[fix] Better handling of illegal requests for RSS feeds.
This commit is contained in:
parent
2eca7aa004
commit
ba40bdd9f1
1
CHANGES
1
CHANGES
|
@ -52,6 +52,7 @@ v2.38 (Unreleased)
|
|||
[fix] A few warnings triggered by sql query failures
|
||||
[fix] PHP 8.1-related warnings
|
||||
[fix] Updated bug URLs.
|
||||
[fix] Deal with malformed feed requests
|
||||
|
||||
v2.37.1 (December 3, 2012)
|
||||
|
||||
|
|
65
src/feed.php
65
src/feed.php
|
@ -54,6 +54,7 @@ foreach ($_REQUEST as $key => $value) {
|
|||
}
|
||||
|
||||
$feedtype = isset($_REQUEST['type']) ? $_REQUEST['type'] : 'photos';
|
||||
$id = isset($_REQUEST['id']) ? $_REQUEST['id'] : -1;
|
||||
|
||||
switch ($feedtype) {
|
||||
case 'photos':
|
||||
|
@ -64,32 +65,32 @@ case 'photos':
|
|||
$size = isset($_REQUEST['size']) ? pg_escape_string($database, $_REQUEST['size']) : 2;
|
||||
}
|
||||
$global_args = array();
|
||||
$global_args['size'] = $size;
|
||||
$global_args['size'] = $size;
|
||||
|
||||
switch ($_REQUEST['subtype']) {
|
||||
case 'user':
|
||||
$user_id = pg_escape_string($database, $_REQUEST['id']);
|
||||
|
||||
$user_id = pg_escape_string($database, $id);
|
||||
|
||||
$rss->title = $site_title . " : " . disp_user_string($database, $user_id, FALSE);
|
||||
$rss->description = $rss->title;
|
||||
$rss->link = $base_url . generate_link('user', $user_id);
|
||||
|
||||
$froms = array();
|
||||
$froms = array();
|
||||
$master = "and photo_version.master = 't'"; //optional?
|
||||
$filter = "photo.users = '$user_id' $master";
|
||||
|
||||
break;
|
||||
|
||||
case 'folder':
|
||||
$folder_id = pg_escape_string($database, $_REQUEST['id']);
|
||||
|
||||
$folder_id = pg_escape_string($database, $id);
|
||||
|
||||
$path_to_folder = get_path_to($database, 'folder', $folder_id, FALSE);
|
||||
|
||||
|
||||
$rss->title = $site_title . " $path_to_folder ";
|
||||
$rss->description = $rss->title;
|
||||
$rss->link = $base_url . generate_link('folder', $folder_id);
|
||||
|
||||
$froms = array('folder');
|
||||
$froms = array('folder');
|
||||
$master = "and photo_version.master = 't'"; //optional?
|
||||
$filter = "photo.folder = '$folder_id'
|
||||
and folder.identifier = photo.folder $master";
|
||||
|
@ -97,25 +98,25 @@ case 'photos':
|
|||
break;
|
||||
|
||||
case 'album':
|
||||
$album_id = pg_escape_string($database, $_REQUEST['id']);
|
||||
|
||||
$album_id = pg_escape_string($database, $id);
|
||||
|
||||
$path_to_album = get_path_to($database, 'album', $album_id, FALSE);
|
||||
|
||||
|
||||
$rss->title = $site_title . " $path_to_album ";
|
||||
$rss->description = $rss->title;
|
||||
$rss->link = $base_url . generate_link('album', $album_id);
|
||||
|
||||
|
||||
$global_args['album'] = $album_id;
|
||||
|
||||
|
||||
$froms = array('album_content');
|
||||
$filter = "photo_version.identifier = album_content.version
|
||||
and photo.identifier = album_content.photo
|
||||
and album_content.album = $album_id";
|
||||
|
||||
|
||||
break;
|
||||
|
||||
case 'tag':
|
||||
$search_data = $_REQUEST['id']; // this is escaped later.
|
||||
$search_data = $id; // this is escaped later.
|
||||
$keywords = extract_keywords($search_data, $po_options['search_enable_stemming']);
|
||||
$sql_combined_search_string = build_sql_search_string_keywords($keywords);
|
||||
|
||||
|
@ -126,7 +127,7 @@ case 'photos':
|
|||
$froms = array();
|
||||
$master_args = "and photo_version.master = 't'";
|
||||
$filter = " ($sql_combined_search_string) $master_args";
|
||||
|
||||
|
||||
break;
|
||||
|
||||
default:
|
||||
|
@ -145,10 +146,10 @@ case 'photos':
|
|||
|
||||
$item = new FeedItem();
|
||||
$item->title = $photo['caption'];
|
||||
|
||||
|
||||
$photo_args = $global_args;
|
||||
$photo_args['ver'] = $photo['version'];
|
||||
|
||||
|
||||
unset($photo_args['size']);
|
||||
$item->link = $base_url . generate_link('photo', $photo['identifier'], $photo_args);
|
||||
$item->guid = $item->link;
|
||||
|
@ -185,11 +186,11 @@ case 'folder':
|
|||
}
|
||||
|
||||
$sql_query_order_by_string = $folder_order_by_string[$order][0];
|
||||
$sql_query_access_rights_string = "can_access_folder(folder.identifier, $po_user[id], '{".$passwords."}')";
|
||||
$sql_query_access_rights_string = "can_access_folder(folder.identifier, $po_user[id], '{".$passwords."}')";
|
||||
|
||||
switch ($_REQUEST['subtype']) {
|
||||
case 'tag':
|
||||
$search_data = $_REQUEST['id']; // is escaped later
|
||||
$search_data = $id; // is escaped later
|
||||
|
||||
$keywords = extract_keywords($search_data, $po_options['search_enable_stemming']);
|
||||
$sql_search_string = build_sql_search_string($keywords, "folder.caption");
|
||||
|
@ -204,7 +205,7 @@ case 'folder':
|
|||
|
||||
break;
|
||||
case 'user':
|
||||
$user_id = pg_escape_string($database, $_REQUEST['id']);
|
||||
$user_id = pg_escape_string($database, $id);
|
||||
|
||||
$rss->title = $site_title . " : " . disp_user_string($database, $user_id, FALSE);
|
||||
$rss->description = $rss->title;
|
||||
|
@ -214,7 +215,7 @@ case 'folder':
|
|||
|
||||
break;
|
||||
default:
|
||||
$folder_id = pg_escape_string($database, $_REQUEST['id']);
|
||||
$folder_id = pg_escape_string($database, $id);
|
||||
|
||||
$path_to_folder = get_path_to($database, 'folder', $folder_id, FALSE);
|
||||
|
||||
|
@ -229,15 +230,15 @@ case 'folder':
|
|||
} else {
|
||||
$sql_search_string = " folder.parent_folder is null ";
|
||||
}
|
||||
|
||||
|
||||
// XXX restrict to single user?
|
||||
|
||||
|
||||
break;
|
||||
}
|
||||
|
||||
$search_result = pg_query($database,
|
||||
"select caption, folder.identifier, date_of_creation, folder.date_changed, folder.description,
|
||||
first_name, last_name, users.identifier as user_id,
|
||||
first_name, last_name, users.identifier as user_id,
|
||||
count_subfolders_by_folder(folder.identifier, $po_user[id], '{".$passwords."}') as subs,
|
||||
count_photos_by_folder(folder.identifier, $po_user[id], '{".$passwords."}') as photos, thumb_ver
|
||||
from folder, users
|
||||
|
@ -280,11 +281,11 @@ case 'album':
|
|||
}
|
||||
|
||||
$sql_query_order_by_string = $folder_order_by_string[$order][0];
|
||||
$sql_query_access_rights_string = "can_access_album(album.identifier, $po_user[id], '{".$passwords."}')";
|
||||
$sql_query_access_rights_string = "can_access_album(album.identifier, $po_user[id], '{".$passwords."}')";
|
||||
|
||||
switch ($_REQUEST['subtype']) {
|
||||
case 'tag':
|
||||
$search_data = $_REQUEST['id']; // is escaepd later
|
||||
$search_data = $id; // is escaepd later
|
||||
|
||||
$keywords = extract_keywords($search_data, $po_options['search_enable_stemming']);
|
||||
$sql_search_string = build_sql_search_string($keywords, "album.caption");
|
||||
|
@ -299,7 +300,7 @@ case 'album':
|
|||
|
||||
break;
|
||||
case 'user':
|
||||
$user_id = pg_escape_string($database, $_REQUEST['id']);
|
||||
$user_id = pg_escape_string($database, $id);
|
||||
|
||||
$rss->title = $site_title . " : " . disp_user_string($database, $user_id, FALSE);
|
||||
$rss->description = $rss->title;
|
||||
|
@ -309,7 +310,7 @@ case 'album':
|
|||
|
||||
break;
|
||||
default:
|
||||
$album_id = pg_escape_string($database, $_REQUEST['id']);
|
||||
$album_id = pg_escape_string($database, $id);
|
||||
|
||||
$path_to_album = get_path_to($database, 'album', $album_id, FALSE);
|
||||
|
||||
|
@ -324,15 +325,15 @@ case 'album':
|
|||
} else {
|
||||
$sql_search_string = " album.parent_album is null ";
|
||||
}
|
||||
|
||||
|
||||
// XXX restrict to single user?
|
||||
|
||||
|
||||
break;
|
||||
}
|
||||
|
||||
$search_result = pg_query($database,
|
||||
"select caption, album.identifier, date_of_creation, album.date_changed, album.description,
|
||||
first_name, last_name, users.identifier as user_id,
|
||||
first_name, last_name, users.identifier as user_id,
|
||||
count_subalbums_by_album(album.identifier, $po_user[id], '{".$passwords."}') as subs,
|
||||
count_photos_by_album(album.identifier, $po_user[id], '{".$passwords."}') as photos, thumb_ver
|
||||
from album, users
|
||||
|
|
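Review bot: The subtype lookup is still unguarded: `switch ($_REQUEST['subtype'])` in the hunks at -64,32, -185,11 and -280,11 reads the key directly, so a request that omits `subtype` still triggers the undefined-index warning this commit sets out to remove, even though `type` and `id` now have defaults. Defaulting it next to `$id` in the same style would close that gap, e.g. `$subtype = isset($_REQUEST['subtype']) ? $_REQUEST['subtype'] : '';` followed by `switch ($subtype)` at each of the three sites. Separately, in the album case of the -97,25 hunk the new `$album_id = pg_escape_string($database, $id);` is interpolated unquoted into `and album_content.album = $album_id`; pg_escape_string only neutralises quote characters, so in an unquoted position it gives no protection and the request value still reaches the query as raw SQL text. Quote it like the sibling folder and user filters, `and album_content.album = '$album_id'`, or cast `$id` to int before use if the column is integer, which I cannot confirm from the hunk. The enclosing switch blocks start and end outside the hunks shown.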