authorAndrew Dolgov <[email protected]>2012-06-07 10:09:07 +0400
committerAndrew Dolgov <[email protected]>2012-06-07 10:09:16 +0400
commit64436e103915e02f8c926639646002b60055dbbd (patch)
treed0524cd1c19cc6b5b07c4d54286ce3b3d93c9c6f /include
parent76428e4b02b3ef41999c3cd732bcf1a0c081f51b (diff)
prevent session modification in public/share
Diffstat (limited to 'include')
-rw-r--r--include/functions.php22
1 files changed, 12 insertions, 10 deletions
diff --git a/include/functions.php b/include/functions.php
index 5eb5b97af..3ad438d86 100644
--- a/include/functions.php
+++ b/include/functions.php
@@ -3102,7 +3102,7 @@
if ($tag_cache === false) {
$result = db_query($link, "SELECT tag_cache FROM ttrss_user_entries
- WHERE ref_id = '$id' AND owner_uid = " . $_SESSION["uid"]);
+ WHERE ref_id = '$id' AND owner_uid = $owner_uid");
$tag_cache = db_fetch_result($result, 0, "tag_cache");
}
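Review bot: `$owner_uid` is concatenated into the SELECT on the added line unquoted and with no integer cast visible in the hunk, whereas the value it replaces always came from the server-side session. The same pattern recurs in the UPDATE of the next hunk (-3125) and in the format_article queries at -3270, -3291 and -3306. Because the id is now supplied by the caller, I would normalise it once where it enters each function, after any default is resolved, e.g. `$owner_uid = (int) $owner_uid;`, so a non-numeric value cannot change the shape of the query. The enclosing function starts and ends outside this hunk, so how `$owner_uid` is defined there cannot be confirmed from here.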
@@ -3125,7 +3125,7 @@
db_query($link, "UPDATE ttrss_user_entries
SET tag_cache = '$tags_str' WHERE ref_id = '$id'
- AND owner_uid = " . $_SESSION["uid"]);
+ AND owner_uid = $owner_uid");
}
if ($memcache) $memcache->add($obj_id, $tags, 0, 3600);
@@ -3251,7 +3251,9 @@
return $entry;
}
- function format_article($link, $id, $mark_as_read = true, $zoom_mode = false) {
+ function format_article($link, $id, $mark_as_read = true, $zoom_mode = false, $owner_uid = false) {
+
+ if (!$owner_uid) $owner_uid = $_SESSION["uid"];
$rv = array();
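Review bot: The fallback `if (!$owner_uid)` treats every falsy value as "not supplied", so a caller whose owner lookup yielded 0, null or an empty string silently gets the session user's id instead of a failed lookup. On a request with no logged-in session the value stays empty and the later `owner_uid = $owner_uid` queries become malformed. Comparing strictly against the default and then normalising makes this fail closed: `if ($owner_uid === false) $owner_uid = $_SESSION["uid"];` followed by `$owner_uid = (int) $owner_uid;`. A short comment on the new parameter, such as `// $owner_uid: user whose article is rendered; false = current session user`, would document the contract for callers. format_article's body continues outside the hunk.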
@@ -3270,7 +3272,7 @@
//if (!$zoom_mode) { print "<article id='$id'><![CDATA["; };
$result = db_query($link, "SELECT rtl_content, always_display_enclosures FROM ttrss_feeds
- WHERE id = '$feed_id' AND owner_uid = " . $_SESSION["uid"]);
+ WHERE id = '$feed_id' AND owner_uid = $owner_uid");
if (db_num_rows($result) == 1) {
$rtl_content = sql_bool_to_bool(db_fetch_result($result, 0, "rtl_content"));
@@ -3291,9 +3293,9 @@
if ($mark_as_read) {
$result = db_query($link, "UPDATE ttrss_user_entries
SET unread = false,last_read = NOW()
- WHERE ref_id = '$id' AND owner_uid = " . $_SESSION["uid"]);
+ WHERE ref_id = '$id' AND owner_uid = $owner_uid");
- ccache_update($link, $feed_id, $_SESSION["uid"]);
+ ccache_update($link, $feed_id, $owner_uid);
}
$result = db_query($link, "SELECT title,link,content,feed_id,comments,int_id,
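Review bot: `$mark_as_read` still defaults to true, so a caller that passes an explicit `$owner_uid` for an unauthenticated view and omits the third argument will run this UPDATE and `ccache_update` against that owner's data. The call sites are not part of this diff, so this may already be handled there, but the function could enforce the rule itself, e.g. `if ($mark_as_read && isset($_SESSION["uid"]) && $owner_uid == $_SESSION["uid"]) {`. At minimum, a comment above the block such as `// writes to $owner_uid's read state; shared/public callers must pass $mark_as_read = false` would make the expectation explicit.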
@@ -3306,7 +3308,7 @@
orig_feed_id,
note
FROM ttrss_entries,ttrss_user_entries
- WHERE id = '$id' AND ref_id = id AND owner_uid = " . $_SESSION["uid"]);
+ WHERE id = '$id' AND ref_id = id AND owner_uid = $owner_uid");
if ($result) {
@@ -3360,7 +3362,7 @@
}
$parsed_updated = make_local_datetime($link, $line["updated"], true,
- false, true);
+ $owner_uid, true);
$rv['content'] .= "<div class=\"postDate$rtl_class\">$parsed_updated</div>";
@@ -3378,7 +3380,7 @@
$tag_cache = $line["tag_cache"];
if (!$tag_cache)
- $tags = get_article_tags($link, $id);
+ $tags = get_article_tags($link, $id, $owner_uid);
else
$tags = explode(",", $tag_cache);
@@ -3472,7 +3474,7 @@
$rv['content'] .= "<div class=\"postContent\">";
- $article_content = sanitize($link, $line["content"], false, false,
+ $article_content = sanitize($link, $line["content"], false, $owner_uid,
$feed_site_url);
$rv['content'] .= $article_content;