fixed bug with escaping password before hashing it

Torsten Stelling
2013-06-28 20:51:18 +02:00
parent b124f64191
commit 9db7b8e96a
3 changed files with 16 additions and 4 deletions


@@ -11,6 +11,7 @@ This plugin is an open source module for TinyTinyRSS which simulates the Fever A
* <a href="#supported">Supported/Tested Clients</a> * <a href="#supported">Supported/Tested Clients</a>
* <a href="#installation">Installation</a> * <a href="#installation">Installation</a>
* <a href="#debug">Debugging</a> * <a href="#debug">Debugging</a>
* <a href="#error">Error reporting</a>
* <a href="#license">License</a> * <a href="#license">License</a>
* <a href="#changelog">Changelog</a> * <a href="#changelog">Changelog</a>
@@ -49,6 +50,12 @@ In the file ```fever_api.php``` there are two flags for debugging at the beginni
* ```DEBUG_USER``` - set this to the id (from ttrss_users) of your user you would like to always authenticate on your Tiny Tiny RSS installation. The authentication process is then skipped and the api gets always authentication. * ```DEBUG_USER``` - set this to the id (from ttrss_users) of your user you would like to always authenticate on your Tiny Tiny RSS installation. The authentication process is then skipped and the api gets always authentication.
* ```DEBUG_FILE``` - set this to a filename that suits you for debugging this plugin if you need to. * ```DEBUG_FILE``` - set this to a filename that suits you for debugging this plugin if you need to.
## <a name="error">Error reporting</a>
When you find an error you may post it in the plugin [thread](http://tt-rss.org/forum/viewtopic.php?f=22&t=1981) or here on github.com in the ```Issues``` section.
Please include your debug log which should be cleaned up. Please remove your username, password and apikey before posting it.
## <a name="license">License</a> ## <a name="license">License</a>
Licensed under GNU GPL version 2 (<- I think this is okay for this plugin…) Licensed under GNU GPL version 2 (<- I think this is okay for this plugin…)
@@ -84,3 +91,8 @@ v1.4.3 - 2013/6/28
* added ```DEBUG_FILE``` to debug configuration * added ```DEBUG_FILE``` to debug configuration
* changed authentication call from Mr.Reader so that the reply is also uppercase, since the API-KEY comes in uppercase from clients * changed authentication call from Mr.Reader so that the reply is also uppercase, since the API-KEY comes in uppercase from clients
* fixed debug output while authentication in Mr.Reader with displaying the email adress * fixed debug output while authentication in Mr.Reader with displaying the email adress
v1.4.4 - 2013/6/28
* updated the documentation
* changed some in saving the generated API-KEY - now its generated like in the Fever API documentation


@@ -10,7 +10,7 @@ class FeverAPI extends Handler {
const STATUS_ERR = 0; const STATUS_ERR = 0;
// debugging only functions with JSON // debugging only functions with JSON
const DEBUG = false; // enable if you need some debug output in your tinytinyrss root const DEBUG = true; // enable if you need some debug output in your tinytinyrss root
const DEBUG_USER = 0; // your user id you need to debug - look it up in your mysql database and set it to a value bigger than 0 const DEBUG_USER = 0; // your user id you need to debug - look it up in your mysql database and set it to a value bigger than 0
const DEBUG_FILE = './debug_fever.txt'; // the file for debugging output const DEBUG_FILE = './debug_fever.txt'; // the file for debugging output
@@ -128,7 +128,7 @@ class FeverAPI extends Handler {
(isset($_REQUEST["password"]))) { (isset($_REQUEST["password"]))) {
$email = $_REQUEST["email"]; $email = $_REQUEST["email"];
$password = $_REQUEST["password"]; $password = $_REQUEST["password"];
$apikey = strtoupper(md5($email.":".db_escape_string($password))); $apikey = strtoupper(md5($email.":".$password));
setcookie('fever_auth',$apikey,time()+60*60*24*30); setcookie('fever_auth',$apikey,time()+60*60*24*30);
if (self::DEBUG) { if (self::DEBUG) {
// debug output // debug output
@@ -145,7 +145,7 @@ class FeverAPI extends Handler {
{ {
$result = $this->dbh->query("SELECT owner_uid $result = $this->dbh->query("SELECT owner_uid
FROM ttrss_plugin_storage FROM ttrss_plugin_storage
WHERE content = '" . db_escape_string('a:1:{s:8:"password";s:32:"') . db_escape_string(strtolower($apikey)) . db_escape_string('";}') . "'"); WHERE content = '".db_escape_string('a:1:{s:8:"password";s:32:"'.strtolower($apikey).'";}') . "'");
if ($this->dbh->num_rows($result) > 0) if ($this->dbh->num_rows($result) > 0)
{ {
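Review bot: The first hunk of this file lands `const DEBUG = true;` on the new side, so every installation that pulls this version writes debug output to `./debug_fever.txt` in the Tiny Tiny RSS root by default, and the README text in the same commit says those logs contain the username, password and API key — a credential disclosure into a file that may well be web-reachable. Flip it back before release, `const DEBUG = false; // enable if you need some debug output in your tinytinyrss root`, and consider pointing DEBUG_FILE outside the document root. The new `$apikey = strtoupper(md5($email.":".$password));` is what the Fever protocol prescribes, so dropping db_escape_string there is the right fix, but be aware the resulting digest is an unsalted md5 of the account password, and the unchanged `setcookie('fever_auth', ...)` on the next line sends it without httponly or secure flags. The FeverAPI class continues outside these hunks.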


@@ -69,7 +69,7 @@ class Fever extends Plugin {
$result = db_query("SELECT login FROM ttrss_users WHERE id = '" . db_escape_string($_SESSION["uid"]) . "'"); $result = db_query("SELECT login FROM ttrss_users WHERE id = '" . db_escape_string($_SESSION["uid"]) . "'");
if ($line = db_fetch_assoc($result)) if ($line = db_fetch_assoc($result))
{ {
$password = md5($line["login"] . ":" . db_escape_string($_POST["password"])); $password = md5($line["login"] . ":" . $_POST["password"]);
$this->host->set($this, "password", $password); $this->host->set($this, "password", $password);
echo __("Password saved."); echo __("Password saved.");
} }
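Review bot: The new `$password = md5($line["login"] . ":" . $_POST["password"]);` reads `$_POST["password"]` with no isset or emptiness check, so a missing or empty field silently stores md5("login:") as the user's Fever API key — guessable from the login name alone — and still prints "Password saved.". Guard it before hashing, e.g. `if (!isset($_POST["password"]) || $_POST["password"] === "") { echo __("Password must not be empty."); return; }` (adapt the bail-out to this handler's error convention, which is outside the hunk). Removing db_escape_string here is correct since the value is hashed rather than placed in SQL; the md5(login:password) form is dictated by the Fever protocol, so password_hash() cannot replace it directly, but note this unsalted fast hash of a user-chosen password is stored in clear in ttrss_plugin_storage and looked up by value in fever_api.php. The enclosing method starts outside the hunk.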