From df4f3b2a520cb1cc7f32aa1f4b14bb100b94f07e Mon Sep 17 00:00:00 2001
From: Mathias Kresin
Date: Tue, 11 Nov 2014 17:01:24 +0100
Subject: [PATCH] Fever API: Allow to select the database

Utilize apaches mod_rewrite to append a database parameter to the fever api script based on the requested URL. Basically everything after /fever/ is treated as the desired database. E.g. using https://www.miniflux.net/fever/custom.sqlite/ as server url selects this database as sync source/target. The user supplied database parameter is compared with the output of Model\Database\get_all(), which ensures that only files within the DATA_DIRECTORY can be referenced (prevents File Inclusion/Directory Traversal vulnerabilities). I've tested it against Reeder on iOS. Note that Reeder does not allow the same user name to be used multiple times within the same domain name, even if the used URLs are different.
---
 fever/.htaccess | 13 +++++++++++++
 fever/index.php | 4 ++++
 2 files changed, 17 insertions(+)
 create mode 100644 fever/.htaccess

diff --git a/fever/.htaccess b/fever/.htaccess
new file mode 100644
index 0000000..7084940
--- /dev/null
+++ b/fever/.htaccess
@@ -0,0 +1,13 @@
+RewriteEngine on
+
+RewriteBase /
+
+# only if the requested file does not exists
+RewriteCond %{REQUEST_FILENAME} !-f
+
+# Store the current location in an environment variable CWD
+RewriteCond $0#%{REQUEST_URI} ([^#]*)#(.*)\1$
+RewriteRule ^.*$ - [E=CWD:%2]
+
+# Just by prefixing the environment variable, we can safely rewrite anything now
+RewriteRule ^([^/]*) %{ENV:CWD}index.php?database=$1 [QSA,L]
\ No newline at end of file
diff --git a/fever/index.php b/fever/index.php
index cfa56b6..c8da528 100644
--- a/fever/index.php
+++ b/fever/index.php
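Review bot: The `[QSA]` flag on the final RewriteRule appends the client's original query string after the path-derived `database=$1`, so a request like `/fever/a.sqlite/?database=b.sqlite` reaches index.php with two `database` parameters and PHP's `$_GET` keeps the last one — the query string silently overrides the path segment that the commit message describes as the selector. Dropping `QSA` (`RewriteRule ^([^/]*) %{ENV:CWD}index.php?database=$1 [L]`) makes the path the only source, or index.php must treat the two disagreeing as an error. Note also that a direct request to `/fever/index.php?database=...` matches the `!-f` condition and is never rewritten, so this file adds no filtering of its own; the `get_all()` comparison in `Model\Database\select` (outside this diff) is the only control over which file is opened. Minor: the comment should read `# only if the requested file does not exist`.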
@@ -29,6 +29,10 @@ function response(array $response)
 // Fever authentication
 function auth()
 {
+    if (!empty($_GET['database'])) {
+        Model\Database\select($_GET['database']);
+    }
+
     $credentials = Database::get('db')->table('config')
         ->columns('username', 'fever_token')
         ->findOne();
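Review bot: `!empty($_GET['database'])` on the first added line accepts any non-empty value, including an array from a request such as `?database[]=x`, which is then handed to `Model\Database\select()` as a non-string; guard the type explicitly, `if (isset($_GET['database']) && is_string($_GET['database']) && $_GET['database'] !== '')`. The result of `select()` is also discarded, so when the requested name is not among `Model\Database\get_all()` (the check the commit message relies on, not visible in this hunk) the request presumably proceeds against the default database and the client syncs to the wrong store with no error — failing authentication when the selection is rejected would be the safer outcome, assuming `select()` signals rejection via its return value or an exception. A short comment above the block would help the next reader: `// Database is chosen by the /fever/<name>/ path segment, rewritten into ?database= by fever/.htaccess`. The body of `auth()` continues past the end of the hunk.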