prevent session modification in public/share
authorAndrew Dolgov <fox@madoka.volgo-balt.ru>
Thu, 7 Jun 2012 06:09:07 +0000 (10:09 +0400)
committerAndrew Dolgov <fox@madoka.volgo-balt.ru>
Thu, 7 Jun 2012 06:09:16 +0000 (10:09 +0400)
classes/public_handler.php
include/functions.php

index 7db341458bc89bcdd22e6f3c524563212ad12c6b..51ba48fed75d6312cb4c17da028ee694645c65ef 100644 (file)
@@ -256,9 +256,7 @@ class Public_Handler extends Handler {
                        $id = db_fetch_result($result, 0, "ref_id");
                        $owner_uid = db_fetch_result($result, 0, "owner_uid");
 
-                       $_SESSION["uid"] = $owner_uid;
-                       $article = format_article($this->link, $id, false, true);
-                       $_SESSION["uid"] = "";
+                       $article = format_article($this->link, $id, false, true, $owner_uid);
 
                        print_r($article['content']);
 
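Review bot: `$owner_uid` is passed to format_article() exactly as db_fetch_result() returned it, and format_article() interpolates that value unquoted into its `owner_uid = $owner_uid` SQL clauses (see include/functions.php in this commit), so it should be normalised before it leaves this handler: `$article = format_article($this->link, $id, false, true, (int) $owner_uid);`. The new `if (!$owner_uid)` fallback in format_article() also means an empty or zero value here silently reverts to `$_SESSION["uid"]`, which is the session coupling this commit sets out to remove, and in this public handler that key may not be set at all; the cast, together with a db_num_rows() check before the fetch (the surrounding code is outside the hunk), would fail closed instead. The enclosing method starts and ends outside the hunk.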
index 5eb5b97af591e4e1a2e351c313a6f7e440f06d62..3ad438d866f0d5862c8398783ee5bef07b61fad7 100644 (file)
 
                        if ($tag_cache === false) {
                                $result = db_query($link, "SELECT tag_cache FROM ttrss_user_entries
-                                       WHERE ref_id = '$id' AND owner_uid = " . $_SESSION["uid"]);
+                                       WHERE ref_id = '$id' AND owner_uid = $owner_uid");
 
                                $tag_cache = db_fetch_result($result, 0, "tag_cache");
                        }
 
                                db_query($link, "UPDATE ttrss_user_entries
                                        SET tag_cache = '$tags_str' WHERE ref_id = '$id'
-                                       AND owner_uid = " . $_SESSION["uid"]);
+                                       AND owner_uid = $owner_uid");
                        }
 
                        if ($memcache) $memcache->add($obj_id, $tags, 0, 3600);
                return $entry;
        }
 
-       function format_article($link, $id, $mark_as_read = true, $zoom_mode = false) {
+       function format_article($link, $id, $mark_as_read = true, $zoom_mode = false, $owner_uid = false) {
+
+               if (!$owner_uid) $owner_uid = $_SESSION["uid"];
 
                $rv = array();
 
                //if (!$zoom_mode) { print "<article id='$id'><![CDATA["; };
 
                $result = db_query($link, "SELECT rtl_content, always_display_enclosures FROM ttrss_feeds
-                       WHERE id = '$feed_id' AND owner_uid = " . $_SESSION["uid"]);
+                       WHERE id = '$feed_id' AND owner_uid = $owner_uid");
 
                if (db_num_rows($result) == 1) {
                        $rtl_content = sql_bool_to_bool(db_fetch_result($result, 0, "rtl_content"));
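Review bot: The new fallback `if (!$owner_uid) $owner_uid = $_SESSION["uid"];` takes whatever the caller passed without normalising it, and the value is then interpolated unquoted into the ttrss_feeds SELECT at the bottom of this hunk, into the three queries of the next hunk (mark-as-read UPDATE, ccache_update(), the entry SELECT) and into the two get_article_tags() queries in the hunks above. Now that `$owner_uid` is an ordinary parameter rather than a session value, coerce it at the boundary: `if (!$owner_uid) $owner_uid = isset($_SESSION["uid"]) ? $_SESSION["uid"] : 0;` followed by `$owner_uid = (int) $owner_uid;` — this also turns the former `owner_uid = ` syntax error (the public handler used to leave the session uid as "") into a non-matching `owner_uid = 0`, and avoids an undefined-index notice when no session exists. Separately, `$feed_id` in that same SELECT is not assigned anywhere in the visible lines of format_article(); if that holds in the full file the query runs with an empty id, which is pre-existing rather than introduced here. format_article() continues beyond this hunk.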
                if ($mark_as_read) {
                        $result = db_query($link, "UPDATE ttrss_user_entries
                                SET unread = false,last_read = NOW()
-                               WHERE ref_id = '$id' AND owner_uid = " . $_SESSION["uid"]);
+                               WHERE ref_id = '$id' AND owner_uid = $owner_uid");
 
-                       ccache_update($link, $feed_id, $_SESSION["uid"]);
+                       ccache_update($link, $feed_id, $owner_uid);
                }
 
                $result = db_query($link, "SELECT title,link,content,feed_id,comments,int_id,
                        orig_feed_id,
                        note
                        FROM ttrss_entries,ttrss_user_entries
-                       WHERE   id = '$id' AND ref_id = id AND owner_uid = " . $_SESSION["uid"]);
+                       WHERE   id = '$id' AND ref_id = id AND owner_uid = $owner_uid");
 
                if ($result) {
 
                        }
 
                        $parsed_updated = make_local_datetime($link, $line["updated"], true,
-                               false, true);
+                               $owner_uid, true);
 
                        $rv['content'] .= "<div class=\"postDate$rtl_class\">$parsed_updated</div>";
 
                        $tag_cache = $line["tag_cache"];
 
                        if (!$tag_cache)
-                               $tags = get_article_tags($link, $id);
+                               $tags = get_article_tags($link, $id, $owner_uid);
                        else
                                $tags = explode(",", $tag_cache);
 
 
                        $rv['content'] .= "<div class=\"postContent\">";
 
-                       $article_content = sanitize($link, $line["content"], false, false,
+                       $article_content = sanitize($link, $line["content"], false, $owner_uid,
                                $feed_site_url);
 
                        $rv['content'] .= $article_content;