rpc: addfeed: gets login and pass only if need_auth is checked.

Because of browser form auto-completion, the hidden field login and password can be automatically filled when adding a feed. It would enable feed authentication even if the user doesn't click on need_auth button.
author: Colin Vidal <[email protected]> 2018-01-14 20:55:39 +0100
committer: Colin Vidal <[email protected]> 2018-01-14 20:55:39 +0100
commit: c217de557f172871e85472c4aa21651d32ae680e (patch)
tree: 027fb9d652f3eb236401526a05d865d5b24c7b1c /classes
parent: c30f5e18119d1935e8fe6d422053b127e8f4f1b3 (diff)
1 files changed, 3 insertions, 2 deletions
diff --git a/classes/rpc.php b/classes/rpc.php
index f8cf7a828..bd4337fbe 100755
--- a/classes/rpc.php
+++ b/classes/rpc.php
@@ -97,8 +97,9 @@ class RPC extends Handler_Protected {
 	function addfeed() {
 		$feed = clean($_REQUEST['feed']);
 		$cat = clean($_REQUEST['cat']);
-		$login = clean($_REQUEST['login']);
-		$pass = trim(clean($_REQUEST['pass']));
+		$need_auth = isset($_REQUEST['need_auth']);
+		$login = $need_auth ? clean($_REQUEST['login']) : '';
+		$pass = $need_auth ? trim(clean($_REQUEST['pass'])) : '';
 
 		$rc = Feeds::subscribe_to_feed($feed, $cat, $login, $pass);
author	Colin Vidal <[email protected]>	2018-01-14 20:55:39 +0100
committer	Colin Vidal <[email protected]>	2018-01-14 20:55:39 +0100
commit	c217de557f172871e85472c4aa21651d32ae680e (patch)
tree	027fb9d652f3eb236401526a05d865d5b24c7b1c /classes
parent	c30f5e18119d1935e8fe6d422053b127e8f4f1b3 (diff)