From: Andrew Dolgov Date: Sat, 13 Apr 2013 14:58:09 +0000 (+0400) Subject: fix double-escaping possible with encrypted passwords X-Git-Tag: 1.7.9~25^2~229 X-Git-Url: https://git.wh0rd.org/?a=commitdiff_plain;h=41694a956d4cbe4da633a967c06908b69e942c17;p=tt-rss.git fix double-escaping possible with encrypted passwords --- diff --git a/classes/pref/feeds.php b/classes/pref/feeds.php index 4a77ed8c..c57cccc4 100644 --- a/classes/pref/feeds.php +++ b/classes/pref/feeds.php @@ -932,7 +932,7 @@ class Pref_Feeds extends Handler_Protected { $feed_ids = db_escape_string($this->link, $_POST["ids"]); /* batchEditSave */ $cat_id = (int) db_escape_string($this->link, $_POST["cat_id"]); $auth_login = db_escape_string($this->link, trim($_POST["auth_login"])); - $auth_pass = db_escape_string($this->link, trim($_POST["auth_pass"])); + $auth_pass = trim($_POST["auth_pass"]); $private = checkbox_to_sql_bool(db_escape_string($this->link, $_POST["private"])); $include_in_digest = checkbox_to_sql_bool( db_escape_string($this->link, $_POST["include_in_digest"])); @@ -954,6 +954,8 @@ class Pref_Feeds extends Handler_Protected { $auth_pass_encrypted = 'false'; } + $auth_pass = db_escape_string($this->link, $auth_pass); + if (get_pref($this->link, 'ENABLE_FEED_CATS')) { if ($cat_id && $cat_id != 0) { $category_qpart = "cat_id = '$cat_id',"; @@ -1842,7 +1844,7 @@ class Pref_Feeds extends Handler_Protected { $cat_id = db_escape_string($this->link, $_REQUEST['cat']); $feeds = explode("\n", $_REQUEST['feeds']); $login = db_escape_string($this->link, $_REQUEST['login']); - $pass = db_escape_string($this->link, $_REQUEST['pass']); + $pass = trim($_REQUEST['pass']); foreach ($feeds as $feed) { $feed = db_escape_string($this->link, trim($feed)); @@ -1869,6 +1871,8 @@ class Pref_Feeds extends Handler_Protected { $auth_pass_encrypted = 'false'; } + $pass = db_escape_string($this->link, $pass); + if (db_num_rows($result) == 0) { $result = db_query($this->link, "INSERT INTO ttrss_feeds diff --git a/classes/rpc.php b/classes/rpc.php index 508dd8d4..1569a9a3 100644 --- a/classes/rpc.php +++ b/classes/rpc.php @@ -104,7 +104,7 @@ class RPC extends Handler_Protected { $feed = db_escape_string($this->link, $_REQUEST['feed']); $cat = db_escape_string($this->link, $_REQUEST['cat']); $login = db_escape_string($this->link, $_REQUEST['login']); - $pass = db_escape_string($this->link, $_REQUEST['pass']); + $pass = trim($_REQUEST['pass']); // escaped later $rc = subscribe_to_feed($this->link, $feed, $cat, $login, $pass); diff --git a/include/functions.php b/include/functions.php index 73ed97d0..1b6b3e82 100644 --- a/include/functions.php +++ b/include/functions.php @@ -1622,6 +1622,8 @@ $auth_pass_encrypted = 'false'; } + $auth_pass = db_escape_string($this->link, $auth_pass); + if (db_num_rows($result) == 0) { $result = db_query($link, "INSERT INTO ttrss_feeds