
Improve SimplePie redirects (POST to GET, remove authentication cross-origin) #78

Open. Inverle wants to merge 10 commits into FreshRSS:freshrss from Inverle:improve-sp-redirects
Inverle commented May 30, 2026

Member

Comment thread src/File.php
Inverle requested a review from Alkarex June 2, 2026 21:59

Alkarex commented Jun 5, 2026

Member

Is it correctly understood that passing CURLOPT_FOLLOWLOCATION as a cURL option will allow skipping this new code?
I am interested in keeping an option to let cURL perform the work rather than using our or SimplePie's re-implementation.


Alkarex commented Jun 5, 2026

Member

Although we only use the cURL path in FreshRSS, the fsockopen path further below should probably be updated in the same manner.


Inverle commented Jun 5, 2026

Member Author

> Is it correctly understood that passing CURLOPT_FOLLOWLOCATION as a cURL option will allow skipping this new code? I am interested in keeping an option to let cURL perform the work rather than using our or SimplePie's re-implementation

Not yet, because CURLOPT_FOLLOWLOCATION is forced to false:

curl_setopt($fp, CURLOPT_FOLLOWLOCATION, false); // FreshRSS


Alkarex commented Jun 11, 2026

Member

I have tried to apply the same logic to the fsockopen path. But not tested. Checks welcome.


Inverle commented Jun 13, 2026

Member Author

> I have tried to apply the same logic to the fsockopen path. But not tested. Checks welcome

Testing with a patch like this in FreshRSS, I can confirm the auth headers are removed correctly after a redirect:

diff --git a/app/Models/SimplePieFetch.php b/app/Models/SimplePieFetch.php
index 1a0737b3d..2e41d87d7 100644
--- a/app/Models/SimplePieFetch.php
+++ b/app/Models/SimplePieFetch.php
@@ -31,7 +31,13 @@ final class FreshRSS_SimplePieFetch extends \SimplePie\File
                } elseif ($redirects < 0) {
                        $redirects = -1; // infinite redirects
                }
-               parent::__construct($url, $timeout, $redirects, $headers, $useragent, $force_fsockopen, $curl_options);
+               if (!isset($GLOBALS['fsockopen_test'])) {
+                       $GLOBALS['fsockopen_test'] = 1;
+                       $headers['Cookie'] = 'test=123';
+                       $headers['Authorization'] = 'test';
+                       $headers['X-SomeOtherHeader'] = '123';
+               }
+               parent::__construct($url, $timeout, $redirects, $headers, $useragent, true, $curl_options);
        }
 
        #[\Override]
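
Review bot: the replacement `parent::__construct(...)` call passes a literal `true` where `$force_fsockopen` was passed before, so the caller's argument is ignored for every fetch and not only for the instrumented one. Together with the `$GLOBALS['fsockopen_test']` guard and the hard-coded `Cookie`, `Authorization` and `X-SomeOtherHeader` values, this is test scaffolding that should stay a local patch. If the check is worth keeping, it would read better as a test that passes `true` for `$force_fsockopen` and the three headers as arguments, then asserts which of them appear on the request sent after the redirect; the hunk itself records no expected outcome for any of the three.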


Alkarex commented Jun 13, 2026

Member

If possible, I would still like a way, for instance by passing a CURLOPT_FOLLOWLOCATION, to use the native cURL handling of redirections.
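
The two redirect rules named in this pull request's title (POST becomes GET, credentials are not sent cross-origin), written out as a stand-alone PHP example. It is added here and is not the PR's code or SimplePie's; the function names, and the choice of `Authorization` and `Cookie` as the headers to withhold, are assumptions.

```php
<?php
declare(strict_types=1);
// Added illustration: not SimplePie or FreshRSS code; all names are hypothetical.
/** Origin as "scheme://host:port" (default ports filled in), or null if not an absolute URL. */
function origin_of(string $url): ?string
{
    $p = parse_url($url);
    if (!is_array($p) || !isset($p['scheme'], $p['host'])) {
        return null;
    }
    $scheme = strtolower($p['scheme']);
    $port = $p['port'] ?? ($scheme === 'https' ? 443 : 80);
    return $scheme . '://' . strtolower($p['host']) . ':' . $port;
}

/**
 * Method and headers for the request that follows a redirect from $from to $to.
 * Assumptions: $to is already resolved to an absolute URL, and Authorization
 * and Cookie are the credential headers to withhold from another origin.
 * @param array<string, string> $headers
 * @return array{method: string, headers: array<string, string>}
 */
function after_redirect(string $method, int $status, string $from, string $to, array $headers): array
{
    $drop = [];
    // 301/302 turn POST into GET; 303 turns everything but GET/HEAD into GET.
    $toGet = (in_array($status, [301, 302], true) && $method === 'POST')
        || ($status === 303 && !in_array($method, ['GET', 'HEAD'], true));
    if ($toGet) {
        $method = 'GET';
        $drop = ['content-type', 'content-length']; // the body is not resent
    }
    $a = origin_of($from);
    $b = origin_of($to);
    if ($a === null || $b === null || $a !== $b) {
        // Scheme, host or port differs (or is unparsable): fail closed.
        $drop = array_merge($drop, ['authorization', 'cookie']);
    }
    $kept = array_filter(
        $headers,
        static fn ($name): bool => !in_array(strtolower((string) $name), $drop, true),
        ARRAY_FILTER_USE_KEY
    );
    return ['method' => $method, 'headers' => $kept];
}

// Constructed sample: a POST with credentials is redirected to another host.
$sent = ['Authorization' => 'test', 'Cookie' => 'test=123', 'X-SomeOtherHeader' => '123'];
print_r(after_redirect('POST', 302, 'https://feeds.example/rss', 'https://cdn.example/rss', $sent));
```

Because the comparison includes the scheme and port, an `https` to `http` downgrade on the same host also counts as cross-origin here.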
