1 files changed, 704 insertions, 0 deletions
diff --git a/classes/Config.php b/classes/Config.php
new file mode 100644
index 000000000..72d6c5106
--- /dev/null
+++ b/classes/Config.php
@@ -0,0 +1,704 @@
+<?php
+class Config {
+	private const _ENVVAR_PREFIX = "TTRSS_";
+
+	const T_BOOL = 1;
+	const T_STRING = 2;
+	const T_INT = 3;
+
+	const SCHEMA_VERSION = 147;
+
+	/** override default values, defined below in _DEFAULTS[], prefixing with _ENVVAR_PREFIX:
+	 *
+	 * DB_TYPE becomes:
+	 *
+	 * .env (docker environment):
+	 *
+	 * TTRSS_DB_TYPE=pgsql
+	 *
+	 * or config.php:
+	 *
+	 * putenv('TTRSS_DB_TYPE=pgsql');
+	 *
+	 * note lack of quotes and spaces before and after "=".
+	 *
+	*/
+
+	/** database type: pgsql or mysql */
+	const DB_TYPE = "DB_TYPE";
+
+	/** database server hostname */
+	const DB_HOST = "DB_HOST";
+
+	/** database user */
+	const DB_USER = "DB_USER";
+
+	/** database name */
+	const DB_NAME = "DB_NAME";
+
+	/** database password */
+	const DB_PASS = "DB_PASS";
+
+	/** database server port */
+	const DB_PORT = "DB_PORT";
+
+	/** connection charset for MySQL. if you have a legacy database and/or experience
+	 * garbage unicode characters with this option, try setting it to a blank string. */
+	const MYSQL_CHARSET = "MYSQL_CHARSET";
+
+	/** this is a fallback falue for the CLI SAPI, it should be set to a fully-qualified tt-rss URL */
+	const SELF_URL_PATH = "SELF_URL_PATH";
+
+	/** operate in single user mode, disables all functionality related to
+	 * multiple users and authentication. enabling this assumes you have
+	 * your tt-rss directory protected by other means (e.g. http auth). */
+	const SINGLE_USER_MODE = "SINGLE_USER_MODE";
+
+	/** enables fallback update mode where tt-rss tries to update feeds in
+	 * background while tt-rss is open in your browser.
+	 * if you don't have a lot of feeds and don't want to or can't run
+	 * background processes while not running tt-rss, this method is generally
+	 * viable to keep your feeds up to date. */
+	const SIMPLE_UPDATE_MODE = "SIMPLE_UPDATE_MODE";
+
+	/** use this PHP CLI executable to start various tasks */
+	const PHP_EXECUTABLE = "PHP_EXECUTABLE";
+
+	/** base directory for lockfiles (must be writable) */
+	const LOCK_DIRECTORY = "LOCK_DIRECTORY";
+
+	/** base directory for local cache (must be writable) */
+	const CACHE_DIR = "CACHE_DIR";
+
+	/** directory for feed favicons (directory must be writable) */
+	const ICONS_DIR = "ICONS_DIR";
+
+	/** URL for feed favicons */
+	const ICONS_URL = "ICONS_URL";
+
+	/** auto create users authenticated via external modules */
+	const AUTH_AUTO_CREATE = "AUTH_AUTO_CREATE";
+
+	/** auto log in users authenticated via external modules i.e. auth_remote */
+	const AUTH_AUTO_LOGIN = "AUTH_AUTO_LOGIN";
+
+	/** unconditinally purge all articles older than this amount, in days
+	 * overrides user-controlled purge interval */
+	const FORCE_ARTICLE_PURGE = "FORCE_ARTICLE_PURGE";
+
+	/** default lifetime of a session (e.g. login) cookie. In seconds,
+	 * 0 means cookie will be deleted when browser closes. */
+	const SESSION_COOKIE_LIFETIME = "SESSION_COOKIE_LIFETIME";
+
+	/** send email using this name */
+	const SMTP_FROM_NAME = "SMTP_FROM_NAME";
+
+	/** send email using this address */
+	const SMTP_FROM_ADDRESS = "SMTP_FROM_ADDRESS";
+
+	/** default subject for email digest */
+	const DIGEST_SUBJECT = "DIGEST_SUBJECT";
+
+	/** enable built-in update checker, both for core code and plugins (using git) */
+	const CHECK_FOR_UPDATES = "CHECK_FOR_UPDATES";
+
+	/** system plugins enabled for all users, comma separated list, no quotes
+	 * keep at least one auth module in there (i.e. auth_internal) */
+	const PLUGINS = "PLUGINS";
+
+	/** available options: sql (default, event log), syslog, stdout (for debugging) */
+	const LOG_DESTINATION = "LOG_DESTINATION";
+
+	/** link this stylesheet on all pages (if it exists), should be placed in themes.local */
+	const LOCAL_OVERRIDE_STYLESHEET = "LOCAL_OVERRIDE_STYLESHEET";
+
+	/** same but this javascript file (you can use that for polyfills), should be placed in themes.local */
+	const LOCAL_OVERRIDE_JS = "LOCAL_OVERRIDE_JS";
+
+	/** in seconds, terminate update tasks that ran longer than this interval */
+	const DAEMON_MAX_CHILD_RUNTIME = "DAEMON_MAX_CHILD_RUNTIME";
+
+	/** max concurrent update jobs forking update daemon starts */
+	const DAEMON_MAX_JOBS = "DAEMON_MAX_JOBS";
+
+	/** How long to wait for response when requesting feed from a site (seconds)  */
+	const FEED_FETCH_TIMEOUT = "FEED_FETCH_TIMEOUT";
+
+	/** How long to wait for response when requesting uncached feed from a site (seconds)  */
+	const FEED_FETCH_NO_CACHE_TIMEOUT = "FEED_FETCH_NO_CACHE_TIMEOUT";
+
+	/** Default timeout when fetching files from remote sites */
+	const FILE_FETCH_TIMEOUT = "FILE_FETCH_TIMEOUT";
+
+	/** How long to wait for initial response from website when fetching remote files */
+	const FILE_FETCH_CONNECT_TIMEOUT = "FILE_FETCH_CONNECT_TIMEOUT";
+
+	/** stop updating feeds if user haven't logged in for X days */
+	const DAEMON_UPDATE_LOGIN_LIMIT = "DAEMON_UPDATE_LOGIN_LIMIT";
+
+	/** how many feeds to update in one batch */
+	const DAEMON_FEED_LIMIT = "DAEMON_FEED_LIMIT";
+
+	/** default sleep interval between feed updates (sec) */
+	const DAEMON_SLEEP_INTERVAL = "DAEMON_SLEEP_INTERVAL";
+
+	/** do not cache files larger than that (bytes) */
+	const MAX_CACHE_FILE_SIZE = "MAX_CACHE_FILE_SIZE";
+
+	/** do not download files larger than that (bytes) */
+	const MAX_DOWNLOAD_FILE_SIZE = "MAX_DOWNLOAD_FILE_SIZE";
+
+	/** max file size for downloaded favicons (bytes) */
+	const MAX_FAVICON_FILE_SIZE = "MAX_FAVICON_FILE_SIZE";
+
+	/** max age in days for various automatically cached (temporary) files */
+	const CACHE_MAX_DAYS = "CACHE_MAX_DAYS";
+
+	/** max interval between forced unconditional updates for servers
+	 * not complying with http if-modified-since (seconds) */
+	const MAX_CONDITIONAL_INTERVAL = "MAX_CONDITIONAL_INTERVAL";
+
+	/** automatically disable updates for feeds which failed to
+	 * update for this amount of days; 0 disables */
+	const DAEMON_UNSUCCESSFUL_DAYS_LIMIT = "DAEMON_UNSUCCESSFUL_DAYS_LIMIT";
+
+	/** log all sent emails in the event log */
+	const LOG_SENT_MAIL = "LOG_SENT_MAIL";
+
+	/** use HTTP proxy for requests */
+	const HTTP_PROXY = "HTTP_PROXY";
+
+	/** prevent users from changing passwords */
+	const FORBID_PASSWORD_CHANGES = "FORBID_PASSWORD_CHANGES";
+
+	/** default session cookie name */
+	const SESSION_NAME = "SESSION_NAME";
+
+	/** enable plugin update checker (using git) */
+	const CHECK_FOR_PLUGIN_UPDATES = "CHECK_FOR_PLUGIN_UPDATES";
+
+	/** allow installing first party plugins using plugin installer in prefs */
+	const ENABLE_PLUGIN_INSTALLER = "ENABLE_PLUGIN_INSTALLER";
+
+	/** minimum amount of seconds required between authentication attempts */
+	const AUTH_MIN_INTERVAL = "AUTH_MIN_INTERVAL";
+
+	/** http user agent (changing this is not recommended) */
+	const HTTP_USER_AGENT = "HTTP_USER_AGENT";
+
+	/** delay updates for this feed if received HTTP 429 (Too Many Requests) for this amount of seconds (base value, actual delay is base...base*2) */
+	const HTTP_429_THROTTLE_INTERVAL = "HTTP_429_THROTTLE_INTERVAL";
+
+	/** host running Jaeger collector to receive traces (disabled if empty) */
+	const OPENTELEMETRY_ENDPOINT = "OPENTELEMETRY_ENDPOINT";
+
+	/** Jaeger service name */
+	const OPENTELEMETRY_SERVICE = "OPENTELEMETRY_SERVICE";
+
+	/** default values for all global configuration options */
+	private const _DEFAULTS = [
+		Config::DB_TYPE => [ "pgsql", 									Config::T_STRING ],
+		Config::DB_HOST => [ "db", 										Config::T_STRING ],
+		Config::DB_USER => [ "",											Config::T_STRING ],
+		Config::DB_NAME => [ "", 											Config::T_STRING ],
+		Config::DB_PASS => [ "", 											Config::T_STRING ],
+		Config::DB_PORT => [ "5432",										Config::T_STRING ],
+		Config::MYSQL_CHARSET => [ "UTF8",								Config::T_STRING ],
+		Config::SELF_URL_PATH => [ "https://example.com/tt-rss", Config::T_STRING ],
+		Config::SINGLE_USER_MODE => [ "",								Config::T_BOOL ],
+		Config::SIMPLE_UPDATE_MODE => [ "",								Config::T_BOOL ],
+		Config::PHP_EXECUTABLE => [ "/usr/bin/php",					Config::T_STRING ],
+		Config::LOCK_DIRECTORY => [ "lock",								Config::T_STRING ],
+		Config::CACHE_DIR => [ "cache",									Config::T_STRING ],
+		Config::ICONS_DIR => [ "feed-icons",							Config::T_STRING ],
+		Config::ICONS_URL => [ "feed-icons",							Config::T_STRING ],
+		Config::AUTH_AUTO_CREATE => [ "true",							Config::T_BOOL ],
+		Config::AUTH_AUTO_LOGIN => [ "true",							Config::T_BOOL ],
+		Config::FORCE_ARTICLE_PURGE => [ 0,								Config::T_INT ],
+		Config::SESSION_COOKIE_LIFETIME => [ 86400,					Config::T_INT ],
+		Config::SMTP_FROM_NAME => [ "Tiny Tiny RSS",					Config::T_STRING ],
+		Config::SMTP_FROM_ADDRESS => [ "noreply@localhost",		Config::T_STRING ],
+		Config::DIGEST_SUBJECT => [ "[tt-rss] New headlines for last 24 hours",
+																					Config::T_STRING ],
+		Config::CHECK_FOR_UPDATES => [ "true",							Config::T_BOOL ],
+		Config::PLUGINS => [ "auth_internal",							Config::T_STRING ],
+		Config::LOG_DESTINATION => [ Logger::LOG_DEST_SQL,			Config::T_STRING ],
+		Config::LOCAL_OVERRIDE_STYLESHEET => [ "local-overrides.css",
+																					Config::T_STRING ],
+		Config::LOCAL_OVERRIDE_JS => [ "local-overrides.js",
+																					Config::T_STRING ],
+		Config::DAEMON_MAX_CHILD_RUNTIME => [ 1800,					Config::T_INT ],
+		Config::DAEMON_MAX_JOBS => [ 2,									Config::T_INT ],
+		Config::FEED_FETCH_TIMEOUT => [ 45,								Config::T_INT ],
+		Config::FEED_FETCH_NO_CACHE_TIMEOUT => [ 15,					Config::T_INT ],
+		Config::FILE_FETCH_TIMEOUT => [ 45,								Config::T_INT ],
+		Config::FILE_FETCH_CONNECT_TIMEOUT => [ 15,					Config::T_INT ],
+		Config::DAEMON_UPDATE_LOGIN_LIMIT => [ 30,					Config::T_INT ],
+		Config::DAEMON_FEED_LIMIT => [ 500,								Config::T_INT ],
+		Config::DAEMON_SLEEP_INTERVAL => [ 120,						Config::T_INT ],
+		Config::MAX_CACHE_FILE_SIZE => [ 64*1024*1024,				Config::T_INT ],
+		Config::MAX_DOWNLOAD_FILE_SIZE => [ 16*1024*1024,			Config::T_INT ],
+		Config::MAX_FAVICON_FILE_SIZE => [ 1*1024*1024,				Config::T_INT ],
+		Config::CACHE_MAX_DAYS => [ 7,									Config::T_INT ],
+		Config::MAX_CONDITIONAL_INTERVAL => [ 3600*12,				Config::T_INT ],
+		Config::DAEMON_UNSUCCESSFUL_DAYS_LIMIT => [ 30,				Config::T_INT ],
+		Config::LOG_SENT_MAIL => [ "",									Config::T_BOOL ],
+		Config::HTTP_PROXY => [ "",										Config::T_STRING ],
+		Config::FORBID_PASSWORD_CHANGES => [ "",						Config::T_BOOL ],
+		Config::SESSION_NAME => [ "ttrss_sid",							Config::T_STRING ],
+		Config::CHECK_FOR_PLUGIN_UPDATES => [ "true",				Config::T_BOOL ],
+		Config::ENABLE_PLUGIN_INSTALLER => [ "true",					Config::T_BOOL ],
+		Config::AUTH_MIN_INTERVAL => [ 5,								Config::T_INT ],
+		Config::HTTP_USER_AGENT => [ 'Tiny Tiny RSS/%s (https://tt-rss.org/)',
+																					Config::T_STRING ],
+		Config::HTTP_429_THROTTLE_INTERVAL => [ 3600,				Config::T_INT ],
+		Config::OPENTELEMETRY_ENDPOINT => [ "",							Config::T_STRING ],
+		Config::OPENTELEMETRY_SERVICE => [ "tt-rss",					Config::T_STRING ],
+	];
+
+	/** @var Config|null */
+	private static $instance;
+
+	/** @var array<string, array<bool|int|string>> */
+	private $params = [];
+
+	/** @var array<string, mixed> */
+	private $version = [];
+
+	/** @var Db_Migrations|null $migrations */
+	private $migrations;
+
+	public static function get_instance() : Config {
+		if (self::$instance == null)
+			self::$instance = new self();
+
+		return self::$instance;
+	}
+
+	private function __clone() {
+		//
+	}
+
+	function __construct() {
+		$ref = new ReflectionClass(get_class($this));
+
+		foreach ($ref->getConstants() as $const => $cvalue) {
+			if (isset(self::_DEFAULTS[$const])) {
+				$override = getenv(self::_ENVVAR_PREFIX . $const);
+
+				list ($defval, $deftype) = self::_DEFAULTS[$const];
+
+				$this->params[$cvalue] = [ self::cast_to($override !== false ? $override : $defval, $deftype), $deftype ];
+			}
+		}
+	}
+
+	/** determine tt-rss version (using git)
+	 *
+	 * package maintainers who don't use git: if version_static.txt exists in tt-rss root
+	 * directory, its contents are displayed instead of git commit-based version, this could be generated
+	 * based on source git tree commit used when creating the package
+	 * @return array<string, mixed>|string
+	 */
+	static function get_version(bool $as_string = true) {
+		return self::get_instance()->_get_version($as_string);
+	}
+
+	// returns version showing (if possible) full timestamp of commit id
+	static function get_version_html() : string {
+		$version = self::get_version(false);
+
+		return sprintf("<span title=\"%s\n%s\n%s\">%s</span>",
+			date("Y-m-d H:i:s", ($version['timestamp'] ?? 0)),
+				$version['commit'] ?? '',
+				$version['branch'] ?? '',
+				$version['version']);
+	}
+
+	/**
+	 * @return array<string, mixed>|string
+	 */
+	private function _get_version(bool $as_string = true) {
+		$root_dir = dirname(__DIR__);
+
+		if (empty($this->version)) {
+			$this->version["status"] = -1;
+
+			if (getenv("CI_COMMIT_SHORT_SHA") && getenv("CI_COMMIT_TIMESTAMP")) {
+
+				$this->version["branch"] = getenv("CI_COMMIT_BRANCH");
+				$this->version["timestamp"] = strtotime(getenv("CI_COMMIT_TIMESTAMP"));
+				$this->version["version"] = sprintf("%s-%s", date("y.m", $this->version["timestamp"]), getenv("CI_COMMIT_SHORT_SHA"));
+				$this->version["commit"] = getenv("CI_COMMIT_SHORT_SHA");
+				$this->version["status"] = 0;
+
+			} else if (PHP_OS === "Darwin") {
+				$this->version["version"] = "UNKNOWN (Unsupported, Darwin)";
+			} else if (file_exists("$root_dir/version_static.txt")) {
+				$this->version["version"] = trim(file_get_contents("$root_dir/version_static.txt")) . " (Unsupported)";
+			} else if (ini_get("open_basedir")) {
+				$this->version["version"] = "UNKNOWN (Unsupported, open_basedir)";
+			} else if (is_dir("$root_dir/.git")) {
+				$this->version = self::get_version_from_git($root_dir);
+
+				if ($this->version["status"] != 0) {
+					user_error("Unable to determine version: " . $this->version["version"], E_USER_WARNING);
+
+					$this->version["version"] = "UNKNOWN (Unsupported, Git error)";
+				} else if (!getenv("SCRIPT_ROOT") || !file_exists("/.dockerenv")) {
+					$this->version["version"] .= " (Unsupported)";
+				}
+
+			} else {
+				$this->version["version"] = "UNKNOWN (Unsupported)";
+			}
+		}
+
+		return $as_string ? $this->version["version"] : $this->version;
+	}
+
+	/**
+	 * @return array<string, int|string>
+	 */
+	static function get_version_from_git(string $dir): array {
+		$descriptorspec = [
+			1 => ["pipe", "w"], // STDOUT
+			2 => ["pipe", "w"], // STDERR
+		];
+
+		$rv = [
+			"status" => -1,
+			"version" => "",
+			"branch" => "",
+			"commit" => "",
+			"timestamp" => 0,
+		];
+
+		$proc = proc_open("git --no-pager log --pretty=\"version-%ct-%h\" -n1 HEAD",
+						$descriptorspec, $pipes, $dir);
+
+		if (is_resource($proc)) {
+			$stdout = trim(stream_get_contents($pipes[1]));
+			$stderr = trim(stream_get_contents($pipes[2]));
+			$status = proc_close($proc);
+
+			$rv["status"] = $status;
+
+			list($check, $timestamp, $commit) = explode("-", $stdout);
+
+			if ($check == "version") {
+
+				$rv["version"] = sprintf("%s-%s", date("y.m", (int)$timestamp), $commit);
+				$rv["commit"] = $commit;
+				$rv["timestamp"] = $timestamp;
+
+				// proc_close() may return -1 even if command completed successfully
+				// so if it looks like we got valid data, we ignore it
+
+				if ($rv["status"] == -1)
+					$rv["status"] = 0;
+
+			} else {
+				$rv["version"] = T_sprintf("Git error [RC=%d]: %s", $status, $stderr);
+			}
+		}
+
+		return $rv;
+	}
+
+	static function get_migrations() : Db_Migrations {
+		return self::get_instance()->_get_migrations();
+	}
+
+	private function _get_migrations() : Db_Migrations {
+		if (empty($this->migrations)) {
+			$this->migrations = new Db_Migrations();
+			$this->migrations->initialize(dirname(__DIR__) . "/sql", "ttrss_version", true, self::SCHEMA_VERSION);
+		}
+
+		return $this->migrations;
+	}
+
+	static function is_migration_needed() : bool {
+		return self::get_migrations()->is_migration_needed();
+	}
+
+	static function get_schema_version() : int {
+		return self::get_migrations()->get_version();
+	}
+
+	/**
+	 * @return bool|int|string
+	 */
+	static function cast_to(string $value, int $type_hint) {
+		switch ($type_hint) {
+			case self::T_BOOL:
+				return sql_bool_to_bool($value);
+			case self::T_INT:
+				return (int) $value;
+			default:
+				return $value;
+		}
+	}
+
+	/**
+	 * @return bool|int|string
+	 */
+	private function _get(string $param) {
+		list ($value, $type_hint) = $this->params[$param];
+
+		return $this->cast_to($value, $type_hint);
+	}
+
+	private function _add(string $param, string $default, int $type_hint): void {
+		$override = getenv(self::_ENVVAR_PREFIX . $param);
+
+		$this->params[$param] = [ self::cast_to($override !== false ? $override : $default, $type_hint), $type_hint ];
+	}
+
+	static function add(string $param, string $default, int $type_hint = Config::T_STRING): void {
+		$instance = self::get_instance();
+
+		$instance->_add($param, $default, $type_hint);
+	}
+
+	/**
+	 * @return bool|int|string
+	 */
+	static function get(string $param) {
+		$instance = self::get_instance();
+
+		return $instance->_get($param);
+	}
+
+	static function is_server_https() : bool {
+		return (!empty($_SERVER['HTTPS']) && ($_SERVER['HTTPS'] != 'off')) ||
+			(!empty($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https');
+	}
+
+	/** returns fully-qualified external URL to tt-rss (no trailing slash)
+	 * SELF_URL_PATH configuration variable is used as a fallback for the CLI SAPI
+	 * */
+	static function get_self_url(bool $always_detect = false) : string {
+		if (!$always_detect && php_sapi_name() == "cli") {
+			return self::get(Config::SELF_URL_PATH);
+		} else {
+			$proto = self::is_server_https() ? 'https' : 'http';
+
+			$self_url_path = $proto . '://' . $_SERVER["HTTP_HOST"] . parse_url($_SERVER["REQUEST_URI"], PHP_URL_PATH);
+			$self_url_path = preg_replace("/(\/api\/{1,})?(\w+\.php)?(\?.*$)?$/", "", $self_url_path);
+
+			if (substr($self_url_path, -1) === "/") {
+				return substr($self_url_path, 0, -1);
+			} else {
+				return $self_url_path;
+			}
+		}
+	}
+	/* sanity check stuff */
+
+	/** checks for mysql tables not using InnoDB (tt-rss is incompatible with MyISAM)
+	 * @return array<int, array<string, string>> A list of entries identifying tt-rss tables with bad config
+	 */
+	private static function check_mysql_tables() {
+		$pdo = Db::pdo();
+
+		$sth = $pdo->prepare("SELECT engine, table_name FROM information_schema.tables WHERE
+				table_schema = ? AND table_name LIKE 'ttrss_%' AND engine != 'InnoDB'");
+		$sth->execute([self::get(Config::DB_NAME)]);
+
+		$bad_tables = [];
+
+		while ($line = $sth->fetch()) {
+			array_push($bad_tables, $line);
+		}
+
+		return $bad_tables;
+	}
+
+	static function sanity_check(): void {
+
+		/*
+			we don't actually need the DB object right now but some checks below might use ORM which won't be initialized
+			because it is set up in the Db constructor, which is why it's a good idea to invoke it as early as possible
+
+			it is a bit of a hack, maybe ORM should be initialized somewhere else (functions.php?)
+		*/
+
+		$pdo = Db::pdo();
+
+		$errors = [];
+
+		if (strpos(self::get(Config::PLUGINS), "auth_") === false) {
+			array_push($errors, "Please enable at least one authentication module via PLUGINS");
+		}
+
+		/* we assume our dependencies are sane under docker, so some sanity checks are skipped.
+			this also allows tt-rss process to run under root if requested (I'm using this for development
+			under podman because of uidmapping issues with rootless containers, don't use in production -fox) */
+		if (!getenv("container")) {
+			if (function_exists('posix_getuid') && posix_getuid() == 0) {
+				array_push($errors, "Please don't run this script as root.");
+			}
+
+			if (version_compare(PHP_VERSION, '7.4.0', '<')) {
+				array_push($errors, "PHP version 7.4.0 or newer required. You're using " . PHP_VERSION . ".");
+			}
+
+			if (!class_exists("UConverter")) {
+				array_push($errors, "PHP UConverter class is missing, it's provided by the Internationalization (intl) module.");
+			}
+
+			if (!function_exists("curl_init") && !ini_get("allow_url_fopen")) {
+				array_push($errors, "PHP configuration option allow_url_fopen is disabled, and CURL functions are not present. Either enable allow_url_fopen or install PHP extension for CURL.");
+			}
+
+			if (!function_exists("json_encode")) {
+				array_push($errors, "PHP support for JSON is required, but was not found.");
+			}
+
+			if (!function_exists("flock")) {
+				array_push($errors, "PHP support for flock() function is required.");
+			}
+
+			if (!class_exists("PDO")) {
+				array_push($errors, "PHP support for PDO is required but was not found.");
+			}
+
+			if (!function_exists("mb_strlen")) {
+				array_push($errors, "PHP support for mbstring functions is required but was not found.");
+			}
+
+			if (!function_exists("hash")) {
+				array_push($errors, "PHP support for hash() function is required but was not found.");
+			}
+
+			if (ini_get("safe_mode")) {
+				array_push($errors, "PHP safe mode setting is obsolete and not supported by tt-rss.");
+			}
+
+			if (!function_exists("mime_content_type")) {
+				array_push($errors, "PHP function mime_content_type() is missing, try enabling fileinfo module.");
+			}
+
+			if (!class_exists("DOMDocument")) {
+				array_push($errors, "PHP support for DOMDocument is required, but was not found.");
+			}
+		}
+
+		if (!is_writable(self::get(Config::CACHE_DIR) . "/images")) {
+			array_push($errors, "Image cache is not writable (chmod -R 777 ".self::get(Config::CACHE_DIR)."/images)");
+		}
+
+		if (!is_writable(self::get(Config::CACHE_DIR) . "/upload")) {
+			array_push($errors, "Upload cache is not writable (chmod -R 777 ".self::get(Config::CACHE_DIR)."/upload)");
+		}
+
+		if (!is_writable(self::get(Config::CACHE_DIR) . "/export")) {
+			array_push($errors, "Data export cache is not writable (chmod -R 777 ".self::get(Config::CACHE_DIR)."/export)");
+		}
+
+		if (!is_writable(self::get(Config::ICONS_DIR))) {
+			array_push($errors, "ICONS_DIR defined in config.php is not writable (chmod -R 777 ".self::get(Config::ICONS_DIR).").\n");
+		}
+
+		if (!is_writable(self::get(Config::LOCK_DIRECTORY))) {
+			array_push($errors, "LOCK_DIRECTORY is not writable (chmod -R 777 ".self::get(Config::LOCK_DIRECTORY).").\n");
+		}
+
+		// ttrss_users won't be there on initial startup (before migrations are done)
+		if (!Config::is_migration_needed() && self::get(Config::SINGLE_USER_MODE)) {
+			if (UserHelper::get_login_by_id(1) != "admin") {
+				array_push($errors, "SINGLE_USER_MODE is enabled but default admin account (ID: 1) is not found.");
+			}
+		}
+
+		// skip check for CLI scripts so that we could install database schema if it is missing.
+		if (php_sapi_name() != "cli") {
+			if (self::get_schema_version() < 0) {
+				array_push($errors, "Base database schema is missing. Either load it manually or perform a migration (<code>update.php --update-schema</code>)");
+			}
+		}
+
+		if (self::get(Config::DB_TYPE) == "mysql") {
+			$bad_tables = self::check_mysql_tables();
+
+			if (count($bad_tables) > 0) {
+				$bad_tables_fmt = [];
+
+				foreach ($bad_tables as $bt) {
+					array_push($bad_tables_fmt, sprintf("%s (%s)", $bt['table_name'], $bt['engine']));
+				}
+
+				$msg = "<p>The following tables use an unsupported MySQL engine: <b>" .
+					implode(", ", $bad_tables_fmt) . "</b>.</p>";
+
+				$msg .= "<p>The only supported engine on MySQL is InnoDB. MyISAM lacks functionality to run
+					tt-rss.
+					Please backup your data (via OPML) and re-import the schema before continuing.</p>
+					<p><b>WARNING: importing the schema would mean LOSS OF ALL YOUR DATA.</b></p>";
+
+
+				array_push($errors, $msg);
+			}
+		}
+
+		if (count($errors) > 0 && php_sapi_name() != "cli") { ?>
+			<!DOCTYPE html>
+			<html>
+				<head>
+					<title>Startup failed</title>
+					<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
+					<link rel="stylesheet" type="text/css" href="themes/light.css">
+				</head>
+				<body class="sanity_failed flat ttrss_utility">
+					<div class="content">
+						<h1>Startup failed</h1>
+
+						<p>Please fix errors indicated by the following messages:</p>
+
+						<?php foreach ($errors as $error) { echo self::format_error($error); } ?>
+
+						<p>You might want to check tt-rss <a target="_blank" href="https://tt-rss.org/wiki.php">wiki</a> or the
+							<a target="_blank" href="https://community.tt-rss.org/">forums</a> for more information. Please search the forums before creating new topic
+							for your question.</p>
+					</div>
+				</body>
+			</html>
+
+		<?php
+			die;
+		} else if (count($errors) > 0) {
+			echo "Please fix errors indicated by the following messages:\n\n";
+
+			foreach ($errors as $error) {
+				echo " * " . strip_tags($error)."\n";
+			}
+
+			echo "\nYou might want to check tt-rss wiki or the forums for more information.\n";
+			echo "Please search the forums before creating new topic for your question.\n";
+
+			exit(1);
+		}
+	}
+
+	private static function format_error(string $msg): string {
+		return "<div class=\"alert alert-danger\">$msg</div>";
+	}
+
+	static function get_override_links(): string {
+		$rv = "";
+
+		$local_css = get_theme_path(self::get(self::LOCAL_OVERRIDE_STYLESHEET));
+		if ($local_css) $rv .= stylesheet_tag($local_css);
+
+		$local_js = get_theme_path(self::get(self::LOCAL_OVERRIDE_JS));
+		if ($local_js) $rv .= javascript_tag($local_js);
+
+		return $rv;
+	}
+
+	static function get_user_agent(): string {
+		return sprintf(self::get(self::HTTP_USER_AGENT), self::get_version());
+	}
+}