diff --git a/inc/3rdparty/PicoFarad/Request.php b/inc/3rdparty/PicoFarad/Request.php new file mode 100644 index 0000000..46c82bc --- /dev/null +++ b/inc/3rdparty/PicoFarad/Request.php @@ -0,0 +1,78 @@ + $_FILES[$field]['name'], + 'mimetype' => $_FILES[$field]['type'], + 'size' => $_FILES[$field]['size'], + ); + } + + return false; +} + + +function file_move($field, $destination) +{ + if (isset($_FILES[$field]) && ! file_exists($destination)) { + @mkdir(dirname($destination), 0777, true); + move_uploaded_file($_FILES[$field]['tmp_name'], $destination); + } +} \ No newline at end of file diff --git a/inc/3rdparty/PicoFarad/Response.php b/inc/3rdparty/PicoFarad/Response.php new file mode 100644 index 0000000..9114fde --- /dev/null +++ b/inc/3rdparty/PicoFarad/Response.php @@ -0,0 +1,156 @@ + $hosts) { + + if (is_array($hosts)) { + + $acl = ''; + + foreach ($hosts as &$host) { + + if ($host === '*' || $host === 'self' || strpos($host, 'http') === 0) { + $acl .= $host.' '; + } + } + } + else { + + $acl = $hosts; + } + + $values .= $policy.' '.trim($acl).'; '; + } + + header('Content-Security-Policy: '.$values); +} + + +function nosniff() +{ + header('X-Content-Type-Options: nosniff'); +} + + +function xss() +{ + header('X-XSS-Protection: 1; mode=block'); +} + + +function hsts() +{ + header('Strict-Transport-Security: max-age=31536000'); +} + + +function xframe($mode = 'DENY', array $urls = array()) +{ + header('X-Frame-Options: '.$mode.' '.implode(' ', $urls)); +} \ No newline at end of file diff --git a/inc/3rdparty/PicoFarad/Router.php b/inc/3rdparty/PicoFarad/Router.php new file mode 100644 index 0000000..b62b8e2 --- /dev/null +++ b/inc/3rdparty/PicoFarad/Router.php 
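Review bot: `file_move` creates the target directory with `@mkdir(dirname($destination), 0777, true)` and discards the return value of `move_uploaded_file`, so a failed move is invisible to the caller and, under a permissive umask, the directory is created world-writable; the `@` also hides why `mkdir` failed. The opening lines of this hunk are garbled in this view, so the helper that returns `name`/`mimetype`/`size` is only partly visible, but `$_FILES[$field]['type']` there is the MIME type as sent by the client and should not be relied on as verified. A tighter `file_move` that reports the outcome:
```php
function file_move($field, $destination)
{
    if (! isset($_FILES[$field]) || file_exists($destination)) {
        return false;
    }

    $directory = dirname($destination);

    // 0755 instead of 0777: nobody but the web user needs to write here
    if (! is_dir($directory) && ! mkdir($directory, 0755, true)) {
        return false;
    }

    return move_uploaded_file($_FILES[$field]['tmp_name'], $destination);
}
```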
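Review bot: In `csp()` the keyword comparison `$host === 'self'` matches the bare PHP string `self`, which is then emitted unquoted into the header; the CSP keyword must appear as `'self'` with single quotes, and a configuration that already passes `"'self'"` is dropped by the filter instead, so either way the directive does not do what the author intends — `$acl .= ($host === 'self') ? "'self' " : $host.' ';` fixes the emitted form. The same filter silently discards any source that is not `*`, `self` or `http…`-prefixed (for example `data:`), so a misconfigured policy degrades without any signal; rejecting unknown values loudly would be safer. The inner loop also iterates `foreach ($hosts as &$host)` without releasing the reference afterwards; add `unset($host);` after that loop, or iterate by value since `$host` is never written. The start of the function, including its default policy list, is garbled in this view, so I cannot confirm the defaults.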
@@ -0,0 +1,157 @@ + 'value']); +function load() +{ + if (func_num_args() < 1 || func_num_args() > 2) { + die('Invalid template arguments'); + } + + if (! file_exists(PATH.func_get_arg(0).'.php')) { + die('Unable to load the template: "'.func_get_arg(0).'"'); + } + + if (func_num_args() === 2) { + + if (! is_array(func_get_arg(1))) { + die('Template variables must be an array'); + } + + extract(func_get_arg(1)); + } + + ob_start(); + include PATH.func_get_arg(0).'.php'; + return ob_get_clean(); +} + + +function layout($template_name, array $template_args = array(), $layout_name = 'layout') +{ + return load($layout_name, $template_args + array('content_for_layout' => load($template_name, $template_args))); +} diff --git a/inc/poche/Database.class.php b/inc/poche/Database.class.php index 9c1c028..8d74f2f 100755 --- a/inc/poche/Database.class.php +++ b/inc/poche/Database.class.php @@ -9,6 +9,7 @@ */ class Database { + var $handle; private $order = array( 'ia' => 'ORDER BY entries.id', @@ -42,11 +43,13 @@ class Database { Tools::logm('storage type ' . STORAGE); } - private function getHandle() { + private function getHandle() + { return $this->handle; } - private function _checkTags() { + private function _checkTags() + { if (STORAGE == 'sqlite') { $sql = ' @@ -110,7 +113,8 @@ class Database { $query = $this->executeQuery($sql, array()); } - public function install($login, $password) { + public function install($login, $password) + { $sql = 'INSERT INTO users ( username, password, name, email) VALUES (?, ?, ?, ?)'; $params = array($login, $password, $login, ' '); $query = $this->executeQuery($sql, $params); @@ -137,7 +141,8 @@ class Database { return TRUE; } - public function getConfigUser($id) { + public function getConfigUser($id) + { $sql = "SELECT * FROM users_config WHERE user_id = ?"; $query = $this->executeQuery($sql, array($id)); $result = $query->fetchAll(); 
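Review bot: `load()` builds `PATH.func_get_arg(0).'.php'` for both `file_exists` and `include` with no validation of the template name, so a name containing `..` would read a file outside the template directory if it ever reaches this helper from request data, and both `die()` messages echo that raw name into the response. Callers are not in this hunk, so this may be safe today, but the helper should enforce it itself, e.g. `if (! preg_match('/^[A-Za-z0-9_\/-]+$/', $name)) { die('Invalid template name'); }` before the `file_exists` check. An explicit signature `function load($name, array $vars = array())` would also replace the three `func_num_args`/`func_get_arg` checks and let the engine reject a non-array second argument. Note that the file header says Router.php while the visible functions (`load`, `layout`) read like template helpers, and the hunk's opening lines are garbled here, so the enclosing context may be missing.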
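Review bot: `var $handle;` declares the database handle as a public property (`var` is the pre-PHP 5 spelling of `public`), while the accessor `getHandle()` in the following hunk stays `private`; nothing in this diff reads `$handle` from outside the class, so `private $handle;` keeps the connection encapsulated and consistent with the accessor. Exposing the raw handle invites callers to bypass `executeQuery()` and its parameter binding. If another file in this commit does need the handle, a dedicated getter documents that access better than a public field.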
@@ -150,7 +155,8 @@ class Database { return $user_config; } - public function userExists($username) { + public function userExists($username) + { $sql = "SELECT * FROM users WHERE username=?"; $query = $this->executeQuery($sql, array($username)); $login = $query->fetchAll(); @@ -161,7 +167,8 @@ class Database { } } - public function login($username, $password, $isauthenticated=false) { + public function login($username, $password, $isauthenticated = FALSE) + { if ($isauthenticated) { $sql = "SELECT * FROM users WHERE username=?"; $query = $this->executeQuery($sql, array($username)); @@ -191,7 +198,8 @@ class Database { $query = $this->executeQuery($sql_update, $params_update); } - public function updateUserConfig($userId, $key, $value) { + public function updateUserConfig($userId, $key, $value) + { $config = $this->getConfigUser($userId); if (! isset($config[$key])) { @@ -205,7 +213,8 @@ class Database { $query = $this->executeQuery($sql, $params); } - private function executeQuery($sql, $params) { + private function executeQuery($sql, $params) + { try { $query = $this->getHandle()->prepare($sql); 
@@ -219,28 +228,32 @@ class Database { } } - public function listUsers($username=null) { + public function listUsers($username = NULL) + { $sql = 'SELECT count(*) FROM users'.( $username ? ' WHERE username=?' : ''); $query = $this->executeQuery($sql, ( $username ? array($username) : array())); list($count) = $query->fetch(); return $count; } - public function getUserPassword($userID) { + public function getUserPassword($userID) + { $sql = "SELECT * FROM users WHERE id=?"; $query = $this->executeQuery($sql, array($userID)); $password = $query->fetchAll(); return isset($password[0]['password']) ? $password[0]['password'] : null; } - public function deleteUserConfig($userID) { + public function deleteUserConfig($userID) + { $sql_action = 'DELETE from users_config WHERE user_id=?'; $params_action = array($userID); $query = $this->executeQuery($sql_action, $params_action); return $query; } - public function deleteTagsEntriesAndEntries($userID) { + public function deleteTagsEntriesAndEntries($userID) + { $entries = $this->retrieveAll($userID); foreach($entries as $entryid) { $tags = $this->retrieveTagsByEntry($entryid); @@ -251,20 +264,23 @@ class Database { } } - public function deleteUser($userID) { + public function deleteUser($userID) + { $sql_action = 'DELETE from users WHERE id=?'; $params_action = array($userID); $query = $this->executeQuery($sql_action, $params_action); } - public function updateContentAndTitle($id, $title, $body, $user_id) { + public function updateContentAndTitle($id, $title, $body, $user_id) + { $sql_action = 'UPDATE entries SET content = ?, title = ? WHERE id=? AND user_id=?'; $params_action = array($body, $title, $id, $user_id); $query = $this->executeQuery($sql_action, $params_action); return $query; } - public function retrieveUnfetchedEntries($user_id, $limit) { + public function retrieveUnfetchedEntries($user_id, $limit) + { $sql_limit = "LIMIT 0,".$limit; if (STORAGE == 'postgres') { 
@@ -278,7 +294,8 @@ class Database { return $entries; } - public function retrieveUnfetchedEntriesCount($user_id) { + public function retrieveUnfetchedEntriesCount($user_id) + { $sql = "SELECT count(*) FROM entries WHERE (content = '' OR content IS NULL) AND title LIKE 'Untitled - Import%' AND user_id=?"; $query = $this->executeQuery($sql, array($user_id)); list($count) = $query->fetch(); @@ -286,7 +303,8 @@ class Database { return $count; } - public function retrieveAll($user_id) { + public function retrieveAll($user_id) + { $sql = "SELECT * FROM entries WHERE user_id=? ORDER BY id"; $query = $this->executeQuery($sql, array($user_id)); $entries = $query->fetchAll(); @@ -294,7 +312,8 @@ class Database { return $entries; } - public function retrieveOneById($id, $user_id) { + public function retrieveOneById($id, $user_id) + { $entry = NULL; $sql = "SELECT * FROM entries WHERE id=? AND user_id=?"; $params = array(intval($id), $user_id); @@ -304,7 +323,8 @@ class Database { return isset($entry[0]) ? $entry[0] : null; } - public function retrieveOneByURL($url, $user_id) { + public function retrieveOneByURL($url, $user_id) + { $entry = NULL; $sql = "SELECT * FROM entries WHERE url=? AND user_id=?"; $params = array($url, $user_id); @@ -314,13 +334,15 @@ class Database { return isset($entry[0]) ? $entry[0] : null; } - public function reassignTags($old_entry_id, $new_entry_id) { + public function reassignTags($old_entry_id, $new_entry_id) + { $sql = "UPDATE tags_entries SET entry_id=? WHERE entry_id=?"; $params = array($new_entry_id, $old_entry_id); $query = $this->executeQuery($sql, $params); } - public function getEntriesByView($view, $user_id, $limit = '', $tag_id = 0) { + public function getEntriesByView($view, $user_id, $limit = '', $tag_id = 0) + { switch ($view) { case 'archive': $sql = "SELECT * FROM entries WHERE user_id=? AND is_read=? "; 
@@ -348,9 +370,10 @@ class Database { $entries = $query->fetchAll(); return $entries; - } + } - public function getEntriesByViewCount($view, $user_id, $tag_id = 0) { + public function getEntriesByViewCount($view, $user_id, $tag_id = 0) + { switch ($view) { case 'archive': $sql = "SELECT count(*) FROM entries WHERE user_id=? AND is_read=? "; @@ -378,7 +401,8 @@ class Database { return $count; } - public function updateContent($id, $content, $user_id) { + public function updateContent($id, $content, $user_id) + { $sql_action = 'UPDATE entries SET content = ? WHERE id=? AND user_id=?'; $params_action = array($content, $id, $user_id); $query = $this->executeQuery($sql_action, $params_action); @@ -393,7 +417,8 @@ class Database { * @param integer $user_id * @return integer $id of inserted record */ - public function add($url, $title, $content, $user_id, $isFavorite=0, $isRead=0) { + public function add($url, $title, $content, $user_id, $isFavorite=0, $isRead=0) + { $sql_action = 'INSERT INTO entries ( url, title, content, user_id, is_fav, is_read ) VALUES (?, ?, ?, ?, ?, ?)'; $params_action = array($url, $title, $content, $user_id, $isFavorite, $isRead); 
@@ -406,36 +431,42 @@ class Database { return $id; } - public function deleteById($id, $user_id) { + public function deleteById($id, $user_id) + { $sql_action = "DELETE FROM entries WHERE id=? AND user_id=?"; $params_action = array($id, $user_id); $query = $this->executeQuery($sql_action, $params_action); return $query; } - public function favoriteById($id, $user_id) { + public function favoriteById($id, $user_id) + { $sql_action = "UPDATE entries SET is_fav=NOT is_fav WHERE id=? AND user_id=?"; $params_action = array($id, $user_id); $query = $this->executeQuery($sql_action, $params_action); } - public function archiveById($id, $user_id) { + public function archiveById($id, $user_id) + { $sql_action = "UPDATE entries SET is_read=NOT is_read WHERE id=? AND user_id=?"; $params_action = array($id, $user_id); $query = $this->executeQuery($sql_action, $params_action); } - public function archiveAll($user_id) { + public function archiveAll($user_id) + { $sql_action = "UPDATE entries SET is_read=? WHERE user_id=? AND is_read=?"; $params_action = array($user_id, 1, 0); $query = $this->executeQuery($sql_action, $params_action); } - public function getLastId($column = '') { + public function getLastId($column = '') + { return $this->getHandle()->lastInsertId($column); } - public function search($term, $user_id, $limit = '') { + public function search($term, $user_id, $limit = '') + { $search = '%'.$term.'%'; $sql_action = "SELECT * FROM entries WHERE user_id=? AND (content LIKE ? OR title LIKE ? OR url LIKE ?) "; //searches in content, title and URL $sql_action .= $this->getEntriesOrder().' ' . $limit; @@ -444,7 +475,8 @@ class Database { return $query->fetchAll(); } - public function retrieveAllTags($user_id, $term = null) { + public function retrieveAllTags($user_id, $term = NULL) + { $sql = "SELECT DISTINCT tags.*, count(entries.id) AS entriescount FROM tags LEFT JOIN tags_entries ON tags_entries.tag_id=tags.id LEFT JOIN entries ON tags_entries.entry_id=entries.id 
@@ -458,7 +490,8 @@ class Database { return $tags; } - public function retrieveTag($id, $user_id) { + public function retrieveTag($id, $user_id) + { $tag = NULL; $sql = "SELECT DISTINCT tags.* FROM tags LEFT JOIN tags_entries ON tags_entries.tag_id=tags.id @@ -468,10 +501,11 @@ class Database { $query = $this->executeQuery($sql, $params); $tag = $query->fetchAll(); - return isset($tag[0]) ? $tag[0] : null; + return isset($tag[0]) ? $tag[0] : NULL; } - public function retrieveEntriesByTag($tag_id, $user_id) { + public function retrieveEntriesByTag($tag_id, $user_id) + { $sql = "SELECT entries.* FROM entries LEFT JOIN tags_entries ON tags_entries.entry_id=entries.id @@ -482,7 +516,8 @@ class Database { return $entries; } - public function retrieveTagsByEntry($entry_id) { + public function retrieveTagsByEntry($entry_id) + { $sql = "SELECT tags.* FROM tags LEFT JOIN tags_entries ON tags_entries.tag_id=tags.id @@ -493,14 +528,16 @@ class Database { return $tags; } - public function removeTagForEntry($entry_id, $tag_id) { + public function removeTagForEntry($entry_id, $tag_id) + { $sql_action = "DELETE FROM tags_entries WHERE tag_id=? AND entry_id=?"; $params_action = array($tag_id, $entry_id); $query = $this->executeQuery($sql_action, $params_action); return $query; } - public function cleanUnusedTag($tag_id) { + public function cleanUnusedTag($tag_id) + { $sql_action = "SELECT tags.* FROM tags JOIN tags_entries ON tags_entries.tag_id=tags.id WHERE tags.id=?"; $query = $this->executeQuery($sql_action,array($tag_id)); $tagstokeep = $query->fetchAll(); @@ -519,7 +556,8 @@ class Database { } - public function retrieveTagByValue($value) { + public function retrieveTagByValue($value) + { $tag = NULL; $sql = "SELECT * FROM tags WHERE value=?"; $params = array($value); 
@@ -529,27 +567,29 @@ class Database { return isset($tag[0]) ? $tag[0] : null; } - public function createTag($value) { + public function createTag($value) + { $sql_action = 'INSERT INTO tags ( value ) VALUES (?)'; $params_action = array($value); $query = $this->executeQuery($sql_action, $params_action); return $query; } - public function setTagToEntry($tag_id, $entry_id) { + public function setTagToEntry($tag_id, $entry_id) + { $sql_action = 'INSERT INTO tags_entries ( tag_id, entry_id ) VALUES (?, ?)'; $params_action = array($tag_id, $entry_id); $query = $this->executeQuery($sql_action, $params_action); return $query; } - private function getEntriesOrder() { - if (isset($_SESSION['sort']) and array_key_exists($_SESSION['sort'], $this->order)) { - return $this->order[$_SESSION['sort']]; - } - else { - return $this->order['default']; - } + private function getEntriesOrder() + { + if (isset($_SESSION['sort']) and array_key_exists($_SESSION['sort'], $this->order)) { + return $this->order[$_SESSION['sort']]; } - + else { + return $this->order['default']; + } + } } diff --git a/inc/poche/Routing.class.php b/inc/poche/Routing.class.php index 7e259c2..6e2c046 100644 --- a/inc/poche/Routing.class.php +++ b/inc/poche/Routing.class.php @@ -11,8 +11,8 @@ class Routing { protected $wallabag; - protected $referer; - protected $view; + public $referer; + public $view; protected $action; protected $id; protected $url; @@ -55,7 +55,7 @@ class Routing # because messages can be added in $poche->action(), we have to add this entry now (we can add it before) $this->vars = array_merge($this->vars, array('messages' => $this->wallabag->messages->display('all', FALSE))); - $this->_render($this->file, $this->vars); + $this->render($this->file, $this->vars); } private function _defineTplInformation() @@ -142,7 +142,7 @@ class Routing } } - private function _render($file, $vars) + public function render($file, $vars) { echo $this->wallabag->tpl->render($file, $vars); } 
diff --git a/inc/poche/global.inc.php b/inc/poche/global.inc.php index 2c22c01..9d710b6 100755 --- a/inc/poche/global.inc.php +++ b/inc/poche/global.inc.php @@ -40,6 +40,12 @@ require_once INCLUDES . '/3rdparty/libraries/PHPePub/Logger.php'; require_once INCLUDES . '/3rdparty/libraries/PHPePub/EPub.php'; require_once INCLUDES . '/3rdparty/libraries/PHPePub/EPubChapterSplitter.php'; +require_once INCLUDES . '/3rdparty/PicoFarad/Request.php'; +require_once INCLUDES . '/3rdparty/PicoFarad/Response.php'; +require_once INCLUDES . '/3rdparty/PicoFarad/Router.php'; +require_once INCLUDES . '/3rdparty/PicoFarad/Session.php'; +require_once INCLUDES . '/3rdparty/PicoFarad/Template.php'; + # system configuration; database credentials et caetera require_once INCLUDES . '/poche/config.inc.php'; require_once INCLUDES . '/poche/config.inc.default.php'; @@ -50,4 +56,15 @@ if (DOWNLOAD_PICTURES) { if (!ini_get('date.timezone') || !@date_default_timezone_set(ini_get('date.timezone'))) { date_default_timezone_set('UTC'); -} \ No newline at end of file +} + +if (defined('ERROR_REPORTING')) { + error_reporting(ERROR_REPORTING); +} + +// Start session +Session::$sessionName = 'wallabag'; +Session::init(); + +// Let's rock ! +$wallabag = new Poche(); diff --git a/index.php b/index.php index 825e9d5..6f19051 100755 --- a/index.php +++ b/index.php 
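Review bot: The second hunk moves side effects — `error_reporting(...)`, `Session::init()` and `$wallabag = new Poche()` — into an include that previously only loaded dependencies and set the timezone, so every script that requires `global.inc.php` now starts a session and constructs the application whether it needs to or not. The session is additionally opened by the `Session\open(...)` call in the new `index.php` `before` hook; if `PicoFarad\Session\open` calls `session_start()` itself, the second start is a notice and the two cookie configurations may disagree — confirm against `Session.php`, which is not in this view. If the bootstrap is meant to live here, a comment at the top of the new block stating it, e.g. `// Bootstrap: from here on this file has side effects (session start, Poche instance)`, would stop the next reader from treating it as a pure include.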
@@ -12,14 +12,56 @@ define ('POCHE', '1.8.0'); require 'check_setup.php'; require_once 'inc/poche/global.inc.php'; -if (defined('ERROR_REPORTING')) { - error_reporting(ERROR_REPORTING); -} -// Start session -Session::$sessionName = 'wallabag'; -Session::init(); +use PicoFarad\Router; +use PicoFarad\Response; +use PicoFarad\Request; +use PicoFarad\Session; -// Let's rock ! -$wallabag = new Poche(); -$wallabag->run(); +// Called before each action +Router\before(function($action) { + + // Open a session only for the specified directory + Session\open(dirname($_SERVER['PHP_SELF'])); + + // HTTP secure headers + Response\csp(); + Response\xframe(); + Response\xss(); + Response\nosniff(); +}); + +// Show help +Router\get_action('unread', function() use ($wallabag) { + $view = 'home'; + $id = 0; + + $tpl_vars = array( + 'referer' => $wallabag->routing->referer, + 'view' => $wallabag->routing->view, + 'poche_url' => Tools::getPocheUrl(), + 'title' => _('wallabag, a read it later open source system'), + 'token' => \Session::getToken(), + 'theme' => $wallabag->tpl->getTheme(), + 'entries' => '', + 'page_links' => '', + 'nb_results' => '', + 'listmode' => (isset($_COOKIE['listmode']) ? true : false), + ); + + $count = $wallabag->store->getEntriesByViewCount($view, $wallabag->user->getId(), $id); + + if ($count > 0) { + $wallabag->pagination->set_total($count); + $page_links = str_replace(array('previous', 'next'), array(_('previous'), _('next')), + $wallabag->pagination->page_links('?view=' . $view . '&sort=' . $_SESSION['sort'] . (($id)?'&id='.$id:'') . '&' )); + $tpl_vars['entries'] = $wallabag->store->getEntriesByView($view, $wallabag->user->getId(), $wallabag->pagination->get_limit(), $id); + $tpl_vars['page_links'] = $page_links; + $tpl_vars['nb_results'] = $count; + } + + $wallabag->routing->render('home.twig', $tpl_vars); + + Tools::logm('display ' . $view . ' view'); + +});
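Review bot: The `before` hook scopes the session with `dirname($_SERVER['PHP_SELF'])`; `PHP_SELF` carries any path-info suffix the client appends (`/index.php/anything`), so a crafted URL changes the directory the session cookie is scoped to, whereas `$_SERVER['SCRIPT_NAME']` reflects only the executed script: `Session\open(dirname($_SERVER['SCRIPT_NAME']));`. In the `unread` action, `$_SESSION['sort']` is concatenated into the pagination URL without an `isset` guard, and the `// Show help` comment above `get_action('unread', ...)` does not describe what follows. The closure relies on `$wallabag` being created by `global.inc.php`, so a one-line comment at the `use ($wallabag)` site naming where it comes from would help; `(isset($_COOKIE['listmode']) ? true : false)` can simply be `isset($_COOKIE['listmode'])`. The call that dispatches the router is not in this hunk, so it may sit outside the visible range.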