force strip_tags() on all user input unless explicitly allowed

This commit is contained in:
Andrew Dolgov 2017-12-03 23:35:38 +03:00
parent 7c6f7bb0aa
commit e6532439d6
13 changed files with 286 additions and 275 deletions

View file

@ -26,7 +26,7 @@ class API extends Handler {
return false; return false;
} }
$this->seq = (int) $_REQUEST['seq']; $this->seq = (int) clean($_REQUEST['seq']);
return true; return true;
} }
@ -53,9 +53,9 @@ class API extends Handler {
@session_destroy(); @session_destroy();
@session_start(); @session_start();
$login = $_REQUEST["user"]; $login = clean($_REQUEST["user"]);
$password = $_REQUEST["password"]; $password = clean($_REQUEST["password"]);
$password_base64 = base64_decode($_REQUEST["password"]); $password_base64 = base64_decode(clean($_REQUEST["password"]));
if (SINGLE_USER_MODE) $login = "admin"; if (SINGLE_USER_MODE) $login = "admin";
@ -100,8 +100,8 @@ class API extends Handler {
} }
function getUnread() { function getUnread() {
$feed_id = $_REQUEST["feed_id"]; $feed_id = clean($_REQUEST["feed_id"]);
$is_cat = $_REQUEST["is_cat"]; $is_cat = clean($_REQUEST["is_cat"]);
if ($feed_id) { if ($feed_id) {
$this->wrap(self::STATUS_OK, array("unread" => getFeedUnread($feed_id, $is_cat))); $this->wrap(self::STATUS_OK, array("unread" => getFeedUnread($feed_id, $is_cat)));
@ -116,11 +116,11 @@ class API extends Handler {
} }
function getFeeds() { function getFeeds() {
$cat_id = $_REQUEST["cat_id"]; $cat_id = clean($_REQUEST["cat_id"]);
$unread_only = API::param_to_bool($_REQUEST["unread_only"]); $unread_only = API::param_to_bool(clean($_REQUEST["unread_only"]));
$limit = (int) $_REQUEST["limit"]; $limit = (int) clean($_REQUEST["limit"]);
$offset = (int) $_REQUEST["offset"]; $offset = (int) clean($_REQUEST["offset"]);
$include_nested = API::param_to_bool($_REQUEST["include_nested"]); $include_nested = API::param_to_bool(clean($_REQUEST["include_nested"]));
$feeds = $this->api_get_feeds($cat_id, $unread_only, $limit, $offset, $include_nested); $feeds = $this->api_get_feeds($cat_id, $unread_only, $limit, $offset, $include_nested);
@ -128,9 +128,9 @@ class API extends Handler {
} }
function getCategories() { function getCategories() {
$unread_only = API::param_to_bool($_REQUEST["unread_only"]); $unread_only = API::param_to_bool(clean($_REQUEST["unread_only"]));
$enable_nested = API::param_to_bool($_REQUEST["enable_nested"]); $enable_nested = API::param_to_bool(clean($_REQUEST["enable_nested"]));
$include_empty = API::param_to_bool($_REQUEST['include_empty']); $include_empty = API::param_to_bool(clean($_REQUEST['include_empty']));
// TODO do not return empty categories, return Uncategorized and standard virtual cats // TODO do not return empty categories, return Uncategorized and standard virtual cats
@ -185,39 +185,39 @@ class API extends Handler {
} }
function getHeadlines() { function getHeadlines() {
$feed_id = $_REQUEST["feed_id"]; $feed_id = clean($_REQUEST["feed_id"]);
if ($feed_id != "") { if ($feed_id != "") {
if (is_numeric($feed_id)) $feed_id = (int) $feed_id; if (is_numeric($feed_id)) $feed_id = (int) $feed_id;
$limit = (int)$_REQUEST["limit"]; $limit = (int)clean($_REQUEST["limit"]);
if (!$limit || $limit >= 200) $limit = 200; if (!$limit || $limit >= 200) $limit = 200;
$offset = (int)$_REQUEST["skip"]; $offset = (int)clean($_REQUEST["skip"]);
$filter = $_REQUEST["filter"]; $filter = clean($_REQUEST["filter"]);
$is_cat = API::param_to_bool($_REQUEST["is_cat"]); $is_cat = API::param_to_bool(clean($_REQUEST["is_cat"]));
$show_excerpt = API::param_to_bool($_REQUEST["show_excerpt"]); $show_excerpt = API::param_to_bool(clean($_REQUEST["show_excerpt"]));
$show_content = API::param_to_bool($_REQUEST["show_content"]); $show_content = API::param_to_bool(clean($_REQUEST["show_content"]));
/* all_articles, unread, adaptive, marked, updated */ /* all_articles, unread, adaptive, marked, updated */
$view_mode = $_REQUEST["view_mode"]; $view_mode = clean($_REQUEST["view_mode"]);
$include_attachments = API::param_to_bool($_REQUEST["include_attachments"]); $include_attachments = API::param_to_bool(clean($_REQUEST["include_attachments"]));
$since_id = (int)$_REQUEST["since_id"]; $since_id = (int)clean($_REQUEST["since_id"]);
$include_nested = API::param_to_bool($_REQUEST["include_nested"]); $include_nested = API::param_to_bool(clean($_REQUEST["include_nested"]));
$sanitize_content = !isset($_REQUEST["sanitize"]) || $sanitize_content = !isset($_REQUEST["sanitize"]) ||
API::param_to_bool($_REQUEST["sanitize"]); API::param_to_bool($_REQUEST["sanitize"]);
$force_update = API::param_to_bool($_REQUEST["force_update"]); $force_update = API::param_to_bool(clean($_REQUEST["force_update"]));
$has_sandbox = API::param_to_bool($_REQUEST["has_sandbox"]); $has_sandbox = API::param_to_bool(clean($_REQUEST["has_sandbox"]));
$excerpt_length = (int)$_REQUEST["excerpt_length"]; $excerpt_length = (int)clean($_REQUEST["excerpt_length"]);
$check_first_id = (int)$_REQUEST["check_first_id"]; $check_first_id = (int)clean($_REQUEST["check_first_id"]);
$include_header = API::param_to_bool($_REQUEST["include_header"]); $include_header = API::param_to_bool(clean($_REQUEST["include_header"]));
$_SESSION['hasSandbox'] = $has_sandbox; $_SESSION['hasSandbox'] = $has_sandbox;
$skip_first_id_check = false; $skip_first_id_check = false;
$override_order = false; $override_order = false;
switch ($_REQUEST["order_by"]) { switch (clean($_REQUEST["order_by"])) {
case "title": case "title":
$override_order = "ttrss_entries.title, date_entered, updated"; $override_order = "ttrss_entries.title, date_entered, updated";
break; break;
@ -232,7 +232,7 @@ class API extends Handler {
/* do not rely on params below */ /* do not rely on params below */
$search = $_REQUEST["search"]; $search = clean($_REQUEST["search"]);
list($headlines, $headlines_header) = $this->api_get_headlines($feed_id, $limit, $offset, list($headlines, $headlines_header) = $this->api_get_headlines($feed_id, $limit, $offset,
$filter, $is_cat, $show_excerpt, $show_content, $view_mode, $override_order, $filter, $is_cat, $show_excerpt, $show_content, $view_mode, $override_order,
@ -250,10 +250,10 @@ class API extends Handler {
} }
function updateArticle() { function updateArticle() {
$article_ids = explode(",", $_REQUEST["article_ids"]); $article_ids = explode(",", clean($_REQUEST["article_ids"]));
$mode = (int) $_REQUEST["mode"]; $mode = (int) clean($_REQUEST["mode"]);
$data = $_REQUEST["data"]; $data = clean($_REQUEST["data"]);
$field_raw = (int)$_REQUEST["field"]; $field_raw = (int)clean($_REQUEST["field"]);
$field = ""; $field = "";
$set_to = ""; $set_to = "";
@ -321,7 +321,7 @@ class API extends Handler {
function getArticle() { function getArticle() {
$article_ids = explode(",", $_REQUEST["article_id"]); $article_ids = explode(",", clean($_REQUEST["article_id"]));
$sanitize_content = !isset($_REQUEST["sanitize"]) || $sanitize_content = !isset($_REQUEST["sanitize"]) ||
API::param_to_bool($_REQUEST["sanitize"]); API::param_to_bool($_REQUEST["sanitize"]);
@ -407,7 +407,7 @@ class API extends Handler {
} }
function updateFeed() { function updateFeed() {
$feed_id = (int) $_REQUEST["feed_id"]; $feed_id = (int) clean($_REQUEST["feed_id"]);
if (!ini_get("open_basedir")) { if (!ini_get("open_basedir")) {
RSSUtils::update_rss_feed($feed_id); RSSUtils::update_rss_feed($feed_id);
@ -417,8 +417,8 @@ class API extends Handler {
} }
function catchupFeed() { function catchupFeed() {
$feed_id = $_REQUEST["feed_id"]; $feed_id = clean($_REQUEST["feed_id"]);
$is_cat = $_REQUEST["is_cat"]; $is_cat = clean($_REQUEST["is_cat"]);
Feeds::catchup_feed($feed_id, $is_cat); Feeds::catchup_feed($feed_id, $is_cat);
@ -426,13 +426,13 @@ class API extends Handler {
} }
function getPref() { function getPref() {
$pref_name = $_REQUEST["pref_name"]; $pref_name = clean($_REQUEST["pref_name"]);
$this->wrap(self::STATUS_OK, array("value" => get_pref($pref_name))); $this->wrap(self::STATUS_OK, array("value" => get_pref($pref_name)));
} }
function getLabels() { function getLabels() {
$article_id = (int)$_REQUEST['article_id']; $article_id = (int)clean($_REQUEST['article_id']);
$rv = array(); $rv = array();
@ -469,9 +469,9 @@ class API extends Handler {
function setArticleLabel() { function setArticleLabel() {
$article_ids = explode(",", $_REQUEST["article_ids"]); $article_ids = explode(",", clean($_REQUEST["article_ids"]));
$label_id = (int) $_REQUEST['label_id']; $label_id = (int) clean($_REQUEST['label_id']);
$assign = API::param_to_bool($_REQUEST['assign']); $assign = API::param_to_bool(clean($_REQUEST['assign']));
$label = Labels::find_caption(Labels::feed_to_label_id($label_id), $_SESSION["uid"]); $label = Labels::find_caption(Labels::feed_to_label_id($label_id), $_SESSION["uid"]);
@ -510,9 +510,9 @@ class API extends Handler {
} }
function shareToPublished() { function shareToPublished() {
$title = strip_tags($_REQUEST["title"]); $title = strip_tags(clean($_REQUEST["title"]));
$url = strip_tags($_REQUEST["url"]); $url = strip_tags(clean($_REQUEST["url"]));
$content = strip_tags($_REQUEST["content"]); $content = strip_tags(clean($_REQUEST["content"]));
if (Article::create_published_article($title, $url, $content, "", $_SESSION["uid"])) { if (Article::create_published_article($title, $url, $content, "", $_SESSION["uid"])) {
$this->wrap(self::STATUS_OK, array("status" => 'OK')); $this->wrap(self::STATUS_OK, array("status" => 'OK'));
@ -809,7 +809,7 @@ class API extends Handler {
} }
function unsubscribeFeed() { function unsubscribeFeed() {
$feed_id = (int) $_REQUEST["feed_id"]; $feed_id = (int) clean($_REQUEST["feed_id"]);
$sth = $this->pdo->prepare("SELECT id FROM ttrss_feeds WHERE $sth = $this->pdo->prepare("SELECT id FROM ttrss_feeds WHERE
id = ? AND owner_uid = ?"); id = ? AND owner_uid = ?");
@ -824,10 +824,10 @@ class API extends Handler {
} }
function subscribeToFeed() { function subscribeToFeed() {
$feed_url = $_REQUEST["feed_url"]; $feed_url = clean($_REQUEST["feed_url"]);
$category_id = (int) $_REQUEST["category_id"]; $category_id = (int) clean($_REQUEST["category_id"]);
$login = $_REQUEST["login"]; $login = clean($_REQUEST["login"]);
$password = $_REQUEST["password"]; $password = clean($_REQUEST["password"]);
if ($feed_url) { if ($feed_url) {
$rc = Feeds::subscribe_to_feed($feed_url, $category_id, $login, $password); $rc = Feeds::subscribe_to_feed($feed_url, $category_id, $login, $password);
@ -839,7 +839,7 @@ class API extends Handler {
} }
function getFeedTree() { function getFeedTree() {
$include_empty = API::param_to_bool($_REQUEST['include_empty']); $include_empty = API::param_to_bool(clean($_REQUEST['include_empty']));
$pf = new Pref_Feeds($_REQUEST); $pf = new Pref_Feeds($_REQUEST);

View file

@ -8,7 +8,7 @@ class Article extends Handler_Protected {
} }
function redirect() { function redirect() {
$id = $_REQUEST['id']; $id = clean($_REQUEST['id']);
$sth = $this->pdo->prepare("SELECT link FROM ttrss_entries, ttrss_user_entries $sth = $this->pdo->prepare("SELECT link FROM ttrss_entries, ttrss_user_entries
WHERE id = ? AND id = ref_id AND owner_uid = ? WHERE id = ? AND id = ref_id AND owner_uid = ?
@ -28,9 +28,9 @@ class Article extends Handler_Protected {
} }
function view() { function view() {
$id = $_REQUEST["id"]; $id = clean($_REQUEST["id"]);
$cids = explode(",", $_REQUEST["cids"]); $cids = explode(",", clean($_REQUEST["cids"]));
$mode = $_REQUEST["mode"]; $mode = clean($_REQUEST["mode"]);
// in prefetch mode we only output requested cids, main article // in prefetch mode we only output requested cids, main article
// just gets marked as read (it already exists in client cache) // just gets marked as read (it already exists in client cache)
@ -210,7 +210,7 @@ class Article extends Handler_Protected {
print __("Tags for this article (separated by commas):")."<br>"; print __("Tags for this article (separated by commas):")."<br>";
$param = $_REQUEST['param']; $param = clean($_REQUEST['param']);
$tags = Article::get_article_tags($param); $tags = Article::get_article_tags($param);
@ -241,8 +241,8 @@ class Article extends Handler_Protected {
} }
function setScore() { function setScore() {
$ids = explode(",", $_REQUEST['id']); $ids = explode(",", clean($_REQUEST['id']));
$score = (int)$_REQUEST['score']; $score = (int)clean($_REQUEST['score']);
$ids_qmarks = arr_qmarks($ids); $ids_qmarks = arr_qmarks($ids);
@ -257,7 +257,7 @@ class Article extends Handler_Protected {
} }
function getScore() { function getScore() {
$id = $_REQUEST['id']; $id = clean($_REQUEST['id']);
$sth = $this->pdo->prepare("SELECT score FROM ttrss_user_entries WHERE ref_id = ? AND owner_uid = ?"); $sth = $this->pdo->prepare("SELECT score FROM ttrss_user_entries WHERE ref_id = ? AND owner_uid = ?");
$sth->execute([$id, $_SESSION['uid']]); $sth->execute([$id, $_SESSION['uid']]);
@ -273,9 +273,9 @@ class Article extends Handler_Protected {
function setArticleTags() { function setArticleTags() {
$id = $_REQUEST["id"]; $id = clean($_REQUEST["id"]);
$tags_str = $_REQUEST["tags_str"]; $tags_str = clean($_REQUEST["tags_str"]);
$tags = array_unique(trim_array(explode(",", $tags_str))); $tags = array_unique(trim_array(explode(",", $tags_str)));
$this->pdo->beginTransaction(); $this->pdo->beginTransaction();
@ -342,7 +342,7 @@ class Article extends Handler_Protected {
function completeTags() { function completeTags() {
$search = $_REQUEST["search"]; $search = clean($_REQUEST["search"]);
$sth = $this->pdo->prepare("SELECT DISTINCT tag_name FROM ttrss_tags $sth = $this->pdo->prepare("SELECT DISTINCT tag_name FROM ttrss_tags
WHERE owner_uid = ? AND WHERE owner_uid = ? AND
@ -369,8 +369,8 @@ class Article extends Handler_Protected {
private function labelops($assign) { private function labelops($assign) {
$reply = array(); $reply = array();
$ids = explode(",", $_REQUEST["ids"]); $ids = explode(",", clean($_REQUEST["ids"]));
$label_id = $_REQUEST["lid"]; $label_id = clean($_REQUEST["lid"]);
$label = db_escape_string(Labels::find_caption($label_id, $label = db_escape_string(Labels::find_caption($label_id,
$_SESSION["uid"])); $_SESSION["uid"]));

View file

@ -84,7 +84,7 @@ class Backend extends Handler {
} }
function help() { function help() {
$topic = basename($_REQUEST["topic"]); $topic = basename(clean($_REQUEST["topic"]));
switch ($topic) { switch ($topic) {
case "main": case "main":

View file

@ -139,7 +139,7 @@ class Handler_Public extends Handler {
$tpl->addBlock('feed'); $tpl->addBlock('feed');
$tpl->generateOutputToString($tmp); $tpl->generateOutputToString($tmp);
if (@!$_REQUEST["noxml"]) { if (@!clean($_REQUEST["noxml"])) {
header("Content-Type: text/xml; charset=utf-8"); header("Content-Type: text/xml; charset=utf-8");
} else { } else {
header("Content-Type: text/plain; charset=utf-8"); header("Content-Type: text/plain; charset=utf-8");
@ -219,8 +219,8 @@ class Handler_Public extends Handler {
} }
function getUnread() { function getUnread() {
$login = $_REQUEST["login"]; $login = clean($_REQUEST["login"]);
$fresh = $_REQUEST["fresh"] == "1"; $fresh = clean($_REQUEST["fresh"]) == "1";
$sth = $this->pdo->prepare("SELECT id FROM ttrss_users WHERE login = ?"); $sth = $this->pdo->prepare("SELECT id FROM ttrss_users WHERE login = ?");
$sth->execute([$login]); $sth->execute([$login]);
@ -241,7 +241,7 @@ class Handler_Public extends Handler {
} }
function getProfiles() { function getProfiles() {
$login = $_REQUEST["login"]; $login = clean($_REQUEST["login"]);
$sth = $this->pdo->prepare("SELECT ttrss_settings_profiles.* FROM ttrss_settings_profiles,ttrss_users $sth = $this->pdo->prepare("SELECT ttrss_settings_profiles.* FROM ttrss_settings_profiles,ttrss_users
WHERE ttrss_users.id = ttrss_settings_profiles.owner_uid AND login = ? ORDER BY title"); WHERE ttrss_users.id = ttrss_settings_profiles.owner_uid AND login = ? ORDER BY title");
@ -267,7 +267,7 @@ class Handler_Public extends Handler {
} }
function share() { function share() {
$uuid = $_REQUEST["key"]; $uuid = clean($_REQUEST["key"]);
$sth = $this->pdo->prepare("SELECT ref_id, owner_uid FROM ttrss_user_entries WHERE $sth = $this->pdo->prepare("SELECT ref_id, owner_uid FROM ttrss_user_entries WHERE
uuid = ?"); uuid = ?");
@ -290,19 +290,19 @@ class Handler_Public extends Handler {
} }
function rss() { function rss() {
$feed = $_REQUEST["id"]; $feed = clean($_REQUEST["id"]);
$key = $_REQUEST["key"]; $key = clean($_REQUEST["key"]);
$is_cat = $_REQUEST["is_cat"]; $is_cat = clean($_REQUEST["is_cat"]);
$limit = (int)$_REQUEST["limit"]; $limit = (int)clean($_REQUEST["limit"]);
$offset = (int)$_REQUEST["offset"]; $offset = (int)clean($_REQUEST["offset"]);
$search = $_REQUEST["q"]; $search = clean($_REQUEST["q"]);
$view_mode = $_REQUEST["view-mode"]; $view_mode = clean($_REQUEST["view-mode"]);
$order = $_REQUEST["order"]; $order = clean($_REQUEST["order"]);
$start_ts = $_REQUEST["ts"]; $start_ts = clean($_REQUEST["ts"]);
$format = $_REQUEST['format']; $format = clean($_REQUEST['format']);
$orig_guid = $_REQUEST["orig_guid"]; $orig_guid = clean($_REQUEST["orig_guid"]);
if (!$format) $format = 'atom'; if (!$format) $format = 'atom';
@ -359,16 +359,16 @@ class Handler_Public extends Handler {
print "<meta http-equiv=\"Content-Type\" content=\"text/html; charset=utf-8\"/> print "<meta http-equiv=\"Content-Type\" content=\"text/html; charset=utf-8\"/>
</head><body id='sharepopup' class='ttrss_utility'>"; </head><body id='sharepopup' class='ttrss_utility'>";
$action = $_REQUEST["action"]; $action = clean($_REQUEST["action"]);
if ($_SESSION["uid"]) { if ($_SESSION["uid"]) {
if ($action == 'share') { if ($action == 'share') {
$title = strip_tags($_REQUEST["title"]); $title = strip_tags(clean($_REQUEST["title"]));
$url = strip_tags($_REQUEST["url"]); $url = strip_tags(clean($_REQUEST["url"]));
$content = strip_tags($_REQUEST["content"]); $content = strip_tags(clean($_REQUEST["content"]));
$labels = strip_tags($_REQUEST["labels"]); $labels = strip_tags(clean($_REQUEST["labels"]));
Article::create_published_article($title, $url, $content, $labels, Article::create_published_article($title, $url, $content, $labels,
$_SESSION["uid"]); $_SESSION["uid"]);
@ -378,8 +378,8 @@ class Handler_Public extends Handler {
print "</script>"; print "</script>";
} else { } else {
$title = htmlspecialchars($_REQUEST["title"]); $title = htmlspecialchars(clean($_REQUEST["title"]));
$url = htmlspecialchars($_REQUEST["url"]); $url = htmlspecialchars(clean($_REQUEST["url"]));
?> ?>
@ -466,9 +466,9 @@ class Handler_Public extends Handler {
function login() { function login() {
if (!SINGLE_USER_MODE) { if (!SINGLE_USER_MODE) {
$login = $_POST["login"]; $login = clean($_POST["login"]);
$password = $_POST["password"]; $password = clean($_POST["password"]);
$remember_me = $_POST["remember_me"]; $remember_me = clean($_POST["remember_me"]);
if ($remember_me) { if ($remember_me) {
session_set_cookie_params(SESSION_COOKIE_LIFETIME); session_set_cookie_params(SESSION_COOKIE_LIFETIME);
@ -486,11 +486,11 @@ class Handler_Public extends Handler {
} }
$_SESSION["ref_schema_version"] = get_schema_version(true); $_SESSION["ref_schema_version"] = get_schema_version(true);
$_SESSION["bw_limit"] = !!$_POST["bw_limit"]; $_SESSION["bw_limit"] = !!clean($_POST["bw_limit"]);
if ($_POST["profile"]) { if (clean($_POST["profile"])) {
$profile = $_POST["profile"]; $profile = clean($_POST["profile"]);
$sth = $this->pdo->prepare("SELECT id FROM ttrss_settings_profiles $sth = $this->pdo->prepare("SELECT id FROM ttrss_settings_profiles
WHERE id = ? AND owner_uid = ?"); WHERE id = ? AND owner_uid = ?");
@ -505,8 +505,8 @@ class Handler_Public extends Handler {
user_error("Failed login attempt for $login from {$_SERVER['REMOTE_ADDR']}", E_USER_WARNING); user_error("Failed login attempt for $login from {$_SERVER['REMOTE_ADDR']}", E_USER_WARNING);
} }
if ($_REQUEST['return']) { if (clean($_REQUEST['return'])) {
header("Location: " . $_REQUEST['return']); header("Location: " . clean($_REQUEST['return']));
} else { } else {
header("Location: " . get_self_url_prefix()); header("Location: " . get_self_url_prefix());
} }
@ -516,7 +516,7 @@ class Handler_Public extends Handler {
/* function subtest() { /* function subtest() {
header("Content-type: text/plain; charset=utf-8"); header("Content-type: text/plain; charset=utf-8");
$url = $_REQUEST["url"]; $url = clean($_REQUEST["url"]);
print "$url\n\n"; print "$url\n\n";
@ -532,7 +532,7 @@ class Handler_Public extends Handler {
if ($_SESSION["uid"]) { if ($_SESSION["uid"]) {
$feed_url = trim($_REQUEST["feed_url"]); $feed_url = trim(clean($_REQUEST["feed_url"]));
header('Content-Type: text/html; charset=utf-8'); header('Content-Type: text/html; charset=utf-8');
print "<html> print "<html>
@ -638,7 +638,7 @@ class Handler_Public extends Handler {
function forgotpass() { function forgotpass() {
startup_gettext(); startup_gettext();
@$hash = $_REQUEST["hash"]; @$hash = clean($_REQUEST["hash"]);
header('Content-Type: text/html; charset=utf-8'); header('Content-Type: text/html; charset=utf-8');
print "<html><head><title>Tiny Tiny RSS</title> print "<html><head><title>Tiny Tiny RSS</title>
@ -656,10 +656,10 @@ class Handler_Public extends Handler {
print "<h1>".__("Password recovery")."</h1>"; print "<h1>".__("Password recovery")."</h1>";
print "<div class='content'>"; print "<div class='content'>";
@$method = $_POST['method']; @$method = clean($_POST['method']);
if ($hash) { if ($hash) {
$login = $_REQUEST["login"]; $login = clean($_REQUEST["login"]);
if ($login) { if ($login) {
$sth = $this->pdo->prepare("SELECT id, resetpass_token FROM ttrss_users $sth = $this->pdo->prepare("SELECT id, resetpass_token FROM ttrss_users
@ -725,9 +725,9 @@ class Handler_Public extends Handler {
print "</form>"; print "</form>";
} else if ($method == 'do') { } else if ($method == 'do') {
$login = $_POST["login"]; $login = clean($_POST["login"]);
$email = $_POST["email"]; $email = clean($_POST["email"]);
$test = $_POST["test"]; $test = clean($_POST["test"]);
if (($test != 4 && $test != 'four') || !$email || !$login) { if (($test != 4 && $test != 'four') || !$email || !$login) {
print_error(__('Some of the required form parameters are missing or incorrect.')); print_error(__('Some of the required form parameters are missing or incorrect.'));
@ -852,7 +852,7 @@ class Handler_Public extends Handler {
<div class="content"> <div class="content">
<?php <?php
@$op = $_REQUEST["subop"]; @$op = clean($_REQUEST["subop"]);
$updater = new DbUpdater(Db::pdo(), DB_TYPE, SCHEMA_VERSION); $updater = new DbUpdater(Db::pdo(), DB_TYPE, SCHEMA_VERSION);
if ($op == "performupdate") { if ($op == "performupdate") {
@ -968,8 +968,8 @@ class Handler_Public extends Handler {
public function pluginhandler() { public function pluginhandler() {
$host = new PluginHost(); $host = new PluginHost();
$plugin = basename($_REQUEST["plugin"]); $plugin = basename(clean($_REQUEST["plugin"]));
$method = $_REQUEST["pmethod"]; $method = clean($_REQUEST["pmethod"]);
$host->load($plugin, PluginHost::KIND_USER, 0); $host->load($plugin, PluginHost::KIND_USER, 0);
$host->load_data(); $host->load_data();

View file

@ -5,7 +5,7 @@ class PluginHandler extends Handler_Protected {
} }
function catchall($method) { function catchall($method) {
$plugin = PluginHost::getInstance()->get_plugin($_REQUEST["plugin"]); $plugin = PluginHost::getInstance()->get_plugin(clean($_REQUEST["plugin"]));
if ($plugin) { if ($plugin) {
if (method_exists($plugin, $method)) { if (method_exists($plugin, $method)) {

View file

@ -17,8 +17,8 @@ class Pref_Feeds extends Handler_Protected {
} }
function renamecat() { function renamecat() {
$title = $_REQUEST['title']; $title = clean($_REQUEST['title']);
$id = $_REQUEST['id']; $id = clean($_REQUEST['id']);
if ($title) { if ($title) {
$sth = $this->pdo->prepare("UPDATE ttrss_feed_categories SET $sth = $this->pdo->prepare("UPDATE ttrss_feed_categories SET
@ -29,14 +29,14 @@ class Pref_Feeds extends Handler_Protected {
private function get_category_items($cat_id) { private function get_category_items($cat_id) {
if ($_REQUEST['mode'] != 2) if (clean($_REQUEST['mode']) != 2)
$search = $_SESSION["prefs_feed_search"]; $search = $_SESSION["prefs_feed_search"];
else else
$search = ""; $search = "";
// first one is set by API // first one is set by API
$show_empty_cats = $_REQUEST['force_show_empty'] || $show_empty_cats = clean($_REQUEST['force_show_empty']) ||
($_REQUEST['mode'] != 2 && !$search); (clean($_REQUEST['mode']) != 2 && !$search);
$items = array(); $items = array();
@ -103,7 +103,7 @@ class Pref_Feeds extends Handler_Protected {
function makefeedtree() { function makefeedtree() {
if ($_REQUEST['mode'] != 2) if (clean($_REQUEST['mode']) != 2)
$search = $_SESSION["prefs_feed_search"]; $search = $_SESSION["prefs_feed_search"];
else else
$search = ""; $search = "";
@ -116,7 +116,7 @@ class Pref_Feeds extends Handler_Protected {
$enable_cats = get_pref('ENABLE_FEED_CATS'); $enable_cats = get_pref('ENABLE_FEED_CATS');
if ($_REQUEST['mode'] == 2) { if (clean($_REQUEST['mode']) == 2) {
if ($enable_cats) { if ($enable_cats) {
$cat = $this->feedlist_init_cat(-1); $cat = $this->feedlist_init_cat(-1);
@ -193,8 +193,8 @@ class Pref_Feeds extends Handler_Protected {
} }
if ($enable_cats) { if ($enable_cats) {
$show_empty_cats = $_REQUEST['force_show_empty'] || $show_empty_cats = clean($_REQUEST['force_show_empty']) ||
($_REQUEST['mode'] != 2 && !$search); (clean($_REQUEST['mode']) != 2 && !$search);
$sth = $this->pdo->prepare("SELECT id, title FROM ttrss_feed_categories $sth = $this->pdo->prepare("SELECT id, title FROM ttrss_feed_categories
WHERE owner_uid = ? AND parent_cat IS NULL ORDER BY order_id, title"); WHERE owner_uid = ? AND parent_cat IS NULL ORDER BY order_id, title");
@ -303,7 +303,7 @@ class Pref_Feeds extends Handler_Protected {
$fl['identifier'] = 'id'; $fl['identifier'] = 'id';
$fl['label'] = 'name'; $fl['label'] = 'name';
if ($_REQUEST['mode'] != 2) { if (clean($_REQUEST['mode']) != 2) {
$fl['items'] = array($root); $fl['items'] = array($root);
} else { } else {
$fl['items'] = $root['items']; $fl['items'] = $root['items'];
@ -389,9 +389,9 @@ class Pref_Feeds extends Handler_Protected {
} }
function savefeedorder() { function savefeedorder() {
$data = json_decode($_POST['payload'], true); $data = json_decode(clean($_POST['payload']), true);
#file_put_contents("/tmp/saveorder.json", $_POST['payload']); #file_put_contents("/tmp/saveorder.json", clean($_POST['payload']));
#$data = json_decode(file_get_contents("/tmp/saveorder.json"), true); #$data = json_decode(file_get_contents("/tmp/saveorder.json"), true);
if (!is_array($data['items'])) if (!is_array($data['items']))
@ -425,7 +425,7 @@ class Pref_Feeds extends Handler_Protected {
} }
function removeicon() { function removeicon() {
$feed_id = $_REQUEST["feed_id"]; $feed_id = clean($_REQUEST["feed_id"]);
$sth = $this->pdo->prepare("SELECT id FROM ttrss_feeds $sth = $this->pdo->prepare("SELECT id FROM ttrss_feeds
WHERE id = ? AND owner_uid = ?"); WHERE id = ? AND owner_uid = ?");
@ -457,7 +457,7 @@ class Pref_Feeds extends Handler_Protected {
} }
$icon_file = $tmp_file; $icon_file = $tmp_file;
$feed_id = $_REQUEST["feed_id"]; $feed_id = clean($_REQUEST["feed_id"]);
if (is_file($icon_file) && $feed_id) { if (is_file($icon_file) && $feed_id) {
if (filesize($icon_file) < 65535) { if (filesize($icon_file) < 65535) {
@ -500,7 +500,7 @@ class Pref_Feeds extends Handler_Protected {
global $update_intervals; global $update_intervals;
$feed_id = $_REQUEST["id"]; $feed_id = clean($_REQUEST["id"]);
$sth = $this->pdo->prepare("SELECT * FROM ttrss_feeds WHERE id = ? AND $sth = $this->pdo->prepare("SELECT * FROM ttrss_feeds WHERE id = ? AND
owner_uid = ?"); owner_uid = ?");
@ -775,7 +775,7 @@ class Pref_Feeds extends Handler_Protected {
global $purge_intervals; global $purge_intervals;
global $update_intervals; global $update_intervals;
$feed_ids = $_REQUEST["ids"]; $feed_ids = clean($_REQUEST["ids"]);
print_notice("Enable the options you wish to apply using checkboxes on the right:"); print_notice("Enable the options you wish to apply using checkboxes on the right:");
@ -924,32 +924,32 @@ class Pref_Feeds extends Handler_Protected {
function editsaveops($batch) { function editsaveops($batch) {
$feed_title = trim($_POST["title"]); $feed_title = trim(clean($_POST["title"]));
$feed_url = trim($_POST["feed_url"]); $feed_url = trim(clean($_POST["feed_url"]));
$upd_intl = (int) $_POST["update_interval"]; $upd_intl = (int) clean($_POST["update_interval"]);
$purge_intl = (int) $_POST["purge_interval"]; $purge_intl = (int) clean($_POST["purge_interval"]);
$feed_id = (int) $_POST["id"]; /* editSave */ $feed_id = (int) clean($_POST["id"]); /* editSave */
$feed_ids = explode(",", $_POST["ids"]); /* batchEditSave */ $feed_ids = explode(",", clean($_POST["ids"])); /* batchEditSave */
$cat_id = (int) $_POST["cat_id"]; $cat_id = (int) clean($_POST["cat_id"]);
$auth_login = trim($_POST["auth_login"]); $auth_login = trim(clean($_POST["auth_login"]));
$auth_pass = trim($_POST["auth_pass"]); $auth_pass = trim(clean($_POST["auth_pass"]));
$private = checkbox_to_sql_bool($_POST["private"]); $private = checkbox_to_sql_bool(clean($_POST["private"]));
$include_in_digest = checkbox_to_sql_bool( $include_in_digest = checkbox_to_sql_bool(
$_POST["include_in_digest"]); clean($_POST["include_in_digest"]));
$cache_images = checkbox_to_sql_bool( $cache_images = checkbox_to_sql_bool(
$_POST["cache_images"]); clean($_POST["cache_images"]));
$hide_images = checkbox_to_sql_bool( $hide_images = checkbox_to_sql_bool(
$_POST["hide_images"]); clean($_POST["hide_images"]));
$always_display_enclosures = checkbox_to_sql_bool( $always_display_enclosures = checkbox_to_sql_bool(
$_POST["always_display_enclosures"]); clean($_POST["always_display_enclosures"]));
$mark_unread_on_update = checkbox_to_sql_bool( $mark_unread_on_update = checkbox_to_sql_bool(
$_POST["mark_unread_on_update"]); clean($_POST["mark_unread_on_update"]));
$feed_language = trim($_POST["feed_language"]); $feed_language = trim(clean($_POST["feed_language"]));
if (!$batch) { if (!$batch) {
if ($_POST["need_auth"] !== 'on') { if (clean($_POST["need_auth"]) !== 'on') {
$auth_login = ''; $auth_login = '';
$auth_pass = ''; $auth_pass = '';
} }
@ -1008,7 +1008,7 @@ class Pref_Feeds extends Handler_Protected {
foreach (array_keys($_POST) as $k) { foreach (array_keys($_POST) as $k) {
if ($k != "op" && $k != "method" && $k != "ids") { if ($k != "op" && $k != "method" && $k != "ids") {
$feed_data[$k] = $_POST[$k]; $feed_data[$k] = clean($_POST[$k]);
} }
} }
@ -1102,7 +1102,7 @@ class Pref_Feeds extends Handler_Protected {
function remove() { function remove() {
$ids = explode(",", $_REQUEST["ids"]); $ids = explode(",", clean($_REQUEST["ids"]));
foreach ($ids as $id) { foreach ($ids as $id) {
Pref_Feeds::remove_feed($id, $_SESSION["uid"]); Pref_Feeds::remove_feed($id, $_SESSION["uid"]);
@ -1112,14 +1112,14 @@ class Pref_Feeds extends Handler_Protected {
} }
function removeCat() { function removeCat() {
$ids = explode(",", $_REQUEST["ids"]); $ids = explode(",", clean($_REQUEST["ids"]));
foreach ($ids as $id) { foreach ($ids as $id) {
$this->remove_feed_category($id, $_SESSION["uid"]); $this->remove_feed_category($id, $_SESSION["uid"]);
} }
} }
function addCat() { function addCat() {
$feed_cat = trim($_REQUEST["cat"]); $feed_cat = trim(clean($_REQUEST["cat"]));
add_feed_category($feed_cat); add_feed_category($feed_cat);
} }
@ -1152,7 +1152,7 @@ class Pref_Feeds extends Handler_Protected {
onclick=\"showInactiveFeeds()\">" . onclick=\"showInactiveFeeds()\">" .
__("Inactive feeds") . "</button>"; __("Inactive feeds") . "</button>";
$feed_search = $_REQUEST["search"]; $feed_search = clean($_REQUEST["search"]);
if (array_key_exists("search", $_REQUEST)) { if (array_key_exists("search", $_REQUEST)) {
$_SESSION["prefs_feed_search"] = $feed_search; $_SESSION["prefs_feed_search"] = $feed_search;
@ -1675,10 +1675,10 @@ class Pref_Feeds extends Handler_Protected {
} }
function batchAddFeeds() { function batchAddFeeds() {
$cat_id = $_REQUEST['cat']; $cat_id = clean($_REQUEST['cat']);
$feeds = explode("\n", $_REQUEST['feeds']); $feeds = explode("\n", clean($_REQUEST['feeds']));
$login = $_REQUEST['login']; $login = clean($_REQUEST['login']);
$pass = trim($_REQUEST['pass']); $pass = trim(clean($_REQUEST['pass']));
foreach ($feeds as $feed) { foreach ($feeds as $feed) {
$feed = trim($feed); $feed = trim($feed);
@ -1714,8 +1714,8 @@ class Pref_Feeds extends Handler_Protected {
} }
function regenFeedKey() { function regenFeedKey() {
$feed_id = $_REQUEST['id']; $feed_id = clean($_REQUEST['id']);
$is_cat = $_REQUEST['is_cat'] == "true"; $is_cat = clean($_REQUEST['is_cat']) == "true";
$new_key = $this->update_feed_access_key($feed_id, $is_cat); $new_key = $this->update_feed_access_key($feed_id, $is_cat);

View file

@ -16,9 +16,9 @@ class Pref_Filters extends Handler_Protected {
} }
function savefilterorder() { function savefilterorder() {
$data = json_decode($_POST['payload'], true); $data = json_decode(clean($_POST['payload']), true);
#file_put_contents("/tmp/saveorder.json", $_POST['payload']); #file_put_contents("/tmp/saveorder.json", clean($_POST['payload']));
#$data = json_decode(file_get_contents("/tmp/saveorder.json"), true); #$data = json_decode(file_get_contents("/tmp/saveorder.json"), true);
if (!is_array($data['items'])) if (!is_array($data['items']))
@ -46,14 +46,14 @@ class Pref_Filters extends Handler_Protected {
} }
function testFilterDo() { function testFilterDo() {
$offset = (int) $_REQUEST["offset"]; $offset = (int) clean($_REQUEST["offset"]);
$limit = (int) $_REQUEST["limit"]; $limit = (int) clean($_REQUEST["limit"]);
$filter = array(); $filter = array();
$filter["enabled"] = true; $filter["enabled"] = true;
$filter["match_any_rule"] = checkbox_to_sql_bool($_REQUEST["match_any_rule"]); $filter["match_any_rule"] = checkbox_to_sql_bool(clean($_REQUEST["match_any_rule"]));
$filter["inverse"] = checkbox_to_sql_bool($_REQUEST["inverse"]); $filter["inverse"] = checkbox_to_sql_bool(clean($_REQUEST["inverse"]));
$filter["rules"] = array(); $filter["rules"] = array();
$filter["actions"] = array("dummy-action"); $filter["actions"] = array("dummy-action");
@ -68,7 +68,7 @@ class Pref_Filters extends Handler_Protected {
$scope_qparts = array(); $scope_qparts = array();
$rctr = 0; $rctr = 0;
foreach ($_REQUEST["rule"] AS $r) { foreach (clean($_REQUEST["rule"]) AS $r) {
$rule = json_decode($r, true); $rule = json_decode($r, true);
if ($rule && $rctr < 5) { if ($rule && $rctr < 5) {
@ -354,7 +354,7 @@ class Pref_Filters extends Handler_Protected {
function edit() { function edit() {
$filter_id = $_REQUEST["id"]; $filter_id = clean($_REQUEST["id"]);
$sth = $this->pdo->prepare("SELECT * FROM ttrss_filters2 $sth = $this->pdo->prepare("SELECT * FROM ttrss_filters2
WHERE id = ? AND owner_uid = ?"); WHERE id = ? AND owner_uid = ?");
@ -533,7 +533,7 @@ class Pref_Filters extends Handler_Protected {
} }
private function getRuleName($rule) { private function getRuleName($rule) {
if (!$rule) $rule = json_decode($_REQUEST["rule"], true); if (!$rule) $rule = json_decode(clean($_REQUEST["rule"]), true);
$feeds = $rule["feed_id"]; $feeds = $rule["feed_id"];
$feeds_fmt = []; $feeds_fmt = [];
@ -573,7 +573,7 @@ class Pref_Filters extends Handler_Protected {
} }
function printRuleName() { function printRuleName() {
print $this->getRuleName(json_decode($_REQUEST["rule"], true)); print $this->getRuleName(json_decode(clean($_REQUEST["rule"]), true));
} }
private function getActionName($action) { private function getActionName($action) {
@ -611,19 +611,19 @@ class Pref_Filters extends Handler_Protected {
} }
function printActionName() { function printActionName() {
print $this->getActionName(json_decode($_REQUEST["action"], true)); print $this->getActionName(json_decode(clean($_REQUEST["action"]), true));
} }
function editSave() { function editSave() {
if ($_REQUEST["savemode"] && $_REQUEST["savemode"] == "test") { if (clean($_REQUEST["savemode"] && $_REQUEST["savemode"]) == "test") {
return $this->testFilter(); return $this->testFilter();
} }
$filter_id = $_REQUEST["id"]; $filter_id = clean($_REQUEST["id"]);
$enabled = checkbox_to_sql_bool($_REQUEST["enabled"]); $enabled = checkbox_to_sql_bool(clean($_REQUEST["enabled"]));
$match_any_rule = checkbox_to_sql_bool($_REQUEST["match_any_rule"]); $match_any_rule = checkbox_to_sql_bool(clean($_REQUEST["match_any_rule"]));
$inverse = checkbox_to_sql_bool($_REQUEST["inverse"]); $inverse = checkbox_to_sql_bool(clean($_REQUEST["inverse"]));
$title = $_REQUEST["title"]; $title = clean($_REQUEST["title"]);
$this->pdo->beginTransaction(); $this->pdo->beginTransaction();
@ -642,7 +642,7 @@ class Pref_Filters extends Handler_Protected {
function remove() { function remove() {
$ids = explode(",", $_REQUEST["ids"]); $ids = explode(",", clean($_REQUEST["ids"]));
$ids_qmarks = arr_qmarks($ids); $ids_qmarks = arr_qmarks($ids);
$sth = $this->pdo->prepare("DELETE FROM ttrss_filters2 WHERE id IN ($ids_qmarks) $sth = $this->pdo->prepare("DELETE FROM ttrss_filters2 WHERE id IN ($ids_qmarks)
@ -659,8 +659,8 @@ class Pref_Filters extends Handler_Protected {
$sth = $this->pdo->prepare("DELETE FROM ttrss_filters2_actions WHERE filter_id = ?"); $sth = $this->pdo->prepare("DELETE FROM ttrss_filters2_actions WHERE filter_id = ?");
$sth->execute([$filter_id]); $sth->execute([$filter_id]);
if (!is_array($_REQUEST["rule"])) $_REQUEST["rule"] = []; if (!is_array(clean($_REQUEST["rule"]))) $_REQUEST["rule"] = [];
if (!is_array($_REQUEST["action"])) $_REQUEST["action"] = []; if (!is_array(clean($_REQUEST["action"]))) $_REQUEST["action"] = [];
if ($filter_id) { if ($filter_id) {
/* create rules */ /* create rules */
@ -668,7 +668,7 @@ class Pref_Filters extends Handler_Protected {
$rules = array(); $rules = array();
$actions = array(); $actions = array();
foreach ($_REQUEST["rule"] as $rule) { foreach (clean($_REQUEST["rule"]) as $rule) {
$rule = json_decode($rule, true); $rule = json_decode($rule, true);
unset($rule["id"]); unset($rule["id"]);
@ -677,7 +677,7 @@ class Pref_Filters extends Handler_Protected {
} }
} }
foreach ($_REQUEST["action"] as $action) { foreach (clean($_REQUEST["action"]) as $action) {
$action = json_decode($action, true); $action = json_decode($action, true);
unset($action["id"]); unset($action["id"]);
@ -729,14 +729,14 @@ class Pref_Filters extends Handler_Protected {
} }
function add() { function add() {
if ($_REQUEST["savemode"] && $_REQUEST["savemode"] == "test") { if (clean($_REQUEST["savemode"] && $_REQUEST["savemode"]) == "test") {
return $this->testFilter(); return $this->testFilter();
} }
$enabled = checkbox_to_sql_bool($_REQUEST["enabled"]); $enabled = checkbox_to_sql_bool(clean($_REQUEST["enabled"]));
$match_any_rule = checkbox_to_sql_bool($_REQUEST["match_any_rule"]); $match_any_rule = checkbox_to_sql_bool(clean($_REQUEST["match_any_rule"]));
$title = $_REQUEST["title"]; $title = clean($_REQUEST["title"]);
$inverse = checkbox_to_sql_bool($_REQUEST["inverse"]); $inverse = checkbox_to_sql_bool(clean($_REQUEST["inverse"]));
$this->pdo->beginTransaction(); $this->pdo->beginTransaction();
@ -762,7 +762,7 @@ class Pref_Filters extends Handler_Protected {
function index() { function index() {
$filter_search = $_REQUEST["search"]; $filter_search = clean($_REQUEST["search"]);
if (array_key_exists("search", $_REQUEST)) { if (array_key_exists("search", $_REQUEST)) {
$_SESSION["prefs_filter_search"] = $filter_search; $_SESSION["prefs_filter_search"] = $filter_search;
@ -948,7 +948,7 @@ class Pref_Filters extends Handler_Protected {
} }
function newrule() { function newrule() {
$rule = json_decode($_REQUEST["rule"], true); $rule = json_decode(clean($_REQUEST["rule"]), true);
if ($rule) { if ($rule) {
$reg_exp = htmlspecialchars($rule["reg_exp"]); $reg_exp = htmlspecialchars($rule["reg_exp"]);
@ -1022,7 +1022,7 @@ class Pref_Filters extends Handler_Protected {
} }
function newaction() { function newaction() {
$action = json_decode($_REQUEST["action"], true); $action = json_decode(clean($_REQUEST["action"]), true);
if ($action) { if ($action) {
$action_param = $action["action_param"]; $action_param = $action["action_param"];
@ -1159,7 +1159,7 @@ class Pref_Filters extends Handler_Protected {
} }
function join() { function join() {
$ids = explode(",", $_REQUEST["ids"]); $ids = explode(",", clean($_REQUEST["ids"]));
if (count($ids) > 1) { if (count($ids) > 1) {
$base_id = array_shift($ids); $base_id = array_shift($ids);

View file

@ -8,7 +8,7 @@ class Pref_Labels extends Handler_Protected {
} }
function edit() { function edit() {
$label_id = $_REQUEST['id']; $label_id = clean($_REQUEST['id']);
$sth = $this->pdo->prepare("SELECT * FROM ttrss_labels2 WHERE $sth = $this->pdo->prepare("SELECT * FROM ttrss_labels2 WHERE
id = ? AND owner_uid = ?"); id = ? AND owner_uid = ?");
@ -119,11 +119,11 @@ class Pref_Labels extends Handler_Protected {
} }
function colorset() { function colorset() {
$kind = $_REQUEST["kind"]; $kind = clean($_REQUEST["kind"]);
$ids = explode(',', $_REQUEST["ids"]); $ids = explode(',', clean($_REQUEST["ids"]));
$color = $_REQUEST["color"]; $color = clean($_REQUEST["color"]);
$fg = $_REQUEST["fg"]; $fg = clean($_REQUEST["fg"]);
$bg = $_REQUEST["bg"]; $bg = clean($_REQUEST["bg"]);
foreach ($ids as $id) { foreach ($ids as $id) {
@ -154,7 +154,7 @@ class Pref_Labels extends Handler_Protected {
} }
function colorreset() { function colorreset() {
$ids = explode(',', $_REQUEST["ids"]); $ids = explode(',', clean($_REQUEST["ids"]));
foreach ($ids as $id) { foreach ($ids as $id) {
$sth = $this->pdo->prepare("UPDATE ttrss_labels2 SET $sth = $this->pdo->prepare("UPDATE ttrss_labels2 SET
@ -174,8 +174,8 @@ class Pref_Labels extends Handler_Protected {
function save() { function save() {
$id = $_REQUEST["id"]; $id = clean($_REQUEST["id"]);
$caption = trim($_REQUEST["caption"]); $caption = trim(clean($_REQUEST["caption"]));
$this->pdo->beginTransaction(); $this->pdo->beginTransaction();
@ -206,7 +206,7 @@ class Pref_Labels extends Handler_Protected {
$sth->execute([$caption, $old_caption, $_SESSION['uid']]); $sth->execute([$caption, $old_caption, $_SESSION['uid']]);
print $_REQUEST["value"]; print clean($_REQUEST["value"]);
} else { } else {
print $old_caption; print $old_caption;
} }
@ -221,7 +221,7 @@ class Pref_Labels extends Handler_Protected {
function remove() { function remove() {
$ids = explode(",", $_REQUEST["ids"]); $ids = explode(",", clean($_REQUEST["ids"]));
foreach ($ids as $id) { foreach ($ids as $id) {
Labels::remove($id, $_SESSION["uid"]); Labels::remove($id, $_SESSION["uid"]);
@ -230,8 +230,8 @@ class Pref_Labels extends Handler_Protected {
} }
function add() { function add() {
$caption = $_REQUEST["caption"]; $caption = clean($_REQUEST["caption"]);
$output = $_REQUEST["output"]; $output = clean($_REQUEST["output"]);
if ($caption) { if ($caption) {

View file

@ -60,9 +60,9 @@ class Pref_Prefs extends Handler_Protected {
function changepassword() { function changepassword() {
$old_pw = $_POST["old_password"]; $old_pw = clean($_POST["old_password"]);
$new_pw = $_POST["new_password"]; $new_pw = clean($_POST["new_password"]);
$con_pw = $_POST["confirm_password"]; $con_pw = clean($_POST["confirm_password"]);
if ($old_pw == "") { if ($old_pw == "") {
print "ERROR: ".format_error("Old password cannot be blank."); print "ERROR: ".format_error("Old password cannot be blank.");
@ -89,7 +89,7 @@ class Pref_Prefs extends Handler_Protected {
} }
function saveconfig() { function saveconfig() {
$boolean_prefs = explode(",", $_POST["boolean_prefs"]); $boolean_prefs = explode(",", clean($_POST["boolean_prefs"]));
foreach ($boolean_prefs as $pref) { foreach ($boolean_prefs as $pref) {
if (!isset($_POST[$pref])) $_POST[$pref] = 'false'; if (!isset($_POST[$pref])) $_POST[$pref] = 'false';
@ -129,8 +129,8 @@ class Pref_Prefs extends Handler_Protected {
function changeemail() { function changeemail() {
$email = $_POST["email"]; $email = clean($_POST["email"]);
$full_name = $_POST["full_name"]; $full_name = clean($_POST["full_name"]);
$active_uid = $_SESSION["uid"]; $active_uid = $_SESSION["uid"];
$sth = $this->pdo->prepare("UPDATE ttrss_users SET email = ?, $sth = $this->pdo->prepare("UPDATE ttrss_users SET email = ?,
@ -880,8 +880,8 @@ class Pref_Prefs extends Handler_Protected {
require_once "lib/otphp/lib/otp.php"; require_once "lib/otphp/lib/otp.php";
require_once "lib/otphp/lib/totp.php"; require_once "lib/otphp/lib/totp.php";
$password = $_REQUEST["password"]; $password = clean($_REQUEST["password"]);
$otp = $_REQUEST["otp"]; $otp = clean($_REQUEST["otp"]);
$authenticator = PluginHost::getInstance()->get_plugin($_SESSION["auth_module"]); $authenticator = PluginHost::getInstance()->get_plugin($_SESSION["auth_module"]);
@ -930,7 +930,7 @@ class Pref_Prefs extends Handler_Protected {
} }
function otpdisable() { function otpdisable() {
$password = $_REQUEST["password"]; $password = clean($_REQUEST["password"]);
$authenticator = PluginHost::getInstance()->get_plugin($_SESSION["auth_module"]); $authenticator = PluginHost::getInstance()->get_plugin($_SESSION["auth_module"]);
@ -948,8 +948,8 @@ class Pref_Prefs extends Handler_Protected {
} }
function setplugins() { function setplugins() {
if (is_array($_REQUEST["plugins"])) if (is_array(clean($_REQUEST["plugins"])))
$plugins = join(",", $_REQUEST["plugins"]); $plugins = join(",", clean($_REQUEST["plugins"]));
else else
$plugins = ""; $plugins = "";
@ -957,7 +957,7 @@ class Pref_Prefs extends Handler_Protected {
} }
function clearplugindata() { function clearplugindata() {
$name = $_REQUEST["name"]; $name = clean($_REQUEST["name"]);
PluginHost::getInstance()->clear_data(PluginHost::getInstance()->get_plugin($name)); PluginHost::getInstance()->clear_data(PluginHost::getInstance()->get_plugin($name));
} }

View file

@ -25,7 +25,7 @@ class Pref_Users extends Handler_Protected {
print "<form id=\"user_edit_form\" onsubmit='return false' dojoType=\"dijit.form.Form\">"; print "<form id=\"user_edit_form\" onsubmit='return false' dojoType=\"dijit.form.Form\">";
$id = (int) $_REQUEST["id"]; $id = (int) clean($_REQUEST["id"]);
print_hidden("id", "$id"); print_hidden("id", "$id");
print_hidden("op", "pref-users"); print_hidden("op", "pref-users");
@ -108,7 +108,7 @@ class Pref_Users extends Handler_Protected {
} }
function userdetails() { function userdetails() {
$id = (int) $_REQUEST["id"]; $id = (int) clean($_REQUEST["id"]);
$sth = $this->pdo->prepare("SELECT login, $sth = $this->pdo->prepare("SELECT login,
".SUBSTRING_FOR_DATE."(last_login,1,16) AS last_login, ".SUBSTRING_FOR_DATE."(last_login,1,16) AS last_login,
@ -177,11 +177,11 @@ class Pref_Users extends Handler_Protected {
} }
function editSave() { function editSave() {
$login = trim($_REQUEST["login"]); $login = trim(clean($_REQUEST["login"]));
$uid = $_REQUEST["id"]; $uid = clean($_REQUEST["id"]);
$access_level = (int) $_REQUEST["access_level"]; $access_level = (int) clean($_REQUEST["access_level"]);
$email = trim($_REQUEST["email"]); $email = trim(clean($_REQUEST["email"]));
$password = $_REQUEST["password"]; $password = clean($_REQUEST["password"]);
if ($password) { if ($password) {
$salt = substr(bin2hex(get_random_bytes(125)), 0, 250); $salt = substr(bin2hex(get_random_bytes(125)), 0, 250);
@ -199,7 +199,7 @@ class Pref_Users extends Handler_Protected {
} }
function remove() { function remove() {
$ids = explode(",", $_REQUEST["ids"]); $ids = explode(",", clean($_REQUEST["ids"]));
foreach ($ids as $id) { foreach ($ids as $id) {
if ($id != $_SESSION["uid"] && $id != 1) { if ($id != $_SESSION["uid"] && $id != 1) {
@ -217,7 +217,7 @@ class Pref_Users extends Handler_Protected {
function add() { function add() {
$login = trim($_REQUEST["login"]); $login = trim(clean($_REQUEST["login"]));
$tmp_user_pwd = make_password(8); $tmp_user_pwd = make_password(8);
$salt = substr(bin2hex(get_random_bytes(125)), 0, 250); $salt = substr(bin2hex(get_random_bytes(125)), 0, 250);
$pwd_hash = encrypt_password($tmp_user_pwd, $salt, true); $pwd_hash = encrypt_password($tmp_user_pwd, $salt, true);
@ -316,7 +316,7 @@ class Pref_Users extends Handler_Protected {
} }
function resetPass() { function resetPass() {
$uid = $_REQUEST["id"]; $uid = clean($_REQUEST["id"]);
Pref_Users::resetUserPassword($uid, true); Pref_Users::resetUserPassword($uid, true);
} }
@ -329,7 +329,7 @@ class Pref_Users extends Handler_Protected {
print "<div id=\"pref-user-toolbar\" dojoType=\"dijit.Toolbar\">"; print "<div id=\"pref-user-toolbar\" dojoType=\"dijit.Toolbar\">";
$user_search = trim($_REQUEST["search"]); $user_search = trim(clean($_REQUEST["search"]));
if (array_key_exists("search", $_REQUEST)) { if (array_key_exists("search", $_REQUEST)) {
$_SESSION["prefs_user_search"] = $user_search; $_SESSION["prefs_user_search"] = $user_search;
@ -344,7 +344,7 @@ class Pref_Users extends Handler_Protected {
__('Search')."</button> __('Search')."</button>
</div>"; </div>";
$sort = $_REQUEST["sort"]; $sort = clean($_REQUEST["sort"]);
if (!$sort || $sort == "undefined") { if (!$sort || $sort == "undefined") {
$sort = "login"; $sort = "login";

View file

@ -8,14 +8,14 @@ class RPC extends Handler_Protected {
} }
function setprofile() { function setprofile() {
$_SESSION["profile"] = $_REQUEST["id"]; $_SESSION["profile"] = clean($_REQUEST["id"]);
// default value // default value
if (!$_SESSION["profile"]) $_SESSION["profile"] = null; if (!$_SESSION["profile"]) $_SESSION["profile"] = null;
} }
function remprofiles() { function remprofiles() {
$ids = explode(",", trim($_REQUEST["ids"])); $ids = explode(",", trim(clean($_REQUEST["ids"])));
foreach ($ids as $id) { foreach ($ids as $id) {
if ($_SESSION["profile"] != $id) { if ($_SESSION["profile"] != $id) {
@ -28,7 +28,7 @@ class RPC extends Handler_Protected {
// Silent // Silent
function addprofile() { function addprofile() {
$title = trim($_REQUEST["title"]); $title = trim(clean($_REQUEST["title"]));
if ($title) { if ($title) {
$this->pdo->beginTransaction(); $this->pdo->beginTransaction();
@ -62,8 +62,8 @@ class RPC extends Handler_Protected {
} }
function saveprofile() { function saveprofile() {
$id = $_REQUEST["id"]; $id = clean($_REQUEST["id"]);
$title = trim($_REQUEST["value"]); $title = trim(clean($_REQUEST["value"]));
if ($id == 0) { if ($id == 0) {
print __("Default profile"); print __("Default profile");
@ -82,7 +82,7 @@ class RPC extends Handler_Protected {
// Silent // Silent
function remarchive() { function remarchive() {
$ids = explode(",", $_REQUEST["ids"]); $ids = explode(",", clean($_REQUEST["ids"]));
$sth = $this->pdo->prepare("DELETE FROM ttrss_archived_feeds WHERE $sth = $this->pdo->prepare("DELETE FROM ttrss_archived_feeds WHERE
(SELECT COUNT(*) FROM ttrss_user_entries (SELECT COUNT(*) FROM ttrss_user_entries
@ -95,10 +95,10 @@ class RPC extends Handler_Protected {
} }
function addfeed() { function addfeed() {
$feed = $_REQUEST['feed']; $feed = clean($_REQUEST['feed']);
$cat = $_REQUEST['cat']; $cat = clean($_REQUEST['cat']);
$login = $_REQUEST['login']; $login = clean($_REQUEST['login']);
$pass = trim($_REQUEST['pass']); $pass = trim(clean($_REQUEST['pass']));
$rc = Feeds::subscribe_to_feed($feed, $cat, $login, $pass); $rc = Feeds::subscribe_to_feed($feed, $cat, $login, $pass);
@ -106,7 +106,7 @@ class RPC extends Handler_Protected {
} }
function togglepref() { function togglepref() {
$key = $_REQUEST["key"]; $key = clean($_REQUEST["key"]);
set_pref($key, !get_pref($key)); set_pref($key, !get_pref($key));
$value = get_pref($key); $value = get_pref($key);
@ -115,8 +115,8 @@ class RPC extends Handler_Protected {
function setpref() { function setpref() {
// set_pref escapes input, so no need to double escape it here // set_pref escapes input, so no need to double escape it here
$key = $_REQUEST['key']; $key = clean($_REQUEST['key']);
$value = str_replace("\n", "<br/>", $_REQUEST['value']); $value = nl2br($_REQUEST['value']);
set_pref($key, $value, false, $key != 'USER_STYLESHEET'); set_pref($key, $value, false, $key != 'USER_STYLESHEET');
@ -124,8 +124,8 @@ class RPC extends Handler_Protected {
} }
function mark() { function mark() {
$mark = $_REQUEST["mark"]; $mark = clean($_REQUEST["mark"]);
$id = $_REQUEST["id"]; $id = clean($_REQUEST["id"]);
$sth = $this->pdo->prepare("UPDATE ttrss_user_entries SET marked = ?, $sth = $this->pdo->prepare("UPDATE ttrss_user_entries SET marked = ?,
last_marked = NOW() last_marked = NOW()
@ -137,7 +137,7 @@ class RPC extends Handler_Protected {
} }
function delete() { function delete() {
$ids = explode(",", $_REQUEST["ids"]); $ids = explode(",", clean($_REQUEST["ids"]));
$ids_qmarks = arr_qmarks($ids); $ids_qmarks = arr_qmarks($ids);
$sth = $this->pdo->prepare("DELETE FROM ttrss_user_entries $sth = $this->pdo->prepare("DELETE FROM ttrss_user_entries
@ -150,7 +150,7 @@ class RPC extends Handler_Protected {
} }
function unarchive() { function unarchive() {
$ids = explode(",", $_REQUEST["ids"]); $ids = explode(",", clean($_REQUEST["ids"]));
foreach ($ids as $id) { foreach ($ids as $id) {
$this->pdo->beginTransaction(); $this->pdo->beginTransaction();
@ -203,7 +203,7 @@ class RPC extends Handler_Protected {
} }
function archive() { function archive() {
$ids = explode(",", $_REQUEST["ids"]); $ids = explode(",", clean($_REQUEST["ids"]));
foreach ($ids as $id) { foreach ($ids as $id) {
$this->archive_article($id, $_SESSION["uid"]); $this->archive_article($id, $_SESSION["uid"]);
@ -257,8 +257,8 @@ class RPC extends Handler_Protected {
} }
function publ() { function publ() {
$pub = $_REQUEST["pub"]; $pub = clean($_REQUEST["pub"]);
$id = $_REQUEST["id"]; $id = clean($_REQUEST["id"]);
$sth = $this->pdo->prepare("UPDATE ttrss_user_entries SET $sth = $this->pdo->prepare("UPDATE ttrss_user_entries SET
published = ?, last_published = NOW() published = ?, last_published = NOW()
@ -270,7 +270,7 @@ class RPC extends Handler_Protected {
} }
function getAllCounters() { function getAllCounters() {
$last_article_id = (int) $_REQUEST["last_article_id"]; $last_article_id = (int) clean($_REQUEST["last_article_id"]);
$reply = array(); $reply = array();
@ -287,8 +287,8 @@ class RPC extends Handler_Protected {
/* GET["cmode"] = 0 - mark as read, 1 - as unread, 2 - toggle */ /* GET["cmode"] = 0 - mark as read, 1 - as unread, 2 - toggle */
function catchupSelected() { function catchupSelected() {
$ids = explode(",", $_REQUEST["ids"]); $ids = explode(",", clean($_REQUEST["ids"]));
$cmode = sprintf("%d", $_REQUEST["cmode"]); $cmode = sprintf("%d", clean($_REQUEST["cmode"]));
Article::catchupArticlesById($ids, $cmode); Article::catchupArticlesById($ids, $cmode);
@ -296,8 +296,8 @@ class RPC extends Handler_Protected {
} }
function markSelected() { function markSelected() {
$ids = explode(",", $_REQUEST["ids"]); $ids = explode(",", clean($_REQUEST["ids"]));
$cmode = (int)$_REQUEST["cmode"]; $cmode = (int)clean($_REQUEST["cmode"]);
$this->markArticlesById($ids, $cmode); $this->markArticlesById($ids, $cmode);
@ -305,8 +305,8 @@ class RPC extends Handler_Protected {
} }
function publishSelected() { function publishSelected() {
$ids = explode(",", $_REQUEST["ids"]); $ids = explode(",", clean($_REQUEST["ids"]));
$cmode = (int)$_REQUEST["cmode"]; $cmode = (int)clean($_REQUEST["cmode"]);
$this->publishArticlesById($ids, $cmode); $this->publishArticlesById($ids, $cmode);
@ -314,10 +314,10 @@ class RPC extends Handler_Protected {
} }
function sanityCheck() { function sanityCheck() {
$_SESSION["hasAudio"] = $_REQUEST["hasAudio"] === "true"; $_SESSION["hasAudio"] = clean($_REQUEST["hasAudio"]) === "true";
$_SESSION["hasSandbox"] = $_REQUEST["hasSandbox"] === "true"; $_SESSION["hasSandbox"] = clean($_REQUEST["hasSandbox"]) === "true";
$_SESSION["hasMp3"] = $_REQUEST["hasMp3"] === "true"; $_SESSION["hasMp3"] = clean($_REQUEST["hasMp3"]) === "true";
$_SESSION["clientTzOffset"] = $_REQUEST["clientTzOffset"]; $_SESSION["clientTzOffset"] = clean($_REQUEST["clientTzOffset"]);
$reply = array(); $reply = array();
@ -332,7 +332,7 @@ class RPC extends Handler_Protected {
} }
function completeLabels() { function completeLabels() {
$search = $_REQUEST["search"]; $search = clean($_REQUEST["search"]);
$sth = $this->pdo->prepare("SELECT DISTINCT caption FROM $sth = $this->pdo->prepare("SELECT DISTINCT caption FROM
ttrss_labels2 ttrss_labels2
@ -351,9 +351,9 @@ class RPC extends Handler_Protected {
function updateFeedBrowser() { function updateFeedBrowser() {
if (defined('_DISABLE_FEED_BROWSER') && _DISABLE_FEED_BROWSER) return; if (defined('_DISABLE_FEED_BROWSER') && _DISABLE_FEED_BROWSER) return;
$search = $_REQUEST["search"]; $search = clean($_REQUEST["search"]);
$limit = $_REQUEST["limit"]; $limit = clean($_REQUEST["limit"]);
$mode = (int) $_REQUEST["mode"]; $mode = (int) clean($_REQUEST["mode"]);
require_once "feedbrowser.php"; require_once "feedbrowser.php";
@ -365,8 +365,8 @@ class RPC extends Handler_Protected {
// Silent // Silent
function massSubscribe() { function massSubscribe() {
$payload = json_decode($_REQUEST["payload"], false); $payload = json_decode(clean($_REQUEST["payload"]), false);
$mode = $_REQUEST["mode"]; $mode = clean($_REQUEST["mode"]);
if (!$payload || !is_array($payload)) return; if (!$payload || !is_array($payload)) return;
@ -417,11 +417,11 @@ class RPC extends Handler_Protected {
} }
function catchupFeed() { function catchupFeed() {
$feed_id = $_REQUEST['feed_id']; $feed_id = clean($_REQUEST['feed_id']);
$is_cat = $_REQUEST['is_cat'] == "true"; $is_cat = clean($_REQUEST['is_cat']) == "true";
$mode = $_REQUEST['mode']; $mode = clean($_REQUEST['mode']);
$search_query = $_REQUEST['search_query']; $search_query = clean($_REQUEST['search_query']);
$search_lang = $_REQUEST['search_lang']; $search_lang = clean($_REQUEST['search_lang']);
Feeds::catchup_feed($feed_id, $is_cat, false, $mode, [$search_query, $search_lang]); Feeds::catchup_feed($feed_id, $is_cat, false, $mode, [$search_query, $search_lang]);
@ -429,7 +429,7 @@ class RPC extends Handler_Protected {
} }
function setpanelmode() { function setpanelmode() {
$wide = (int) $_REQUEST["wide"]; $wide = (int) clean($_REQUEST["wide"]);
setcookie("ttrss_widescreen", $wide, setcookie("ttrss_widescreen", $wide,
time() + COOKIE_LIFETIME_LONG); time() + COOKIE_LIFETIME_LONG);
@ -566,7 +566,7 @@ class RPC extends Handler_Protected {
} }
function getlinktitlebyid() { function getlinktitlebyid() {
$id = $_REQUEST['id']; $id = clean($_REQUEST['id']);
$sth = $this->pdo->prepare("SELECT link, title FROM ttrss_entries, ttrss_user_entries $sth = $this->pdo->prepare("SELECT link, title FROM ttrss_entries, ttrss_user_entries
WHERE ref_id = ? AND ref_id = id AND owner_uid = ?"); WHERE ref_id = ? AND ref_id = id AND owner_uid = ?");
@ -583,10 +583,10 @@ class RPC extends Handler_Protected {
} }
function log() { function log() {
$msg = $_REQUEST['msg']; $msg = clean($_REQUEST['msg']);
$file = basename($_REQUEST['file']); $file = basename(clean($_REQUEST['file']));
$line = (int) $_REQUEST['line']; $line = (int) clean($_REQUEST['line']);
$context = $_REQUEST['context']; $context = clean($_REQUEST['context']);
if ($msg) { if ($msg) {
Logger::get()->log_error(E_USER_WARNING, Logger::get()->log_error(E_USER_WARNING,

View file

@ -304,7 +304,7 @@ class RSSUtils {
*/ */
static function update_rss_feed($feed, $no_cache = false) { static function update_rss_feed($feed, $no_cache = false) {
$debug_enabled = defined('DAEMON_EXTENDED_DEBUG') || $_REQUEST['xdebug']; $debug_enabled = defined('DAEMON_EXTENDED_DEBUG') || clean($_REQUEST['xdebug']);
_debug_suppress(!$debug_enabled); _debug_suppress(!$debug_enabled);
_debug("start", $debug_enabled); _debug("start", $debug_enabled);
@ -591,7 +591,7 @@ class RSSUtils {
foreach ($items as $item) { foreach ($items as $item) {
$pdo->beginTransaction(); $pdo->beginTransaction();
if ($_REQUEST['xdebug'] == 3) { if (clean($_REQUEST['xdebug']) == 3) {
print_r($item); print_r($item);
} }
@ -640,7 +640,7 @@ class RSSUtils {
$entry_content = $item->get_content(); $entry_content = $item->get_content();
if (!$entry_content) $entry_content = $item->get_description(); if (!$entry_content) $entry_content = $item->get_description();
if ($_REQUEST["xdebug"] == 2) { if (clean($_REQUEST["xdebug"]) == 2) {
print "content: "; print "content: ";
print htmlspecialchars($entry_content); print htmlspecialchars($entry_content);
print "\n"; print "\n";
@ -749,7 +749,7 @@ class RSSUtils {
$entry_plugin_data .= mb_strtolower(get_class($plugin)) . ","; $entry_plugin_data .= mb_strtolower(get_class($plugin)) . ",";
} }
if ($_REQUEST["xdebug"] == 2) { if (clean($_REQUEST["xdebug"]) == 2) {
print "processed content: "; print "processed content: ";
print htmlspecialchars($article["content"]); print htmlspecialchars($article["content"]);
print "\n"; print "\n";

View file

@ -725,6 +725,17 @@
} }
} }
// this is used for user http parameters unless HTML code is actually needed
function clean($param) {
if (is_array($param)) {
return array_map(strip_tags, $param);
} else if (is_string($param)) {
return strip_tags($param);
} else {
return $param;
}
}
function make_password($length = 8) { function make_password($length = 8) {
$password = ""; $password = "";