authorfriendica <info@friendica.com>2013-01-22 02:56:32 -0800
committerfriendica <info@friendica.com>2013-01-22 02:56:32 -0800
commitbeb3301d43c0d532bd6984ee745074479babdabb (patch)
treee1fb9a4ad9ef56456f6e06049053f2234ce79c63
parentbda4ca4c0d9f247675f4c241ecb0d402bb380d8f (diff)
security fixes related to directory access and sites that are off the grid
-rw-r--r--include/zot.php15
-rw-r--r--mod/directory.php4
-rw-r--r--mod/dirsearch.php10
-rw-r--r--mod/search.php5
-rw-r--r--mod/zfinger.php3
5 files changed, 27 insertions, 10 deletions
diff --git a/include/zot.php b/include/zot.php
index 2623d68c4..f35c6f93e 100644
--- a/include/zot.php
+++ b/include/zot.php
@@ -536,11 +536,24 @@ function import_xchan($arr) {
if($r[0]['xchan_photo_date'] != $arr['photo_updated'])
$import_photos = true;
+ // if we import an entry from a site that's not ours and either or both of us is off the grid - hide the entry.
+ // TODO: check if we're the same directory realm, which would mean we are allowed to see it
+
+ $dirmode = get_config('system','directory_mode');
+
+ if((($arr['site']['directory_mode'] === 'standalone') || ($dirmode & DIRECTORY_MODE_STANDALONE))
+&& ($arr['site']['url'] != z_root()))
+ $arr['searchable'] = false;
+
+
+
+ // Be careful - XCHAN_FLAGS_HIDDEN should evaluate to 1
if(($r[0]['xchan_flags'] & XCHAN_FLAGS_HIDDEN) != $arr['searchable'])
$new_flags = $r[0]['xchan_flags'] ^ XCHAN_FLAGS_HIDDEN;
else
$new_flags = $r[0]['xchan_flags'];
-
+
+
if(($r[0]['xchan_name_date'] != $arr['name_updated']) || ($r[0]['xchan_connurl'] != $arr['connections_url']) || ($r[0]['xchan_flags'] != $new_flags)) {
$r = q("update xchan set xchan_name = '%s', xchan_name_date = '%s', xchan_connurl = '%s', xchan_flags = %d where xchan_hash = '%s' limit 1",
dbesc($arr['name']),
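Review bot: The new `$arr['searchable'] = false` only takes effect through the flag comparison on the context line beneath the added block, and with PHP's loose `!=` between the integer bit and a boolean that comparison appears inverted: an entry whose HIDDEN bit is already set and whose `searchable` is false compares unequal and gets the bit toggled off, while an entry with the bit clear and `searchable` false compares equal and stays visible, which is the very case this commit wants to hide. Worth confirming against a real zfinger response, but if `searchable` arrives as a JSON boolean the test should flip when the two agree, e.g. `if(((bool)($r[0]['xchan_flags'] & XCHAN_FLAGS_HIDDEN)) === (bool)$arr['searchable'])` with the existing `$new_flags` assignments unchanged. Separately, `$arr['site']['directory_mode']` and `$arr['site']['url']` are read from the remote document without an `isset()` guard, and `$dirmode` is not wrapped in `intval()` here the way it is in mod/dirsearch.php in this same commit. import_xchan begins and ends outside this hunk.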
diff --git a/mod/directory.php b/mod/directory.php
index d9182d1bd..f2d9e1e02 100644
--- a/mod/directory.php
+++ b/mod/directory.php
@@ -56,6 +56,8 @@ function directory_content(&$a) {
$query = $url . '?f=' ;
if($search)
$query .= '&name=' . urlencode($search);
+ if(strpos($search,'@'))
+ $query .= '&address=' . urlencode($search);
if($a->pager['page'] != 1)
$query .= '&p=' . $a->pager['page'];
@@ -63,6 +65,8 @@ function directory_content(&$a) {
logger('mod_directory: query: ' . $query);
$x = z_fetch_url($query);
+ logger('directory: return from upstream: ' . print_r($x,true));
+
if($x['success']) {
$t = 0;
$j = json_decode($x['body'],true);
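Review bot: `if(strpos($search,'@'))` in the first hunk misses an address whose `@` is the first character, because strpos returns 0 there and 0 is falsy; the mod/search.php change in this commit already uses the `!== false` form, so this line should match it: `if(strpos($search,'@') !== false)`. In the second hunk, `logger('directory: return from upstream: ' . print_r($x,true))` writes the entire upstream response, i.e. every directory record returned, to the log at the default level on each page view; if it is meant to stay it should be at debug level, `logger('directory: return from upstream: ' . print_r($x,true), LOGGER_DEBUG);`, or reduced to `$x['success']` and the record count. directory_content continues outside both hunks.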
diff --git a/mod/dirsearch.php b/mod/dirsearch.php
index 57132519c..1dbe60499 100644
--- a/mod/dirsearch.php
+++ b/mod/dirsearch.php
@@ -14,16 +14,12 @@ function dirsearch_content(&$a) {
// If you've got a public directory server, you probably shouldn't block public access
- if((get_config('system','block_public')) && (! local_user()) && (! remote_user())) {
- $ret['message'] = t('Public access denied.');
- return;
- }
$dirmode = intval(get_config('system','directory_mode'));
if($dirmode == DIRECTORY_MODE_NORMAL) {
$ret['message'] = t('This site is not a directory server');
- return;
+ json_return_and_die($ret);
}
$name = ((x($_REQUEST,'name')) ? $_REQUEST['name'] : '');
@@ -75,7 +71,7 @@ function dirsearch_content(&$a) {
// By default we return one page (default 80 items maximum) and do not count total entries
$logic = ((strlen($sql_extra)) ? 0 : 1);
-
+dbg(1);
if($limit)
$qlimit = " LIMIT $limit ";
else {
@@ -95,7 +91,7 @@ function dirsearch_content(&$a) {
$r = q("SELECT xchan.*, xprof.* from xchan left join xprof on xchan_hash = xprof_hash where $logic $sql_extra and not ( xchan_flags & %d ) $order $qlimit ",
intval(XCHAN_FLAGS_HIDDEN)
);
-
+dbg(0);
$ret['page'] = $page + 1;
$ret['records'] = count($r);
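Review bot: `dbg(1)` and `dbg(0)` in the second and third hunks look like leftover query-tracing toggles bracketing the SELECT; they appear to switch database debug output on for every directory search and should be removed before this lands. The first hunk also deletes the `block_public` guard outright rather than narrowing it, and the comment kept above it only says a public directory server "probably shouldn't" block access; since the effect is that dirsearch now answers unauthenticated queries on any site not in DIRECTORY_MODE_NORMAL, the comment should state that directly, e.g. `// Directory search is intentionally public: block_public is not applied here because remote sites must be able to query a directory server.` dirsearch_content continues outside these hunks.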
diff --git a/mod/search.php b/mod/search.php
index a9f2df069..7a0f4205d 100644
--- a/mod/search.php
+++ b/mod/search.php
@@ -117,6 +117,11 @@ function search_content(&$a) {
goaway(z_root() . '/directory' . '?f=1&search=' . $search);
}
+ // look for a naked webbie
+ if(strpos($search,'@') !== false) {
+ goaway(z_root() . '/directory' . '?f=1&search=' . $search);
+ }
+
if(! $search)
return $o;
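Review bot: The added redirect inserts `$search` into the query string raw (as does the identical `goaway` on the context line just above it), so a value containing `&`, `#` or a space breaks the `search=` parameter instead of being passed through; it should read `goaway(z_root() . '/directory' . '?f=1&search=' . urlencode($search));`. Since both branches issue the same redirect, the new `@` test could be folded into the preceding condition rather than duplicated as a second block. search_content continues outside this hunk.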
diff --git a/mod/zfinger.php b/mod/zfinger.php
index 2fb169ef1..b7a89b12b 100644
--- a/mod/zfinger.php
+++ b/mod/zfinger.php
@@ -75,7 +75,6 @@ function zfinger_init(&$a) {
if($e['xchan_flags'] & XCHAN_FLAGS_HIDDEN)
$searchable = false;
-
// This is for birthdays and keywords, but must check access permissions
$p = q("select * from profile where uid = %d and is_default = 1",
intval($e['channel_id'])
@@ -181,7 +180,7 @@ function zfinger_init(&$a) {
elseif($dirmode == DIRECTORY_MODE_STANDALONE)
$ret['site']['directory_mode'] = 'standalone';
if($dirmode != DIRECTORY_MODE_NORMAL)
- $ret['site']['directory_url'] = z_root() . '/dir';
+ $ret['site']['directory_url'] = z_root() . '/dirsearch';
json_return_and_die($ret);