security issue
parent
6da20812ce
commit
7dd8b5026d
@ -750,8 +750,8 @@ class Poche
|
|||||||
die(sprintf(_('User with this id (%d) does not exist.'), $user_id));
|
die(sprintf(_('User with this id (%d) does not exist.'), $user_id));
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!in_array($type, $allowed_types) || $token != $config['token']) {
|
if (!in_array($type, $allowed_types) || !isset($config['token']) || $token != $config['token']) {
|
||||||
die(_('Uh, there is a problem while generating feeds.'));
|
die(_('Uh, there is a problem while generating feed. Wrong token used?'));
|
||||||
}
|
}
|
||||||
|
|
||||||
$feed = new FeedWriter(RSS2);
|
$feed = new FeedWriter(RSS2);
|
||||||
|
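Review bot: The new guard `!isset($config['token']) || $token != $config['token']` still compares the feed secret with loose `!=`, and `isset` lets an empty stored token through. Under loose comparison two numeric-looking strings can compare equal without being identical, and a missing `token` parameter (null) compares equal to an empty stored value, so the check can pass without the caller presenting the real token. I would require a non-empty string on both sides and compare in constant time: `if (!in_array($type, $allowed_types) || empty($config['token']) || !is_string($token) || !hash_equals((string) $config['token'], $token)) {`; `hash_equals` needs PHP 5.6 or later, so older targets would fall back to `!==`. The enclosing method starts and ends outside this hunk, so how `$config` is populated is not visible here.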
83
inc/poche/Routing.class.php
Normal file → Executable file
83
inc/poche/Routing.class.php
Normal file → Executable file
@ -97,50 +97,53 @@ class Routing
|
|||||||
|
|
||||||
private function _launchAction()
|
private function _launchAction()
|
||||||
{
|
{
|
||||||
if (isset($_GET['login'])) {
|
if (isset($_GET['login'])) {
|
||||||
// hello you
|
// hello to you
|
||||||
$this->wallabag->login($this->referer);
|
$this->wallabag->login($this->referer);
|
||||||
} elseif (isset($_GET['logout'])) {
|
} elseif (isset($_GET['feed']) && isset($_GET['user_id'])) {
|
||||||
// see you soon !
|
$tag_id = (isset($_GET['tag_id']) ? intval($_GET['tag_id']) : 0);
|
||||||
$this->wallabag->logout();
|
$this->wallabag->generateFeeds($_GET['token'], filter_var($_GET['user_id'],FILTER_SANITIZE_NUMBER_INT), $tag_id, $_GET['type']);
|
||||||
} elseif (isset($_GET['config'])) {
|
}
|
||||||
// update password
|
|
||||||
$this->wallabag->updatePassword($_POST['password'], $_POST['password_repeat']);
|
//allowed ONLY to logged in user
|
||||||
} elseif (isset($_GET['newuser'])) {
|
if ( \Session::isLogged() === true )
|
||||||
$this->wallabag->createNewUser($_POST['newusername'], $_POST['password4newuser']);
|
{
|
||||||
} elseif (isset($_GET['deluser'])) {
|
if (isset($_GET['logout'])) {
|
||||||
$this->wallabag->deleteUser($_POST['password4deletinguser']);
|
// see you soon !
|
||||||
} elseif (isset($_GET['epub'])) {
|
$this->wallabag->logout();
|
||||||
$epub = new WallabagEpub($this->wallabag, $_GET['method'], $_GET['id'], $_GET['value']);
|
} elseif (isset($_GET['config'])) {
|
||||||
$epub->run();
|
// update password
|
||||||
} elseif (isset($_GET['import'])) {
|
$this->wallabag->updatePassword($_POST['password'], $_POST['password_repeat']);
|
||||||
$import = $this->wallabag->import();
|
} elseif (isset($_GET['newuser'])) {
|
||||||
$tplVars = array_merge($this->vars, $import);
|
$this->wallabag->createNewUser($_POST['newusername'], $_POST['password4newuser']);
|
||||||
} elseif (isset($_GET['download'])) {
|
} elseif (isset($_GET['deluser'])) {
|
||||||
Tools::downloadDb();
|
$this->wallabag->deleteUser($_POST['password4deletinguser']);
|
||||||
} elseif (isset($_GET['empty-cache'])) {
|
} elseif (isset($_GET['epub'])) {
|
||||||
Tools::emptyCache();
|
$epub = new WallabagEpub($this->wallabag, $_GET['method'], $_GET['id'], $_GET['value']);
|
||||||
} elseif (isset($_GET['export'])) {
|
$epub->run();
|
||||||
$this->wallabag->export();
|
} elseif (isset($_GET['import'])) {
|
||||||
} elseif (isset($_GET['updatetheme'])) {
|
$import = $this->wallabag->import();
|
||||||
$this->wallabag->tpl->updateTheme($_POST['theme']);
|
$tplVars = array_merge($this->vars, $import);
|
||||||
} elseif (isset($_GET['updatelanguage'])) {
|
} elseif (isset($_GET['download'])) {
|
||||||
$this->wallabag->language->updateLanguage($_POST['language']);
|
Tools::downloadDb();
|
||||||
} elseif (isset($_GET['uploadfile'])) {
|
} elseif (isset($_GET['empty-cache'])) {
|
||||||
$this->wallabag->uploadFile();
|
Tools::emptyCache();
|
||||||
} elseif (isset($_GET['feed'])) {
|
} elseif (isset($_GET['export'])) {
|
||||||
if (isset($_GET['action']) && $_GET['action'] == 'generate') {
|
$this->wallabag->export();
|
||||||
|
} elseif (isset($_GET['updatetheme'])) {
|
||||||
|
$this->wallabag->tpl->updateTheme($_POST['theme']);
|
||||||
|
} elseif (isset($_GET['updatelanguage'])) {
|
||||||
|
$this->wallabag->language->updateLanguage($_POST['language']);
|
||||||
|
} elseif (isset($_GET['uploadfile'])) {
|
||||||
|
$this->wallabag->uploadFile();
|
||||||
|
} elseif (isset($_GET['feed']) && isset($_GET['action']) && $_GET['action'] == 'generate') {
|
||||||
$this->wallabag->updateToken();
|
$this->wallabag->updateToken();
|
||||||
}
|
}
|
||||||
else {
|
elseif (isset($_GET['plainurl']) && !empty($_GET['plainurl'])) {
|
||||||
$tag_id = (isset($_GET['tag_id']) ? intval($_GET['tag_id']) : 0);
|
$plainUrl = new Url(base64_encode($_GET['plainurl']));
|
||||||
$this->wallabag->generateFeeds($_GET['token'], filter_var($_GET['user_id'],FILTER_SANITIZE_NUMBER_INT), $tag_id, $_GET['type']);
|
$this->wallabag->action('add', $plainUrl);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
elseif (isset($_GET['plainurl']) && !empty($_GET['plainurl'])) {
|
|
||||||
$plainUrl = new Url(base64_encode($_GET['plainurl']));
|
|
||||||
$this->wallabag->action('add', $plainUrl);
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
public function _render($file, $vars)
|
public function _render($file, $vars)
|
||||||
|
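Review bot: The feed branch that now runs before the `\Session::isLogged()` gate reads `$_GET['token']` and `$_GET['type']` without checking that they are set, and `FILTER_SANITIZE_NUMBER_INT` only strips characters (it keeps `+` and `-` and returns a string), so unauthenticated input reaches `generateFeeds()` loosely typed. Since this is the one action reachable without a session, I would tighten the condition to `} elseif (isset($_GET['feed'], $_GET['user_id'], $_GET['token'], $_GET['type'])) {` and pass `filter_var($_GET['user_id'], FILTER_VALIDATE_INT)` so a malformed id is rejected rather than cleaned up. Separately, the state-changing branches now behind the login check (`deluser`, `newuser`, `empty-cache`, `updatetheme`) are still selected by GET parameters and no per-request anti-CSRF check is visible in this hunk; it is worth confirming the called methods enforce one.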