From bfe8c2e8574b14124efc266e26ae5c58dd951c32 Mon Sep 17 00:00:00 2001
From: Minami-o <minami-o@biboumail.fr>
Date: Fri, 31 Aug 2018 22:36:30 -0400
Subject: [PATCH] Add checkbox to enforce proxy usage, even for encrypted
 sources

---
 xExtension-ImageProxy/README.md       |  1 +
 xExtension-ImageProxy/configure.phtml |  4 ++++
 xExtension-ImageProxy/extension.php   | 21 ++++++++++++++-------
 xExtension-ImageProxy/i18n/en/ext.php |  3 +++
 xExtension-ImageProxy/i18n/fr/ext.php | 10 ++++++++++
 xExtension-ImageProxy/metadata.json   |  2 +-
 6 files changed, 33 insertions(+), 8 deletions(-)
 create mode 100644 xExtension-ImageProxy/i18n/fr/ext.php

diff --git a/xExtension-ImageProxy/README.md b/xExtension-ImageProxy/README.md
index 74f80bc..b487446 100644
--- a/xExtension-ImageProxy/README.md
+++ b/xExtension-ImageProxy/README.md
@@ -7,3 +7,4 @@ To use it, upload this entire directory to the FreshRSS `./extensions` directory
 ## Proxy Settings
 
 By default this extension will use the [images.weserv.nl](https://images.weserv.nl) image caching and resizing proxy, but instead you can supply your own proxy URL in the settings. The source code for the images.weserv.nl proxy can be found at [github.com/andrieslouw/imagesweserv](https://github.com/andrieslouw/imagesweserv), but of course other methods are available. For example, in Apache you could [use `mod_rewrite` to set up a simple proxy](https://httpd.apache.org/docs/2.2/rewrite/proxy.html) and similar methods are available in nginx and lighttpd. Alternatively you could use a simple PHP script, [along these lines](https://github.com/Alexxz/Simple-php-proxy-script). Keep in mind that too simple a proxy could introduce security risks, which is why the default proxy processes the images.
+By ticking the dedicated checkbox, you can also force the use of the proxy, even for images coming through an encrypted channel. This makes the server that hosts your FreshRSS instance the only point of entry for images, preventing your client from connecting directly to the RSS sources to recover them (which could be a privacy concern in extreme cases).
diff --git a/xExtension-ImageProxy/configure.phtml b/xExtension-ImageProxy/configure.phtml
index 090c455..cf0d47f 100644
--- a/xExtension-ImageProxy/configure.phtml
+++ b/xExtension-ImageProxy/configure.phtml
@@ -5,6 +5,10 @@
 		<div class="group-controls">
 			<input type="url" name="image_proxy_url" id="image_proxy_url" value="<?php echo FreshRSS_Context::$user_conf->image_proxy_url; ?>">
 		</div>
+		<label class="group-name" for="css-rules"><?php echo _t('ext.imageproxy.force'); ?></label>
+		<div class="group-controls">
+        <input type="checkbox" name="image_proxy_force" id="image_proxy_force" value="1" <?php echo (FreshRSS_Context::$user_conf->image_proxy_force ? 'data-leave-validation="1" checked="checked"' : 'data-leave-validation=""'); ?>>
+		</div>
 	</div>
 
 	<div class="form-group form-actions">
diff --git a/xExtension-ImageProxy/extension.php b/xExtension-ImageProxy/extension.php
index bccbaf0..1b9ba47 100644
--- a/xExtension-ImageProxy/extension.php
+++ b/xExtension-ImageProxy/extension.php
@@ -17,20 +17,27 @@ class ImageProxyExtension extends Minz_Extension {
 
 		if (Minz_Request::isPost()) {
 			FreshRSS_Context::$user_conf->image_proxy_url = Minz_Request::param('image_proxy_url', '');
+			FreshRSS_Context::$user_conf->image_proxy_force = Minz_Request::param('image_proxy_force', '');
 			FreshRSS_Context::$user_conf->save();
 		}
 	}
 
 	public static function getProxyImageUri($url) {
 		$parsed_url = parse_url($url);
-		if (isset($parsed_url['scheme']) && $parsed_url['scheme'] === 'http') {
-			$url = self::$proxy_url . rawurlencode(substr($url, strlen('http://')));
-		}
-		// oddly enough there are protocol-less IMG SRC attributes that don't actually work with HTTPS
-		// so I guess we should just run 'em all through the proxy
+        if (isset($parsed_url['scheme']) && $parsed_url['scheme'] === 'http') {
+		    $url = self::$proxy_url . rawurlencode(substr($url, strlen('http://')));
+	    }
+        // force proxy even with https, if set by the user
+        else if (isset($parsed_url['scheme']) &&
+                $parsed_url['scheme'] === 'https' &&
+                FreshRSS_Context::$user_conf->image_proxy_force) {
+			$url = self::$proxy_url . rawurlencode(substr($url, strlen('https://')));
+        }
+    	// oddly enough there are protocol-less IMG SRC attributes that don't actually work with HTTPS
+	    // so I guess we should just run 'em all through the proxy
 		else if (empty($parsed_url['scheme'])) {
-			$url = self::$proxy_url . rawurlencode($url);
-		}
+		    $url = self::$proxy_url . rawurlencode($url);
+        }
 
 		return $url;
 	}
diff --git a/xExtension-ImageProxy/i18n/en/ext.php b/xExtension-ImageProxy/i18n/en/ext.php
index f4fa9c3..e69d4e9 100644
--- a/xExtension-ImageProxy/i18n/en/ext.php
+++ b/xExtension-ImageProxy/i18n/en/ext.php
@@ -3,5 +3,8 @@
 return array(
 	'imageproxy' => array(
 		'proxy_url' => 'Proxy URL',
+		'force' => 'Force proxying, even for https',
+        'true' => 'On',
+        'false' => 'Off',
 	),
 );
diff --git a/xExtension-ImageProxy/i18n/fr/ext.php b/xExtension-ImageProxy/i18n/fr/ext.php
new file mode 100644
index 0000000..2433079
--- /dev/null
+++ b/xExtension-ImageProxy/i18n/fr/ext.php
@@ -0,0 +1,10 @@
+<?php
+
+return array(
+	'imageproxy' => array(
+		'proxy_url' => 'URL du proxy',
+		'force' => 'Toujours utiliser le proxy, même en https',
+        'true' => 'Oui',
+        'false' => 'Non',
+	),
+);
diff --git a/xExtension-ImageProxy/metadata.json b/xExtension-ImageProxy/metadata.json
index 4710b04..82aec32 100644
--- a/xExtension-ImageProxy/metadata.json
+++ b/xExtension-ImageProxy/metadata.json
@@ -2,7 +2,7 @@
 	"name": "Image Proxy",
 	"author": "Frans de Jonge",
 	"description": "No insecure content warnings or disappearing images.",
-	"version": 0.3,
+	"version": 0.4,
 	"entrypoint": "ImageProxy",
 	"type": "user"
 }