Fever API: Allow to select the database

Utilize Apache's mod_rewrite to append a database parameter to the Fever
API script based on the requested URL. Basically everything after
/fever/ is treated as the desired database. E.g. using
https://www.miniflux.net/fever/custom.sqlite/ as server URL selects this
database as sync source/target.

The user-supplied database parameter is compared with the output of
Model\Database\get_all(), which ensures that only files within the
DATA_DIRECTORY can be referenced (prevents File Inclusion/Directory
Traversal vulnerabilities).

I've tested it against Reeder on iOS. Note that Reeder does not allow
the same user name to be used multiple times within the same domain
name, even if the used URLs are different.
Mathias Kresin 2014-11-11 17:01:24 +01:00
parent 0aa5252c85
commit df4f3b2a52
2 changed files with 17 additions and 0 deletions

fever/.htaccess Normal file

@ -0,0 +1,13 @@
RewriteEngine on
RewriteBase /
# only if the requested file does not exists
RewriteCond %{REQUEST_FILENAME} !-f
# Store the current location in an environment variable CWD
RewriteCond $0#%{REQUEST_URI} ([^#]*)#(.*)\1$
RewriteRule ^.*$ - [E=CWD:%2]
# Just by prefixing the environment variable, we can safely rewrite anything now
RewriteRule ^([^/]*) %{ENV:CWD}index.php?database=$1 [QSA,L]
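
Review bot: The `!-f` condition at the top guards only `RewriteRule ^.*$ - [E=CWD:%2]`, because RewriteCond lines apply to the single RewriteRule that follows them, so the final `RewriteRule ^([^/]*) ...` also runs for requests that name an existing file. Repeat `RewriteCond %{REQUEST_FILENAME} !-f` directly above the last rule if existing files are meant to be served untouched. Separately, `[QSA]` on that rule merges the client's own query string into the rewritten one, so a `database` key sent in the query string reaches index.php alongside the path-derived value; the script has to treat the parameter as untrusted input whichever way it arrives. Minor: the first comment should read "does not exist".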


@ -29,6 +29,10 @@ function response(array $response)
// Fever authentication
function auth()
{
if (!empty($_GET['database'])) {
Model\Database\select($_GET['database']);
}
$credentials = Database::get('db')->table('config')
->columns('username', 'fever_token')
->findOne();
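
Review bot: In auth(), the result of `Model\Database\select($_GET['database'])` is discarded, so if the requested name is rejected the function carries on and reads `username` and `fever_token` from whatever database is already selected. Check the outcome of the call and fail authentication when the requested database cannot be selected, rather than falling through to the default. `!empty()` also passes for an array value (`database[]=x`), so add an `is_string()` check before handing the parameter to select().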