- remove code to manually archive/unarchive articles
- remove ttrss_archived_feeds/orig_feed_id handling - the whole thing was implemented for
this data to be kept indefinitely; it doesn't make a lot of sense to deal with this stuff
now that it is expired after one month anyway (same reasons as feed browser being removed - privacy)
- remove "originally from"-related stuff because of the above
- also remove unused remaining frontend/backend code related to feed browser (rip)
- fix vulnerability in rewrite_relative_url() which prevented some URLs from being properly absolutized
- fetch_file_contents: validate all URLs before requesting them
- validate URLs: explicitly whitelist http and https scheme, forbid everything else
- DiskCache/cached_url: only serve whitelisted content types (images, video)
- simplify filename/URL handling code, remove and consolidate some less-used functions
Because of browser form auto-completion, the hidden field login and
password can be automatically filled when adding a feed. It would
enable feed authentication even if the user doesn't click on need_auth
button.
+ static function catchupArticlesById($ids, $cmode, $owner_uid = false) {
+ static function getLastArticleId() {
+ static function queryFeedHeadlines($params) {
+ static function getParentCategories($cat, $owner_uid) {
+ static function getChildCategories($cat, $owner_uid) {
move the rest of functions2.php back to functions.php as it is of more manageable size, remove the former
The undocumented _DISABLE_FEED_BROWSER option added in commit
c39befacb2 turns off the UI for looking
at which feeds other users are subscribed to, but it did not prevent
you from manually constructing an RPC call to get the same data. This
was a privacy risk for those who consider _DISABLE_FEED_BROWSER
important.
Signed-off-by: Anders Kaseorg <andersk@mit.edu>
Andrew Dolgov