[ticket/14838] Do not query full attachments table in feeds

The fetch_attachments() will also now throw a runtime exception if a feed
tries to do this nonetheless.

PHPBB3-14838

phpBB/phpbb/feed/attachments_base.php

@@ -25,8 +25,11 @@ abstract class attachments_base extends \phpbb\feed\base
 
 	/**
 	* Retrieve the list of attachments that may be displayed
+	*
+	* @param array $post_ids Specify for which post IDs to fetch the attachments (optional)
+	* @param array $topic_ids Specify for which topic IDs to fetch the attachments (optional)
 	*/
-	protected function fetch_attachments()
+	protected function fetch_attachments($post_ids = array(), $topic_ids = array())
 	{
 		$sql_array = array(
 			'SELECT'   => 'a.*',
@@ -37,7 +40,20 @@ abstract class attachments_base extends \phpbb\feed\base
 			'ORDER_BY' => 'a.filetime DESC, a.post_msg_id ASC',
 		);
 
-		if (isset($this->topic_id))
+		if (!empty($post_ids))
+		{
+			$sql_array['WHERE'] .= 'AND ' . $this->db->sql_in_set('a.post_msg_id', $post_ids);
+		}
+		else if (!empty($topic_ids))
+		{
+			if (isset($this->topic_id))
+			{
+				$topic_ids[] = $this->topic_id;
+			}
+
+			$sql_array['WHERE'] .= 'AND ' . $this->db->sql_in_set('a.topic_id', $topic_ids);
+		}
+		else if (isset($this->topic_id))
 		{
 			$sql_array['WHERE'] .= 'AND a.topic_id = ' . (int) $this->topic_id;
 		}
@@ -51,6 +67,11 @@ abstract class attachments_base extends \phpbb\feed\base
 			);
 			$sql_array['WHERE'] .= 'AND t.forum_id = ' . (int) $this->forum_id;
 		}
+		else
+		{
+			// Do not allow querying the full attachments table
+			throw new \RuntimeException($this->user->lang('INVALID_FEED_ATTACHMENTS'));
+		}
 
 		$sql = $this->db->sql_build_query('SELECT', $sql_array);
 		$result = $this->db->sql_query($sql);
@@ -69,7 +90,6 @@ abstract class attachments_base extends \phpbb\feed\base
 	public function open()
 	{
 		parent::open();
-		$this->fetch_attachments();
 	}
 
 	/**