From 0c38dc84561da4ab97c6463e4214cd9c5ea68319 Mon Sep 17 00:00:00 2001
From: Jacek Tomasiak
Date: Tue, 11 May 2021 09:35:39 +0200
Subject: [PATCH 1/4] Improve missing token check

Avoid "E_NOTICE (8) (classes/userhelper.php:78) Undefined index: csrf_token" in logs.
---
 classes/userhelper.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/classes/userhelper.php b/classes/userhelper.php
index 0bf67243e..1cdd320a1 100644
--- a/classes/userhelper.php
+++ b/classes/userhelper.php
@@ -75,7 +75,7 @@ class UserHelper {
 		$_SESSION["auth_module"] = false;
-		if (!$_SESSION["csrf_token"])
+		if (empty($_SESSION["csrf_token"]))
 			$_SESSION["csrf_token"] = bin2hex(get_random_bytes(16));
 		$_SESSION["ip_address"] = UserHelper::get_user_ip();

From e3c4724dc1a44956e301897995c5edca03477a16 Mon Sep 17 00:00:00 2001
From: Andrew Dolgov
Date: Tue, 11 May 2021 19:21:53 +0300
Subject: [PATCH 2/4] use database-backed sessions in single user mode

---
 include/sessions.php | 12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)

diff --git a/include/sessions.php b/include/sessions.php
index 9044c609b..7f61f6dbe 100644
--- a/include/sessions.php
+++ b/include/sessions.php
@@ -106,13 +106,11 @@
 	}
 	if (\Config::get_schema_version() >= 0) {
-		if (!\Config::get(\Config::SINGLE_USER_MODE)) {
-			session_set_save_handler('\Sessions\ttrss_open',
-				'\Sessions\ttrss_close', '\Sessions\ttrss_read',
-				'\Sessions\ttrss_write', '\Sessions\ttrss_destroy',
-				'\Sessions\ttrss_gc');
-			register_shutdown_function('session_write_close');
-		}
+		session_set_save_handler('\Sessions\ttrss_open',
+			'\Sessions\ttrss_close', '\Sessions\ttrss_read',
+			'\Sessions\ttrss_write', '\Sessions\ttrss_destroy',
+			'\Sessions\ttrss_gc');
+		register_shutdown_function('session_write_close');
 	if (!defined('NO_SESSION_AUTOSTART')) {
 		if (isset($_COOKIE[session_name()])) {

From b5a559a1a7315b66768b38fe78eb49663636db8c Mon Sep 17 00:00:00 2001
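Review bot: `empty()` on the `+` line differs from the removed truthiness test only in also covering the undefined-index case, but it additionally treats the string `"0"` as missing; that cannot occur for a `bin2hex()` output, yet the intent (absent or blank) is clearer without the `empty()` semantics: `if (($_SESSION["csrf_token"] ?? '') === '')`. The enclosing method starts and ends outside the hunk, so whether a previously issued token is meant to survive this session reset cannot be judged from here.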
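Review bot: The return value of `session_set_save_handler()` on the first `+` line is not checked; when it returns false (PHP refuses the call, for instance, once a session is already active) the default files handler silently stays in place and the `ttrss_read`/`ttrss_write`/`ttrss_gc` functions are never used, which now also affects single user mode since the guard was removed. A guard such as `if (!session_set_save_handler(...)) { throw new \RuntimeException('unable to register session handler'); }`, or at least a logged error, would surface that. Whether `ttrss_read`/`ttrss_write` themselves cope with the single-user case is outside the hunk, as is the closing brace of the `if (\Config::get_schema_version() >= 0)` block.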
From: Andrew Dolgov
Date: Tue, 11 May 2021 19:36:25 +0300
Subject: [PATCH 3/4] sanity check: in single user mode, only test for admin user if migrations have been completed

---
 classes/config.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/classes/config.php b/classes/config.php
index 6e8d4533f..1386b553a 100644
--- a/classes/config.php
+++ b/classes/config.php
@@ -484,7 +484,8 @@ class Config {
 			array_push($errors, "Data export cache is not writable (chmod -R 777 ".self::get(Config::CACHE_DIR)."/export)");
 		}
-		if (self::get(Config::SINGLE_USER_MODE) && class_exists("PDO")) {
+		// ttrss_users won't be there on initial startup (before migrations are done)
+		if (!Config::is_migration_needed() && self::get(Config::SINGLE_USER_MODE) && class_exists("PDO")) {
 			if (UserHelper::get_login_by_id(1) != "admin") {
 				array_push($errors, "SINGLE_USER_MODE is enabled but default admin account (ID: 1) is not found.");
 			}

From f423874e0585699dfc239c8e4187b53a9a3c02da Mon Sep 17 00:00:00 2001
From: Andrew Dolgov
Date: Tue, 11 May 2021 19:37:31 +0300
Subject: [PATCH 4/4] checking for PDO there is rather useless

---
 classes/config.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/classes/config.php b/classes/config.php
index 1386b553a..4ae4a2407 100644
--- a/classes/config.php
+++ b/classes/config.php
@@ -485,7 +485,7 @@ class Config {
 		}
 		// ttrss_users won't be there on initial startup (before migrations are done)
-		if (!Config::is_migration_needed() && self::get(Config::SINGLE_USER_MODE) && class_exists("PDO")) {
+		if (!Config::is_migration_needed() && self::get(Config::SINGLE_USER_MODE)) {
 			if (UserHelper::get_login_by_id(1) != "admin") {
 				array_push($errors, "SINGLE_USER_MODE is enabled but default admin account (ID: 1) is not found.");
 			}
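Review bot: The new condition mixes `Config::is_migration_needed()` with `self::get(...)` on the same line inside `class Config`; `self::is_migration_needed()` keeps the two calls consistent, and the same line reappears in the PATCH 4/4 hunk. The `!=` on the following context line is a loose comparison; `!== "admin"` gives the same result for a null or false return from `get_login_by_id()` while avoiding PHP's string-to-number coercion rules. The enclosing method starts and ends outside the hunk.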
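Review bot: The message pushed on the last context line reports that the admin account is not found, but the surrounding condition `get_login_by_id(1) != "admin"` is also true when user ID 1 exists under a different login; wording such as `"SINGLE_USER_MODE is enabled but user ID 1 is missing or its login is not 'admin'."` would describe what was actually checked. With `class_exists("PDO")` dropped, the `+` line now gates the check solely on `is_migration_needed()`, which presumably needs a working database connection at this point — worth confirming it cannot throw while the sanity check collects errors. The enclosing method starts and ends outside the hunk.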