Commit Graph

7 Commits

Author SHA1 Message Date
Frederic Guillot
cd1a0115c2 Minor cleanups 2015-01-17 18:53:40 -05:00
Mathias Kresin
cfd03efc01 Fix database hijacking
Check if a requested database can be selected. Error out if not.
This prevents automatic fallbacks to the default database.

Remove the authorized information from the session if a new database
gets selected.

Factor out logout function to reuse existing code.
2015-01-17 21:14:44 +01:00
Frédéric Guillot
c43d9dd773 Fix a bug for image proxy and update dependencies 2014-12-29 16:52:36 -05:00
Mathias Kresin
df4f3b2a52 Fever API: Allow to select the database
Utilize Apache's mod_rewrite to append a database parameter to the Fever
API script based on the requested URL. Basically everything after
/fever/ is treated as the desired database. E.g. using
https://www.miniflux.net/fever/custom.sqlite/ as server URL selects this
database as sync source/target.

The user-supplied database parameter is compared with the output of
Model\Database\get_all(), which ensures that only files within the
DATA_DIRECTORY can be referenced (prevents File Inclusion/Directory
Traversal vulnerabilities).

I've tested it against Reeder on iOS. Note that Reeder does not allow
the same user name to be used multiple times within the same domain
name, even if the used URLs are different.
2014-12-26 23:01:05 +01:00
Frédéric Guillot
4fa894925e Fix bug items sync for the Fever API 2014-11-08 22:33:50 -05:00
Mathias Kresin
b5b5e91bb0 Fever API - Fix Mark all as read for feed unread
Zero is a valid super group id according to the "mark the Kindling super group
as read" example in the Fever API docs. But the PHP function empty considers 0
as an empty value and the condition is never true.

The condition has been changed to accept -1 for the "Sparks" super group,
0 for the "Kindling" super group and any other positive integer (feed and
item id must be positive integers).

The group id Zero is used by Reeder for iOS for the virtual feed "unread".
2014-11-06 19:54:12 +01:00
Frédéric Guillot
5801258ace Add Fever API support 2014-10-29 21:28:23 -04:00