poche/Tools.class.php index 13f48903..cc01f403 100755 --- a/inc/poche/Tools.class.php +++ b/inc/poche/Tools.class.php @@ -214,6 +214,20 @@ class Tools return ((isset ($_REQUEST["$var"])) ? htmlentities($_REQUEST["$var"]) : $default); } + public static function getDomain($url) + { + return parse_url($url, PHP_URL_HOST); + } + + public static function getReadingTime($text) { + $word = str_word_count(strip_tags($text)); + $minutes = floor($word / 200); + $seconds = floor($word % 200 / (200 / 60)); + $time = array('minutes' => $minutes, 'seconds' => $seconds); + + return $minutes; + } + public static function getDocLanguage($userlanguage) { $lang = explode('.', $userlanguage); return str_replace('_', '-', $lang[0]); -- cgit v1.2.3
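Review bot: The restored `getReadingTime` still carries two dead locals, `$seconds` and `$time` are computed and never used because only `$minutes` is returned, and `getDomain` passes `parse_url`'s `false` result straight back to the Twig `getDomain` filter for a URL it cannot parse. Suggest `return parse_url($url, PHP_URL_HOST) ?: '';` and dropping the unused lines, or returning the array if seconds are meant to be displayed. Neither static method has a docblock; `/** Rough reading time in whole minutes at 200 words/min; str_word_count is not multibyte-aware. */` would capture the limitation. Both are static methods of class Tools, whose header is outside the hunk.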