Implements front end refresh button #257
web/index.php
```php
$input = new ArrayInput(array(
    'command' => 'update',
    '--name' => $name
```
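Review bot: `'--name' => $name` hands the raw request parameter straight to the update command. As the reviewer suggests, resolve it first with a prepared-statement lookup against the stored slugs and build the `ArrayInput` only from the value the database returned, answering 404 when nothing matches, so a name the project has never seen cannot reach the command at all. The per-IP limit described in the PR should be checked before that lookup so rejected requests do no database work.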
Maybe match against the slug in the DB first using a prepared statement? And then if slug exists run the command on the returned slug rather than the user input. I'm not sure it's safe to just pass the name here.
Good idea, I've done that now
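The lookup-then-run pattern discussed in this review thread, as an added example rather than the PR's own code. It assumes a PDO connection to the project's SQLite file, a hypothetical `plugins` table with a `slug` column, the Symfony Console `ArrayInput`/`Application` classes the snippet already uses, and that slugs consist of lowercase letters, digits and hyphens (an assumption, adjust the pattern to the real slug format):

```php
<?php
// Added example, not code from the PR: validate a client-supplied plugin name
// against the slugs already stored in SQLite before running the update command.
// The `plugins` table, its `slug` column and the slug pattern are assumptions.
use Symfony\Component\Console\Application;
use Symfony\Component\Console\Input\ArrayInput;
use Symfony\Component\Console\Output\NullOutput;

function findKnownSlug(PDO $db, string $userInput): ?string
{
    // Cheap structural check first: anything outside the assumed slug alphabet
    // is rejected without touching the database.
    if (!preg_match('/^[a-z0-9-]{1,200}$/', $userInput)) {
        return null;
    }
    // Prepared statement: the input is bound as a parameter, never interpolated.
    $stmt = $db->prepare('SELECT slug FROM plugins WHERE slug = :slug LIMIT 1');
    $stmt->execute([':slug' => $userInput]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Hand back the value stored in the database, not the request parameter,
    // so the command only ever sees slugs that already exist.
    return $row === false ? null : $row['slug'];
}

function runUpdateForSlug(Application $app, string $slug): int
{
    // Application::run() calls exit() by default; disable that so the web
    // request can return a proper response after the command finishes.
    $app->setAutoExit(false);
    $input = new ArrayInput([
        'command' => 'update',
        '--name'  => $slug,
    ]);
    return $app->run($input, new NullOutput());
}

// Hypothetical wiring inside the /update action:
// $db   = new PDO('sqlite:' . __DIR__ . '/../data/plugins.sqlite');
// $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// $slug = findKnownSlug($db, (string) ($_GET['name'] ?? ''));
// if ($slug === null) { http_response_code(404); exit; }
// runUpdateForSlug($app, $slug);
```

Returning 404 for an unknown name (rather than echoing the input back) keeps the endpoint from being used as an oracle for anything other than "is this slug in the database", which the public listing already reveals.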
My general comment is that this is an OK approach. I wonder if we could make a simpler check by just looking at |
I think using the last_fetched wouldn't be quite right, as there are so many plugins it'd still be quite easy for an attacker to overload the server. The code could do with a tidy, that's for sure, but I just haven't got the time. |
@joaquimds You are right! Suggestion: Add a |
@khromov I've changed how the |
@joaquimds Cool! Only caveat with this is that writes lock the entire database on SQLite. I think this has improved on SQLite 3 though.* But it might introduce an additional "attack vector" in terms of DDOSing the database with write requests. |
Good catch. I think the limit of 10 requests per hour should prevent that to an extent, though. EDIT: Oh wait, no it won't! |
@joaquimds But the |
@khromov I've changed it so that the |
@joaquimds Awesome! 💯 🏆 🚢 |
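A per-IP limiter of 10 update requests per hour that addresses the SQLite write-lock concern raised above, as an added example rather than the PR's own code. It assumes the same PDO/SQLite connection and a hypothetical `update_requests` table; the key design choice is that over-limit requests are answered from a read-only query and never take the write lock:

```php
<?php
// Added example, not code from the PR: a per-IP rate limit stored in SQLite.
// Reads first and writes only when the request is allowed, so a flood of
// over-limit requests never contends for SQLite's single write lock.
// The `update_requests` table is an assumption.

function ensureRateLimitTable(PDO $db): void
{
    $db->exec('CREATE TABLE IF NOT EXISTS update_requests (
        ip TEXT NOT NULL,
        requested_at INTEGER NOT NULL
    )');
    $db->exec('CREATE INDEX IF NOT EXISTS idx_update_requests_ip
               ON update_requests (ip, requested_at)');
}

function countRecentRequests(PDO $db, string $ip, int $now, int $window): int
{
    $stmt = $db->prepare('SELECT COUNT(*) FROM update_requests
                          WHERE ip = :ip AND requested_at > :since');
    $stmt->execute([':ip' => $ip, ':since' => $now - $window]);
    return (int) $stmt->fetchColumn();
}

/**
 * Returns true and records the request when the IP is under the limit;
 * returns false without writing anything otherwise.
 */
function allowUpdateRequest(PDO $db, string $ip, int $now, int $limit = 10, int $window = 3600): bool
{
    // Read-only fast path for the abuse case: no INSERT, no write lock.
    if (countRecentRequests($db, $ip, $now, $window) >= $limit) {
        return false;
    }
    // Re-check under BEGIN IMMEDIATE so two concurrent requests from the same
    // IP cannot both pass the read above and then both insert.
    $db->exec('BEGIN IMMEDIATE');
    try {
        if (countRecentRequests($db, $ip, $now, $window) >= $limit) {
            $db->exec('ROLLBACK');
            return false;
        }
        $ins = $db->prepare('INSERT INTO update_requests (ip, requested_at) VALUES (:ip, :t)');
        $ins->execute([':ip' => $ip, ':t' => $now]);
        // Opportunistic cleanup: rows outside the window can never count again.
        $del = $db->prepare('DELETE FROM update_requests WHERE requested_at <= :since');
        $del->execute([':since' => $now - $window]);
        $db->exec('COMMIT');
        return true;
    } catch (Throwable $e) {
        $db->exec('ROLLBACK');
        throw $e;
    }
}

// Hypothetical wiring at the top of the /update action:
// $db = new PDO('sqlite:' . __DIR__ . '/../data/plugins.sqlite');
// $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// ensureRateLimitTable($db);
// if (!allowUpdateRequest($db, $_SERVER['REMOTE_ADDR'], time())) {
//     http_response_code(429);
//     exit;
// }
```

Two caveats worth keeping in mind: the limit keys on `REMOTE_ADDR`, so if the app sits behind a reverse proxy the trusted proxy address must be resolved to the client address first (and `X-Forwarded-For` must not be trusted from arbitrary clients, or the limit is trivially bypassed); and a per-IP limit bounds one source, not the total write load, so the read-first check is what keeps a distributed flood from queueing up on the write lock.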
Adds an /update action that runs the update command with the provided "name" parameter. Updates are limited by IP to 10 per hour.
Please check for security holes as we are dealing with client input!