well, first of all, tt-rss doesn’t invoke methods “blindly”.
you need to be authenticated to invoke a subset of handler classes from backend.php from several paths (within tt-rss) where the tt-rss autoloader looks for them. you can’t really load anything else, like some other application’s code, from tt-rss or whatever, even if you’re authenticated.
there’s a separate host for unauthorized users (public.php) which deals with logging in, etc - you can’t load random classes from there, only specifically whitelisted public stuff.
i’m not sure if this person simply didn’t notice the restrictions (backend.php:48) or decided to ignore them for whatever unknown reasons. tt-rss routing code is absurdly primitive, by design, so i’m not sure how anyone would not be able to figure out how it works by simply skimming through the code for a bit.
anyway, you can certainly try calling some random classes via backend.php but it won’t get you very far while not being logged in, i.e.:
```
WORKPC:~:$ curl "https://fakecake.org/tt-rss/backend.php?op=feeds&method=index"
{"error":{"code":6,"message":"Request not authorized."}}
```
if you have a valid logged session and pass CSRF/etc checks then yes you can use the router to invoke classes. you need to do that for the application to actually function as intended.
some classes have further restrictions if required, for example stuff that deals with administrative tasks requires the caller to have a proper access level.
it’s possible that i’m missing something here but this seems like a sensationalist “the sky is falling” kind of situation or an attempt to misguide people.
that said, if someone has a proof of concept exploit for tt-rss, router or otherwise, i’m all ears. i suggest contacting me via email or PM, which is the usual practice for responsible disclosure.
i’ve skimmed through the “discussion” on Reddit and it’s the same old mix of

- let’s rewrite everything in (flavor of the month meme framework/language) because things are not modern enough
- discussing me personally re: being a horrible human being because i don’t bother mollycoddling forum posters which is an unthinkable sin for the soyface.jpg generation
- kids larping as software engineers while being incredibly obvious at it
i honestly don’t care if some subreddit hivemind suddenly decides tt-rss is inherently insecure - with zero proofs - but it’s not like i can stop you from posting things there.
e: holy shit the discussion there is cringe inducing.
i’ve pinned this topic in case people would come on this forum seeking further information because of that post.
e: re: that reddit post, i find it very amusing that people are talking about me not using git properly because it is decentralized while being seemingly incapable of dealing with anything existing outside of github.
Alright, thanks for your very quick, precise and complete reply. Appreciate it.
I totally agree. It’s a bit disturbing to see a complete code rewriter pretender publicly reveal (deflated) security issues in a software installed on hundreds or thousands of servers.
there was one valid issue pointed out to me in the aforementioned reddit thread: the constructor of an object instantiated by the tt-rss router was called before it had been identified as a handler.
this could lead to a theoretical vulnerability if an authorized user requests a non-IHandler tt-rss class which does something in its constructor leading to an exploit. i’m not aware of any such classes but anything is possible, i suppose.
the following commit tweaks the router to instantiate classes via reflection so the constructor is called after the resulting object has been verified as a handler:
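As an added illustration of the ordering problem described in the post above (this is not fox’s commit and not tt-rss code; the `IHandler` interface body, the `Feeds`/`Maintenance` classes and the `dispatch_*` functions are assumed for the sketch), here is a minimal PHP dispatcher that instantiates first and checks afterwards, next to one that verifies the class via reflection before any constructor runs:

```php
<?php
// Added example, not tt-rss code. IHandler's method, the two sample
// classes and the dispatch_* helpers are assumptions for illustration.

interface IHandler {
    public function before(string $method): bool;
}

// A legitimate handler whose constructor is harmless.
class Feeds implements IHandler {
    public function before(string $method): bool { return true; }
    public function index(): string { return "feeds index"; }
}

// Autoloadable class that is NOT a handler, but whose constructor has a
// side effect. Stands in for "some class that does something in its
// constructor" that a logged-in user could name in ?op=.
class Maintenance {
    public static int $runs = 0;
    public function __construct() { self::$runs++; }
}

// Before: construct the object, then check whether it is a handler.
// The constructor of any loadable class runs even when the request
// is rejected right afterwards.
function dispatch_before(string $op): ?IHandler {
    if (!class_exists($op)) return null;
    $obj = new $op();                          // constructor already ran
    return $obj instanceof IHandler ? $obj : null;
}

// After: check the class via reflection, construct only on success.
// Caveat: class_exists() still autoloads the class file, so only the
// constructor is deferred, not the file-level side effects of loading.
function dispatch_after(string $op): ?IHandler {
    if (!class_exists($op)) return null;
    $rc = new ReflectionClass($op);
    if (!$rc->isInstantiable() || !$rc->implementsInterface(IHandler::class)) {
        return null;                           // rejected, no constructor call
    }
    return $rc->newInstance();
}

dispatch_before('Maintenance');
printf("before: Maintenance constructor ran %d time(s)\n", Maintenance::$runs);
Maintenance::$runs = 0;
dispatch_after('Maintenance');
printf("after:  Maintenance constructor ran %d time(s)\n", Maintenance::$runs);
var_dump(dispatch_after('Feeds') instanceof IHandler);
```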
I have been following the developments on reddit and your github lately.
I just wanna say that I appreciate your efforts to make ttrss more reliable and secure and I’m pretty sure the guys on this board do not represent the vast majority of ttrss users.
Then again I’m kinda disappointed by the fact that you registered here just to bitch about the quality of the code. Regardless of fox’s attitude, he is a FOSS developer dedicating his own free time to give us ttrss and I highly respect that.