diff options
| -rw-r--r-- | backend.php | 216 | ||||
| -rw-r--r-- | debian/tt-rss-mysql.cron.d | 2 | ||||
| -rw-r--r-- | debian/tt-rss-pgsql.cron.d | 2 | ||||
| -rw-r--r-- | functions.php | 235 | ||||
| -rw-r--r-- | modules/backend-rpc.php | 2 | ||||
| -rw-r--r-- | modules/popup-dialog.php | 2 | ||||
| -rw-r--r-- | modules/pref-feeds.php | 2 | ||||
| -rw-r--r-- | public.php | 62 |
8 files changed, 304 insertions, 219 deletions
diff --git a/backend.php b/backend.php index 1d8a99bdd..c702c9fb8 100644 --- a/backend.php +++ b/backend.php @@ -59,10 +59,15 @@ authenticate_user($link, "admin", null); } - if (!($_SESSION["uid"] && validate_session($link)) && $op != "globalUpdateFeeds" && - $op != "rss" && $op != "getUnread" && $op != "getProfiles" && $op != "share" && - $op != "fbexport" && $op != "logout" && $op != "pubsub") { + $public_calls = array("globalUpdateFeeds", "rss", "getUnread", "getProfiles", "share", + "fbexport", "logout", "pubsub"); + if (array_search($op, $public_calls) !== false) { + + handle_public_request($link, $op); + return; + + } else if (!($_SESSION["uid"] && validate_session($link))) { if ($op == 'pref-feeds' && $_REQUEST['subop'] == 'add') { header("Content-Type: text/html"); login_sequence($link); @@ -431,11 +436,6 @@ module_pref_pub_items($link); break; // pref-pub-items - case "globalUpdateFeeds": - // Update all feeds needing a update. - update_daemon_common($link, 0, true, true); - break; // globalUpdateFeeds - case "pref-feed-browser": module_pref_feed_browser($link); break; // pref-feed-browser @@ -444,63 +444,6 @@ module_pref_instances($link); break; // pref-instances - case "rss": - $feed = db_escape_string($_REQUEST["id"]); - $key = db_escape_string($_REQUEST["key"]); - $is_cat = $_REQUEST["is_cat"] != false; - $limit = (int)db_escape_string($_REQUEST["limit"]); - - $search = db_escape_string($_REQUEST["q"]); - $match_on = db_escape_string($_REQUEST["m"]); - $search_mode = db_escape_string($_REQUEST["smode"]); - $view_mode = db_escape_string($_REQUEST["view-mode"]); - - if (SINGLE_USER_MODE) { - authenticate_user($link, "admin", null); - } - - $owner_id = false; - - if ($key) { - $result = db_query($link, "SELECT owner_uid FROM - ttrss_access_keys WHERE access_key = '$key' AND feed_id = '$feed'"); - - if (db_num_rows($result) == 1) - $owner_id = db_fetch_result($result, 0, "owner_uid"); - } - - if ($owner_id) { - $_SESSION['uid'] = $owner_id; - - generate_syndicated_feed($link, 0, $feed, $is_cat, $limit, - $search, $search_mode, $match_on, $view_mode); - } else { - header('HTTP/1.1 403 Forbidden'); - } - break; // rss - - case "getUnread": - $login = db_escape_string($_REQUEST["login"]); - $fresh = $_REQUEST["fresh"] == "1"; - - $result = db_query($link, "SELECT id FROM ttrss_users WHERE login = '$login'"); - - if (db_num_rows($result) == 1) { - $uid = db_fetch_result($result, 0, "id"); - - print getGlobalUnread($link, $uid); - - if ($fresh) { - print ";"; - print getFeedArticles($link, -3, false, true, $uid); - } - - } else { - print "-1;User not found"; - } - - break; // getUnread - case "digestTest": print_r(prepare_headlines_digest($link, $_SESSION["uid"])); break; // digestTest @@ -515,149 +458,6 @@ "<img src='images/indicator_tiny.gif'>"; break; // loading - case "getProfiles": - $login = db_escape_string($_REQUEST["login"]); - $password = db_escape_string($_REQUEST["password"]); - - if (authenticate_user($link, $login, $password)) { - $result = db_query($link, "SELECT * FROM ttrss_settings_profiles - WHERE owner_uid = " . $_SESSION["uid"] . " ORDER BY title"); - - print "<select style='width: 100%' name='profile'>"; - - print "<option value='0'>" . __("Default profile") . "</option>"; - - while ($line = db_fetch_assoc($result)) { - $id = $line["id"]; - $title = $line["title"]; - - print "<option value='$id'>$title</option>"; - } - - print "</select>"; - - $_SESSION = array(); - } - break; // getprofiles - - case "pubsub": - $mode = db_escape_string($_REQUEST['hub_mode']); - $feed_id = (int) db_escape_string($_REQUEST['id']); - $feed_url = db_escape_string($_REQUEST['hub_topic']); - - if (!PUBSUBHUBBUB_ENABLED) { - header('HTTP/1.0 404 Not Found'); - echo "404 Not found"; - return; - } - - // TODO: implement hub_verifytoken checking - - $result = db_query($link, "SELECT feed_url FROM ttrss_feeds - WHERE id = '$feed_id'"); - - if (db_num_rows($result) != 0) { - - $check_feed_url = db_fetch_result($result, 0, "feed_url"); - - if ($check_feed_url && ($check_feed_url == $feed_url || !$feed_url)) { - if ($mode == "subscribe") { - - db_query($link, "UPDATE ttrss_feeds SET pubsub_state = 2 - WHERE id = '$feed_id'"); - - print $_REQUEST['hub_challenge']; - return; - - } else if ($mode == "unsubscribe") { - - db_query($link, "UPDATE ttrss_feeds SET pubsub_state = 0 - WHERE id = '$feed_id'"); - - print $_REQUEST['hub_challenge']; - return; - - } else if (!$mode) { - - // Received update ping, schedule feed update. - //update_rss_feed($link, $feed_id, true, true); - - db_query($link, "UPDATE ttrss_feeds SET - last_update_started = '1970-01-01', - last_updated = '1970-01-01' WHERE id = '$feed_id' AND - owner_uid = ".$_SESSION["uid"]); - - } - } else { - header('HTTP/1.0 404 Not Found'); - echo "404 Not found"; - } - } else { - header('HTTP/1.0 404 Not Found'); - echo "404 Not found"; - } - - break; // pubsub - - case "logout": - logout_user(); - header("Location: tt-rss.php"); - break; // logout - - case "fbexport": - - $access_key = db_escape_string($_POST["key"]); - - // TODO: rate limit checking using last_connected - $result = db_query($link, "SELECT id FROM ttrss_linked_instances - WHERE access_key = '$access_key'"); - - if (db_num_rows($result) == 1) { - - $instance_id = db_fetch_result($result, 0, "id"); - - $result = db_query($link, "SELECT feed_url, site_url, title, subscribers - FROM ttrss_feedbrowser_cache ORDER BY subscribers DESC LIMIT 100"); - - $feeds = array(); - - while ($line = db_fetch_assoc($result)) { - array_push($feeds, $line); - } - - db_query($link, "UPDATE ttrss_linked_instances SET - last_status_in = 1 WHERE id = '$instance_id'"); - - print json_encode(array("feeds" => $feeds)); - } else { - print json_encode(array("error" => array("code" => 6))); - } - break; // fbexport - - case "share": - $uuid = db_escape_string($_REQUEST["key"]); - - $result = db_query($link, "SELECT ref_id, owner_uid FROM ttrss_user_entries WHERE - uuid = '$uuid'"); - - if (db_num_rows($result) != 0) { - header("Content-Type: text/html"); - - $id = db_fetch_result($result, 0, "ref_id"); - $owner_uid = db_fetch_result($result, 0, "owner_uid"); - - $_SESSION["uid"] = $owner_uid; - $article = format_article($link, $id, false, true); - $_SESSION["uid"] = ""; - - print_r($article['content']); - - } else { - print "Article not found."; - } - - break; - default: header("Content-Type: text/plain"); print json_encode(array("error" => array("code" => 7))); diff --git a/debian/tt-rss-mysql.cron.d b/debian/tt-rss-mysql.cron.d index 672791bdc..a692ce14d 100644 --- a/debian/tt-rss-mysql.cron.d +++ b/debian/tt-rss-mysql.cron.d @@ -1,4 +1,4 @@ # /etc/cron.d/tt-rss-mysql: crontab fragment for tt-rss-mysql # This update feeds for tiny tiny RSS every 20min -12,42 * * * * www-data /usr/bin/wget --output-document=/dev/null --quiet http://localhost/tt-rss/backend.php?op=globalUpdateFeeds&daemon=1 +12,42 * * * * www-data /usr/bin/wget --output-document=/dev/null --quiet http://localhost/tt-rss/public.php?op=globalUpdateFeeds&daemon=1 diff --git a/debian/tt-rss-pgsql.cron.d b/debian/tt-rss-pgsql.cron.d index e03991482..c40837ec6 100644 --- a/debian/tt-rss-pgsql.cron.d +++ b/debian/tt-rss-pgsql.cron.d @@ -1,4 +1,4 @@ # /etc/cron.d/tt-rss-pgsql: crontab fragment for tt-rss-pgsql # This update feeds for tiny tiny RSS every 20min -12,42 * * * * www-data /usr/bin/wget --output-document=/dev/null --quiet http://localhost/tt-rss/backend.php?op=globalUpdateFeeds&daemon=1 +12,42 * * * * www-data /usr/bin/wget --output-document=/dev/null --quiet http://localhost/tt-rss/public.php?op=globalUpdateFeeds&daemon=1 diff --git a/functions.php b/functions.php index 0dd9ccab3..83159e62c 100644 --- a/functions.php +++ b/functions.php @@ -840,7 +840,7 @@ !ini_get("open_basedir")) { $callback_url = get_self_url_prefix() . - "/backend.php?op=pubsub&id=$feed"; + "/public.php?op=pubsub&id=$feed"; $s = new Subscriber($feed_hub_url, $callback_url); @@ -1284,7 +1284,7 @@ if (PUBSUBHUBBUB_HUB && $published == 'true') { $rss_link = get_self_url_prefix() . - "/backend.php?op=rss&id=-2&key=" . + "/public.php?op=rss&id=-2&key=" . get_feed_access_key($link, -2, false, $owner_uid); $p = new Publisher(PUBSUBHUBBUB_HUB); @@ -3830,7 +3830,7 @@ $last_error = $qfh_ret[3]; $feed_self_url = get_self_url_prefix() . - "/backend.php?op=rss&id=-2&key=" . + "/public.php?op=rss&id=-2&key=" . get_feed_access_key($link, -2, false); if (!$feed_site_url) $feed_site_url = get_self_url_prefix(); @@ -4239,7 +4239,7 @@ if (PUBSUBHUBBUB_HUB) { $rss_link = get_self_url_prefix() . - "/backend.php?op=rss&id=-2&key=" . + "/public.php?op=rss&id=-2&key=" . get_feed_access_key($link, -2, false); $p = new Publisher(PUBSUBHUBBUB_HUB); @@ -4378,7 +4378,7 @@ } $rss_link = htmlspecialchars(get_self_url_prefix() . - "/backend.php?op=rss&id=$feed_id$cat_q$search_q"); + "/public.php?op=rss&id=$feed_id$cat_q$search_q"); $reply .= "<option value=\"0\" disabled=\"1\">".__('Feed:')."</option>"; @@ -7544,11 +7544,17 @@ _debug("Updating: " . $line['access_url'] . " ($id)"); - $fetch_url = $line['access_url'] . '/backend.php?op=fbexport'; + $fetch_url = $line['access_url'] . '/public.php?op=fbexport'; $post_query = 'key=' . $line['access_key']; $feeds = fetch_file_contents($fetch_url, false, false, false, $post_query); + // try doing it the old way + if (!$feeds) { + $fetch_url = $line['access_url'] . '/backend.php?op=fbexport'; + $feeds = fetch_file_contents($fetch_url, false, false, false, $post_query); + } + if ($feeds) { $feeds = json_decode($feeds, true); @@ -7598,6 +7604,223 @@ last_status_out = '$status', last_connected = NOW() WHERE id = '$id'"); } + } + + function handle_public_request($link, $op) { + switch ($op) { + + case "getUnread": + $login = db_escape_string($_REQUEST["login"]); + $fresh = $_REQUEST["fresh"] == "1"; + + $result = db_query($link, "SELECT id FROM ttrss_users WHERE login = '$login'"); + + if (db_num_rows($result) == 1) { + $uid = db_fetch_result($result, 0, "id"); + + print getGlobalUnread($link, $uid); + + if ($fresh) { + print ";"; + print getFeedArticles($link, -3, false, true, $uid); + } + + } else { + print "-1;User not found"; + } + + break; // getUnread + + case "getProfiles": + $login = db_escape_string($_REQUEST["login"]); + $password = db_escape_string($_REQUEST["password"]); + + if (authenticate_user($link, $login, $password)) { + $result = db_query($link, "SELECT * FROM ttrss_settings_profiles + WHERE owner_uid = " . $_SESSION["uid"] . " ORDER BY title"); + + print "<select style='width: 100%' name='profile'>"; + + print "<option value='0'>" . __("Default profile") . "</option>"; + + while ($line = db_fetch_assoc($result)) { + $id = $line["id"]; + $title = $line["title"]; + + print "<option value='$id'>$title</option>"; + } + + print "</select>"; + + $_SESSION = array(); + } + break; // getprofiles + + case "pubsub": + $mode = db_escape_string($_REQUEST['hub_mode']); + $feed_id = (int) db_escape_string($_REQUEST['id']); + $feed_url = db_escape_string($_REQUEST['hub_topic']); + + if (!PUBSUBHUBBUB_ENABLED) { + header('HTTP/1.0 404 Not Found'); + echo "404 Not found"; + return; + } + + // TODO: implement hub_verifytoken checking + + $result = db_query($link, "SELECT feed_url FROM ttrss_feeds + WHERE id = '$feed_id'"); + + if (db_num_rows($result) != 0) { + + $check_feed_url = db_fetch_result($result, 0, "feed_url"); + + if ($check_feed_url && ($check_feed_url == $feed_url || !$feed_url)) { + if ($mode == "subscribe") { + + db_query($link, "UPDATE ttrss_feeds SET pubsub_state = 2 + WHERE id = '$feed_id'"); + + print $_REQUEST['hub_challenge']; + return; + + } else if ($mode == "unsubscribe") { + + db_query($link, "UPDATE ttrss_feeds SET pubsub_state = 0 + WHERE id = '$feed_id'"); + + print $_REQUEST['hub_challenge']; + return; + + } else if (!$mode) { + + // Received update ping, schedule feed update. + //update_rss_feed($link, $feed_id, true, true); + + db_query($link, "UPDATE ttrss_feeds SET + last_update_started = '1970-01-01', + last_updated = '1970-01-01' WHERE id = '$feed_id' AND + owner_uid = ".$_SESSION["uid"]); + + } + } else { + header('HTTP/1.0 404 Not Found'); + echo "404 Not found"; + } + } else { + header('HTTP/1.0 404 Not Found'); + echo "404 Not found"; + } + + break; // pubsub + + case "logout": + logout_user(); + header("Location: tt-rss.php"); + break; // logout + + case "fbexport": + + $access_key = db_escape_string($_POST["key"]); + + // TODO: rate limit checking using last_connected + $result = db_query($link, "SELECT id FROM ttrss_linked_instances + WHERE access_key = '$access_key'"); + + if (db_num_rows($result) == 1) { + + $instance_id = db_fetch_result($result, 0, "id"); + + $result = db_query($link, "SELECT feed_url, site_url, title, subscribers + FROM ttrss_feedbrowser_cache ORDER BY subscribers DESC LIMIT 100"); + + $feeds = array(); + + while ($line = db_fetch_assoc($result)) { + array_push($feeds, $line); + } + + db_query($link, "UPDATE ttrss_linked_instances SET + last_status_in = 1 WHERE id = '$instance_id'"); + + print json_encode(array("feeds" => $feeds)); + } else { + print json_encode(array("error" => array("code" => 6))); + } + break; // fbexport + + case "share": + $uuid = db_escape_string($_REQUEST["key"]); + + $result = db_query($link, "SELECT ref_id, owner_uid FROM ttrss_user_entries WHERE + uuid = '$uuid'"); + + if (db_num_rows($result) != 0) { + header("Content-Type: text/html"); + + $id = db_fetch_result($result, 0, "ref_id"); + $owner_uid = db_fetch_result($result, 0, "owner_uid"); + + $_SESSION["uid"] = $owner_uid; + $article = format_article($link, $id, false, true); + $_SESSION["uid"] = ""; + print_r($article['content']); + + } else { + print "Article not found."; + } + + break; + + case "rss": + $feed = db_escape_string($_REQUEST["id"]); + $key = db_escape_string($_REQUEST["key"]); + $is_cat = $_REQUEST["is_cat"] != false; + $limit = (int)db_escape_string($_REQUEST["limit"]); + + $search = db_escape_string($_REQUEST["q"]); + $match_on = db_escape_string($_REQUEST["m"]); + $search_mode = db_escape_string($_REQUEST["smode"]); + $view_mode = db_escape_string($_REQUEST["view-mode"]); + + if (SINGLE_USER_MODE) { + authenticate_user($link, "admin", null); + } + + $owner_id = false; + + if ($key) { + $result = db_query($link, "SELECT owner_uid FROM + ttrss_access_keys WHERE access_key = '$key' AND feed_id = '$feed'"); + + if (db_num_rows($result) == 1) + $owner_id = db_fetch_result($result, 0, "owner_uid"); + } + + if ($owner_id) { + $_SESSION['uid'] = $owner_id; + + generate_syndicated_feed($link, 0, $feed, $is_cat, $limit, + $search, $search_mode, $match_on, $view_mode); + } else { + header('HTTP/1.1 403 Forbidden'); + } + break; // rss + + + case "globalUpdateFeeds": + // Update all feeds needing a update. + update_daemon_common($link, 0, true, true); + break; // globalUpdateFeeds + + + default: + header("Content-Type: text/plain"); + print json_encode(array("error" => array("code" => 7))); + break; // fallback + + } } ?> diff --git a/modules/backend-rpc.php b/modules/backend-rpc.php index f6b66885e..f1bbd0698 100644 --- a/modules/backend-rpc.php +++ b/modules/backend-rpc.php @@ -215,7 +215,7 @@ if (PUBSUBHUBBUB_HUB) { $rss_link = get_self_url_prefix() . - "/backend.php?op=rss&id=-2&key=" . + "/public.php?op=rss&id=-2&key=" . get_feed_access_key($link, -2, false); $p = new Publisher(PUBSUBHUBBUB_HUB); diff --git a/modules/popup-dialog.php b/modules/popup-dialog.php index f65d005ff..26b2e7cf6 100644 --- a/modules/popup-dialog.php +++ b/modules/popup-dialog.php @@ -1094,7 +1094,7 @@ print __("You can share this article by the following unique URL:"); $url_path = get_self_url_prefix(); - $url_path .= "/backend.php?op=share&key=$uuid"; + $url_path .= "/public.php?op=share&key=$uuid"; print "<div class=\"tagCloudContainer\">"; print "<a id='pub_opml_url' href='$url_path' target='_blank'>$url_path</a>"; diff --git a/modules/pref-feeds.php b/modules/pref-feeds.php index b033a3787..bbae468bf 100644 --- a/modules/pref-feeds.php +++ b/modules/pref-feeds.php @@ -1520,7 +1520,7 @@ print "<p>".__('Published articles are exported as a public RSS feed and can be subscribed by anyone who knows the URL specified below.')."</p>"; $rss_url = '-2::' . htmlspecialchars(get_self_url_prefix() . - "/backend.php?op=rss&id=-2&view-mode=all_articles");; + "/public.php?op=rss&id=-2&view-mode=all_articles");; print "<button dojoType=\"dijit.form.Button\" onclick=\"return displayDlg('generatedFeed', '$rss_url')\">". __('Display URL')."</button> "; diff --git a/public.php b/public.php new file mode 100644 index 000000000..c2de2185f --- /dev/null +++ b/public.php @@ -0,0 +1,62 @@ +<?php + /* remove ill effects of magic quotes */ + + if (get_magic_quotes_gpc()) { + function stripslashes_deep($value) { + $value = is_array($value) ? + array_map('stripslashes_deep', $value) : stripslashes($value); + return $value; + } + + $_POST = array_map('stripslashes_deep', $_POST); + $_GET = array_map('stripslashes_deep', $_GET); + $_COOKIE = array_map('stripslashes_deep', $_COOKIE); + $_REQUEST = array_map('stripslashes_deep', $_REQUEST); + } + + $op = $_REQUEST["op"]; + + require_once "functions.php"; + if ($op != "share") require_once "sessions.php"; + require_once "modules/backend-rpc.php"; + require_once "sanity_check.php"; + require_once "config.php"; + require_once "db.php"; + require_once "db-prefs.php"; + + no_cache_incantation(); + + startup_gettext(); + + $script_started = getmicrotime(); + + $link = db_connect(DB_HOST, DB_USER, DB_PASS, DB_NAME); + + if (!$link) { + if (DB_TYPE == "mysql") { + print mysql_error(); + } + // PG seems to display its own errors just fine by default. + return; + } + + init_connection($link); + + $subop = $_REQUEST["subop"]; + $mode = $_REQUEST["mode"]; + + if ((!$op || $op == "rss" || $op == "dlg") && !$_REQUEST["noxml"]) { + header("Content-Type: application/xml; charset=utf-8"); + } else { + header("Content-Type: text/plain; charset=utf-8"); + } + + if (ENABLE_GZIP_OUTPUT) { + ob_start("ob_gzhandler"); + } + + handle_public_request($link, $op); + + // We close the connection to database. + db_close($link); +?> |