Doesn't work with semi-modern TTRSS about af_refspoof HOT 4 OPEN

This makes it work: http://ix.io/3zhC
But that doesn't do any kind csrf protection, which I don't like too much.

If we modify TTRSS a little (I'm now working on current ttrss master, but I don't think anything relevant changed)

diff --git a/classes/pluginhandler.php b/classes/pluginhandler.php
index 75b823822..51d6df9c2 100644
--- a/classes/pluginhandler.php
+++ b/classes/pluginhandler.php
@@ -7,7 +7,7 @@ class PluginHandler extends Handler_Protected {
    function catchall($method) {
        $plugin_name = clean($_REQUEST["plugin"]);
        $plugin = PluginHost::getInstance()->get_plugin($plugin_name);
-       $csrf_token = ($_POST["csrf_token"] ?? "");
+       $csrf_token = ($_REQUEST["csrf_token"] ?? "");
 
        if ($plugin) {
            if (method_exists($plugin, $method)) {

We can kinda add CSRF stuff to the URL

diff --git a/init.php b/init.php
index 2e0f3ed..45171bf 100644
--- a/init.php
+++ b/init.php
@@ -93,7 +93,8 @@ EOF;
         return "${_SERVER['REQUEST_SCHEME']}://${_SERVER['SERVER_NAME']}"
             . "/backend.php?op=pluginhandler&method=redirect&plugin=af_refspoof"
             . "&refspoof_url=" . urlencode($url)
-            . '&refspoof_ref=' . urlencode($ref);
+            . '&refspoof_ref=' . urlencode($ref)
+            . "&csrf_token=${_SESSION["csrf_token"]}";
     }
 
     function hook_render_article_cdm($article)

I suspect there is a reason that CSRF stuff isn't put in the URL, so I'll go talk to the TTRSS folks and see what they suggest.

I removed the PhCURL because it was throwing some errors and I didn't care to trace why.
Some of the default settings you had might be important though, so I may still try to figure out why and put that back in, it looks a lot cleaner to use than the default php curl library...

Edit: https://github.com/mtfurlan/af_refspoof/tree/fix

from af_refspoof.

Thx @mtfurlan , god this is really old project of mine, I think I've stopped using ttrss about the same time as well.

from af_refspoof.

Would you like me to keep updating here or should I fork refspoof and maintain it there?

Apparently putting CSRF in the URL is bad for a few reasons, and I was suggested to see how https://git.tt-rss.org/fox/ttrss-api-resize does it.
Looks like it's caching the images locally.

from af_refspoof.

This project is somewhat still referenced around, so it would probably be better if the development continue to be here. If you want to, I can promote you to a maintainer, so you will be able to deal with PRs and merges

from af_refspoof.