Diffstat (limited to 'classes/pref/prefs.php')
-rw-r--r--classes/pref/prefs.php126
1 files changed, 96 insertions, 30 deletions
diff --git a/classes/pref/prefs.php b/classes/pref/prefs.php
index ac16b5971..d7b486cbb 100644
--- a/classes/pref/prefs.php
+++ b/classes/pref/prefs.php
@@ -8,7 +8,7 @@ class Pref_Prefs extends Handler_Protected {
private $profile_blacklist = [];
function csrf_ignore($method) {
- $csrf_ignored = array("index", "updateself", "customizecss", "editprefprofiles");
+ $csrf_ignored = array("index", "updateself", "customizecss", "editprefprofiles", "otpqrcode");
return array_search($method, $csrf_ignored) !== false;
}
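Review bot: Adding `"otpqrcode"` to the ignore list at L18 removes the framework CSRF check from a handler that renders the user's TOTP secret into an image, so the method's own `sha1($_SESSION["csrf_token"])` comparison (later in this diff) becomes its only request-origin check, and that dependency is not recorded anywhere. A comment on the new entry would make it explicit, e.g. `// otpqrcode is loaded via <img src> and cannot carry the POST csrf_token; it validates csrf_token_hash itself`. While touching the line, `array_search($method, $csrf_ignored) !== false` reads more directly as `return in_array($method, $csrf_ignored, true);`.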
@@ -125,8 +125,14 @@ class Pref_Prefs extends Handler_Protected {
$old_pw = clean($_POST["old_password"]);
$new_pw = clean($_POST["new_password"]);
+ $new_unclean_pw = $_POST["new_password"];
$con_pw = clean($_POST["confirm_password"]);
+ if ($new_unclean_pw != $new_pw) {
+ print "ERROR: ".format_error("New password contains disallowed characters.");
+ return;
+ }
+
if ($old_pw == $new_pw) {
print "ERROR: ".format_error("New password must be different from the old one.");
return;
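Review bot: The new check at L26 uses loose `!=`, and `$_POST["new_password"]` at L24 is read without a default, so a request missing that field emits an undefined-index notice before the comparison runs; prefer `$new_unclean_pw = $_POST["new_password"] ?? "";` and `if ($new_unclean_pw !== $new_pw) {`. The message says "disallowed characters" but the actual rule is "anything `clean()` alters", which a one-line comment should state, e.g. `// refuse the change rather than silently store a sanitized variant of what the user typed`. The enclosing method begins before this hunk.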
@@ -213,11 +219,9 @@ class Pref_Prefs extends Handler_Protected {
if ($old_email != $email) {
$mailer = new Mailer();
- require_once "lib/MiniTemplator.class.php";
+ $tpl = new Templator();
- $tpl = new MiniTemplator;
-
- $tpl->readTemplateFromFile("templates/mail_change_template.txt");
+ $tpl->readTemplateFromFile("mail_change_template.txt");
$tpl->setVariable('LOGIN', $row["login"]);
$tpl->setVariable('NEWMAIL', $email);
@@ -253,7 +257,7 @@ class Pref_Prefs extends Handler_Protected {
AND owner_uid = :uid");
$sth->execute([":profile" => $_SESSION['profile'], ":uid" => $_SESSION['uid']]);
- initialize_user_prefs($_SESSION["uid"], $_SESSION["profile"]);
+ $this->initialize_user_prefs($_SESSION["uid"], $_SESSION["profile"]);
echo __("Your preferences are now set to default values.");
}
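Review bot: `$this->initialize_user_prefs(...)` at L49 invokes a method that the last hunk of this diff declares `static` through an instance; PHP allows it, but `self::initialize_user_prefs($_SESSION["uid"], $_SESSION["profile"]);` makes the static call explicit and keeps working if the code is ever moved out of instance context. The same applies to the two calls at L78 and L81.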
@@ -382,12 +386,12 @@ class Pref_Prefs extends Handler_Protected {
print "<fieldset>";
print "<label>" . __("New password:") . "</label>";
- print "<input dojoType='dijit.form.ValidationTextBox' type='password' required='1' name='new_password'>";
+ print "<input dojoType='dijit.form.ValidationTextBox' type='password' regexp='^[^<>]+' required='1' name='new_password'>";
print "</fieldset>";
print "<fieldset>";
print "<label>" . __("Confirm password:") . "</label>";
- print "<input dojoType='dijit.form.ValidationTextBox' type='password' required='1' name='confirm_password'>";
+ print "<input dojoType='dijit.form.ValidationTextBox' type='password' regexp='^[^<>]+' required='1' name='confirm_password'>";
print "</fieldset>";
print_hidden("op", "pref-prefs");
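Review bot: The client-side `regexp='^[^<>]+'` on L56 and L61 expresses the rule "no angle brackets", whereas the server side added earlier in this diff rejects any password that `clean()` modifies; if `clean()` does more than strip angle brackets (its body is not visible here), the form will accept input the server then refuses with only the generic "disallowed characters" error. A comment next to the inputs would at least make the coupling visible, e.g. `// keep in sync with the clean() comparison in the password-change handler`. The enclosing method begins before this hunk.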
@@ -479,8 +483,8 @@ class Pref_Prefs extends Handler_Protected {
if (function_exists("imagecreatefromstring")) {
print "<h3>" . __("Scan the following code by the Authenticator application or copy the key manually") . "</h3>";
- $csrf_token = $_SESSION["csrf_token"];
- print "<img alt='otp qr-code' src='backend.php?op=pref-prefs&method=otpqrcode&csrf_token=$csrf_token'>";
+ $csrf_token_hash = sha1($_SESSION["csrf_token"]);
+ print "<img alt='otp qr-code' src='backend.php?op=pref-prefs&method=otpqrcode&csrf_token_hash=$csrf_token_hash'>";
} else {
print_error("PHP GD functions are required to generate QR codes.");
print "<h3>" . __("Use the following OTP key with a compatible Authenticator application") . "</h3>";
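Review bot: The derived `$csrf_token_hash` at L69 is a sound choice for an `<img src>` URL, since the raw session token then never appears in access logs or browser history, but nothing in the code says why a hash is used rather than the token itself; add `// hashed so the raw CSRF token is not exposed in the image URL or server logs` above L69. The value is interpolated into an HTML attribute at L70 unescaped; sha1() output is hex-only so this is safe today, but `htmlspecialchars($csrf_token_hash)` would keep that from depending on the hash function. The enclosing method begins before this hunk.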
@@ -586,9 +590,9 @@ class Pref_Prefs extends Handler_Protected {
if ($profile) {
print_notice(__("Some preferences are only available in default profile."));
- initialize_user_prefs($_SESSION["uid"], $profile);
+ $this->initialize_user_prefs($_SESSION["uid"], $profile);
} else {
- initialize_user_prefs($_SESSION["uid"]);
+ $this->initialize_user_prefs($_SESSION["uid"]);
}
$prefs_available = [];
@@ -854,6 +858,10 @@ class Pref_Prefs extends Handler_Protected {
print_warning("Your PHP configuration has open_basedir restrictions enabled. Some plugins relying on CURL for functionality may not work correctly.");
}
+ if ($_SESSION["safe_mode"]) {
+ print_error("You have logged in using safe mode, no user plugins will be actually enabled until you login again.");
+ }
+
$feed_handler_whitelist = [ "Af_Comics" ];
$feed_handlers = array_merge(
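Review bot: `if ($_SESSION["safe_mode"])` at L87 emits an undefined-index notice for any session that does not carry that key (for example one created before this key existed, or by a login path that does not set it — inferred, not visible here); use `if (!empty($_SESSION["safe_mode"])) {` or `if ($_SESSION["safe_mode"] ?? false) {`. The enclosing method begins before this hunk.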
@@ -862,7 +870,7 @@ class Pref_Prefs extends Handler_Protected {
PluginHost::getInstance()->get_hooks(PluginHost::HOOK_FETCH_FEED));
$feed_handlers = array_filter($feed_handlers, function($plugin) use ($feed_handler_whitelist) {
- return in_array(get_class($plugin), $feed_handler_whitelist) === FALSE; });
+ return in_array(get_class($plugin), $feed_handler_whitelist) === false; });
if (count($feed_handlers) > 0) {
print_error(
@@ -1006,21 +1014,28 @@ class Pref_Prefs extends Handler_Protected {
}
function otpqrcode() {
- require_once "lib/phpqrcode/phpqrcode.php";
+ $csrf_token_hash = clean($_REQUEST["csrf_token_hash"]);
- $sth = $this->pdo->prepare("SELECT login
- FROM ttrss_users
- WHERE id = ?");
- $sth->execute([$_SESSION['uid']]);
+ if (sha1($_SESSION["csrf_token"]) === $csrf_token_hash) {
+ require_once "lib/phpqrcode/phpqrcode.php";
- if ($row = $sth->fetch()) {
- $secret = $this->otpsecret();
- $login = $row['login'];
+ $sth = $this->pdo->prepare("SELECT login
+ FROM ttrss_users
+ WHERE id = ?");
+ $sth->execute([$_SESSION['uid']]);
- if ($secret) {
- QRcode::png("otpauth://totp/".urlencode($login).
- "?secret=$secret&issuer=".urlencode("Tiny Tiny RSS"));
+ if ($row = $sth->fetch()) {
+ $secret = $this->otpsecret();
+ $login = $row['login'];
+
+ if ($secret) {
+ QRcode::png("otpauth://totp/".urlencode($login).
+ "?secret=$secret&issuer=".urlencode("Tiny Tiny RSS"));
+ }
}
+ } else {
+ header("Content-Type: text/json");
+ print error_json(6);
}
}
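Review bot: The comparison at L109 should use `hash_equals()` rather than `===`, because it is the sole check guarding an endpoint that renders the TOTP secret, and `$_REQUEST["csrf_token_hash"]` at L104 needs a default so a bare request does not raise a notice before being rejected. Turning the check into a guard clause also removes a nesting level from the QR generation, and the method should carry a comment stating that it is deliberately on the csrf_ignore list and why. The rest of the method body is unchanged apart from the re-indentation the hunk already shows.
```php
function otpqrcode() {
    // deliberately in csrf_ignore(): this is fetched via <img src>, so the
    // request carries a hash of the session token instead of the token itself
    $csrf_token_hash = clean($_REQUEST["csrf_token_hash"] ?? "");

    if (!hash_equals(sha1($_SESSION["csrf_token"]), $csrf_token_hash)) {
        header("Content-Type: text/json");
        print error_json(6);
        return;
    }

    require_once "lib/phpqrcode/phpqrcode.php";
    // … unchanged: login lookup, otpsecret(), QRcode::png(...) …
}
```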
@@ -1087,11 +1102,9 @@ class Pref_Prefs extends Handler_Protected {
if ($row = $sth->fetch()) {
$mailer = new Mailer();
- require_once "lib/MiniTemplator.class.php";
-
- $tpl = new MiniTemplator;
+ $tpl = new Templator();
- $tpl->readTemplateFromFile("templates/otp_disabled_template.txt");
+ $tpl->readTemplateFromFile("otp_disabled_template.txt");
$tpl->setVariable('LOGIN', $row["login"]);
$tpl->setVariable('TTRSS_HOST', SELF_URL_PATH);
@@ -1307,11 +1320,11 @@ class Pref_Prefs extends Handler_Protected {
print "<td>" . htmlspecialchars($row["title"]) . "</td>";
print "<td align='right' class='text-muted'>";
- print make_local_datetime($row['created'], false);
+ print TimeHelper::make_local_datetime($row['created'], false);
print "</td>";
print "<td align='right' class='text-muted'>";
- print make_local_datetime($row['last_used'], false);
+ print TimeHelper::make_local_datetime($row['last_used'], false);
print "</td>";
print "</tr>";
@@ -1353,4 +1366,57 @@ class Pref_Prefs extends Handler_Protected {
$this->appPasswordList();
}
+
+ static function initialize_user_prefs($uid, $profile = false) {
+
+ if (get_schema_version() < 63) $profile_qpart = "";
+
+ $pdo = Db::pdo();
+ $in_nested_tr = false;
+
+ try {
+ $pdo->beginTransaction();
+ } catch (Exception $e) {
+ $in_nested_tr = true;
+ }
+
+ $sth = $pdo->query("SELECT pref_name,def_value FROM ttrss_prefs");
+
+ if (!is_numeric($profile) || !$profile || get_schema_version() < 63) $profile = null;
+
+ $u_sth = $pdo->prepare("SELECT pref_name
+ FROM ttrss_user_prefs WHERE owner_uid = :uid AND
+ (profile = :profile OR (:profile IS NULL AND profile IS NULL))");
+ $u_sth->execute([':uid' => $uid, ':profile' => $profile]);
+
+ $active_prefs = array();
+
+ while ($line = $u_sth->fetch()) {
+ array_push($active_prefs, $line["pref_name"]);
+ }
+
+ while ($line = $sth->fetch()) {
+ if (array_search($line["pref_name"], $active_prefs) === false) {
+// print "adding " . $line["pref_name"] . "<br>";
+
+ if (get_schema_version() < 63) {
+ $i_sth = $pdo->prepare("INSERT INTO ttrss_user_prefs
+ (owner_uid,pref_name,value) VALUES
+ (?, ?, ?)");
+ $i_sth->execute([$uid, $line["pref_name"], $line["def_value"]]);
+
+ } else {
+ $i_sth = $pdo->prepare("INSERT INTO ttrss_user_prefs
+ (owner_uid,pref_name,value, profile) VALUES
+ (?, ?, ?, ?)");
+ $i_sth->execute([$uid, $line["pref_name"], $line["def_value"], $profile]);
+ }
+
+ }
+ }
+
+ if (!$in_nested_tr) $pdo->commit();
+
+ }
+
}
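Review bot: In the new `initialize_user_prefs()`, `$profile_qpart` at L163 is assigned and never read, `get_schema_version()` is called three times (L163, L176 and L193 inside the loop), and the INSERT statement is re-prepared on every loop iteration at L194/L200; read the version once and prepare once before the loop. `array_search(...) === false` at L190 is clearer as `!in_array(..., true)`, and the commented-out debug `print` at L191 should be deleted. Detecting a nested transaction by catching `Exception` from `beginTransaction()` only works when the connection uses `PDO::ERRMODE_EXCEPTION`, which I cannot verify from this page, so a comment recording that assumption would help; likewise the `:profile` placeholder bound twice at L180 is rejected by PDO when emulated prepares are off, so either use two distinct names or confirm emulation is enabled.
```php
static function initialize_user_prefs($uid, $profile = false) {
    $schema_version = get_schema_version();

    // … unchanged: Db::pdo(), nested-transaction detection, SELECT of default prefs …

    if (!is_numeric($profile) || !$profile || $schema_version < 63) $profile = null;

    // … unchanged: $u_sth query and $active_prefs collection …

    // prepare once; the schema version decides whether the profile column exists
    if ($schema_version < 63) {
        $i_sth = $pdo->prepare("INSERT INTO ttrss_user_prefs
            (owner_uid,pref_name,value) VALUES (?, ?, ?)");
    } else {
        $i_sth = $pdo->prepare("INSERT INTO ttrss_user_prefs
            (owner_uid,pref_name,value,profile) VALUES (?, ?, ?, ?)");
    }

    while ($line = $sth->fetch()) {
        if (in_array($line["pref_name"], $active_prefs, true)) continue;

        $params = [$uid, $line["pref_name"], $line["def_value"]];
        if ($schema_version >= 63) $params[] = $profile;
        $i_sth->execute($params);
    }

    // … unchanged: commit unless nested …
}
```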