Comments (4)
This makes it work: http://ix.io/3zhC
But that doesn't do any kind of CSRF protection, which I don't like too much.
If we modify TTRSS a little (I'm now working on current ttrss master, but I don't think anything relevant changed)
diff --git a/classes/pluginhandler.php b/classes/pluginhandler.php
index 75b823822..51d6df9c2 100644
--- a/classes/pluginhandler.php
+++ b/classes/pluginhandler.php
@@ -7,7 +7,7 @@ class PluginHandler extends Handler_Protected {
function catchall($method) {
$plugin_name = clean($_REQUEST["plugin"]);
$plugin = PluginHost::getInstance()->get_plugin($plugin_name);
- $csrf_token = ($_POST["csrf_token"] ?? "");
+ $csrf_token = ($_REQUEST["csrf_token"] ?? "");
if ($plugin) {
if (method_exists($plugin, $method)) {
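Review bot: Widening the token source from `$_POST["csrf_token"]` to `$_REQUEST["csrf_token"]` in `PluginHandler::catchall` makes the token acceptable from the query string for every plugin method, not only af_refspoof's redirect. A token carried in a URL ends up in browser history, server and proxy logs and outbound Referer headers, which weakens the protection the token is meant to provide. Suggest keeping `$_POST["csrf_token"]` here and giving the redirect endpoint its own check (for example a signature over `refspoof_url` and `refspoof_ref` computed from a server-side secret) instead of relaxing the global token handling.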
We can kinda add CSRF stuff to the URL
diff --git a/init.php b/init.php
index 2e0f3ed..45171bf 100644
--- a/init.php
+++ b/init.php
@@ -93,7 +93,8 @@ EOF;
return "${_SERVER['REQUEST_SCHEME']}://${_SERVER['SERVER_NAME']}"
. "/backend.php?op=pluginhandler&method=redirect&plugin=af_refspoof"
. "&refspoof_url=" . urlencode($url)
- . '&refspoof_ref=' . urlencode($ref);
+ . '&refspoof_ref=' . urlencode($ref)
+ . "&csrf_token=${_SESSION["csrf_token"]}";
}
function hook_render_article_cdm($article)
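Review bot: Appending `$_SESSION["csrf_token"]` to a URL that `hook_render_article_cdm` writes into article markup exposes the session's CSRF token to anything that renders, stores or exports that HTML, and to any log that records the image requests. Also, unlike `refspoof_url` and `refspoof_ref` on the lines above, the token is not passed through `urlencode()`, and if the session has no token the interpolation silently yields an empty value; at minimum mirror the `urlencode()` treatment and skip the parameter when the token is unset, and preferably avoid putting the session token in the URL at all.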
I suspect there is a reason that CSRF stuff isn't put in the URL, so I'll go talk to the TTRSS folks and see what they suggest.
I removed the PhCURL because it was throwing some errors and I didn't care to trace why.
Some of the default settings you had might be important though, so I may still try to figure out why and put that back in, it looks a lot cleaner to use than the default php curl library...
Edit: https://github.com/mtfurlan/af_refspoof/tree/fix
Thx @mtfurlan, god, this is a really old project of mine; I think I stopped using ttrss around the same time as well.
Would you like me to keep updating here or should I fork refspoof and maintain it there?
Apparently putting CSRF in the URL is bad for a few reasons, and it was suggested that I look at how https://git.tt-rss.org/fox/ttrss-api-resize does it.
Looks like it's caching the images locally.
This project is still referenced around somewhat, so it would probably be better if the development continues here. If you want to, I can promote you to maintainer, so you will be able to deal with PRs and merges.