news/README.md

12 KiB

ownCloud News app

Join the chat at https://gitter.im/owncloud/news

Build Status Scrutinizer Code Quality

The News app is an RSS/Atom feed aggregator. It offers a RESTful API for app developers. The source code is available on GitHub

For further developer and user documentation please visit the wiki

Maintainers

Sync Clients

are listed on the ownCloud apps overview

Dependencies

  • ownCloud >= 8.2
  • libxml >= 2.7.8 (2.9 recommended)
  • php-curl
  • iconv
  • SimpleXML
  • PHP >= 5.5

Supported Linux Distributions

Supported means that the distribution's default repository packages will work in conjunction with the News app and you won't have to add any 3rdparty repositories.

The following distros are supported:

  • Ubuntu 14.04
  • Debian 8 (Jessie)
  • Arch Linux

Supported Browsers

  • Newest Firefox (Desktop, Android, Firefox OS)
  • Newest Chrome/Chromium (Desktop, Android)

Supported Databases

  • PostgreSQL (recommended)
  • MySql
  • SQLite (discouraged)

Bugs

Please read the appropriate section in the contributing notices

Installation/Update

Before you install/update the News app

Before you install the app do the following:

Then proceed to install the app either from an archive (zip/tar.gz) or clone it from the repository using git

Installing from archive

  • Go to the ownCloud News GitHub releases page and download the latest release/archive to your server
  • On your server, check if there is a folder called owncloud/apps/news. If there is one, delete it.
  • Extract the downloaded archive to the owncloud/apps/ folder.
  • Remove the version from the extracted folder (e.g. rename owncloud/apps/news-4.0.3/ to owncloud/apps/news/
  • Activate the News app in the apps menu

Installing from Git (development version)

  • The master branch will always be stable in conjunction with the latest master branch from ownCloud

  • In your terminal go into the owncloud/apps/ directory and then run the following command:

      git clone https://github.com/owncloud/news.git
    
  • If you are using a stable ownCloud release, stay with the latest git tag release which is running on your version. To get an overview over all existing tags run:

      git tag
    

You can switch to a release which will be supported on your installation by running:

  git checkout tags/TAG

For instance to use the 5.2.8 release, run:

  git checkout tags/5.2.8
  • Activate the News app in the apps menu

To update the News app use change into the owncloud/apps/news/ directory using your terminal and then run:

git pull --rebase origin master

Performance Notices

Updating Notices

To receive notifications when a new News app version was released, simply add the following Atom feed in your currently installed News app:

https://github.com/owncloud/news/releases.atom

FAQ

My browser shows a mixed content warning (Connection is Not Secure)

If you are serving your ownCloud over HTTPS your browser will very likely warn you with a yellow warnings sign about your connection not being secure.

Chrome will show no green HTTPS lock sign, Firefox will show you the following image Mixed Passive Content

Note that this warning is not red and won't block the page like the following images which signal a serious issue:

Untrusted Cert Mixed Active Content

What is the cause of the (yellow) error message

This warning is caused by mixed passive content and means that your page loads passive resources from non HTTPS resources, such as:

  • Images
  • Video/Audio

This allows a possible attacker to perform a MITM (man-in-the-middle) attack by serving you different images or audio/video.

Why doesn't the News app fix it

The News app fully prevents mixed active content by only allowing HTTPS iframes from known locations; other possible mixed active content elements such as <script> are stripped from the feed. Because images and audio/video are an integral part of a feed, we can not simply strip them.

Since an attacker can not execute code in contrast to mixed active content, but only replace images/audio/video in your feed reader, this is not considered to be a security issue. If, for whatever reason (e.g. feed which would allow fishing), this is a security problem for you, contact the specific feed provider and ask him to serve his feed content over HTTPS.

Why don't you simply use an HTTPS image/audio/video proxy

For the same reason that we can't fix non HTTPS websites: It does not fix the underlying issue but only silences it. If you are using an image HTTPS proxy, an attacker can simply attack your image proxy since the proxy fetches insecure content. Even worse: if your image proxy serves these images from the same domain as your ownCloud installation you are vulnerable to XSS via SVG images. In addition people feel save when essentially they are not.

Since most people don't understand mixed content and don't have two domains and a standalone server for the image proxy, it is very likely they will choose to host it under the same domain.

Because we care about our users' security and don't want to hide security warnings, we won't fix (aka silence) this issue.

The only fix for this issue is that feed providers serve their content over HTTPS.

I am getting Exception: Some\Class does not exist erros in my owncloud.log

This is very often caused by missing or old files, e.g. by failing to upload all of the News app' files or errors during installation. Before you report a bug, please recheck if all files from the archive are in place and accessible.

How do I reset the News app

Delete the folder owncloud/apps/news/ and owncloud/data/news/, then connect to your database and run the following commands where oc_ is your table prefix (defaults to oc_)

DELETE FROM oc_appconfig WHERE appid = 'news';
DROP TABLE oc_news_items;
DROP TABLE oc_news_feeds;
DROP TABLE oc_news_folders;

App is stuck in maintenance mode after failed update

Check the owncloud/data/owncloud.log for hints why it failed. After the issues are fixed, turn off the maintenance mode by editing your owncloud/config/config.php by setting the maintenance key to false:

"maintenance" => false,

Feeds are not updated

  • Check if the cronjob exists with crontab -u www-data -e (replace www-data with your httpd user)
  • Check the file permissions of the cron.php file and if www-data (or whatever your httpd user is called like) can read and execute that script
  • Check if the cronjob is ever executed by placing an error_log('updating') in the background job file. If the cronjob runs, there should be an updating log statement in your httpd log.
  • If there is no updating statement in your logs check if your cronjob is executed by executing a different script
  • If your cron works fine but owncloud's cronjobs are never executed, file a bug in core
  • Try the updater script

Adding feeds that use self-signed certificates

If you want to add a feed that uses a self-signed certificate that is not signed by a trusted CA the request will fail with "SSL certficate is invalid". A common solution is to turn off the certificate verification which is wrong and makes your installation vulnerable to MITM attacks. Therefore turning off certificate verification is not supported.

If you have control over the feed in question, consider signing your certificate for free on one of the following providers:

If you do not have control over the chosen feed, you should download the certificate from the feed's website and add it to your server's trusted certificates. The exact procedure however may vary depending on your distribution.

Configuration

All configuration values are set inside owncloud/data/news/config/config.ini and can be edited in the admin panel.

The configuration is in INI format and looks like this:

autoPurgeMinimumInterval = 60
autoPurgeCount = 200
maxRedirects = 10
maxSize = 104857600
feedFetcherTimeout = 60
useCronUpdates = true
exploreUrl =
  • autoPurgeMinimumInterval: Minimum amount of seconds after deleted feeds and folders are removed from the database. Values below 60 seconds are ignored
  • autoPurgeCount: Defines the minimum amount of articles that can be unread per feed before they get deleted, a negative value will turn off deleting articles completely
  • maxRedirects: How many redirects the updater should follow
  • maxSize: Maximum feed size in bytes. If the RSS/Atom page is bigger than this value, the update will be aborted
  • feedFetcherTimeout: Maximum number of seconds to wait for an RSS or Atom feed to load. If a feed takes longer than that number of seconds to update, the update will be aborted
  • useCronUpdates: To use a custom update/cron script you need to disable the cronjob which is run by ownCloud by default by setting this to false
  • exploreUrl: If given that url will be contacted for fetching content for the explore feed