blallo/tt-rss
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

fix double-escaping possible with encrypted passwords

Browse source
This commit is contained in:
Andrew Dolgov 2013-04-13 18:58:09 +04:00
parent 5276b7c768
commit 41694a956d
3 changed files with 9 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
classes/pref/feeds.php
View file

@ -932,7 +932,7 @@ class Pref_Feeds extends Handler_Protected {
$feed_ids = db_escape_string($this->link, $_POST["ids"]); /* batchEditSave */
$cat_id = (int) db_escape_string($this->link, $_POST["cat_id"]);
$auth_login = db_escape_string($this->link, trim($_POST["auth_login"]));
$auth_pass = db_escape_string($this->link, trim($_POST["auth_pass"]));
$auth_pass = trim($_POST["auth_pass"]);
$private = checkbox_to_sql_bool(db_escape_string($this->link, $_POST["private"]));
$include_in_digest = checkbox_to_sql_bool(
db_escape_string($this->link, $_POST["include_in_digest"]));
@ -954,6 +954,8 @@ class Pref_Feeds extends Handler_Protected {
$auth_pass_encrypted = 'false';
}
$auth_pass = db_escape_string($this->link, $auth_pass);
if (get_pref($this->link, 'ENABLE_FEED_CATS')) {
if ($cat_id && $cat_id != 0) {
$category_qpart = "cat_id = '$cat_id',";
@ -1842,7 +1844,7 @@ class Pref_Feeds extends Handler_Protected {
$cat_id = db_escape_string($this->link, $_REQUEST['cat']);
$feeds = explode("\n", $_REQUEST['feeds']);
$login = db_escape_string($this->link, $_REQUEST['login']);
$pass = db_escape_string($this->link, $_REQUEST['pass']);
$pass = trim($_REQUEST['pass']);
foreach ($feeds as $feed) {
$feed = db_escape_string($this->link, trim($feed));
@ -1869,6 +1871,8 @@ class Pref_Feeds extends Handler_Protected {
$auth_pass_encrypted = 'false';
}
$pass = db_escape_string($this->link, $pass);
if (db_num_rows($result) == 0) {
$result = db_query($this->link,
"INSERT INTO ttrss_feeds

2
classes/rpc.php
View file

@ -104,7 +104,7 @@ class RPC extends Handler_Protected {
$feed = db_escape_string($this->link, $_REQUEST['feed']);
$cat = db_escape_string($this->link, $_REQUEST['cat']);
$login = db_escape_string($this->link, $_REQUEST['login']);
$pass = db_escape_string($this->link, $_REQUEST['pass']);
$pass = trim($_REQUEST['pass']); // escaped later
$rc = subscribe_to_feed($this->link, $feed, $cat, $login, $pass);

2
include/functions.php
View file

@ -1622,6 +1622,8 @@
$auth_pass_encrypted = 'false';
}
$auth_pass = db_escape_string($this->link, $auth_pass);
if (db_num_rows($result) == 0) {
$result = db_query($link,
"INSERT INTO ttrss_feeds