tinytinyrss/backend.php

<?php
	set_include_path(dirname(__FILE__) ."/include" . PATH_SEPARATOR .
		get_include_path());

	$op = $_REQUEST["op"];
	@$method = $_REQUEST['subop'] ? $_REQUEST['subop'] : $_REQUEST["method"];

	if (!$method)
		$method = 'index';
	else
		$method = strtolower($method);

	/* Public calls compatibility shim */

	$public_calls = array("globalUpdateFeeds", "rss", "getUnread", "getProfiles", "share");

	if (array_search($op, $public_calls) !== false) {
		header("Location: public.php?" . $_SERVER['QUERY_STRING']);
		return;
	}

	@$csrf_token = $_POST['csrf_token'];

	require_once "autoload.php";
	require_once "sessions.php";
	require_once "functions.php";
	require_once "config.php";
	require_once "db.php";
	require_once "db-prefs.php";

	startup_gettext();

	$script_started = microtime(true);

	if (!init_plugins()) return;

	header("Content-Type: text/json; charset=utf-8");

	if (ENABLE_GZIP_OUTPUT && function_exists("ob_gzhandler")) {
		ob_start("ob_gzhandler");
	}

	if (SINGLE_USER_MODE) {
		UserHelper::authenticate( "admin", null);
	}

	if ($_SESSION["uid"]) {
		if (!validate_session()) {
			header("Content-Type: text/json");
			print error_json(6);
			return;
		}
		UserHelper::load_user_plugins($_SESSION["uid"]);
	}

	$purge_intervals = array(
		0  => __("Use default"),
		-1 => __("Never purge"),
		7  => __("1 week old"),
		14 => __("2 weeks old"),
		31 => __("1 month old"),
		60 => __("2 months old"),
		90 => __("3 months old"));

	$update_intervals = array(
		0   => __("Default interval"),
		-1  => __("Disable updates"),
		15  => __("15 minutes"),
		30  => __("30 minutes"),
		60  => __("Hourly"),
		240 => __("4 hours"),
		720 => __("12 hours"),
		1440 => __("Daily"),
		10080 => __("Weekly"));

	$update_intervals_nodefault = array(
		-1  => __("Disable updates"),
		15  => __("15 minutes"),
		30  => __("30 minutes"),
		60  => __("Hourly"),
		240 => __("4 hours"),
		720 => __("12 hours"),
		1440 => __("Daily"),
		10080 => __("Weekly"));

	$access_level_names = array(
		0 => __("User"),
		5 => __("Power User"),
		10 => __("Administrator"));

	$op = str_replace("-", "_", $op);

	$override = PluginHost::getInstance()->lookup_handler($op, $method);

	if (class_exists($op) || $override) {

		if ($override) {
			$handler = $override;
		} else {
			$reflection = new ReflectionClass($op);
			$handler = $reflection->newInstanceWithoutConstructor();
		}

		if ($handler && implements_interface($handler, 'IHandler')) {
			$handler->__construct($_REQUEST);

			if (validate_csrf($csrf_token) || $handler->csrf_ignore($method)) {
				if ($handler->before($method)) {
					if ($method && method_exists($handler, $method)) {
						$reflection = new ReflectionMethod($handler, $method);

						if ($reflection->getNumberOfRequiredParameters() == 0) {
							$handler->$method();
						} else {
							header("Content-Type: text/json");
							print error_json(6);
						}
					} else {
						if (method_exists($handler, "catchall")) {
							$handler->catchall($method);
						}
					}
					$handler->after();
					return;
				} else {
					header("Content-Type: text/json");
					print error_json(6);
					return;
				}
			} else {
				header("Content-Type: text/json");
				print error_json(6);
				return;
			}
		}
	}

	header("Content-Type: text/json");
	print error_json(13);

?>
change short php tags to long ones 2006-08-19 09:04:45 +02:00			`<?php`
modify include path order (closes #514) 2012-12-09 10:41:22 +01:00			`set_include_path(dirname(__FILE__) ."/include" . PATH_SEPARATOR .`
			`get_include_path());`
overall directory tree cleanup 2011-12-11 20:59:25 +01:00
fix sharing for not logged in users 2011-10-04 12:03:16 +02:00			`$op = $_REQUEST["op"];`
add Public_Handler misc code cleanup 2011-12-13 11:49:11 +01:00			`@$method = $_REQUEST['subop'] ? $_REQUEST['subop'] : $_REQUEST["method"];`

experimental CSRF protection 2011-12-26 09:02:52 +01:00			`if (!$method)`
			`$method = 'index';`
			`else`
			`$method = strtolower($method);`

add Public_Handler misc code cleanup 2011-12-13 11:49:11 +01:00			`/* Public calls compatibility shim */`

public/logout: require valid CSRF token 2020-09-15 15:59:11 +02:00			`$public_calls = array("globalUpdateFeeds", "rss", "getUnread", "getProfiles", "share");`
add Public_Handler misc code cleanup 2011-12-13 11:49:11 +01:00
			`if (array_search($op, $public_calls) !== false) {`
			`header("Location: public.php?" . $_SERVER['QUERY_STRING']);`
			`return;`
			`}`
fix sharing for not logged in users 2011-10-04 12:03:16 +02:00
- backend: require CSRF token to be passed via POST - do not leak CSRF token via GET request in feed debugger - rework Article/redirect to use POST 2020-09-15 15:12:53 +02:00			`@$csrf_token = $_POST['csrf_token'];`
experimental CSRF protection 2011-12-26 09:02:52 +01:00
more work on singleton-based DB 2013-04-17 13:36:34 +02:00			`require_once "autoload.php";`
add Public_Handler misc code cleanup 2011-12-13 11:49:11 +01:00			`require_once "sessions.php";`
modify includes to init session before translations are applied 2013-01-04 22:28:07 +01:00			`require_once "functions.php";`
provide startup config.php value checking, report at D001 2006-03-27 18:08:51 +02:00			`require_once "config.php";`
better fatal error handling by frontend (remove error.php) 2006-03-31 07:18:55 +02:00			`require_once "db.php";`
			`require_once "db-prefs.php";`
provide startup config.php value checking, report at D001 2006-03-27 18:08:51 +02:00
config: remove ENABLE_TRANSLATIONS 2011-03-18 17:25:06 +01:00			`startup_gettext();`
no-cache fixes for safari 2007-03-02 12:34:34 +01:00
replace getmicrotime() wrapper with microtime(true) (2) 2013-02-27 19:20:14 +01:00			`$script_started = microtime(true);`
login system tweaks 2007-03-02 11:48:46 +01:00
remove $link 2013-04-17 14:23:15 +02:00			`if (!init_plugins()) return;`
implement tiny-OOP routing 2011-12-12 21:20:53 +01:00
use text/json content-type in a few more places 2013-01-12 13:02:37 +01:00			`header("Content-Type: text/json; charset=utf-8");`
automatically logout user when session expires 2005-11-19 15:46:23 +01:00
only enable ob_gzhandler if it exists 2012-03-20 11:45:43 +01:00			`if (ENABLE_GZIP_OUTPUT && function_exists("ob_gzhandler")) {`
backend/viewfeed: use JSON 2011-03-18 10:55:45 +01:00			`ob_start("ob_gzhandler");`
			`}`

backend: force login on init when in single user mode 2009-10-27 13:27:09 +01:00			`if (SINGLE_USER_MODE) {`
remove a lot of stuff from global context (functions.php), add a few helper classes instead 2020-09-22 08:04:33 +02:00			`UserHelper::authenticate( "admin", null);`
backend: force login on init when in single user mode 2009-10-27 13:27:09 +01:00			`}`

experimental support for per-user plugins (bump schema) 2012-12-24 21:45:10 +01:00			`if ($_SESSION["uid"]) {`
remove $link 2013-04-17 14:23:15 +02:00			`if (!validate_session()) {`
backend: add session validation check 2013-04-11 19:39:54 +02:00			`header("Content-Type: text/json");`
add a wrapper for standard error codes returned by backend, also add explanation to the error object if possible 2015-03-30 12:02:24 +02:00			`print error_json(6);`
backend: add session validation check 2013-04-11 19:39:54 +02:00			`return;`
			`}`
remove a lot of stuff from global context (functions.php), add a few helper classes instead 2020-09-22 08:04:33 +02:00			`UserHelper::load_user_plugins($_SESSION["uid"]);`
experimental support for per-user plugins (bump schema) 2012-12-24 21:45:10 +01:00			`}`

simplify update/purge interval selection 2006-03-20 15:30:51 +01:00			`$purge_intervals = array(`
change _() to __() (use php-gettext) 2007-03-05 09:45:38 +01:00			`0 => __("Use default"),`
			`-1 => __("Never purge"),`
purge_intervals global: set '1 week old' to mean 7 days instead of 5 (???) 2020-12-15 06:49:02 +01:00			`7 => __("1 week old"),`
change _() to __() (use php-gettext) 2007-03-05 09:45:38 +01:00			`14 => __("2 weeks old"),`
			`31 => __("1 month old"),`
			`60 => __("2 months old"),`
			`90 => __("3 months old"));`
simplify update/purge interval selection 2006-03-20 15:30:51 +01:00
			`$update_intervals = array(`
rework feed dialog layouts 2008-08-06 09:51:28 +02:00			`0 => __("Default interval"),`
change _() to __() (use php-gettext) 2007-03-05 09:45:38 +01:00			`-1 => __("Disable updates"),`
update intervals: use less broken english for a change 2015-07-15 15:39:16 +02:00			`15 => __("15 minutes"),`
			`30 => __("30 minutes"),`
pref-prefs: show default update interval as a dropdown 2010-01-20 11:20:20 +01:00			`60 => __("Hourly"),`
update intervals: use less broken english for a change 2015-07-15 15:39:16 +02:00			`240 => __("4 hours"),`
			`720 => __("12 hours"),`
pref-prefs: show default update interval as a dropdown 2010-01-20 11:20:20 +01:00			`1440 => __("Daily"),`
			`10080 => __("Weekly"));`

			`$update_intervals_nodefault = array(`
			`-1 => __("Disable updates"),`
update intervals: use less broken english for a change 2015-07-15 15:39:16 +02:00			`15 => __("15 minutes"),`
			`30 => __("30 minutes"),`
change _() to __() (use php-gettext) 2007-03-05 09:45:38 +01:00			`60 => __("Hourly"),`
update intervals: use less broken english for a change 2015-07-15 15:39:16 +02:00			`240 => __("4 hours"),`
			`720 => __("12 hours"),`
change _() to __() (use php-gettext) 2007-03-05 09:45:38 +01:00			`1440 => __("Daily"),`
			`10080 => __("Weekly"));`
simplify update/purge interval selection 2006-03-20 15:30:51 +01:00
user editor improved, some form parameter validation reimplemented for prototyped-forms 2006-05-20 16:26:00 +02:00			`$access_level_names = array(`
backend/view: use JSON instead of XML; backend: output session invalid error using JSON 2011-03-18 10:46:22 +01:00			`0 => __("User"),`
add new access level 5, show user's level in prefs 2008-04-04 05:46:51 +02:00			`5 => __("Power User"),`
change _() to __() (use php-gettext) 2007-03-05 09:45:38 +01:00			`10 => __("Administrator"));`
user editor improved, some form parameter validation reimplemented for prototyped-forms 2006-05-20 16:26:00 +02:00
add pref_feeds class 2011-12-13 06:29:22 +01:00			`$op = str_replace("-", "_", $op);`

make pluginhost a singleton 2013-04-18 10:27:34 +02:00			`$override = PluginHost::getInstance()->lookup_handler($op, $method);`
move update daemon code to common function, reorganize backend.php (patch from landure) 2008-01-26 06:33:59 +01:00
implement plugin routing masks, add example plugin 2012-12-23 20:05:51 +01:00			`if (class_exists($op) \|\| $override) {`

			`if ($override) {`
			`$handler = $override;`
			`} else {`
backend: load invoked classes via reflection so object constructor is called after it has been verified as an IHandler implementation. this should prevent a potential router vulnerability if non-IHandler autoloader-enabled class is requested by malicious authorized user and invoked class object does something insecurely in its constructor. 2019-12-20 12:39:38 +01:00			`$reflection = new ReflectionClass($op);`
			`$handler = $reflection->newInstanceWithoutConstructor();`
implement plugin routing masks, add example plugin 2012-12-23 20:05:51 +01:00			`}`

			`if ($handler && implements_interface($handler, 'IHandler')) {`
backend: load invoked classes via reflection so object constructor is called after it has been verified as an IHandler implementation. this should prevent a potential router vulnerability if non-IHandler autoloader-enabled class is requested by malicious authorized user and invoked class object does something insecurely in its constructor. 2019-12-20 12:39:38 +01:00			`$handler->__construct($_REQUEST);`

experimental CSRF protection 2011-12-26 09:02:52 +01:00			`if (validate_csrf($csrf_token) \|\| $handler->csrf_ignore($method)) {`
			`if ($handler->before($method)) {`
			`if ($method && method_exists($handler, $method)) {`
router: only allow functions without required parameters as handler methods 2020-09-22 08:34:39 +02:00			`$reflection = new ReflectionMethod($handler, $method);`

			`if ($reflection->getNumberOfRequiredParameters() == 0) {`
			`$handler->$method();`
			`} else {`
			`header("Content-Type: text/json");`
			`print error_json(6);`
			`}`
experimental new plugin system 2012-12-23 11:52:18 +01:00			`} else {`
			`if (method_exists($handler, "catchall")) {`
			`$handler->catchall($method);`
			`}`
experimental CSRF protection 2011-12-26 09:02:52 +01:00			`}`
			`$handler->after();`
			`return;`
login system fixes remove old-style session checking from backend.php move outside subscription endpoint to public.php, change subscription bookmarklet 2012-09-10 17:01:06 +02:00			`} else {`
use text/json content-type in a few more places 2013-01-12 13:02:37 +01:00			`header("Content-Type: text/json");`
add a wrapper for standard error codes returned by backend, also add explanation to the error object if possible 2015-03-30 12:02:24 +02:00			`print error_json(6);`
login system fixes remove old-style session checking from backend.php move outside subscription endpoint to public.php, change subscription bookmarklet 2012-09-10 17:01:06 +02:00			`return;`
add tiny-OOP style backend RPC 2011-12-12 20:32:29 +01:00			`}`
experimental CSRF protection 2011-12-26 09:02:52 +01:00			`} else {`
use text/json content-type in a few more places 2013-01-12 13:02:37 +01:00			`header("Content-Type: text/json");`
add a wrapper for standard error codes returned by backend, also add explanation to the error object if possible 2015-03-30 12:02:24 +02:00			`print error_json(6);`
implement tiny-OOP routing 2011-12-12 21:20:53 +01:00			`return;`
add tiny-OOP style backend RPC 2011-12-12 20:32:29 +01:00			`}`
			`}`
			`}`

use text/json content-type in a few more places 2013-01-12 13:02:37 +01:00			`header("Content-Type: text/json");`
add a wrapper for standard error codes returned by backend, also add explanation to the error object if possible 2015-03-30 12:02:24 +02:00			`print error_json(13);`
add tweet button to digest, misc digest fixes; rework article tweeting to use ajax loading of needed info 2010-11-25 10:58:29 +01:00
initial mockup 2005-08-21 12:13:10 +02:00			`?>`