diff options
Diffstat (limited to 'classes/pref/prefs.php')
-rw-r--r-- | classes/pref/prefs.php | 126 |
1 files changed, 96 insertions, 30 deletions
diff --git a/classes/pref/prefs.php b/classes/pref/prefs.php index ac16b5971..d7b486cbb 100644 --- a/classes/pref/prefs.php +++ b/classes/pref/prefs.php @@ -8,7 +8,7 @@ class Pref_Prefs extends Handler_Protected { private $profile_blacklist = []; function csrf_ignore($method) { - $csrf_ignored = array("index", "updateself", "customizecss", "editprefprofiles"); + $csrf_ignored = array("index", "updateself", "customizecss", "editprefprofiles", "otpqrcode"); return array_search($method, $csrf_ignored) !== false; } @@ -125,8 +125,14 @@ class Pref_Prefs extends Handler_Protected { $old_pw = clean($_POST["old_password"]); $new_pw = clean($_POST["new_password"]); + $new_unclean_pw = $_POST["new_password"]; $con_pw = clean($_POST["confirm_password"]); + if ($new_unclean_pw != $new_pw) { + print "ERROR: ".format_error("New password contains disallowed characters."); + return; + } + if ($old_pw == $new_pw) { print "ERROR: ".format_error("New password must be different from the old one."); return; @@ -213,11 +219,9 @@ class Pref_Prefs extends Handler_Protected { if ($old_email != $email) { $mailer = new Mailer(); - require_once "lib/MiniTemplator.class.php"; + $tpl = new Templator(); - $tpl = new MiniTemplator; - - $tpl->readTemplateFromFile("templates/mail_change_template.txt"); + $tpl->readTemplateFromFile("mail_change_template.txt"); $tpl->setVariable('LOGIN', $row["login"]); $tpl->setVariable('NEWMAIL', $email); @@ -253,7 +257,7 @@ class Pref_Prefs extends Handler_Protected { AND owner_uid = :uid"); $sth->execute([":profile" => $_SESSION['profile'], ":uid" => $_SESSION['uid']]); - initialize_user_prefs($_SESSION["uid"], $_SESSION["profile"]); + $this->initialize_user_prefs($_SESSION["uid"], $_SESSION["profile"]); echo __("Your preferences are now set to default values."); } @@ -382,12 +386,12 @@ class Pref_Prefs extends Handler_Protected { print "<fieldset>"; print "<label>" . __("New password:") . "</label>"; - print "<input dojoType='dijit.form.ValidationTextBox' type='password' required='1' name='new_password'>"; + print "<input dojoType='dijit.form.ValidationTextBox' type='password' regexp='^[^<>]+' required='1' name='new_password'>"; print "</fieldset>"; print "<fieldset>"; print "<label>" . __("Confirm password:") . "</label>"; - print "<input dojoType='dijit.form.ValidationTextBox' type='password' required='1' name='confirm_password'>"; + print "<input dojoType='dijit.form.ValidationTextBox' type='password' regexp='^[^<>]+' required='1' name='confirm_password'>"; print "</fieldset>"; print_hidden("op", "pref-prefs"); @@ -479,8 +483,8 @@ class Pref_Prefs extends Handler_Protected { if (function_exists("imagecreatefromstring")) { print "<h3>" . __("Scan the following code by the Authenticator application or copy the key manually") . "</h3>"; - $csrf_token = $_SESSION["csrf_token"]; - print "<img alt='otp qr-code' src='backend.php?op=pref-prefs&method=otpqrcode&csrf_token=$csrf_token'>"; + $csrf_token_hash = sha1($_SESSION["csrf_token"]); + print "<img alt='otp qr-code' src='backend.php?op=pref-prefs&method=otpqrcode&csrf_token_hash=$csrf_token_hash'>"; } else { print_error("PHP GD functions are required to generate QR codes."); print "<h3>" . __("Use the following OTP key with a compatible Authenticator application") . "</h3>"; @@ -586,9 +590,9 @@ class Pref_Prefs extends Handler_Protected { if ($profile) { print_notice(__("Some preferences are only available in default profile.")); - initialize_user_prefs($_SESSION["uid"], $profile); + $this->initialize_user_prefs($_SESSION["uid"], $profile); } else { - initialize_user_prefs($_SESSION["uid"]); + $this->initialize_user_prefs($_SESSION["uid"]); } $prefs_available = []; @@ -854,6 +858,10 @@ class Pref_Prefs extends Handler_Protected { print_warning("Your PHP configuration has open_basedir restrictions enabled. Some plugins relying on CURL for functionality may not work correctly."); } + if ($_SESSION["safe_mode"]) { + print_error("You have logged in using safe mode, no user plugins will be actually enabled until you login again."); + } + $feed_handler_whitelist = [ "Af_Comics" ]; $feed_handlers = array_merge( @@ -862,7 +870,7 @@ class Pref_Prefs extends Handler_Protected { PluginHost::getInstance()->get_hooks(PluginHost::HOOK_FETCH_FEED)); $feed_handlers = array_filter($feed_handlers, function($plugin) use ($feed_handler_whitelist) { - return in_array(get_class($plugin), $feed_handler_whitelist) === FALSE; }); + return in_array(get_class($plugin), $feed_handler_whitelist) === false; }); if (count($feed_handlers) > 0) { print_error( @@ -1006,21 +1014,28 @@ class Pref_Prefs extends Handler_Protected { } function otpqrcode() { - require_once "lib/phpqrcode/phpqrcode.php"; + $csrf_token_hash = clean($_REQUEST["csrf_token_hash"]); - $sth = $this->pdo->prepare("SELECT login - FROM ttrss_users - WHERE id = ?"); - $sth->execute([$_SESSION['uid']]); + if (sha1($_SESSION["csrf_token"]) === $csrf_token_hash) { + require_once "lib/phpqrcode/phpqrcode.php"; - if ($row = $sth->fetch()) { - $secret = $this->otpsecret(); - $login = $row['login']; + $sth = $this->pdo->prepare("SELECT login + FROM ttrss_users + WHERE id = ?"); + $sth->execute([$_SESSION['uid']]); - if ($secret) { - QRcode::png("otpauth://totp/".urlencode($login). - "?secret=$secret&issuer=".urlencode("Tiny Tiny RSS")); + if ($row = $sth->fetch()) { + $secret = $this->otpsecret(); + $login = $row['login']; + + if ($secret) { + QRcode::png("otpauth://totp/".urlencode($login). + "?secret=$secret&issuer=".urlencode("Tiny Tiny RSS")); + } } + } else { + header("Content-Type: text/json"); + print error_json(6); } } @@ -1087,11 +1102,9 @@ class Pref_Prefs extends Handler_Protected { if ($row = $sth->fetch()) { $mailer = new Mailer(); - require_once "lib/MiniTemplator.class.php"; - - $tpl = new MiniTemplator; + $tpl = new Templator(); - $tpl->readTemplateFromFile("templates/otp_disabled_template.txt"); + $tpl->readTemplateFromFile("otp_disabled_template.txt"); $tpl->setVariable('LOGIN', $row["login"]); $tpl->setVariable('TTRSS_HOST', SELF_URL_PATH); @@ -1307,11 +1320,11 @@ class Pref_Prefs extends Handler_Protected { print "<td>" . htmlspecialchars($row["title"]) . "</td>"; print "<td align='right' class='text-muted'>"; - print make_local_datetime($row['created'], false); + print TimeHelper::make_local_datetime($row['created'], false); print "</td>"; print "<td align='right' class='text-muted'>"; - print make_local_datetime($row['last_used'], false); + print TimeHelper::make_local_datetime($row['last_used'], false); print "</td>"; print "</tr>"; @@ -1353,4 +1366,57 @@ class Pref_Prefs extends Handler_Protected { $this->appPasswordList(); } + + static function initialize_user_prefs($uid, $profile = false) { + + if (get_schema_version() < 63) $profile_qpart = ""; + + $pdo = Db::pdo(); + $in_nested_tr = false; + + try { + $pdo->beginTransaction(); + } catch (Exception $e) { + $in_nested_tr = true; + } + + $sth = $pdo->query("SELECT pref_name,def_value FROM ttrss_prefs"); + + if (!is_numeric($profile) || !$profile || get_schema_version() < 63) $profile = null; + + $u_sth = $pdo->prepare("SELECT pref_name + FROM ttrss_user_prefs WHERE owner_uid = :uid AND + (profile = :profile OR (:profile IS NULL AND profile IS NULL))"); + $u_sth->execute([':uid' => $uid, ':profile' => $profile]); + + $active_prefs = array(); + + while ($line = $u_sth->fetch()) { + array_push($active_prefs, $line["pref_name"]); + } + + while ($line = $sth->fetch()) { + if (array_search($line["pref_name"], $active_prefs) === false) { +// print "adding " . $line["pref_name"] . "<br>"; + + if (get_schema_version() < 63) { + $i_sth = $pdo->prepare("INSERT INTO ttrss_user_prefs + (owner_uid,pref_name,value) VALUES + (?, ?, ?)"); + $i_sth->execute([$uid, $line["pref_name"], $line["def_value"]]); + + } else { + $i_sth = $pdo->prepare("INSERT INTO ttrss_user_prefs + (owner_uid,pref_name,value, profile) VALUES + (?, ?, ?, ?)"); + $i_sth->execute([$uid, $line["pref_name"], $line["def_value"], $profile]); + } + + } + } + + if (!$in_nested_tr) $pdo->commit(); + + } + } |