prevent session modification in public/share
This commit is contained in:
parent
76428e4b02
commit
64436e1039
|
@ -256,9 +256,7 @@ class Public_Handler extends Handler {
|
||||||
$id = db_fetch_result($result, 0, "ref_id");
|
$id = db_fetch_result($result, 0, "ref_id");
|
||||||
$owner_uid = db_fetch_result($result, 0, "owner_uid");
|
$owner_uid = db_fetch_result($result, 0, "owner_uid");
|
||||||
|
|
||||||
$_SESSION["uid"] = $owner_uid;
|
$article = format_article($this->link, $id, false, true, $owner_uid);
|
||||||
$article = format_article($this->link, $id, false, true);
|
|
||||||
$_SESSION["uid"] = "";
|
|
||||||
|
|
||||||
print_r($article['content']);
|
print_r($article['content']);
|
||||||
|
|
||||||
|
|
|
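Review bot: The share method this hunk belongs to starts outside the hunk, and nothing at the call site on line 26 records why `$owner_uid` is now passed explicitly; a one-line comment would stop the next maintainer from reintroducing the session swap: `// render as the article owner without touching the viewer's session`. `$owner_uid` is taken straight from `db_fetch_result` on line 18 and format_article interpolates it into SQL, so narrowing it at this boundary, `$owner_uid = (int) db_fetch_result($result, 0, "owner_uid");`, makes the new trust path explicit. The positional `false, true` arguments are hard to read at a glance; a trailing `// mark_as_read = false, zoom_mode = true` would help.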
@ -3102,7 +3102,7 @@
|
||||||
|
|
||||||
if ($tag_cache === false) {
|
if ($tag_cache === false) {
|
||||||
$result = db_query($link, "SELECT tag_cache FROM ttrss_user_entries
|
$result = db_query($link, "SELECT tag_cache FROM ttrss_user_entries
|
||||||
WHERE ref_id = '$id' AND owner_uid = " . $_SESSION["uid"]);
|
WHERE ref_id = '$id' AND owner_uid = $owner_uid");
|
||||||
|
|
||||||
$tag_cache = db_fetch_result($result, 0, "tag_cache");
|
$tag_cache = db_fetch_result($result, 0, "tag_cache");
|
||||||
}
|
}
|
||||||
|
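Review bot: `$owner_uid` is interpolated unquoted into the SELECT on line 69 but is defined outside this hunk, presumably as a new parameter of the enclosing function added elsewhere in the commit, so the query now trusts whatever the caller passes where it previously trusted the session. The same interpolation appears in the 3125, 3270, 3291 and 3306 hunks; a single cast at the function entry, `$owner_uid = (int) $owner_uid;`, or at the one entry point format_article, would cover all of them. If the memcache key `$obj_id` on line 117 is built from `$id` alone, the cached tag list is not keyed per owner, which cannot be confirmed from this hunk but is worth checking now that the owner is caller-supplied.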
@ -3125,7 +3125,7 @@
|
||||||
|
|
||||||
db_query($link, "UPDATE ttrss_user_entries
|
db_query($link, "UPDATE ttrss_user_entries
|
||||||
SET tag_cache = '$tags_str' WHERE ref_id = '$id'
|
SET tag_cache = '$tags_str' WHERE ref_id = '$id'
|
||||||
AND owner_uid = " . $_SESSION["uid"]);
|
AND owner_uid = $owner_uid");
|
||||||
}
|
}
|
||||||
|
|
||||||
if ($memcache) $memcache->add($obj_id, $tags, 0, 3600);
|
if ($memcache) $memcache->add($obj_id, $tags, 0, 3600);
|
||||||
|
@ -3251,7 +3251,9 @@
|
||||||
return $entry;
|
return $entry;
|
||||||
}
|
}
|
||||||
|
|
||||||
function format_article($link, $id, $mark_as_read = true, $zoom_mode = false) {
|
function format_article($link, $id, $mark_as_read = true, $zoom_mode = false, $owner_uid = false) {
|
||||||
|
|
||||||
|
if (!$owner_uid) $owner_uid = $_SESSION["uid"];
|
||||||
|
|
||||||
$rv = array();
|
$rv = array();
|
||||||
|
|
||||||
|
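Review bot: `if (!$owner_uid) $owner_uid = $_SESSION["uid"];` on line 146 treats every falsy value as "not supplied", so a caller passing `0`, `"0"` or an empty string (for instance a public share whose owner_uid fetch came back empty) silently falls back to the viewer's session uid, which on the public handler may be an anonymous session. Test the sentinel instead: `if ($owner_uid === false) $owner_uid = $_SESSION["uid"];` and follow it with `$owner_uid = (int) $owner_uid;` before the value reaches the interpolated queries in the later hunks. The new parameter also deserves a docblock line such as `@param int|false $owner_uid owner to render as; defaults to the session user`. The rest of format_article continues outside the hunk.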
@ -3270,7 +3272,7 @@
|
||||||
//if (!$zoom_mode) { print "<article id='$id'><![CDATA["; };
|
//if (!$zoom_mode) { print "<article id='$id'><![CDATA["; };
|
||||||
|
|
||||||
$result = db_query($link, "SELECT rtl_content, always_display_enclosures FROM ttrss_feeds
|
$result = db_query($link, "SELECT rtl_content, always_display_enclosures FROM ttrss_feeds
|
||||||
WHERE id = '$feed_id' AND owner_uid = " . $_SESSION["uid"]);
|
WHERE id = '$feed_id' AND owner_uid = $owner_uid");
|
||||||
|
|
||||||
if (db_num_rows($result) == 1) {
|
if (db_num_rows($result) == 1) {
|
||||||
$rtl_content = sql_bool_to_bool(db_fetch_result($result, 0, "rtl_content"));
|
$rtl_content = sql_bool_to_bool(db_fetch_result($result, 0, "rtl_content"));
|
||||||
|
@ -3291,9 +3293,9 @@
|
||||||
if ($mark_as_read) {
|
if ($mark_as_read) {
|
||||||
$result = db_query($link, "UPDATE ttrss_user_entries
|
$result = db_query($link, "UPDATE ttrss_user_entries
|
||||||
SET unread = false,last_read = NOW()
|
SET unread = false,last_read = NOW()
|
||||||
WHERE ref_id = '$id' AND owner_uid = " . $_SESSION["uid"]);
|
WHERE ref_id = '$id' AND owner_uid = $owner_uid");
|
||||||
|
|
||||||
ccache_update($link, $feed_id, $_SESSION["uid"]);
|
ccache_update($link, $feed_id, $owner_uid);
|
||||||
}
|
}
|
||||||
|
|
||||||
$result = db_query($link, "SELECT title,link,content,feed_id,comments,int_id,
|
$result = db_query($link, "SELECT title,link,content,feed_id,comments,int_id,
|
||||||
|
@ -3306,7 +3308,7 @@
|
||||||
orig_feed_id,
|
orig_feed_id,
|
||||||
note
|
note
|
||||||
FROM ttrss_entries,ttrss_user_entries
|
FROM ttrss_entries,ttrss_user_entries
|
||||||
WHERE id = '$id' AND ref_id = id AND owner_uid = " . $_SESSION["uid"]);
|
WHERE id = '$id' AND ref_id = id AND owner_uid = $owner_uid");
|
||||||
|
|
||||||
if ($result) {
|
if ($result) {
|
||||||
|
|
||||||
|
@ -3360,7 +3362,7 @@
|
||||||
}
|
}
|
||||||
|
|
||||||
$parsed_updated = make_local_datetime($link, $line["updated"], true,
|
$parsed_updated = make_local_datetime($link, $line["updated"], true,
|
||||||
false, true);
|
$owner_uid, true);
|
||||||
|
|
||||||
$rv['content'] .= "<div class=\"postDate$rtl_class\">$parsed_updated</div>";
|
$rv['content'] .= "<div class=\"postDate$rtl_class\">$parsed_updated</div>";
|
||||||
|
|
||||||
|
@ -3378,7 +3380,7 @@
|
||||||
$tag_cache = $line["tag_cache"];
|
$tag_cache = $line["tag_cache"];
|
||||||
|
|
||||||
if (!$tag_cache)
|
if (!$tag_cache)
|
||||||
$tags = get_article_tags($link, $id);
|
$tags = get_article_tags($link, $id, $owner_uid);
|
||||||
else
|
else
|
||||||
$tags = explode(",", $tag_cache);
|
$tags = explode(",", $tag_cache);
|
||||||
|
|
||||||
|
@ -3472,7 +3474,7 @@
|
||||||
|
|
||||||
$rv['content'] .= "<div class=\"postContent\">";
|
$rv['content'] .= "<div class=\"postContent\">";
|
||||||
|
|
||||||
$article_content = sanitize($link, $line["content"], false, false,
|
$article_content = sanitize($link, $line["content"], false, $owner_uid,
|
||||||
$feed_site_url);
|
$feed_site_url);
|
||||||
|
|
||||||
$rv['content'] .= $article_content;
|
$rv['content'] .= $article_content;
|
||||||
|
|