dependabot[bot]
f1c91c84dd
Bump phpstan/phpstan from 2.1.29 to 2.1.31 ( #8156 )
...
* Bump phpstan/phpstan from 2.1.29 to 2.1.31
Bumps [phpstan/phpstan](https://github.com/phpstan/phpstan-phar-composer-source) from 2.1.29 to 2.1.31.
- [Commits](https://github.com/phpstan/phpstan-phar-composer-source/commits)
---
updated-dependencies:
- dependency-name: phpstan/phpstan
dependency-version: 2.1.31
dependency-type: direct:development
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
* Fixes
---------
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
2025-10-25 11:21:28 +02:00
Alexandre Alapetite
20ecbeb09c
Fix drag&drop of user query losing information ( #8113 )
...
* Fix drag&drop of user query losing information
Information about RSS sharing was lost after a drag&drop
* Fix related type cast
2025-10-14 11:01:23 +02:00
Alexandre Alapetite
49c96fe3ec
Fix SimplePie support of HTTP trailer headers ( #7983 )
...
* Fix SimplePie support of HTTP trailer headers
fix https://github.com/FreshRSS/FreshRSS/discussions/7981
https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Trailer
https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Server-Timing
We need to use content-length to know where the body stops, but content-length is wrong if any compression was used.
So let cURL perform the separation of HTTP headers and body instead of using the SimplePie parser.
* Minor whitespace
* Same change for lib_rss
* Move changes to SimplePie repo
https://github.com/FreshRSS/simplepie/pull/55
https://github.com/FreshRSS/simplepie/pull/57
2025-10-01 23:07:38 +02:00
Inverle
9dd30f03ec
Improve restriction of curl params ( #8009 )
...
Rework #7979
Forgot to change `httpGet()`, which is used in multiple places
2025-09-25 22:50:21 +02:00
Inverle
067479a9f1
Lazy-load <track src> ( #7997 )
...
Follow-up of #7636
I found it's the only missing element that needs to be lazy loaded by putting HTML of https://github.com/cure53/HTTPLeaks/blob/main/leak.html into a feed
2025-09-23 22:12:44 +02:00
Alexandre Alapetite
92a73a2c4f
Minor forgotten str_starts_with ( #7991 )
...
A couple of places, which have been forgotten when we moved to using `str_starts_with()` instead of `strpos()`.
2025-09-21 19:06:06 +02:00
Alexandre Alapetite
bc3e4c8fa4
Add option for CSP frame-ancestors ( #7857 )
...
* Add option for CSP frame-ancestors
https://github.com/FreshRSS/FreshRSS/discussions/7856
* Revert contentSelectorPreviewAction
* Same for f.php and api
* Fix double init in f.php
* No sandbox for API page
2025-09-21 13:29:58 +02:00
Inverle
055342118f
Restrict allowed curl parameters ( #7979 )
...
For additional safety, also making sure in this PR that [`CURLOPT_COOKIEFILE`](https://curl.se/libcurl/c/CURLOPT_COOKIEFILE.html) is only allowed as an empty string during import.
2025-09-18 23:43:04 +02:00
Alexis Degrugillier
23ba48c71f
Change how files are included ( #7916 )
...
1. `include`, `include_once`, `require` and `require_once` are expressions not functions, parentheses are not necessary.
2. to move up the directory tree, it's better to use the `dirname` function instead of relying on `/..`.
2025-09-05 15:56:46 +02:00
Inverle
43248b461d
Fix curl response parsing ( #7866 )
...
* Fix curl response parsing
* Specify redirect count with `\SimplePie\HTTP\Parser::prepareHeaders()` instead
Simply notify SimplePie of the redirect count before parsing
* Better error check
* Simplify
2025-08-30 15:13:10 +02:00
Alexandre Alapetite
ade9ba8817
Call cleanCache when refreshing feeds ( #7827 )
...
Otherwise, it is only called when calling `httpGet()` which can be rare for users not using Web Scraping.
https://github.com/FreshRSS/FreshRSS/discussions/7784#discussioncomment-14109207
2025-08-15 09:37:00 +02:00
Alexandre Alapetite
ddb9e91bf2
Fix some PHP 8.5 deprecations ( #7826 )
...
https://github.com/php/php-src/blob/php-8.5.0beta1/NEWS
https://php.net/function.curl-close
> This function has no effect. Prior to PHP 8.0.0, this function was used to close the resource.
2025-08-15 09:36:45 +02:00
Alexandre Alapetite
62f32ccadf
PHPStan: finalise strictArrayFilter ( #7794 )
...
As well as reportPossiblyNonexistentConstantArrayOffset.
And disable PHPStan-next from GitHub Action, since the work is completed for now.
2025-08-07 22:19:45 +02:00
Alexandre Alapetite
e915ebe46e
Rework fetch favicons ( #7767 )
...
* Use main function `httpGet()` instead of local one;
* Use HTTP cache, also between users;
* Do not default to feed URL when there is no website URL
TODO for later: consider supporting Atom's `<icon>` and RSS 2.0's `<image>` https://github.com/FreshRSS/FreshRSS/issues/7774
2025-08-01 08:30:49 +02:00
Inverle
c952256564
Strip more unsafe attributes e.g. referrerpolicy ( #7770 )
2025-07-31 17:04:47 +02:00
Alexandre Alapetite
7a0c423357
Implement support for HTTP 429 Too Many Requests ( #7760 )
...
* Implement support for HTTP 429 Too Many Requests
Will obey the corresponding HTTP `Retry-After` header at domain level.
* Implement 503 Service Unavailable
* Sanitize Retry-After
* Reduce default value when Retry-After is absent
And make configuration parameter
* Retry-After also for favicons
2025-07-31 09:17:42 +02:00
Sam Edwards
5bbd299c7e
Call DOMNode::insertBefore() on the parent of its $child ( #7741 )
...
Follow-up to https://github.com/FreshRSS/FreshRSS/pull/7654#discussion_r2208901108
Changes proposed in this pull request:
- `DOMNode::insertBefore()` needs to be called on an element that is the parent of the `$child` param being passed
- Update code to call this on `$doc->documentElement` instead of directly on the `$doc` (`DOMDocument`)
How to test the feature manually:
1. Set up an HTML + XPath feed for a URL that contains partial HTML content (e.g. https://victoria.citified.ca/modules/blog/news.php?n=7&c=8)
1. Observe that the feed is processed successfully without error, and that the `<base>` is still inserted
2025-07-17 01:44:10 +02:00
Inverle
7d9fc0ce0c
Fix multiple auth headers bug ( #7703 )
...
Fix https://github.com/FreshRSS/FreshRSS/issues/7699
2025-06-30 09:51:31 +02:00
Inverle
18b5c8ec6d
Handle redirects when scraping feed from HTML ( #7654 )
...
* Handle redirects when scraping feed from HTML
* pass codesniffer
* pass PHPStan
* Optimize
* Another approach relying on HTML base
Standard way to save an HTML document with relative references
* Fix case of existing HTML base
which should not be overridden
---------
Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
2025-06-22 00:09:18 +02:00
Inverle
a6948218fb
frame-ancestors CSP ( #7677 )
2025-06-18 22:20:17 +02:00
Inverle
dd5ea7ab4e
Include remaining tags/attributes for lazy loading ( #7636 )
...
* Include remaining tags/attributes for lazy loading
* Suggested change
2025-06-03 00:14:50 +02:00
Alexandre Alapetite
5f45df3168
Strip more styles attributes ( #7606 )
...
Strip `bgcolor`, `text`, `background`, `link`, `alink`, `vlink`
fix https://github.com/FreshRSS/FreshRSS/issues/7604
2025-05-23 22:12:05 +02:00
Alexandre Alapetite
532d229d33
Fix newest articles not shown ( #7577 )
...
* Fix newest articles not shown
Case when processing was faster than 1 second.
fix https://github.com/FreshRSS/FreshRSS/issues/7412
Regression from https://github.com/FreshRSS/FreshRSS/pull/7149
* Simplify uTimeString()
PHPStan has become a bit smarter
2025-05-10 23:17:25 +02:00
Alexandre Alapetite
3f187395ea
Move PHP minimum version check ( #7560 )
...
It is too late to check for minimum version check in `lib_rss.php` because that file already contains some relatively new PHP language constructs, which will lead to a syntax error - when running with an old PHP version - instead of the expected error message.
Moved to `constants.php` for now.
Example of syntax error with PHP 7.4:
```
PHP Parse error: syntax error, unexpected '|', expecting '{' in /var/www/FreshRSS/lib/lib_rss.php on line 166
```
Should help users like in:
* https://github.com/FreshRSS/FreshRSS/discussions/7539
* https://github.com/FreshRSS/FreshRSS/issues/7557
2025-05-07 10:47:09 +02:00
Inverle
4568111c00
Fix file serving for symlinked extensions ( #7545 )
...
* Fix file serving for symlinked extensions from ext.php
* Don't resolve symlink when deleting extension
* Minor syntax
---------
Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
2025-05-02 09:47:57 +02:00
Alexandre Alapetite
6bb8680ae0
HTTP Auth disallow multiple headers ( #7528 )
...
When using HTTP Auth methods (including OpenID Connect), exactly 1 HTTP header should be received, not more.
2025-04-28 22:51:54 +02:00
Alexandre Alapetite
f58dea6a5a
SimplePie forbid formaction attribute ( #7506 )
...
Sanitize buttons with a form or formaction attribute.
2025-04-13 00:01:09 +02:00
Alexandre Alapetite
d3d9acca9f
Web scraping forbid security headers in cURL ( #7496 )
...
Prevent using `Remote-User`, `X-WebAuth-User` during Web scraping.
2025-04-07 08:33:13 +02:00
Alexandre Alapetite
54e2f9107d
Disallow iframe srcdoc for now ( #7494 )
...
We do not sanitize this attribute well enough, so stripped for now.
It is rarely used: I have not seen any use of it in any of my many test feeds.
Can be added back when we can handle its inherent security issues better.
2025-04-06 00:47:45 +02:00
maTh
1f624bc5e2
Referrer-Policy: same-origin ( #6303 )
...
* Referrer-Policy: same-origin
* same-origin for our own images
---------
Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
2025-04-01 12:23:56 +02:00
Alexandre Alapetite
d7ca2f8768
Doc force-https ( #7259 )
...
* Doc force-https
https://github.com/FreshRSS/FreshRSS/discussions/7252#discussioncomment-11951183
* Forgotten ^
* More proper support for comments
2025-01-26 23:19:44 +01:00
Alexandre Alapetite
22b74b0a57
Improve cURL proxy options ( #7231 )
...
3 is now used for CURLPROXY_HTTPS2
f07612cd9a/include/curl/curl.h (L789)
Related to https://github.com/FreshRSS/FreshRSS/issues/7209
2025-01-25 09:14:08 +01:00
Alexandre Alapetite
50adb55982
Add some missing PHP native types ( #7191 )
...
* Add some missing PHP native types
Replaces https://github.com/FreshRSS/FreshRSS/pull/7184
* Clean some types
2025-01-08 13:26:09 +01:00
Alexandre Alapetite
b1d24fbdb7
PHPStan 2.0 ( #7131 )
...
* PHPStan 2.0
fix https://github.com/FreshRSS/FreshRSS/issues/6989
https://github.com/phpstan/phpstan/releases/tag/2.0.0
https://github.com/phpstan/phpstan/blob/2.0.x/UPGRADING.md
* More
* More
* Done
* fix i18n CLI
* Restore a PHPStan Next test
For work towards PHPStan Level 10
* 4 more on Level 10
* fix getTagsForEntry
* API at Level 10
* More Level 10
* Finish Minz at Level 10
* Finish CLI at Level 10
* Finish Controllers at Level 10
* More Level 10
* More
* Pass bleedingEdge
* Clean PHPStan options and add TODOs
* Level 10 for main config
* More
* Consistency array vs. list
* Sanitize themes get_infos
* Simplify TagDAO->getTagsForEntries()
* Finish reportAnyTypeWideningInVarTag
* Prepare checkBenevolentUnionTypes and checkImplicitMixed
* Fixes
* Refix
* Another fix
* Casing of __METHOD__ constant
2024-12-27 12:12:49 +01:00
Luc SANCHEZ
15745d42b7
Upgrade code to php 8.1 ( #6748 )
...
* revert
Fix code indentation
Fix code
Upgrade code to php 8.1
* fix remarks
* code review
* code review
* code review
* Apply suggestions from code review
* code review
* Fixes
* Many remaining updates of array syntax
* Lost case 'reading-list'
* Unneeded PHPDoc
---------
Co-authored-by: Luc Sanchez <l.sanchez-prestataire@alptis.fr>
Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
2024-11-28 17:11:04 +01:00
Alexandre Alapetite
ffc3d393e5
SimplePie support for HTTP cache policies ( #6812 )
...
* SimplePie support for HTTP cache policies
Discussion in https://github.com/FreshRSS/simplepie/pull/26
* Bump SimplePie commit
* Typos
* Typos
* Simpler logic
* Explicitly disable cache for non-GET flows
* Bump SimplePie commit
* Bump SimplePie commit
* Bump SimplePie commit
* Bump SimplePie commit
2024-09-20 23:25:38 +02:00
Artur Weigandt
882deab455
Allow SimplePie updates with composer ( #4374 )
...
* rename lib/SimplePie to lib/CustomSimplePie
* add test for autoloading SimplePie with PSR-0
* install SimplePie 1.6.0
* Add SimplePie CHANGELOG.md, ignore irrelevant files
* remove unmodified custom classes
* rename all customized SimplePie classes
* Add autoloading for SimplePie PSR-0 and CustomSimplePie classes
* let CustomSimplePie extends SimplePie, remove unchanged code
* let CustomSimplePieMisc extends SimplePie\Misc, remove unchanged code
* Add tests for autoloading
* let CustomSimplePieContentTypeSniffer extends Sniffer, remove unchanged code
* remove unchanged CustomSimplePieEnclosure class
The fixed typos are committed to SimplePie
See 133eac158c
* let CustomSimplePieFile extends SimplePie\File, remove unchanged code
* let CustomSimplePieParser extends SimplePie\Parser, remove unchanged code
* let CustomSimplePieSanitize extends SimplePie\Sanitize, remove unchanged code
* let CustomSimplePieHttpParser extends SimplePie\HTTP\Parser, remove unchanged code
* Remove CustomSimplePie
* Switch SimplePie repo to https://github.com/FreshRSS/simplepie.git
* move to latest branch, update all SimplePie source files
* Use namespaced SimplePie classes, remove SimplePie library folder
* Update to latest SimplePie version with FreshRSS modifications
* Bump SimplePie
Tests expected to fail due to missing a backport of functionalities
* Add fork-specific readme
* Re-implement initial syslog SimplePie GET
https://github.com/FreshRSS/FreshRSS/pull/815
Lacks https://github.com/FreshRSS/FreshRSS/pull/6061
* Closer backport of syslog SimplePie GET
https://github.com/FreshRSS/FreshRSS/pull/6061
But the requests logs will be in the wrong order in case of redirections
* Fixes
* lib update
* SimplePie include a few more files
* Try with cache-hash branch
* Point to newer commit
* Point to newer commit
* Finalise logs
* Finalise
* Bump SimplePie commit
* Bump SimplePie commit
* Readme SimplePie fork
* Bump SimplePie commit
* Better logging
* Bump SimplePie commit
* Reworked approach to work with SimplePie cache
Simpler FreshRSS patches
* Bump SimplePie commit
https://github.com/FreshRSS/simplepie/pull/22
* Simplepie846
https://github.com/FreshRSS/simplepie/pull/23
And additional fixes
* Remove log
* Cherry pick relevant unmerged SimplePie PRs
---------
Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
2024-09-14 23:11:10 +02:00
Alexandre Alapetite
dfac9f5813
PHPStan booleansInConditions ( #6793 )
...
* PHPStan booleansInConditions
* Uniformisation
2024-09-11 17:14:53 +02:00
Alexandre Alapetite
a81656c3ed
Upgrade to PHP 8.1 ( #6711 )
...
* Upgrade to PHP 8.1
As discussed in https://github.com/FreshRSS/FreshRSS/discussions/5474
https://www.php.net/releases/8.0/en.php
https://www.php.net/releases/8.1/en.php
Upgrade to available native type declarations
https://php.net/language.types.declarations
Upgrade to https://phpunit.de/announcements/phpunit-10.html which requires PHP 8.1+ (good timing, as version 9 was not maintained anymore)
Upgrade `:oldest` Docker dev image to oldest Alpine version supporting PHP 8.1: Alpine 3.16, which includes PHP 8.1.22.
* Include 6736
https://github.com/FreshRSS/FreshRSS/pull/6736
2024-09-06 09:06:46 +02:00
Alexandre Alapetite
c480e57161
Fix HTTP cache of user queries ( #6718 )
...
fix https://github.com/FreshRSS/FreshRSS/issues/6717
2024-08-16 22:40:56 +02:00
Alexandre Alapetite
d2247221bb
Minor update whitespace PHPCS rules ( #6666 )
...
* Minor update whitespace PHPCS rules
To simplify our configuration, apply more rules, and be clearer about what is added or removed compared with PSR12.
Does not change our current conventions, but just a bit more consistent.
* Forgotten *.phtml
* Sort exclusion patterns + add a few for Extensions repo
* Relaxed some rules
2024-08-01 20:31:40 +02:00
Alexandre Alapetite
5b28a35003
Pass PHPStan level 9 ( #6544 )
...
* More PHPStan
* More, passing
* 4 more files
* Update to PHPStan 1.11.4
Needed for fixed bug: Consider numeric-string types after string concat
https://github.com/phpstan/phpstan/releases/tag/1.11.4
* Pass PHPStan level 9
Start tracking booleansInConditions
* Fix mark as read
* Fix doctype
* ctype_digit
2024-06-09 20:32:12 +02:00
Alexandre Alapetite
3cd90a2b1f
Fix HTTP GET curl options ( #6492 )
...
fix https://github.com/FreshRSS/FreshRSS/issues/6491
Regression from https://github.com/FreshRSS/FreshRSS/pull/6177
2024-05-25 18:27:12 +02:00
Alexandre Alapetite
2d17c020b6
PHPStan 1.11 + minor update dev dependencies ( #6459 )
...
* PHPStan 1.11 + minor update dev dependencies
https://github.com/phpstan/phpstan/releases/tag/1.11.0
* Comment style
2024-05-15 08:57:58 +02:00
Alexandre Alapetite
7aaed6092f
SimplePie replace iframe allow attribute ( #6274 )
...
* SimplePie strip iframe allow attribute
https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe#allow
Besides security, the `allow autoplay` attribute is especially problematic on mobile (Firefox on Android) as it asks to open the YouTube app as soon as the article is opened.
Example of code before:
```html
<iframe data-original="https://www.youtube.com/embed/??????feature=oembed " allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" referrerpolicy="strict-origin-when-cross-origin" allowfullscreen="" sandbox="allow-scripts allow-same-origin"></iframe>
```
* Replace allow attribute
* Allow more
2024-04-11 08:48:50 +02:00
Alexandre Alapetite
e3c86a164d
HTTP Get allow UTF-8 even when charset is far from top ( #6271 )
...
* HTTP Get allow UTF-8 even when charset is far from top
fix https://github.com/FreshRSS/FreshRSS/issues/5586
The case was an HTML document with 15k whitespace then 1.2k of scripts before the `<meta charset="utf-8">` (far from the 1024 bytes suggested by the spec..., and too far for DOMDocument)
* Rewording
* Trim also vertical tab + comment
2024-04-06 23:02:50 +02:00
Alexandre Alapetite
d0072b9fb7
Refactor some cURL options and use CURLOPT_USERPWD ( #6177 )
...
* Refactor some cURL options and use CURLOPT_USERPWD
fix https://github.com/FreshRSS/FreshRSS/issues/6176
* Fixes
2024-03-10 23:04:17 +01:00
Alexandre Alapetite
5e54d5bc58
Reduce API memory consumption ( #6137 )
...
`echo json_encode(...)` is very memory demanding for large responses, so optimised.
Contributes to https://github.com/FreshRSS/FreshRSS/issues/6136
https://github.com/FreshRSS/FreshRSS/pull/6013#discussion_r1506779881
2024-03-01 10:08:25 +01:00
Alexandre Alapetite
7d6a64a522
Web scraping support encodings such as EUC-JP ( #6112 )
...
* Web scraping support encodings such as EUC-JP
fix https://github.com/FreshRSS/FreshRSS/issues/6106
* Typo
2024-02-18 10:53:44 +01:00
Alexandre Alapetite
06570b30f0
composer update ( #6075 )
...
Update PHPStan, fixing some bugs needed for https://github.com/FreshRSS/FreshRSS/pull/6052
(One syntax fix caught by new version)
Update also PHPUnit
2024-01-30 12:57:14 +01:00