* update fat free php framework to newest versoin 3.0.6

* only allow update for localhost or loggedin users (thanks a lot to Tiouss)

README.md

@@ -63,6 +63,8 @@ Version 2.7-SNAPSHOT
 * Fix issues with refreshing the items list and slow ajax requests (thanks a lot to Sean Rand)
 * Don't leave behind sp-container divs when refreshing the tags (thanks a lot to Sean Rand)
 * Clean up orphaned items of deleted sources (thanks a lot to Sean Rand)
+* update fat free php framework to newest versoin 3.0.6
+* only allow update for localhost or loggedin users (thanks a lot to Tiouss)
 
 Version 2.6
 * fixed OPML import for other formats (thanks a lot to Remy Gardette)

controllers/Index.php

@@ -176,8 +176,14 @@ public function logout() {
      * @return void
      */
     public function update() {
+        // only allow access for localhost and loggedin users
+        if ($_SERVER['REMOTE_ADDR'] !== $_SERVER['SERVER_ADDR'] && $_SERVER['REMOTE_ADDR'] !== "127.0.0.1" && \F3::get('auth')->isLoggedin() != 1)
+            die("unallowed access");
+
+        // update feeds
         $loader = new \helpers\ContentLoader();
         $loader->update();
+
         echo "finished";
     }
 

libs/f3/audit.php

@@ -1,7 +1,7 @@
 <?php
 
 /*
-	Copyright (c) 2009-2012 F3::Factory/Bong Cosca, All rights reserved.
+	Copyright (c) 2009-2013 F3::Factory/Bong Cosca, All rights reserved.
 
 	This file is part of the Fat-Free Framework (http://fatfree.sf.net).
 
@@ -17,20 +17,20 @@
 class Audit extends Prefab {
 
 	/**
-		Return TRUE if string is a valid URL
-		@return bool
-		@param $str string
+	*	Return TRUE if string is a valid URL
+	*	@return bool
+	*	@param $str string
 	**/
 	function url($str) {
 		return is_string(filter_var($str,FILTER_VALIDATE_URL));
 	}
 
 	/**
-		Return TRUE if string is a valid e-mail address;
-		Check DNS MX records if specified
-		@return bool
-		@param $str string
-		@param $mx boolean
+	*	Return TRUE if string is a valid e-mail address;
+	*	Check DNS MX records if specified
+	*	@return bool
+	*	@param $str string
+	*	@param $mx boolean
 	**/
 	function email($str,$mx=TRUE) {
 		$hosts=array();
@@ -39,47 +39,47 @@ function email($str,$mx=TRUE) {
 	}
 
 	/**
-		Return TRUE if string is a valid IPV4 address
-		@return bool
-		@param $addr string
+	*	Return TRUE if string is a valid IPV4 address
+	*	@return bool
+	*	@param $addr string
 	**/
 	function ipv4($addr) {
 		return filter_var($addr,FILTER_VALIDATE_IP,FILTER_FLAG_IPV4);
 	}
 
 	/**
-		Return TRUE if string is a valid IPV6 address
-		@return bool
-		@param $addr string
+	*	Return TRUE if string is a valid IPV6 address
+	*	@return bool
+	*	@param $addr string
 	**/
 	function ipv6($addr) {
 		return (bool)filter_var($addr,FILTER_VALIDATE_IP,FILTER_FLAG_IPV6);
 	}
 
 	/**
-		Return TRUE if IP address is within private range
-		@return bool
-		@param $addr string
+	*	Return TRUE if IP address is within private range
+	*	@return bool
+	*	@param $addr string
 	**/
 	function isprivate($addr) {
 		return !(bool)filter_var($addr,FILTER_VALIDATE_IP,
 			FILTER_FLAG_IPV4|FILTER_FLAG_IPV6|FILTER_FLAG_NO_PRIV_RANGE);
 	}
 
 	/**
-		Return TRUE if IP address is within reserved range
-		@return bool
-		@param $addr string
+	*	Return TRUE if IP address is within reserved range
+	*	@return bool
+	*	@param $addr string
 	**/
 	function isreserved($addr) {
 		return !(bool)filter_var($addr,FILTER_VALIDATE_IP,
 			FILTER_FLAG_IPV4|FILTER_FLAG_IPV6|FILTER_FLAG_NO_RES_RANGE);
 	}
 
 	/**
-		Return TRUE if IP address is neither private nor reserved
-		@return bool
-		@param $addr string
+	*	Return TRUE if IP address is neither private nor reserved
+	*	@return bool
+	*	@param $addr string
 	**/
 	function ispublic($addr) {
 		return (bool)filter_var($addr,FILTER_VALIDATE_IP,
@@ -88,9 +88,9 @@ function ispublic($addr) {
 	}
 
 	/**
-		Return TRUE if specified ID has a valid (Luhn) Mod-10 check digit
-		@return bool
-		@param $id string
+	*	Return TRUE if specified ID has a valid (Luhn) Mod-10 check digit
+	*	@return bool
+	*	@param $id string
 	**/
 	function mod10($id) {
 		if (!ctype_digit($id))
@@ -103,9 +103,9 @@ function mod10($id) {
 	}
 
 	/**
-		Return credit card type if number is valid
-		@return string|FALSE
-		@param $id string
+	*	Return credit card type if number is valid
+	*	@return string|FALSE
+	*	@param $id string
 	**/
 	function card($id) {
 		$id=preg_replace('/[^\d]/','',$id);

libs/f3/auth.php

@@ -1,7 +1,7 @@
 <?php
 
 /*
-	Copyright (c) 2009-2012 F3::Factory/Bong Cosca, All rights reserved.
+	Copyright (c) 2009-2013 F3::Factory/Bong Cosca, All rights reserved.
 
 	This file is part of the Fat-Free Framework (http://fatfree.sf.net).
 
@@ -31,11 +31,11 @@ class Auth extends Prefab {
 		$args;
 
 	/**
-		Jig storage handler
-		@return bool
-		@param $id string
-		@param $pw string
-		@param $realm string
+	*	Jig storage handler
+	*	@return bool
+	*	@param $id string
+	*	@param $pw string
+	*	@param $realm string
 	**/
 	protected function _jig($id,$pw,$realm) {
 		return (bool)
@@ -57,11 +57,11 @@ protected function _jig($id,$pw,$realm) {
 	}
 
 	/**
-		MongoDB storage handler
-		@return bool
-		@param $id string
-		@param $pw string
-		@param $realm string
+	*	MongoDB storage handler
+	*	@return bool
+	*	@param $id string
+	*	@param $pw string
+	*	@param $realm string
 	**/
 	protected function _mongo($id,$pw,$realm) {
 		return (bool)
@@ -76,11 +76,11 @@ protected function _mongo($id,$pw,$realm) {
 	}
 
 	/**
-		SQL storage handler
-		@return bool
-		@param $id string
-		@param $pw string
-		@param $realm string
+	*	SQL storage handler
+	*	@return bool
+	*	@param $id string
+	*	@param $pw string
+	*	@param $realm string
 	**/
 	protected function _sql($id,$pw,$realm) {
 		return (bool)
@@ -102,10 +102,10 @@ protected function _sql($id,$pw,$realm) {
 	}
 
 	/**
-		LDAP storage handler
-		@return bool
-		@param $id string
-		@param $pw string
+	*	LDAP storage handler
+	*	@return bool
+	*	@param $id string
+	*	@param $pw string
 	**/
 	protected function _ldap($id,$pw) {
 		$dc=@ldap_connect($this->args['dc']);
@@ -125,10 +125,10 @@ protected function _ldap($id,$pw) {
 	}
 
 	/**
-		SMTP storage handler
-		@return bool
-		@param $id string
-		@param $pw string
+	*	SMTP storage handler
+	*	@return bool
+	*	@param $id string
+	*	@param $pw string
 	**/
 	protected function _smtp($id,$pw) {
 		$socket=@fsockopen(
@@ -172,22 +172,23 @@ protected function _smtp($id,$pw) {
 	}
 
 	/**
-		Login auth mechanism
-		@return bool
-		@param $id string
-		@param $pw string
-		@param $realm string
+	*	Login auth mechanism
+	*	@return bool
+	*	@param $id string
+	*	@param $pw string
+	*	@param $realm string
 	**/
 	function login($id,$pw,$realm=NULL) {
 		return $this->{'_'.$this->storage}($id,$pw,$realm);
 	}
 
 	/**
-		HTTP basic auth mechanism
-		@return bool
-		@param $func callback
+	*	HTTP basic auth mechanism
+	*	@return bool
+	*	@param $func callback
+	*	@param $halt bool
 	**/
-	function basic($func=NULL) {
+	function basic($func=NULL,$halt=TRUE) {
 		$fw=Base::instance();
 		$realm=$fw->get('REALM');
 		if (isset($_SERVER['PHP_AUTH_USER'],$_SERVER['PHP_AUTH_PW']) &&
@@ -201,14 +202,16 @@ function basic($func=NULL) {
 			return TRUE;
 		if (PHP_SAPI!='cli')
 			header('WWW-Authenticate: Basic realm="'.$realm.'"');
-		$fw->error(401);
+		if ($halt)
+			$fw->error(401);
+		return FALSE;
 	}
 
 	/**
-		Instantiate class
-		@return object
-		@param $storage string|object
-		@param $args array
+	*	Instantiate class
+	*	@return object
+	*	@param $storage string|object
+	*	@param $args array
 	**/
 	function __construct($storage,array $args=NULL) {
 		if (is_object($storage) && is_a($storage,'DB\Cursor')) {