Merge upstream #45

Merged
merged 30 commits into from
Aug 1, 2025
Conversation

Alkarex
Member

@Alkarex Alkarex commented Aug 1, 2025

No description provided.

jtojnar and others added 30 commits July 27, 2025 20:09
This was introduced in 46ba7a5 without any rationale being described.

This, for example, broke phpactor until recently:
https://www.github.com/phpactor/phpactor/issues/2749

Let’s just use the default path.
Slightly cleaner.

For the record, the `$attrib` has the following type:

    array{
      0: string, // whole match
      1: string, // attribute name
      2?: string, // double-quoted attribute value
      3?: string, // single quoted attribute value
      4?: string, // unquoted attribute value
    }
The files were moved to a `library/` subdirectory in 26d3597.
And since migration to PSR-4 in a2a2268, the development happens in `src/`.

The Core class was changed to be an empty subclass of `SimplePie` in 443f187 and was not carried over to the PSR-4 layout.
mf2 library uses implicit nullable types, which were deprecated in PHP 8.4:
https://wiki.php.net/rfc/deprecate-implicitly-nullable-types

This causes the response body of the HTTP mock server in tests to be polluted with the following warning:

    Deprecated: Mf2\Parser::parse(): Implicitly marking parameter $context as nullable is deprecated, the explicit nullable type must be used instead in vendor/mf2/mf2/Mf2/Parser.php on line 1373

This breaks tests in <simplepie#838> and <simplepie#919>.

Until the upstream fix (microformats/php-mf2#264) is merged, let’s uninstall mf2 in PHP 8.4 CI.

Works around: simplepie#921

Co-authored-by: Artur Weigandt <[email protected]>
This was an artifact of copy-paste in ae6665d.
So that we can re-use it in integration tests.
ae6665d already introduced a unit test for `Parser`, but let’s also check that it is working properly in `SimplePie`.
`Locator::get_rel_link()` would return `null`, giving us a type error.

Also drop redundant param arguments.
This needs to use a web server because links are only extracted from HTML files in `SimplePie::fetch_data()`, which is not called when `SimplePie::set_raw_data()` is used. And using `SimplePie::set_feed_url()` with local file will not work either because `Locator::is_feed()` returns `true` for local files.
…rays

If header is present, it must have at least one header line.

This will be needed to make PHPStan happy with `Response::with_header()` we are about to introduce.
This is similar to `Psr\Http\Message\MessageInterface::withHeader()`
but does not preserve the casing of the header.

It will be useful for storing metadata (e.g. WebSub link) in the response.

We cannot use `static` as a return type hint since it is only supported in PHP 8.0:
https://php.watch/versions/8.0/static-return-type
Nor can we use `self`, as that requires return covariance introduced in PHP 7.4:
https://wiki.php.net/rfc/covariant-returns-and-contravariant-parameters
It would clear previous links by setting the header to comma instead of appending.
…in header

As per <https://pubsubhubbub.github.io/PubSubHubbub/pubsubhubbub-core-0.4.html#discovery>:

> In the absence of HTTP [RFC2616] Link headers, subscribers MAY fall back to other methods to discover the hub(s) and the canonical URI of the topic. […] Similarly, for HTML pages, it MAY use embedded link elements as described in Appendix A of Web Linking [RFC5988].
Previously, this only supported `File`, let’s prepare for other `Response` implementations.
It was introduced in 01eb2c5 and refactored in 426dc5b.

However, according to chat log of a discussion between the writers of the PubSubHubbub specification, the consensus was that, due to a potential for injection attacks on poorly written websites, clients MUST NOT support `a[rel="hub"]`.

See https://chat.indieweb.org/dev/2016-11-21#t1479767303222000 and https://www.github.com/w3c/websub/issues/67

We will thus remove support for it.

Similar concerns apply to `link` elements in headers but per <https://www.w3.org/TR/websub/#x8-1-discovery>:

> The decision about whether a subscriber should look for <link> elements inside a page's <body> (as well as the <head>) is not straightforward, and there is currently no clear consensus.

So we will continue to support `link`s in `body`.
The specification is not completely clear on what should happen if there is a `Link` header containing a `rel=hub` link but `rel=self` is only present in a `<link>` element:

<https://w3c.github.io/websub/#discovery>:

> The protocol currently supports the following discovery mechanisms. Publishers *MUST* implement at least one of them:
>
> - Link Headers [RFC5988]: the publisher *SHOULD* include at least one Link Header [RFC5988] with `rel=hub` (a hub link header) as well as exactly one Link Header [RFC5988] with `rel=self` (the self link header)
> - If the topic is an XML based feed, publishers *SHOULD* use embedded link elements as described in Appendix B of Web Linking [RFC5988]. Similarly, for HTML pages, publishers *SHOULD* use embedded link elements as described in Appendix A of Web Linking [RFC5988].

Previously, if we found a `Link` header containing `rel=hub`, we would expect `rel=self` in a header as well.
Let’s treat both `rel`s independently.
As before, headers take precedence over HTML elements.
According to <https://www.w3.org/TR/websub/#x8-1-discovery>, there is no clear consensus about `link` elements in `body` but there are concerns about injection attacks on badly written websites:

> The decision about whether a subscriber should look for `<link>` elements inside a page's `<body>` (as well as the `<head>`) is not straightforward, and there is currently no clear consensus. One reason to ignore the `<body>` during discovery is that some web sites might (perhaps accidentally) allow users to post content containing `<link>` elements, though the working group does not know of any specific examples of such sites. If WebSub discovery uses such `<link>` elements, a user contributing to such sites could potentially maliciously cause all subscribers to use an alternate hub which later delivers malicious content. Given this potential attack, it may be prudent to do discovery only in the `<head>` of HTML documents.

Let’s be prudent and only look for `link`s in HTTP headers and the first `head` element.
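The discovery rules laid out in the commits above (the `Link` header is consulted first, `rel=hub` and `rel=self` are resolved independently, the HTML fallback only looks at `<link>` elements in `<head>`, and neither `a[rel="hub"]` nor anything in `<body>` is trusted), together with the attribute-regex group layout from the `$attrib` note earlier, as an added Python example. This is not SimplePie’s code (SimplePie is PHP); the regexes, function names and the sample page are constructed for illustration, and the `Link` header parser assumes no commas or semicolons inside targets or parameter values.

```python
import re
from typing import Optional

# One HTML attribute: a name, optionally followed by "=" and a double-quoted,
# single-quoted or unquoted value. The capture groups mirror the `$attrib`
# array shape from the commit message: 1 = name, 2 = double-quoted value,
# 3 = single-quoted value, 4 = unquoted value (only one of 2/3/4 is set).
ATTR_RE = re.compile(
    r'([^\s"\'<>/=]+)'
    r'(?:\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s"\'=<>`]+)))?'
)

# Any start or end tag; comments and the doctype start with "!" and never match.
TAG_RE = re.compile(r'<(/?)([A-Za-z][A-Za-z0-9]*)\b([^>]*)>', re.S)


def parse_attrs(attr_text: str) -> dict[str, str]:
    """Parse the attribute part of a start tag into a lowercase-keyed dict."""
    attrs: dict[str, str] = {}
    for m in ATTR_RE.finditer(attr_text):
        name, dq, sq, uq = m.groups()
        value = dq if dq is not None else sq if sq is not None else (uq or '')
        attrs.setdefault(name.lower(), value)  # first occurrence wins, as in HTML
    return attrs


def parse_link_header(value: str) -> list[tuple[str, set[str]]]:
    """Parse a Link header (RFC 8288 syntax) into (target, rels) pairs.
    Assumption: no commas or semicolons inside targets or parameter values."""
    links: list[tuple[str, set[str]]] = []
    for m in re.finditer(r'<([^>]*)>((?:\s*;\s*[^;,]+)*)', value):
        target, params = m.group(1), m.group(2)
        rels: set[str] = set()
        for param in params.split(';'):
            key, _, val = param.partition('=')
            if key.strip().lower() == 'rel':
                rels.update(val.strip().strip('"').lower().split())
        links.append((target, rels))
    return links


def head_link_elements(html: str) -> list[dict[str, str]]:
    """Attributes of every <link> before the first </head> or <body> tag.
    Later markup is body content and is ignored, so user-contributed HTML
    cannot inject a hub. Assumption: a literal "<body>" inside a <script>
    in the head would end the scan early; production code needs a real tokenizer."""
    links: list[dict[str, str]] = []
    for m in TAG_RE.finditer(html):
        is_end, name, attr_text = m.group(1) == '/', m.group(2).lower(), m.group(3)
        if (is_end and name == 'head') or (not is_end and name == 'body'):
            break
        if not is_end and name == 'link':
            links.append(parse_attrs(attr_text))
    return links


def discover(headers: dict[str, str], html: str) -> tuple[list[str], Optional[str]]:
    """Headers take precedence per rel; HTML fallback is limited to <head>."""
    hubs: list[str] = []
    self_url: Optional[str] = None
    link_header = next((v for k, v in headers.items() if k.lower() == 'link'), '')
    for target, rels in parse_link_header(link_header):
        if 'hub' in rels:
            hubs.append(target)
        if 'self' in rels and self_url is None:
            self_url = target
    hub_from_header, self_from_header = bool(hubs), self_url is not None
    if not (hub_from_header and self_from_header):
        for attrs in head_link_elements(html):
            rels = set(attrs.get('rel', '').lower().split())
            href = attrs.get('href')
            if not href:
                continue
            if 'hub' in rels and not hub_from_header:
                hubs.append(href)
            if 'self' in rels and not self_from_header and self_url is None:
                self_url = href
    return hubs, self_url


# Constructed sample page: legitimate links in <head>, plus an attacker-controlled
# comment in <body> that tries to point subscribers at a different hub.
SAMPLE_HTML = """<!DOCTYPE html>
<html><head>
<title>Example topic</title>
<link rel="self" href="https://pub.example/feed">
<link rel=hub href=https://hub.example/>
</head>
<body>
<p>User comment:</p>
<link rel="hub" href="https://evil.example/hub">
<a rel="hub" href="https://evil.example/hub2">hub</a>
</body></html>"""

if __name__ == '__main__':
    print(discover({}, SAMPLE_HTML))
    print(discover({'Link': '<https://hub2.example/>; rel="hub"'}, SAMPLE_HTML))
```

With no `Link` header the result is the `<head>` pair only; with a header that carries `rel=hub` but no `rel=self`, the hub comes from the header and the self URL still falls back to `<head>`, while the body `<link>` and `<a>` are never consulted.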
Even though the intention in 399a46c was to allow any `callable`,
in practice, `Sanitize` forced it to be a `string` by casting it to `string` anyway in d374d21.

We added a `?callable` type annotation to `set_cache_name_function` in a2ee1d7 (not yet released).
Let’s change it to a narrower type to avoid growing the API surface of deprecated functions.
Follow SimplePie and narrow the type.
This is already ensured by `if(is_string(…))`.
Trimming final whitespace would mangle UTF-16BE encoded files ending with whitespace. For example a new-line (`\x00\x0A`), would be turned into half a code-point `\x00`. Let’s just trim at the beginning of the file.

Similarly, trimming initial whitespace can be an issue with UTF-16LE (`\x0A\x00` would again get mangled into `\x00`). Let’s ensure that the whitespace is immediately followed by `<`.

The trim was introduced in 989645e since XML declaration cannot be preceded by anything other than BOM, and XML declaration starts with `<`, so the requirement should be fine.

It might still mangle body of some weird-ass encoding but that is unlikely to be encountered nowadays.

This is a follow-up to 458d746.
It was introduced in 989645e and further refined in the parent commit.
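The UTF-16 trimming hazard described two commits above, as an added Python example that is not part of SimplePie: `naive_trim` reproduces the old strip-both-ends behaviour, `safe_trim` implements the rule from the commit (only leading ASCII whitespace, and only when it is immediately followed by `<`), and the byte strings are constructed here to show the difference. BOM handling is deliberately left out.

```python
import re
from typing import Optional

# Whitespace as the byte-level trim sees it: plain ASCII bytes.
ASCII_WS = b' \t\r\n'


def naive_trim(data: bytes) -> bytes:
    """The old behaviour: strip ASCII whitespace from both ends of the raw bytes.
    On UTF-16 this can eat one byte of a two-byte code unit."""
    return data.strip(ASCII_WS)


# Corrected rule: strip a leading run of whitespace only when it is immediately
# followed by '<' (start of the XML declaration or root element). The end of
# the document is never touched.
LEADING_WS_BEFORE_LT = re.compile(rb'\A[ \t\r\n]+(?=<)')


def safe_trim(data: bytes) -> bytes:
    return LEADING_WS_BEFORE_LT.sub(b'', data, count=1)


def decode_or_none(data: bytes, encoding: str) -> Optional[str]:
    """Strict decode; None means the byte stream was mangled (e.g. odd length)."""
    try:
        return data.decode(encoding)
    except UnicodeDecodeError:
        return None


# Constructed inputs (not taken from the page):
UTF16BE_TRAILING_NL = '<a/>\n'.encode('utf-16-be')   # ends with b'\x00\x0a'
UTF16LE_LEADING_NL = '\n<a/>'.encode('utf-16-le')    # starts with b'\x0a\x00'
UTF8_LEADING_WS = b'  \n<?xml version="1.0"?>\n<a/>\n'

if __name__ == '__main__':
    for label, data, enc in (('UTF-16BE', UTF16BE_TRAILING_NL, 'utf-16-be'),
                             ('UTF-16LE', UTF16LE_LEADING_NL, 'utf-16-le'),
                             ('UTF-8', UTF8_LEADING_WS, 'utf-8')):
        print(label, 'naive:', decode_or_none(naive_trim(data), enc),
              'safe:', decode_or_none(safe_trim(data), enc))
```

For both UTF-16 inputs the naive trim leaves a 9-byte stream that no longer decodes, while the safe trim leaves them untouched; the UTF-8 document with leading whitespace is still cleaned up to start at `<?xml`.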
* Get started on leveling up phpstan to 8

* Fix tests and code style issues.

* Resolve more PHPStan issues.

* Fix tests for now

* Fix more PHPStan errors...

* A couple fixes

* Revert union type declarations

* Move cast to top of loop

* Revert last union type declaration

* Missed this last union type...

* Few more phpstan fixes

* Disable phpdoc_to_param_type phpcs rule since we can't use union types.

* Can't use mixed declaration in < PHP 8

* Knock out a few more PHPStan errors.

* Explicitly check if end() returns false.

* Only cast localName to string

* Resolve a few more PHPStan errors.

* Codesniffer fixes

* Address a few more PHPStan errors.

* Address a couple more errors

* Adjust return definition of SimplePie::fetch_data()

* Button up final items, leave notes for help wanted on last few PHPStan errors.

* Final fixes for older PHP versions

* Cleaner fix for strlen() type

* Requested adjustments.

* Explicitly check for null

* Declare var instead of conditional check

* Add assertInstanceOf() to testTitleRSS20WithImageTitleReversed test

* More typing adjustments

* Switch is_int() to is_numeric()

* Even more typing fixes

* Fix regex typehint

* Add more asserts

* php-cs-fixer: remove removed commented out rule

This was an improperly resolved merge conflict.

* asserts

* Revert get_class ignoreUnmatched

Why is it needed?

* Remove Revert get_class ignoreUnmatched

Looks like it is not needed at all.

* fixup locator

* Remove another @var

This will be redundant with the PHPStan extension.

* More fixes and comments

* More fixes

* Parser followup

* More follow ups

* Sanitize: Throw exception on invalid xpath expression

We do not use the $contextNode argument, so that is really the only failure mode according to the docs:
https://www.php.net/manual/en/domxpath.query.php

And these methods are internal but it is probably safer to throw an exception since the values might come from user config.

* SimplePie: Adjust get_items return value

* FileClientTest: Mock `File::$error` property

Since we switched from `File::$success` property to `File::$error !== null` to have `FileClient` detect failure, we need to inject the value to tests. Otherwise, PHPStan would not be able to detect if the `File::$error` property is set and thus will complain about it potentially being none when passing it to `ClientException` constructor.

* Update src/Sanitize.php

Co-authored-by: Artur Weigandt <[email protected]>

---------

Co-authored-by: Jan Tojnar <[email protected]>
Co-authored-by: Artur Weigandt <[email protected]>
@Alkarex Alkarex merged commit 9bd426a into FreshRSS:freshrss Aug 1, 2025
10 checks passed
@Alkarex Alkarex deleted the merge-upstream branch August 1, 2025 07:42
Alkarex added a commit to Alkarex/FreshRSS that referenced this pull request Aug 1, 2025
Alkarex added a commit to FreshRSS/FreshRSS that referenced this pull request Aug 1, 2025
* Bump SimplePie with PHPStan Level 8
* FreshRSS/simplepie#45
SimplePie increased to PHPStan Level 8:
* simplepie/simplepie#857

* Merge upstream
Including my two PRs:
* simplepie/simplepie#932
* simplepie/simplepie#933

* Resolve upstream sync of Expose HTTP status
* FreshRSS/simplepie#47
Finalise merge, following:
* simplepie/simplepie#905 (comment)
* simplepie/simplepie#909
* #7038
Alkarex added a commit that referenced this pull request Aug 14, 2025
Fix regression (bad merge) from #45
@Alkarex Alkarex mentioned this pull request Aug 14, 2025
Alkarex added a commit that referenced this pull request Aug 14, 2025
Fix regression (bad merge) from #45
alexlebens pushed a commit to alexlebens/infrastructure that referenced this pull request Aug 20, 2025
This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [freshrss/freshrss](https://freshrss.org/) ([source](https://github.com/FreshRSS/FreshRSS)) | minor | `1.26.3` -> `1.27.0` |

---

### Release Notes

<details>
<summary>FreshRSS/FreshRSS (freshrss/freshrss)</summary>

### [`v1.27.0`](https://github.com/FreshRSS/FreshRSS/blob/HEAD/CHANGELOG.md#2025-08-18-FreshRSS-1270)

[Compare Source](FreshRSS/FreshRSS@1.26.3...1.27.0)

- Features
  - Implement support for HTTP `429 Too Many Requests` and `503 Service Unavailable`, obey `Retry-After` [#7760](FreshRSS/FreshRSS#7760)
  - Add sort by category title, or by feed title [#7702](FreshRSS/FreshRSS#7702)
  - Add search operator `c:` for categories like `c:23,34` or `!c:45,56` [#7696](FreshRSS/FreshRSS#7696)
  - Custom feed favicons [#7646](FreshRSS/FreshRSS#7646), [#7704](FreshRSS/FreshRSS#7704), [#7717](FreshRSS/FreshRSS#7717),
    [#7792](FreshRSS/FreshRSS#7792)
  - Rework fetch favicons for fewer HTTP requests [#7767](FreshRSS/FreshRSS#7767)
  - Add more unicity criteria based on title and/or content [#7789](FreshRSS/FreshRSS#7789)
  - Automatically restore user configuration from backup [#7682](FreshRSS/FreshRSS#7682)
  - API add support for states in `s` parameter of `streamId` [#7695](FreshRSS/FreshRSS#7695)
  - Improve sharing via Print [#7728](FreshRSS/FreshRSS#7728)
  - Redirect to the login page from bookmarklet instead of 403 [#7782](FreshRSS/FreshRSS#7782)
  - Clean local cache more often, when refreshing feeds [#7827](FreshRSS/FreshRSS#7827)
- Security
  - Implement reauthentication (*sudo* mode) [#7753](FreshRSS/FreshRSS#7753)
  - Add `Content-Security-Policy: frame-ancestors` [#7677](FreshRSS/FreshRSS#7677)
  - Ensure CSP everywhere [#7810](FreshRSS/FreshRSS#7810)
  - Show warning when unsafe CSP policy is in use [#7804](FreshRSS/FreshRSS#7804)
  - Fix access rights when creating a new user [#7783](FreshRSS/FreshRSS#7783)
  - Improve security of form for user details [#7771](FreshRSS/FreshRSS#7771), [#7786](FreshRSS/FreshRSS#7786)
  - Disallow setting non-existent theme [#7722](FreshRSS/FreshRSS#7722)
  - Regenerate cookie ID after logging out [#7762](FreshRSS/FreshRSS#7762)
  - Require current password when setting new password [#7763](FreshRSS/FreshRSS#7763)
  - Add missing access checks for feed-related actions [#7768](FreshRSS/FreshRSS#7768)
  - Strip more unsafe attributes such as `referrerpolicy`, `ping` [#7770](FreshRSS/FreshRSS#7770)
  - Remove unneeded execution permissions [#7802](FreshRSS/FreshRSS#7802)
- Bug fixing
  - Fix redirections when scraping from HTML [#7654](FreshRSS/FreshRSS#7654), [#7741](FreshRSS/FreshRSS#7741)
  - Fix multiple authentication HTTP headers [#7703](FreshRSS/FreshRSS#7703)
  - Fix HTML queries with a single feed [#7730](FreshRSS/FreshRSS#7730)
  - WebSub: only perform a redirection when coming from WebSub [#7738](FreshRSS/FreshRSS#7738)
  - Include enclosures in entries’ hash [#7719](FreshRSS/FreshRSS#7719)
    - Negative side-effect: users of the option to *automatically mark updated articles as unread* will once have some articles with enclosures re-appear as unread
  - Fix cancellation of slider exit UI [#7705](FreshRSS/FreshRSS#7705)
  - Honor *disable update* on update page [#7733](FreshRSS/FreshRSS#7733)
  - Fix no registration limit setting [#7751](FreshRSS/FreshRSS#7751)
  - Fix XML encoding of sharing functions [#7822](FreshRSS/FreshRSS#7822)
- SimplePie
  - Fix propagation of HTTP error codes [#7670](FreshRSS/FreshRSS#7670)
  - Fix support for XML feeds with HTML entities [#7689](FreshRSS/FreshRSS#7689), [simplepie#915](simplepie/simplepie#915)
  - Fix feeds encoded in UTF-16LE [#7691](FreshRSS/FreshRSS#7691), [simplepie#916](simplepie/simplepie#916)
  - Various upstream contributions [simplepie#917](simplepie/simplepie#917), [simplepie#924](simplepie/simplepie#924),
    [simplepie#926](simplepie/simplepie#926), [simplepie#932](simplepie/simplepie#932), [simplepie#933](simplepie/simplepie#933)
  - Sync upstream [#7706](FreshRSS/FreshRSS#7706), [FreshRSS/simplepie#45](FreshRSS/simplepie#45), [#7775](FreshRSS/FreshRSS#7775),
    [FreshRSS/simplepie#50](FreshRSS/simplepie#50), [#7824](FreshRSS/FreshRSS#7824), [#7825](FreshRSS/FreshRSS#7825),
  - Fix regex *Backtrack limit was exhausted* in `clean_hash()` [#7813](FreshRSS/FreshRSS#7813), [FreshRSS/simplepie#48](FreshRSS/simplepie#48)
- Deployment
  - Docker default image (Debian 12 Bookworm) updated to PHP 8.2.29 [#7805](FreshRSS/FreshRSS#7805)
  - Docker alternative image updated to Alpine 3.22 with PHP 8.4.11 and Apache 2.4.65 [#7740](FreshRSS/FreshRSS#7740), [#7740](FreshRSS/FreshRSS#7740),
    [#7803](FreshRSS/FreshRSS#7803)
  - Start supporting PHP 8.5+ [#7787](FreshRSS/FreshRSS#7787), [#7826](FreshRSS/FreshRSS#7826)
    - Docker Alpine dev image `:newest` updated to PHP 8.5-alpha and Apache 2.4.65 [#7773](FreshRSS/FreshRSS#7773)
  - Docker: interpolate `FRESHRSS_INSTALL` and `FRESHRSS_USER` variables [#7725](FreshRSS/FreshRSS#7725)
  - Docker: Reduce how much data needs to be chown/chmod’ed on container startup [#7793](FreshRSS/FreshRSS#7793)
  - Test for database PDO typing support during install (relevant for MySQL / MariaDB with obsolete driver) [#7651](FreshRSS/FreshRSS#7651)
- Extensions
  - Add API endpoint for extensions [#7576](FreshRSS/FreshRSS#7576)
  - Expose the reading modes for extensions [#7668](FreshRSS/FreshRSS#7668), [#7688](FreshRSS/FreshRSS#7688)
  - New extension hook `before_login_btn` [#7761](FreshRSS/FreshRSS#7761)
- UI
  - Improve *mark as read* request showing popup due to `onbeforeunload` [#7554](FreshRSS/FreshRSS#7554)
  - Fix lazy-loading for `<video poster="...">` and `<image>` [#7636](FreshRSS/FreshRSS#7636)
  - Avoid styling `<code>` inside of `<pre>` [#7797](FreshRSS/FreshRSS#7797)
  - Improve confirmation logic with `data-auto-leave-validation` [#7785](FreshRSS/FreshRSS#7785)
  - Update `chart.js` to 4.5.0 [#7752](FreshRSS/FreshRSS#7752), [#7816](FreshRSS/FreshRSS#7816)
  - Various UI and style improvements: [#7616](FreshRSS/FreshRSS#7616), [#7811](FreshRSS/FreshRSS#7811)
- I18n
  - Show translation status in README [#7715](FreshRSS/FreshRSS#7715)
  - Improve Indonesian [#7654](FreshRSS/FreshRSS#7654), [#7721](FreshRSS/FreshRSS#7721)
  - Improve Persian [#7795](FreshRSS/FreshRSS#7795)
- Misc.
  - Improve PHP code [#7642](FreshRSS/FreshRSS#7642), [#7665](FreshRSS/FreshRSS#7665), [#7761](FreshRSS/FreshRSS#7761),
    [#7781](FreshRSS/FreshRSS#7781), [#7794](FreshRSS/FreshRSS#7794)
  - Update dev dependencies [#7708](FreshRSS/FreshRSS#7708), [#7709](FreshRSS/FreshRSS#7709), [#7710](FreshRSS/FreshRSS#7710),
    [#7711](FreshRSS/FreshRSS#7711), [#7776](FreshRSS/FreshRSS#7776), [#7777](FreshRSS/FreshRSS#7777)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).

Reviewed-on: https://gitea.alexlebens.dev/alexlebens/infrastructure/pulls/1253
Co-authored-by: Renovate Bot <[email protected]>
Co-committed-by: Renovate Bot <[email protected]>
3 participants