[fix] Better handling of illegal requests for RSS feeds.

Solomon Peachy 2024-11-04 22:00:14 -05:00
parent 2eca7aa004
commit ba40bdd9f1
2 changed files with 34 additions and 32 deletions


@ -52,6 +52,7 @@ v2.38 (Unreleased)
[fix] A few warnings triggered by sql query failures
[fix] PHP 8.1-related warnings
[fix] Updated bug URLs.
[fix] Deal with malformed feed requests
v2.37.1 (December 3, 2012)


@ -54,6 +54,7 @@ foreach ($_REQUEST as $key => $value) {
}
$feedtype = isset($_REQUEST['type']) ? $_REQUEST['type'] : 'photos';
$id = isset($_REQUEST['id']) ? $_REQUEST['id'] : -1;
switch ($feedtype) {
case 'photos':
@ -64,32 +65,32 @@ case 'photos':
$size = isset($_REQUEST['size']) ? pg_escape_string($database, $_REQUEST['size']) : 2;
}
$global_args = array();
$global_args['size'] = $size;
$global_args['size'] = $size;
switch ($_REQUEST['subtype']) {
case 'user':
$user_id = pg_escape_string($database, $_REQUEST['id']);
$user_id = pg_escape_string($database, $id);
$rss->title = $site_title . " : " . disp_user_string($database, $user_id, FALSE);
$rss->description = $rss->title;
$rss->link = $base_url . generate_link('user', $user_id);
$froms = array();
$froms = array();
$master = "and photo_version.master = 't'"; //optional?
$filter = "photo.users = '$user_id' $master";
break;
case 'folder':
$folder_id = pg_escape_string($database, $_REQUEST['id']);
$folder_id = pg_escape_string($database, $id);
$path_to_folder = get_path_to($database, 'folder', $folder_id, FALSE);
$rss->title = $site_title . " $path_to_folder ";
$rss->description = $rss->title;
$rss->link = $base_url . generate_link('folder', $folder_id);
$froms = array('folder');
$froms = array('folder');
$master = "and photo_version.master = 't'"; //optional?
$filter = "photo.folder = '$folder_id'
and folder.identifier = photo.folder $master";
@ -97,25 +98,25 @@ case 'photos':
break;
case 'album':
$album_id = pg_escape_string($database, $_REQUEST['id']);
$album_id = pg_escape_string($database, $id);
$path_to_album = get_path_to($database, 'album', $album_id, FALSE);
$rss->title = $site_title . " $path_to_album ";
$rss->description = $rss->title;
$rss->link = $base_url . generate_link('album', $album_id);
$global_args['album'] = $album_id;
$froms = array('album_content');
$filter = "photo_version.identifier = album_content.version
and photo.identifier = album_content.photo
and album_content.album = $album_id";
break;
case 'tag':
$search_data = $_REQUEST['id']; // this is escaped later.
$search_data = $id; // this is escaped later.
$keywords = extract_keywords($search_data, $po_options['search_enable_stemming']);
$sql_combined_search_string = build_sql_search_string_keywords($keywords);
@ -126,7 +127,7 @@ case 'photos':
$froms = array();
$master_args = "and photo_version.master = 't'";
$filter = " ($sql_combined_search_string) $master_args";
break;
default:
@ -145,10 +146,10 @@ case 'photos':
$item = new FeedItem();
$item->title = $photo['caption'];
$photo_args = $global_args;
$photo_args['ver'] = $photo['version'];
unset($photo_args['size']);
$item->link = $base_url . generate_link('photo', $photo['identifier'], $photo_args);
$item->guid = $item->link;
@ -185,11 +186,11 @@ case 'folder':
}
$sql_query_order_by_string = $folder_order_by_string[$order][0];
$sql_query_access_rights_string = "can_access_folder(folder.identifier, $po_user[id], '{".$passwords."}')";
$sql_query_access_rights_string = "can_access_folder(folder.identifier, $po_user[id], '{".$passwords."}')";
switch ($_REQUEST['subtype']) {
case 'tag':
$search_data = $_REQUEST['id']; // is escaped later
$search_data = $id; // is escaped later
$keywords = extract_keywords($search_data, $po_options['search_enable_stemming']);
$sql_search_string = build_sql_search_string($keywords, "folder.caption");
@ -204,7 +205,7 @@ case 'folder':
break;
case 'user':
$user_id = pg_escape_string($database, $_REQUEST['id']);
$user_id = pg_escape_string($database, $id);
$rss->title = $site_title . " : " . disp_user_string($database, $user_id, FALSE);
$rss->description = $rss->title;
@ -214,7 +215,7 @@ case 'folder':
break;
default:
$folder_id = pg_escape_string($database, $_REQUEST['id']);
$folder_id = pg_escape_string($database, $id);
$path_to_folder = get_path_to($database, 'folder', $folder_id, FALSE);
@ -229,15 +230,15 @@ case 'folder':
} else {
$sql_search_string = " folder.parent_folder is null ";
}
// XXX restrict to single user?
break;
}
$search_result = pg_query($database,
"select caption, folder.identifier, date_of_creation, folder.date_changed, folder.description,
first_name, last_name, users.identifier as user_id,
first_name, last_name, users.identifier as user_id,
count_subfolders_by_folder(folder.identifier, $po_user[id], '{".$passwords."}') as subs,
count_photos_by_folder(folder.identifier, $po_user[id], '{".$passwords."}') as photos, thumb_ver
from folder, users
@ -280,11 +281,11 @@ case 'album':
}
$sql_query_order_by_string = $folder_order_by_string[$order][0];
$sql_query_access_rights_string = "can_access_album(album.identifier, $po_user[id], '{".$passwords."}')";
$sql_query_access_rights_string = "can_access_album(album.identifier, $po_user[id], '{".$passwords."}')";
switch ($_REQUEST['subtype']) {
case 'tag':
$search_data = $_REQUEST['id']; // is escaepd later
$search_data = $id; // is escaepd later
$keywords = extract_keywords($search_data, $po_options['search_enable_stemming']);
$sql_search_string = build_sql_search_string($keywords, "album.caption");
@ -299,7 +300,7 @@ case 'album':
break;
case 'user':
$user_id = pg_escape_string($database, $_REQUEST['id']);
$user_id = pg_escape_string($database, $id);
$rss->title = $site_title . " : " . disp_user_string($database, $user_id, FALSE);
$rss->description = $rss->title;
@ -309,7 +310,7 @@ case 'album':
break;
default:
$album_id = pg_escape_string($database, $_REQUEST['id']);
$album_id = pg_escape_string($database, $id);
$path_to_album = get_path_to($database, 'album', $album_id, FALSE);
@ -324,15 +325,15 @@ case 'album':
} else {
$sql_search_string = " album.parent_album is null ";
}
// XXX restrict to single user?
break;
}
$search_result = pg_query($database,
"select caption, album.identifier, date_of_creation, album.date_changed, album.description,
first_name, last_name, users.identifier as user_id,
first_name, last_name, users.identifier as user_id,
count_subalbums_by_album(album.identifier, $po_user[id], '{".$passwords."}') as subs,
count_photos_by_album(album.identifier, $po_user[id], '{".$passwords."}') as photos, thumb_ver
from album, users