X-Git-Url: https://git.wh0rd.org/?a=blobdiff_plain;f=classes%2Fapi.php;h=e505dcc915dd90f5d09feaab07d62da51970091b;hb=07fd4f8d9d4f301f5ad88ff9e80f042fc3eb0c36;hp=8ffa74d9e2f87914c17ca54f31fdf1d9e787f564;hpb=ab1960cf1325783aabe5118a58ca6d649fca672a;p=tt-rss.git
diff --git a/classes/api.php b/classes/api.php
old mode 100644
new mode 100755
index 8ffa74d9..e505dcc9
--- a/classes/api.php
+++ b/classes/api.php
@@ -8,6 +8,10 @@ class API extends Handler {
 private $seq;
+ static function param_to_bool($p) {
+ return $p && ($p !== "f" && $p !== "false");
+ }
+
 function before($method) {
 if (parent::before($method)) {
 header("Content-Type: text/json");
@@ -22,7 +26,7 @@ class API extends Handler {
 return false;
 }
- $this->seq = (int) $_REQUEST['seq'];
+ $this->seq = (int) clean($_REQUEST['seq']);
 return true;
 }
@@ -49,9 +53,9 @@ class API extends Handler {
 @session_destroy();
 @session_start();
- $login = $_REQUEST["user"];
- $password = $_REQUEST["password"];
- $password_base64 = base64_decode($_REQUEST["password"]);
+ $login = clean($_REQUEST["user"]);
+ $password = clean($_REQUEST["password"]);
+ $password_base64 = base64_decode(clean($_REQUEST["password"]));
 if (SINGLE_USER_MODE) $login = "admin";
@@ -96,8 +100,8 @@ class API extends Handler {
 }
 function getUnread() {
- $feed_id = $_REQUEST["feed_id"];
- $is_cat = $_REQUEST["is_cat"];
+ $feed_id = clean($_REQUEST["feed_id"]);
+ $is_cat = clean($_REQUEST["is_cat"]);
 if ($feed_id) {
 $this->wrap(self::STATUS_OK, array("unread" => getFeedUnread($feed_id, $is_cat)));
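Review bot: `param_to_bool` in the -8 hunk only recognises lowercase `"f"` and `"false"`, so `"False"`, `"FALSE"` or `"F"` evaluate to true, and neither the parameter nor the return value is documented or typed. Since the same helper is now applied both to request parameters and to DB columns such as `$line["unread"]`, the accepted spellings should be stated and matched case-insensitively: `return $p && !(is_string($p) && in_array(strtolower($p), ["f", "false"], true));`. A docblock above it reading `/** Interpret a request or DB boolean: falsy values, "f" and "false" are false, anything else is true. @return bool */` would make the contract explicit for the other call sites.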
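Review bot: Wrapping the credentials in `clean()` in the -49 hunk transforms the password before it is verified, so an account whose password contains whatever characters `clean()` alters (its body is not in this diff) can no longer log in, and `base64_decode(clean(...))` applies that transformation to the encoded form rather than to the decoded secret. A password should reach the verifier byte-for-byte: `$password = $_REQUEST["password"];` and `$password_base64 = base64_decode($_REQUEST["password"]);`, with any input validation done on length rather than content. The same applies to the feed `$login`/`$password` pair in subscribeToFeed (-820 hunk), which is forwarded to a remote feed and likewise should not be rewritten.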
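Review bot: In the -96 hunk `$is_cat` is handed to `getFeedUnread()` as the cleaned request string rather than through the new `param_to_bool` helper, unlike `is_cat` in getHeadlines, so if `getFeedUnread()` treats its second argument as a boolean a client sending `is_cat=false` selects the category branch because a non-empty string is truthy. `$is_cat = API::param_to_bool(clean($_REQUEST["is_cat"]));` keeps it consistent with the other boolean parameters. catchupFeed in the -413 hunk passes `$is_cat` to `Feeds::catchup_feed()` the same way and has the same issue.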
@@ -112,11 +116,11 @@ class API extends Handler {
 }
 function getFeeds() {
- $cat_id = $_REQUEST["cat_id"];
- $unread_only = sql_bool_to_bool($_REQUEST["unread_only"]);
- $limit = (int) $_REQUEST["limit"];
- $offset = (int) $_REQUEST["offset"];
- $include_nested = sql_bool_to_bool($_REQUEST["include_nested"]);
+ $cat_id = clean($_REQUEST["cat_id"]);
+ $unread_only = API::param_to_bool(clean($_REQUEST["unread_only"]));
+ $limit = (int) clean($_REQUEST["limit"]);
+ $offset = (int) clean($_REQUEST["offset"]);
+ $include_nested = API::param_to_bool(clean($_REQUEST["include_nested"]));
 $feeds = $this->api_get_feeds($cat_id, $unread_only, $limit, $offset, $include_nested);
@@ -124,9 +128,9 @@ class API extends Handler {
 }
 function getCategories() {
- $unread_only = sql_bool_to_bool($_REQUEST["unread_only"]);
- $enable_nested = sql_bool_to_bool($_REQUEST["enable_nested"]);
- $include_empty = sql_bool_to_bool($_REQUEST['include_empty']);
+ $unread_only = API::param_to_bool(clean($_REQUEST["unread_only"]));
+ $enable_nested = API::param_to_bool(clean($_REQUEST["enable_nested"]));
+ $include_empty = API::param_to_bool(clean($_REQUEST['include_empty']));
 // TODO do not return empty categories, return Uncategorized and standard virtual cats
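Review bot: The new `API::param_to_bool(...)` calls in getFeeds and getCategories name the class explicitly although the surrounding methods already use `self::STATUS_OK`; inside the class `self::param_to_bool(...)` is the conventional form and survives a rename, and the same applies to every `API::param_to_bool` call in this diff. Separately, `$limit` in getFeeds is cast but never bounded, whereas getHeadlines caps its limit at 200; since `$limit_qpart` is spliced into the SQL in api_get_feeds (-619 hunk) and its construction is not visible here, a bound such as `if ($limit < 0 || $limit > 200) $limit = 200;` would be consistent. The unbounded limit predates this commit.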
@@ -181,39 +185,39 @@ class API extends Handler {
 }
 function getHeadlines() {
- $feed_id = $_REQUEST["feed_id"];
- if ($feed_id != "") {
+ $feed_id = clean($_REQUEST["feed_id"]);
+ if ($feed_id !== "") {
 if (is_numeric($feed_id)) $feed_id = (int) $feed_id;
- $limit = (int)$_REQUEST["limit"];
+ $limit = (int)clean($_REQUEST["limit"]);
 if (!$limit || $limit >= 200) $limit = 200;
- $offset = (int)$_REQUEST["skip"];
- $filter = $_REQUEST["filter"];
- $is_cat = sql_bool_to_bool($_REQUEST["is_cat"]);
- $show_excerpt = sql_bool_to_bool($_REQUEST["show_excerpt"]);
- $show_content = sql_bool_to_bool($_REQUEST["show_content"]);
+ $offset = (int)clean($_REQUEST["skip"]);
+ $filter = clean($_REQUEST["filter"]);
+ $is_cat = API::param_to_bool(clean($_REQUEST["is_cat"]));
+ $show_excerpt = API::param_to_bool(clean($_REQUEST["show_excerpt"]));
+ $show_content = API::param_to_bool(clean($_REQUEST["show_content"]));
 /* all_articles, unread, adaptive, marked, updated */
- $view_mode = $_REQUEST["view_mode"];
- $include_attachments = sql_bool_to_bool($_REQUEST["include_attachments"]);
- $since_id = (int)$_REQUEST["since_id"];
- $include_nested = sql_bool_to_bool($_REQUEST["include_nested"]);
+ $view_mode = clean($_REQUEST["view_mode"]);
+ $include_attachments = API::param_to_bool(clean($_REQUEST["include_attachments"]));
+ $since_id = (int)clean($_REQUEST["since_id"]);
+ $include_nested = API::param_to_bool(clean($_REQUEST["include_nested"]));
 $sanitize_content = !isset($_REQUEST["sanitize"]) ||
- sql_bool_to_bool($_REQUEST["sanitize"]);
- $force_update = sql_bool_to_bool($_REQUEST["force_update"]);
- $has_sandbox = sql_bool_to_bool($_REQUEST["has_sandbox"]);
- $excerpt_length = (int)$_REQUEST["excerpt_length"];
- $check_first_id = (int)$_REQUEST["check_first_id"];
- $include_header = sql_bool_to_bool($_REQUEST["include_header"]);
+ API::param_to_bool($_REQUEST["sanitize"]);
+ $force_update = API::param_to_bool(clean($_REQUEST["force_update"]));
+ $has_sandbox = API::param_to_bool(clean($_REQUEST["has_sandbox"]));
+ $excerpt_length = (int)clean($_REQUEST["excerpt_length"]);
+ $check_first_id = (int)clean($_REQUEST["check_first_id"]);
+ $include_header = API::param_to_bool(clean($_REQUEST["include_header"]));
 $_SESSION['hasSandbox'] = $has_sandbox;
 $skip_first_id_check = false;
 $override_order = false;
- switch ($_REQUEST["order_by"]) {
+ switch (clean($_REQUEST["order_by"])) {
 case "title":
 $override_order = "ttrss_entries.title, date_entered, updated";
 break;
@@ -228,7 +232,7 @@ class API extends Handler {
 /* do not rely on params below */
- $search = $_REQUEST["search"];
+ $search = clean($_REQUEST["search"]);
 list($headlines, $headlines_header) = $this->api_get_headlines($feed_id, $limit, $offset, $filter, $is_cat, $show_excerpt, $show_content, $view_mode, $override_order,
@@ -246,10 +250,10 @@ class API extends Handler {
 }
 function updateArticle() {
- $article_ids = explode(",", $_REQUEST["article_ids"]);
- $mode = (int) $_REQUEST["mode"];
- $data = $_REQUEST["data"];
- $field_raw = (int)$_REQUEST["field"];
+ $article_ids = explode(",", clean($_REQUEST["article_ids"]));
+ $mode = (int) clean($_REQUEST["mode"]);
+ $data = clean($_REQUEST["data"]);
+ $field_raw = (int)clean($_REQUEST["field"]);
 $field = "";
 $set_to = "";
@@ -289,8 +293,8 @@ class API extends Handler {
 $article_qmarks = arr_qmarks($article_ids);
- $sth = $this->pdo->prepare("UPDATE ttrss_user_entries SET
- $field = $set_to $additional_fields
+ $sth = $this->pdo->prepare("UPDATE ttrss_user_entries SET
+ $field = $set_to $additional_fields
 WHERE ref_id IN ($article_qmarks) AND owner_uid = ?");
 $sth->execute(array_merge($article_ids, [$_SESSION['uid']]));
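Review bot: Switching to `if ($feed_id !== "")` in the -181 hunk changes what happens when `feed_id` is absent: `clean($_REQUEST["feed_id"])` then receives an undefined index, and unless `clean()` turns null into `""` (not visible in this diff), `null !== ""` is true, so a request without feed_id now enters the branch that the old loose comparison skipped. An explicit guard keeps the strict comparison without depending on clean()'s null handling: `if (isset($_REQUEST["feed_id"]) && $feed_id !== "") {`. On the same lines `$sanitize_content` is the one parameter read without `clean()`, which is harmless because it is only compared, but a short comment would show it is intentional. The else branch and return of getHeadlines lie outside the hunk.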
@@ -317,9 +321,9 @@ class API extends Handler {
 function getArticle() {
- $article_ids = explode(",", $_REQUEST["article_id"]);
+ $article_ids = explode(",", clean($_REQUEST["article_id"]));
 $sanitize_content = !isset($_REQUEST["sanitize"]) ||
- sql_bool_to_bool($_REQUEST["sanitize"]);
+ API::param_to_bool($_REQUEST["sanitize"]);
 if ($article_ids) {
@@ -348,9 +352,9 @@ class API extends Handler {
 "title" => $line["title"],
 "link" => $line["link"],
 "labels" => Article::get_article_labels($line['id']),
- "unread" => sql_bool_to_bool($line["unread"]),
- "marked" => sql_bool_to_bool($line["marked"]),
- "published" => sql_bool_to_bool($line["published"]),
+ "unread" => API::param_to_bool($line["unread"]),
+ "marked" => API::param_to_bool($line["marked"]),
+ "published" => API::param_to_bool($line["published"]),
 "comments" => $line["comments"],
 "author" => $line["author"],
 "updated" => (int) strtotime($line["updated"]),
@@ -365,7 +369,7 @@ class API extends Handler {
 if ($sanitize_content) {
 $article["content"] = sanitize(
 $line["content"],
- sql_bool_to_bool($line['hide_images']),
+ API::param_to_bool($line['hide_images']),
 false, $line["site_url"], false, $line["id"]);
 } else {
 $article["content"] = $line["content"];
@@ -375,6 +379,8 @@ class API extends Handler {
 $article = $p->hook_render_article_api(array("article" => $article));
 }
+ $article['content'] = rewrite_cached_urls($article['content']);
+
 array_push($articles, $article);
 }
@@ -403,7 +409,7 @@ class API extends Handler {
 }
 function updateFeed() {
- $feed_id = (int) $_REQUEST["feed_id"];
+ $feed_id = (int) clean($_REQUEST["feed_id"]);
 if (!ini_get("open_basedir")) {
 RSSUtils::update_rss_feed($feed_id);
@@ -413,8 +419,8 @@ class API extends Handler {
 }
 function catchupFeed() {
- $feed_id = $_REQUEST["feed_id"];
- $is_cat = $_REQUEST["is_cat"];
+ $feed_id = clean($_REQUEST["feed_id"]);
+ $is_cat = clean($_REQUEST["is_cat"]);
 Feeds::catchup_feed($feed_id, $is_cat);
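Review bot: The new `rewrite_cached_urls()` call in the -375 hunk runs after the `sanitize()` block and after the `hook_render_article_api` plugin hook, so plugins see the original URLs and the sanitizer never inspects the rewritten ones; the ordering looks deliberate but nothing says so. A one-line comment such as `// rewrite to cached copies last, after sanitize() and plugin hooks have seen the original URLs` would pin that intent, and if the rewritten output is instead expected to pass through the sanitizer the call should move before the `$sanitize_content` block. The same call is added to api_get_headlines in the -795 hunk and wants the same comment.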
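Review bot: updateFeed in the -403 hunk casts `feed_id` and passes it straight to `RSSUtils::update_rss_feed()` with no check that the feed belongs to `$_SESSION["uid"]`, whereas unsubscribeFeed in the -805 hunk first runs `SELECT id FROM ttrss_feeds WHERE id = ? AND owner_uid = ?`. Unless update_rss_feed verifies ownership itself (its body is not in this diff), any authenticated API user can trigger a refresh of a feed owned by someone else simply by id; reusing the owner lookup from unsubscribeFeed and returning an error status when no row matches would close that gap. The remainder of updateFeed is outside the hunk.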
@@ -422,13 +428,13 @@ class API extends Handler {
 }
 function getPref() {
- $pref_name = $_REQUEST["pref_name"];
+ $pref_name = clean($_REQUEST["pref_name"]);
 $this->wrap(self::STATUS_OK, array("value" => get_pref($pref_name)));
 }
 function getLabels() {
- $article_id = (int)$_REQUEST['article_id'];
+ $article_id = (int)clean($_REQUEST['article_id']);
 $rv = array();
@@ -465,9 +471,9 @@ class API extends Handler {
 function setArticleLabel() {
- $article_ids = explode(",", $_REQUEST["article_ids"]);
- $label_id = (int) $_REQUEST['label_id'];
- $assign = sql_bool_to_bool($_REQUEST['assign']);
+ $article_ids = explode(",", clean($_REQUEST["article_ids"]));
+ $label_id = (int) clean($_REQUEST['label_id']);
+ $assign = API::param_to_bool(clean($_REQUEST['assign']));
 $label = Labels::find_caption(Labels::feed_to_label_id($label_id), $_SESSION["uid"]);
@@ -506,9 +512,9 @@ class API extends Handler {
 }
 function shareToPublished() {
- $title = strip_tags($_REQUEST["title"]);
- $url = strip_tags($_REQUEST["url"]);
- $content = strip_tags($_REQUEST["content"]);
+ $title = strip_tags(clean($_REQUEST["title"]));
+ $url = strip_tags(clean($_REQUEST["url"]));
+ $content = strip_tags(clean($_REQUEST["content"]));
 if (Article::create_published_article($title, $url, $content, "", $_SESSION["uid"])) {
 $this->wrap(self::STATUS_OK, array("status" => 'OK'));
@@ -619,7 +625,7 @@ class API extends Handler {
 id, feed_url, cat_id, title, order_id, ". SUBSTRING_FOR_DATE."(last_updated,1,19) AS last_updated FROM ttrss_feeds WHERE
- (cat_id = :cat OR (:cat = 0 AND cat_id IS NULL))
+ (cat_id = :cat OR (:cat = 0 AND cat_id IS NULL))
 AND owner_uid = :uid ORDER BY cat_id, title " . $limit_qpart);
 $sth->execute([":uid" => $_SESSION['uid'], ":cat" => $cat_id]);
@@ -629,7 +635,7 @@ class API extends Handler {
 $unread = getFeedUnread($line["id"]);
- $has_icon = feed_has_icon($line['id']);
+ $has_icon = Feeds::feedHasIcon($line['id']);
 if ($unread || !$unread_only) {
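Review bot: In the -506 hunk `$url` goes through `strip_tags()` and `clean()` but is never validated as a URL before `Article::create_published_article()` stores it as the link of a published article, so any string, including non-http schemes, is accepted; `strip_tags(clean(...))` is also redundant on all three lines if `clean()` already strips tags, which cannot be confirmed from this diff. A scheme check before the create call, e.g. `if (!filter_var($url, FILTER_VALIDATE_URL) || !preg_match('#^https?://#i', $url)) { /* report error and return, as the existing failure path does */ }`, would keep only fetchable links in the published feed. The failure branch of shareToPublished is outside the hunk.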
@@ -672,7 +678,7 @@ class API extends Handler {
 if ($row = $sth->fetch()) {
 $last_updated = strtotime($row["last_updated"]);
- $cache_images = sql_bool_to_bool($row["cache_images"]);
+ $cache_images = API::param_to_bool($row["cache_images"]);
 if (!$cache_images && time() - $last_updated > 120) {
 RSSUtils::update_rss_feed($feed_id, true);
@@ -742,14 +748,14 @@ class API extends Handler {
 $headline_row = array(
 "id" => (int)$line["id"],
 "guid" => $line["guid"],
- "unread" => sql_bool_to_bool($line["unread"]),
- "marked" => sql_bool_to_bool($line["marked"]),
- "published" => sql_bool_to_bool($line["published"]),
+ "unread" => API::param_to_bool($line["unread"]),
+ "marked" => API::param_to_bool($line["marked"]),
+ "published" => API::param_to_bool($line["published"]),
 "updated" => (int)strtotime($line["updated"]),
 "is_updated" => $is_updated,
 "title" => $line["title"],
 "link" => $line["link"],
- "feed_id" => $line["feed_id"],
+ "feed_id" => $line["feed_id"] ? $line['feed_id'] : 0,
 "tags" => $tags,
 );
@@ -765,7 +771,7 @@ class API extends Handler {
 if ($sanitize_content) {
 $headline_row["content"] = sanitize(
 $line["content"],
- sql_bool_to_bool($line['hide_images']),
+ API::param_to_bool($line['hide_images']),
 false, $line["site_url"], false, $line["id"]);
 } else {
 $headline_row["content"] = $line["content"];
@@ -783,7 +789,7 @@ class API extends Handler {
 $headline_row["comments_count"] = (int)$line["num_comments"];
 $headline_row["comments_link"] = $line["comments"];
- $headline_row["always_display_attachments"] = sql_bool_to_bool($line["always_display_enclosures"]);
+ $headline_row["always_display_attachments"] = API::param_to_bool($line["always_display_enclosures"]);
 $headline_row["author"] = $line["author"];
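Review bot: `"feed_id" => $line["feed_id"] ? $line['feed_id'] : 0,` in the -742 hunk repeats the operand and mixes quote styles; `$line["feed_id"] ?: 0` is the same expression. It also still emits a string when the column is set and an int `0` when it is not, while `"id"` on the line above is cast with `(int)`; if clients should see one type, `"feed_id" => (int) $line["feed_id"],` yields 0 for null or empty and an integer otherwise, but that changes the JSON type of existing responses and should be called out in the API changelog. The enclosing loop of api_get_headlines starts and ends outside the hunk.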
@@ -795,6 +801,8 @@ class API extends Handler {
 $headline_row = $p->hook_render_article_api(array("headline" => $headline_row));
 }
+ $headline_row['content'] = rewrite_cached_urls($headline_row['content']);
+
 array_push($headlines, $headline_row);
 }
 } else if (is_numeric($result) && $result == -1) {
@@ -805,7 +813,7 @@ class API extends Handler {
 }
 function unsubscribeFeed() {
- $feed_id = (int) $_REQUEST["feed_id"];
+ $feed_id = (int) clean($_REQUEST["feed_id"]);
 $sth = $this->pdo->prepare("SELECT id FROM ttrss_feeds WHERE id = ? AND owner_uid = ?");
@@ -820,10 +828,10 @@ class API extends Handler {
 }
 function subscribeToFeed() {
- $feed_url = $_REQUEST["feed_url"];
- $category_id = (int) $_REQUEST["category_id"];
- $login = $_REQUEST["login"];
- $password = $_REQUEST["password"];
+ $feed_url = clean($_REQUEST["feed_url"]);
+ $category_id = (int) clean($_REQUEST["category_id"]);
+ $login = clean($_REQUEST["login"]);
+ $password = clean($_REQUEST["password"]);
 if ($feed_url) {
 $rc = Feeds::subscribe_to_feed($feed_url, $category_id, $login, $password);
@@ -835,7 +843,7 @@ class API extends Handler {
 function getFeedTree() {
- $include_empty = sql_bool_to_bool($_REQUEST['include_empty']);
+ $include_empty = API::param_to_bool(clean($_REQUEST['include_empty']));
 $pf = new Pref_Feeds($_REQUEST);