filter_var and CURLOPT_RESOLVE (#8400)
* Add SSRF mitigations using `filter_var` and `CURLOPT_RESOLVE`
The idea is to prevent FreshRSS from sending any HTTP requests to internal services, except for the ones that are explicitly allowed in the config.
Based on 6e82b46a48/lib/filelib.php (L3818) and https://github.com/symfony/symfony/blob/8.1/src/Symfony/Component/HttpClient/NoPrivateNetworkHttpClient.php
https://github.com/FreshRSS/simplepie/pull/76
https://github.com/FreshRSS/simplepie/pull/78
* Add allowlist setting in Web UI
* make readme
* Update app/i18n/fr/admin.php
Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
* make readme again
* make readme
* Further work
Still WIP and needs testing etc.
* Readd previous if check for domain combination allowlist
* Turn POST to GET after redirect
* Improve
* Update config.default.php
Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
* make readme
* Skip SSRF check if `CURLOPT_PROXY` is set
* make readme
* Fix `!empty()` mistake
* Respect max redirects feed option when fetching with `httpGet()`
* Respect max redirects during SimplePie fetching + fix bypass
bypass fix: `CURLOPT_FOLLOWLOCATION` was moved below so that emulated redirects are enforced.
* Avoid FreshRSS and Minz code in SimplePie
https://github.com/FreshRSS/FreshRSS/pull/8400#discussion_r2935375980
* Corrected hook code
* phpdoc wrong return type
* Add CIDR support in allowlist
* Implement simple DNS caching
* Suppress `dns_get_record()` warnings
* A bit of proof-reading
* Minor typo
* Fix proxy logic
* Fix HTTP POST redirect logic
* Proofread checkCIDR
Add fixes for several situations
* Remove credentials from URL in logs
* Ensure `CURLOPT_FOLLOWLOCATION` is `false` by setting it at the end
* Fix codesniffer long line
* Fix potential bypass due to wrong return value
If there were no records returned by `dns_get_record()`, no overrides to `CURLOPT_RESOLVE` would get passed,
and a potential bypass could occur, when cURL would try to resolve the domain by itself.
* Put the URL at the end in logs
* Add documentation and environment variable support
* make readme
* Fix wrong behavior in case of IP
* Fix duplicate selector in CSS
* Minor type check change
* i18n fr, en
* Minor type check change
* Fix whitespace i18n fr
* make fix-all
* Fix `$ips_ok` not being returned after domain records were cached
* make readme
* PHPStan fix
* make readme
* Minor syntax in SimplePie
* Only return `null` if no allowed IPs were found
* Add wildcard *, help message
* Consistent docs with help message
* i18n: pl
* SimplePie compatibility PHP 7.2
* make fix-all
* Sync SimplePie
* https://github.com/FreshRSS/simplepie/pull/76
* 💥 Breaking change in the Changelog
* Document `INTERNAL_HOST_ALLOWLIST` in Docker docs
* Remove `Cookie` and `Authorization` headers in `httpGet()` during cross-origin redirect
* Minor whitespace
And same comment convention as below
* Remove authentication headers and change POST to GET on redirect in SimplePie
* Remove .local in Docker example
* Fill in default ports when comparing URL origins
* Remove .local from other places than the Docker example
* Rewrite WebSub subscribe to use `httpGet()`
* make fix-all
* Also unset `CURLOPT_USERPWD` during redirects
* phpcs fix
* Always unset `CURLOPT_FOLLOWLOCATION`
* Bump SimplePie
https://github.com/FreshRSS/simplepie/pull/78
* Update logic for CURLOPT_FOLLOWLOCATION
* Fix PHPStan
* Changelog fix security section
* Update most common RSS Bridge case
https://hub.docker.com/r/rssbridge/rss-bridge
* Replace misleading 127.0.0.1:8080 example for Docker
This does not make sense for a Docker container
---------
Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
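The mitigation the commit message describes, as an added example that is not FreshRSS's or SimplePie's code: resolve the host first, keep only addresses that `filter_var` reports as non-private and non-reserved (or that match an allowlist of IPs and CIDR ranges), then pin cURL to exactly those addresses with `CURLOPT_RESOLVE` and leave `CURLOPT_FOLLOWLOCATION` off so every redirect hop goes through the same check. The function names, the allowlist values and the IPv4-only simplification are assumptions made for this example.

```php
<?php
// Added example, not FreshRSS's own code: resolve the host first, keep only the
// public (or allowlisted) addresses, then pin cURL to them with CURLOPT_RESOLVE.
// IPv4 only, to keep the CURLOPT_RESOLVE string format simple.
/** True if $ip falls inside $entry, which is a plain IPv4 or an IPv4/bits CIDR. */
function ipMatches(string $ip, string $entry): bool {
    [$net, $bits] = array_pad(explode('/', $entry, 2), 2, '32');
    $ipN = ip2long($ip); $netN = ip2long($net);
    if ($ipN === false || $netN === false) return false;
    $mask = (int)$bits === 0 ? 0 : (-1 << (32 - (int)$bits)) & 0xFFFFFFFF;
    return ($ipN & $mask) === ($netN & $mask);
}

/**
 * Public or allowlisted A records for $host, or null when none qualify.
 * Callers must refuse on null: passing no CURLOPT_RESOLVE entry would let
 * cURL resolve the name itself, which is the bypass the commit fixes.
 */
function safeIpsForHost(string $host, array $allowlist): ?array {
    $ok = [];
    foreach ((@dns_get_record($host, DNS_A) ?: []) as $r) {
        $ip = $r['ip'] ?? '';
        $public = filter_var($ip, FILTER_VALIDATE_IP,
            FILTER_FLAG_IPV4 | FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE);
        $allowed = array_filter($allowlist, fn($e) => ipMatches($ip, $e)) !== [];
        if ($public !== false || $allowed) $ok[] = $ip;
    }
    return $ok === [] ? null : $ok;
}

/** Fetch $url without following redirects; each hop must be re-checked by the caller. */
function fetchPinned(string $url, array $allowlist): string|false {
    $p = parse_url($url);
    $host = $p['host'] ?? '';
    $port = $p['port'] ?? ((($p['scheme'] ?? 'http') === 'https') ? 443 : 80);
    $ips = safeIpsForHost($host, $allowlist);
    if ($ips === null) return false; // refuse instead of letting cURL resolve
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_RESOLVE => ["$host:$port:" . implode(',', $ips)],
        CURLOPT_FOLLOWLOCATION => false, // set last so nothing re-enables it
    ]);
    $body = curl_exec($ch);
    curl_close($ch);
    return $body;
}
// Hypothetical allowlist: one container address and one private subnet.
var_dump(fetchPinned('https://example.org/feed', ['172.18.0.5', '10.0.0.0/8']) !== false);
```

On a redirect the caller should parse the `Location` header, drop `Cookie`, `Authorization` and `CURLOPT_USERPWD` when the origin (scheme, host and port with defaults filled in) changes, and call `fetchPinned()` again up to the configured redirect limit.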
- Read this document on github.com/FreshRSS/FreshRSS/ to get the correct links and pictures.
- Version française
FreshRSS
FreshRSS is a self-hosted RSS feed aggregator.
It is lightweight, easy to work with, powerful, customizable, and has been translated into many languages.
It is a multi-user application with an anonymous reading mode. It supports custom tags. There is an API for (mobile) clients, and a Command-Line Interface.
Thanks to the WebSub standard, FreshRSS is able to receive instant push notifications from compatible sources, such as Friendica, WordPress, Blogger, Medium, etc.
FreshRSS natively supports basic Web scraping, based on XPath, for Web sites not providing any RSS / Atom feed. Also supports JSON documents.
FreshRSS offers the ability to reshare selections of articles by HTML, RSS, and OPML.
Different login methods are supported: Web form (including an anonymous option), HTTP Authentication (compatible with proxy delegation), OpenID Connect.
Finally, FreshRSS supports extensions for further tuning.
- Official website: https://freshrss.org
- Demo: https://demo.freshrss.org
- License: GNU AGPL 3
Feedback and contributions
Feature requests, bug reports, and other contributions are welcome. The best way is to open an issue on GitHub. We are a friendly community.
To facilitate contributions, the following option is available:
Screenshot
Disclaimer
FreshRSS comes with absolutely no warranty.
Documentation
- User documentation, where you can discover all the possibilities offered by FreshRSS
- Administrator documentation for detailed installation and maintenance related tasks
- Developer documentation to guide you in the source code of FreshRSS and to help you if you want to contribute
- Contributor guidelines for those who want to help improve FreshRSS
- Check `AGENTS.md` for coding conventions (both for humans and AI agents).
Requirements
- A recent browser like Firefox / IceCat, Edge, Chromium / Chrome, Opera, Safari.
- Works on mobile (except a few features)
- Light server running Linux or Windows
- It even works on Raspberry Pi 1 with response time under a second (tested with 150 feeds, 22k articles)
- A Web server: Apache2.4+ (recommended), nginx, lighttpd (not tested on others)
- PHP 8.1+
- Required extensions: cURL, DOM, JSON, XML, session, ctype
- Recommended extensions: PDO_SQLite (for export/import), GMP (for API access on 32-bit platforms), IDN (for Internationalized Domain Names), mbstring (for Unicode strings), iconv (for charset conversion), ZIP (for import/export), zlib (for compressed feeds)
- Extension for database: PDO_PGSQL or PDO_SQLite or PDO_MySQL
- PostgreSQL 10+ or SQLite or MariaDB 10.6+ or MySQL 8.0+
Installation
The latest stable release can be found on GitHub. New versions are released every two to three months.
If you want a rolling release with the newest features, or want to help testing or developing the next stable version, you can use the edge branch.
Automated install
Manual install
- Get FreshRSS with git or by downloading the archive
- Put the application somewhere on your server (expose only the `./p/` folder to the Web)
- Add write access to the `./data/` folder for the webserver user
- Access FreshRSS with your browser and follow the installation process
  - or use the Command-Line Interface
- Everything should be working :) If you encounter any problems, feel free to contact us.
- Advanced configuration settings can be found in `config.default.php` and modified in `data/config.php`.
- When using Apache, enable `AllowEncodedSlashes` for better compatibility with mobile clients.
More detailed information about installation and server configuration can be found in our documentation.
Advice
- For better security, expose only the `./p/` folder to the Web.
  - Be aware that the `./data/` folder contains all personal data, so it is a bad idea to expose it.
- The `./constants.php` file defines access to the application folder. If you want to customize your installation, look here first.
- If you encounter any problem, logs are accessible from the interface or manually in `./data/users/*/log*.txt` files.
  - The special folder `./data/users/_/` contains the part of the logs that are shared by all users.
FAQ
- The date and time in the right-hand column is the date declared by the feed, not the time at which the article was received by FreshRSS, and it is not used for sorting.
- In particular, when importing a new feed, all of its articles will appear at the top of the feed list regardless of their declared date.
Extensions
FreshRSS supports further customizations by adding extensions on top of its core functionality. See the repository dedicated to those extensions.
Internationalization: 20+ languages. Translation progress
| Language | Progress | Contribute |
|---|---|---|
| Čeština (cs) | ■■■■■■■■・・ 81% | contribute |
| Deutsch (de) | ■■■■■■■■■・ 99% | contribute |
| Ελληνικά (el) | ■■■・・・・・・・ 38% | contribute |
| English (en) | ■■■■■■■■■■ 100% | contribute |
| English (United States) (en-US) | ■■■■■■■■■■ 100% | contribute |
| Español (es) | ■■■■■■■■■・ 99% | contribute |
| فارسی (fa) | ■■■■■■■■■・ 99% | contribute |
| Suomi (fi) | ■■■■■■■■■・ 92% | contribute |
| Français (fr) | ■■■■■■■■■■ 100% | contribute |
| עברית (he) | ■■■■・・・・・・ 41% | contribute |
| Magyar (hu) | ■■■■■■■■■・ 99% | contribute |
| Bahasa Indonesia (id) | ■■■■■■■■・・ 89% | contribute |
| Italiano (it) | ■■■■■■■■■・ 99% | contribute |
| 日本語 (ja) | ■■■■■■■■・・ 88% | contribute |
| 한국어 (ko) | ■■■■■■■■・・ 81% | contribute |
| Latviešu (lv) | ■■■■■■■■・・ 82% | contribute |
| Nederlands (nl) | ■■■■■■■■■・ 99% | contribute |
| Occitan (oc) | ■■■■■■■・・・ 74% | contribute |
| Polski (pl) | ■■■■■■■■■・ 99% | contribute |
| Português (Brasil) (pt-BR) | ■■■■■■■■■・ 99% | contribute |
| Português (Portugal) (pt-PT) | ■■■■■■■■・・ 81% | contribute |
| Русский (ru) | ■■■■■■■■■・ 99% | contribute |
| Slovenčina (sk) | ■■■■■■■■・・ 81% | contribute |
| Türkçe (tr) | ■■■■■■■■・・ 89% | contribute |
| Українська (uk) | ■■■■■■■■■・ 99% | contribute |
| 简体中文 (zh-CN) | ■■■■■■■■■・ 97% | contribute |
| 正體中文 (zh-TW) | ■■■■■■■■■・ 95% | contribute |
APIs & native apps
FreshRSS supports access from mobile / native apps for Linux, Android, iOS, Windows and macOS, via two distinct APIs: Google Reader API (best), and Fever API (limited features, less efficient, less safe).
| App | Platform | Free Software | Maintained & Developed | API | Works offline | Fast sync | Fetch more in individual views | Fetch read articles | Favourites | Labels | Podcasts | Manage feeds |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Capy Reader | Android | ✓ | ✓✓ | GReader | ✓ | ⭐⭐⭐ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Readrops | Android | ✓ | ✓✓ | GReader | ✓ | ⭐⭐⭐ | – | ✓ | ✓ | – | – | ✓ |
| FeedMe | Android | – | ✓✓ | GReader | ✓ | ⭐⭐ | – | – | ✓ | ✓ | ✓ | ✓ |
| FocusReader | Android | – | ✓✓ | GReader | ✓ | ⭐⭐ | – | – | ✓ | ✓ | ✓ | ✓ |
| Read You | Android | ✓ | ✓✓ | GReader | ✓ | ⭐⭐ | ✓ | ✓ | ✓ | – | – | ✓ |
| Your News | Android, iOS | – | ✓✓ | GReader | – | ⭐ | ✓ | ✓ | ✓ | – | – | – |
| Fluent Reader Lite | Android, iOS | ✓ | ✓ | GReader | ✓ | ⭐⭐ | – | – | ✓ | – | – | – |
| FeedFlow | Android, iOS, Linux, macOS, Windows | ✓ | ✓✓ | GReader | ✓ | ? | ? | ? | ✓ | ? | – | ✓ |
| FriRSS | Web (self-hosted) | ✓ | ✓✓ | GReader | – | ? | ✓ | ✓ | ✓ | ✓ | – | ✓ |
| App | Platform | Free Software | Maintained & Developed | API | Works offline | Fast sync | Fetch more in individual views | Fetch read articles | Favourites | Labels | Podcasts | Manage feeds |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Fluent Reader | Windows, Linux, macOS | ✓ | ✓✓ | GReader | ✓ | ⭐ | – | ✓ | ✓ | – | – | – |
| RSS Guard | Windows, GNU/Linux, macOS, OS/2 | ✓ | ✓✓ | GReader | ✓ | ⭐⭐ | – | ✓ | ✓ | ✓ | ✓ | ✓ |
| NewsFlash | GNU/Linux | ✓ | ✓✓ | GReader | – | ⭐⭐ | – | ✓ | ✓ | ✓ | – | – |
| Newsboat | GNU/Linux, macOS, FreeBSD | ✓ | ✓✓ | GReader | – | ⭐ | – | ✓ | ✓ | – | ✓ | – |
| FluentFlame Reader | Windows, Linux, macOS | ✓ | Work in progress | GReader | ✓ | ? | ? | ? | ✓ | – | – | – |
| App | Platform | Free Software | Maintained & Developed | API | Works offline | Fast sync | Fetch more in individual views | Fetch read articles | Favourites | Labels | Podcasts | Manage feeds |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Vienna RSS | macOS | ✓ | ✓✓ | GReader | ? | ? | ? | ? | ? | ? | ? | ? |
| Readkit | iOS, macOS | – | ✓✓ | GReader | ✓ | ⭐⭐⭐ | – | ✓ | ✓ | – | ✓ | $ |
| Reeder Classic | iOS, macOS | – | ✓✓ | GReader | ✓ | ⭐⭐⭐ | – | ✓ | ✓ | – | – | ✓ |
| lire | iOS, macOS | – | ✓✓ | GReader | ? | ? | ? | ? | ? | ? | ? | ? |
| Unread | iOS | – | ✓✓ | Fever | ✓ | ? | ? | ? | ✓ | – | – | – |
| Fiery Feeds | iOS | – | ✓✓ | Fever | ? | ? | ? | ? | ? | – | – | – |
| Netnewswire | iOS, macOS | ✓ | Work in progress | GReader | ✓ | ? | ? | ? | ✓ | – | ? | ✓ |
Included libraries
Additional credits
- Based on a modified version of the MINZ framework.
- Some icons come from the GNOME project
- Fonts: Open Sans, Lato, Spectral
Alternatives
If FreshRSS does not suit you for one reason or another, here are alternative solutions to consider:
- Kriss Feed
- Leed
- And more… (but if you like FreshRSS, give us a vote!)