ttrss/classes/pluginhandler.php

<?php
class PluginHandler extends Handler_Protected {
	function csrf_ignore(string $method): bool {
		return true;
	}

	function catchall(string $method): void {
		$plugin_name = clean($_REQUEST["plugin"]);
		$plugin = PluginHost::getInstance()->get_plugin($plugin_name);
		$csrf_token = ($_POST["csrf_token"] ?? "");

		if ($plugin) {
			if (method_exists($plugin, $method)) {
				if (validate_csrf($csrf_token) || $plugin->csrf_ignore($method)) {
					$plugin->$method();
				} else {
					user_error("Rejected {$plugin_name}->{$method}(): invalid CSRF token.", E_USER_WARNING);
					print Errors::to_json(Errors::E_UNAUTHORIZED);
				}
			} else {
				user_error("Rejected {$plugin_name}->{$method}(): unknown method.", E_USER_WARNING);
				print Errors::to_json(Errors::E_UNKNOWN_METHOD);
			}
		} else {
			user_error("Rejected {$plugin_name}->{$method}(): unknown plugin.", E_USER_WARNING);
			print Errors::to_json(Errors::E_UNKNOWN_PLUGIN);
		}
	}
}
experimental new plugin system 2012-12-23 11:52:18 +01:00			`<?php`
			`class PluginHandler extends Handler_Protected {`
Update signature of handler 'csrf_ignore' to include types. 2021-11-12 03:01:31 +01:00			`function csrf_ignore(string $method): bool {`
experimental new plugin system 2012-12-23 11:52:18 +01:00			`return true;`
			`}`

Address PHPStan warnings in 'classes/mailer.php', 'classes/opml.php', and 'classes/pluginhandler.php'. 2021-11-12 07:16:18 +01:00			`function catchall(string $method): void {`
af_readability: add missing file 2019-08-16 14:29:24 +02:00			`$plugin_name = clean($_REQUEST["plugin"]);`
			`$plugin = PluginHost::getInstance()->get_plugin($plugin_name);`
pluginhandlers: post notice if pluginmethod is requested without CSRF token 2021-02-17 12:05:12 +01:00			`$csrf_token = ($_POST["csrf_token"] ?? "");`
experimental new plugin system 2012-12-23 11:52:18 +01:00
pluginhandler: better error reporting 2013-03-16 09:26:14 +01:00			`if ($plugin) {`
			`if (method_exists($plugin, $method)) {`
* add (disabled) shortcut syntax for plugin methods * add controls shortcut for pluginhandler tags * add similar shortcut for frontend * allow plugins to selectively exclude their methods from CSRF checking 2021-02-17 19:44:21 +01:00			`if (validate_csrf($csrf_token) \|\| $plugin->csrf_ignore($method)) {`
pluginhandlers: post notice if pluginmethod is requested without CSRF token 2021-02-17 12:05:12 +01:00			`$plugin->$method();`
			`} else {`
Address upcoming string interpolation deprecation. https://wiki.php.net/rfc/deprecate_dollar_brace_string_interpolation 2022-11-12 17:20:59 +01:00			`user_error("Rejected {$plugin_name}->{$method}(): invalid CSRF token.", E_USER_WARNING);`
drop errors.php and simplify error handling 2021-02-23 20:26:07 +01:00			`print Errors::to_json(Errors::E_UNAUTHORIZED);`
pluginhandlers: post notice if pluginmethod is requested without CSRF token 2021-02-17 12:05:12 +01:00			`}`
pluginhandler: better error reporting 2013-03-16 09:26:14 +01:00			`} else {`
Address upcoming string interpolation deprecation. https://wiki.php.net/rfc/deprecate_dollar_brace_string_interpolation 2022-11-12 17:20:59 +01:00			`user_error("Rejected {$plugin_name}->{$method}(): unknown method.", E_USER_WARNING);`
drop errors.php and simplify error handling 2021-02-23 20:26:07 +01:00			`print Errors::to_json(Errors::E_UNKNOWN_METHOD);`
pluginhandler: better error reporting 2013-03-16 09:26:14 +01:00			`}`
			`} else {`
Address upcoming string interpolation deprecation. https://wiki.php.net/rfc/deprecate_dollar_brace_string_interpolation 2022-11-12 17:20:59 +01:00			`user_error("Rejected {$plugin_name}->{$method}(): unknown plugin.", E_USER_WARNING);`
drop errors.php and simplify error handling 2021-02-23 20:26:07 +01:00			`print Errors::to_json(Errors::E_UNKNOWN_PLUGIN);`
experimental new plugin system 2012-12-23 11:52:18 +01:00			`}`
			`}`
			`}`