rpc: addfeed: gets login and pass only if need_auth is checked.
authorColin Vidal <colin@cvidal.org>
Sun, 14 Jan 2018 19:55:39 +0000 (20:55 +0100)
committerColin Vidal <colin@cvidal.org>
Sun, 14 Jan 2018 19:55:39 +0000 (20:55 +0100)
Because of browser form auto-completion, the hidden login and
password fields can be filled in automatically when adding a feed. This
would enable feed authentication even if the user doesn't click the
need_auth button.

classes/rpc.php

index f8cf7a828be9bd344c3cf1febae69febc770aee7..bd4337fbe64ae8bf58729441c5ea3e026cf7b12c 100755 (executable)
@@ -97,8 +97,9 @@ class RPC extends Handler_Protected {
        function addfeed() {
                $feed = clean($_REQUEST['feed']);
                $cat = clean($_REQUEST['cat']);
-               $login = clean($_REQUEST['login']);
-               $pass = trim(clean($_REQUEST['pass']));
+               $need_auth = isset($_REQUEST['need_auth']);
+               $login = $need_auth ? clean($_REQUEST['login']) : '';
+               $pass = $need_auth ? trim(clean($_REQUEST['pass'])) : '';
 
                $rc = Feeds::subscribe_to_feed($feed, $cat, $login, $pass);
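Review bot: The new gate `isset($_REQUEST['need_auth'])` is a presence test, so any submitted value, including an empty string or `0`, still lets the autofilled login and password through to `Feeds::subscribe_to_feed()`. Whether the form omits the field when the box is unchecked is not visible in this hunk; if it can send a value in that state, the credentials would be stored just as before the change. A value check such as `$need_auth = !empty($_REQUEST['need_auth']);` at least rejects the empty and `0` cases, and comparing against the exact value the checkbox submits would be stricter still. Because `$_REQUEST` can merge several input sources depending on `request_order`, reading the flag and the credentials from the one source the form actually uses would also narrow what can switch authentication on. A short comment above the three assignments, for example `// discard browser-autofilled credentials unless the user asked for feed authentication`, would keep a later cleanup from removing the gate; the body of `addfeed()` continues outside the hunk.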