From 800868e27ea9cb73b889537be6ff35c88fb9e443 Mon Sep 17 00:00:00 2001
From: Maryana Rozhankivska
Date: Thu, 24 Jul 2014 17:47:23 +0300
Subject: [PATCH 1/2] security fix
---
 index.php | 82 +++++++++++++++++++++++++++----------------------------
 1 file changed, 41 insertions(+), 41 deletions(-)
diff --git a/index.php b/index.php
index 481841e..2c532c0 100755
--- a/index.php
+++ b/index.php
@@ -63,54 +63,54 @@ if (! empty($notInstalledMessage)) {
 
 # poche actions
 if (isset($_GET['login'])) {
- # hello you
+ # hello to you
 $poche->login($referer);
-} elseif (isset($_GET['logout'])) {
- # see you soon !
- $poche->logout();
-} elseif (isset($_GET['config'])) {
- # Update password
- $poche->updatePassword();
-} elseif (isset($_GET['newuser'])) {
- $poche->createNewUser();
-} elseif (isset($_GET['deluser'])) {
- $poche->deleteUser();
-} elseif (isset($_GET['epub'])) {
- $poche->createEpub();
-} elseif (isset($_GET['import'])) {
- $import = $poche->import();
- $tpl_vars = array_merge($tpl_vars, $import);
-} elseif (isset($_GET['download'])) {
- Tools::download_db();
-} elseif (isset($_GET['empty-cache'])) {
- $poche->emptyCache();
-} elseif (isset($_GET['export'])) {
- $poche->export();
-} elseif (isset($_GET['updatetheme'])) {
- $poche->updateTheme();
-} elseif (isset($_GET['updatelanguage'])) {
- $poche->updateLanguage();
-} elseif (isset($_GET['uploadfile'])) {
- $poche->uploadFile();
-} elseif (isset($_GET['feed'])) {
- if (isset($_GET['action']) && $_GET['action'] == 'generate') {
- $poche->generateToken();
- }
- else {
- $tag_id = (isset($_GET['tag_id']) ? intval($_GET['tag_id']) : 0);
- $poche->generateFeeds($_GET['token'], filter_var($_GET['user_id'],FILTER_SANITIZE_NUMBER_INT), $tag_id, $_GET['type']);
- }
-}
-
-elseif (isset($_GET['plainurl']) && !empty($_GET['plainurl'])) {
- $plain_url = new Url(base64_encode($_GET['plainurl']));
- $poche->action('add', $plain_url);
+} elseif (isset($_GET['feed']) && isset($_GET['user_id'])) {
+ $tag_id = (isset($_GET['tag_id']) ? intval($_GET['tag_id']) : 0);
+ $poche->generateFeeds($_GET['token'], filter_var($_GET['user_id'],FILTER_SANITIZE_NUMBER_INT), $tag_id, $_GET['type']);
 }
 
 if (Session::isLogged()) {
+
+ if (isset($_GET['logout'])) {
+ # see you soon !
+ $poche->logout();
+ } elseif (isset($_GET['config'])) {
+ # Update password
+ $poche->updatePassword();
+ } elseif (isset($_GET['newuser'])) {
+ $poche->createNewUser();
+ } elseif (isset($_GET['deluser'])) {
+ $poche->deleteUser();
+ } elseif (isset($_GET['epub'])) {
+ $poche->createEpub();
+ } elseif (isset($_GET['import'])) {
+ $import = $poche->import();
+ $tpl_vars = array_merge($tpl_vars, $import);
+ } elseif (isset($_GET['download'])) {
+ Tools::download_db();
+ } elseif (isset($_GET['empty-cache'])) {
+ $poche->emptyCache();
+ } elseif (isset($_GET['export'])) {
+ $poche->export();
+ } elseif (isset($_GET['updatetheme'])) {
+ $poche->updateTheme();
+ } elseif (isset($_GET['updatelanguage'])) {
+ $poche->updateLanguage();
+ } elseif (isset($_GET['uploadfile'])) {
+ $poche->uploadFile();
+ } elseif (isset($_GET['feed']) && isset($_GET['action']) && $_GET['action'] == 'generate') {
+ $poche->generateToken();
+ }
+ elseif (isset($_GET['plainurl']) && !empty($_GET['plainurl'])) {
+ $plain_url = new Url(base64_encode($_GET['plainurl']));
+ $poche->action('add', $plain_url);
+ }
+
 $poche->action($action, $url, $id);
 $tpl_file = Tools::getTplFile($view);
 $tpl_vars = array_merge($tpl_vars, $poche->displayView($view, $id));
+
 } elseif(isset($_SERVER['PHP_AUTH_USER'])) {
 if($poche->store->userExists($_SERVER['PHP_AUTH_USER'])) {
 $poche->login($referer);
From 38cf3413dfe156ced4f5f3a8c792cef69e2735f7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nicolas=20L=C5=93uillet?=
Date: Thu, 24 Jul 2014 21:41:01 +0200
Subject: [PATCH 2/2] 1.7.2
---
 index.php | 68 +++++++++++++++++++++++++++----------------------------
 1 file changed, 34 insertions(+), 34 deletions(-)
diff --git a/index.php b/index.php
index 2c532c0..b2ab146 100755
--- a/index.php
+++ b/index.php
@@ -8,7 +8,7 @@
 * @license http://www.wtfpl.net/ see COPYING file
 */
 
-define ('POCHE', '1.7.1');
+define ('POCHE', '1.7.2');
 
 require 'check_setup.php';
 require_once 'inc/poche/global.inc.php';
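Review bot: The unauthenticated feed branch added at `} elseif (isset($_GET['feed']) && isset($_GET['user_id'])) {` guards only `user_id`, yet the call on the next line reads `$_GET['token']` and `$_GET['type']` unconditionally, so a request carrying `feed` and `user_id` but no token reaches `generateFeeds()` with a null token (and an undefined-index notice); tighten the guard to `} elseif (isset($_GET['feed'], $_GET['user_id'], $_GET['token'], $_GET['type'])) {` so the feed generator is only entered with a complete parameter set. The `$_GET['action'] == 'generate'` test in the relocated `generateToken()` branch uses loose comparison; `===` is the safer form. The relocated branches still perform state changes (`logout`, `deluser`, `updatePassword`, `empty-cache`) from a plain GET inside the logged-in session and this hunk shows no anti-CSRF check for them — whether the called methods verify one is not visible here, so it is worth confirming. The `if (Session::isLogged())` / `elseif (PHP_AUTH_USER)` chain continues past the end of the hunk.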
@@ -72,39 +72,39 @@ if (isset($_GET['login'])) {
 
 if (Session::isLogged()) {
 
- if (isset($_GET['logout'])) {
- # see you soon !
- $poche->logout();
- } elseif (isset($_GET['config'])) {
- # Update password
- $poche->updatePassword();
- } elseif (isset($_GET['newuser'])) {
- $poche->createNewUser();
- } elseif (isset($_GET['deluser'])) {
- $poche->deleteUser();
- } elseif (isset($_GET['epub'])) {
- $poche->createEpub();
- } elseif (isset($_GET['import'])) {
- $import = $poche->import();
- $tpl_vars = array_merge($tpl_vars, $import);
- } elseif (isset($_GET['download'])) {
- Tools::download_db();
- } elseif (isset($_GET['empty-cache'])) {
- $poche->emptyCache();
- } elseif (isset($_GET['export'])) {
- $poche->export();
- } elseif (isset($_GET['updatetheme'])) {
- $poche->updateTheme();
- } elseif (isset($_GET['updatelanguage'])) {
- $poche->updateLanguage();
- } elseif (isset($_GET['uploadfile'])) {
- $poche->uploadFile();
- } elseif (isset($_GET['feed']) && isset($_GET['action']) && $_GET['action'] == 'generate') {
- $poche->generateToken();
- }
- elseif (isset($_GET['plainurl']) && !empty($_GET['plainurl'])) {
- $plain_url = new Url(base64_encode($_GET['plainurl']));
- $poche->action('add', $plain_url);
+ if (isset($_GET['logout'])) {
+ # see you soon !
+ $poche->logout();
+ } elseif (isset($_GET['config'])) {
+ # Update password
+ $poche->updatePassword();
+ } elseif (isset($_GET['newuser'])) {
+ $poche->createNewUser();
+ } elseif (isset($_GET['deluser'])) {
+ $poche->deleteUser();
+ } elseif (isset($_GET['epub'])) {
+ $poche->createEpub();
+ } elseif (isset($_GET['import'])) {
+ $import = $poche->import();
+ $tpl_vars = array_merge($tpl_vars, $import);
+ } elseif (isset($_GET['download'])) {
+ Tools::download_db();
+ } elseif (isset($_GET['empty-cache'])) {
+ $poche->emptyCache();
+ } elseif (isset($_GET['export'])) {
+ $poche->export();
+ } elseif (isset($_GET['updatetheme'])) {
+ $poche->updateTheme();
+ } elseif (isset($_GET['updatelanguage'])) {
+ $poche->updateLanguage();
+ } elseif (isset($_GET['uploadfile'])) {
+ $poche->uploadFile();
+ } elseif (isset($_GET['feed']) && isset($_GET['action']) && $_GET['action'] == 'generate') {
+ $poche->generateToken();
+ }
+ elseif (isset($_GET['plainurl']) && !empty($_GET['plainurl'])) {
+ $plain_url = new Url(base64_encode($_GET['plainurl']));
+ $poche->action('add', $plain_url);
 }
 
 $poche->action($action, $url, $id);