authorfriendica <info@friendica.com>2013-04-14 20:41:58 -0700
committerfriendica <info@friendica.com>2013-04-14 20:41:58 -0700
commite411a4bdc27cd443abf613a0044effb4604223f0 (patch)
treee3a501db8f394bd6fd56cd76bfd137f56008cacc
parent2942155797ed46be0d0bd71c89add14404a4bb47 (diff)
IMPORTANT: magic-auth protocol update, plus 'zrl' bbcode tag for the privacy-is-more-important-than-ease-of-use folks.
-rw-r--r--include/bbcode.php15
-rw-r--r--include/text.php29
-rw-r--r--mod/post.php12
-rw-r--r--util/messages.po8
-rw-r--r--version.inc2
5 files changed, 54 insertions, 12 deletions
diff --git a/include/bbcode.php b/include/bbcode.php
index 82d25ffc8..930337c5d 100644
--- a/include/bbcode.php
+++ b/include/bbcode.php
@@ -263,21 +263,24 @@ function bbcode($Text,$preserve_nl = false, $tryoembed = true) {
// Perform URL Search
- $Text = preg_replace("/([^\]\='".'"'."]|^)(https?\:\/\/[a-zA-Z0-9\:\/\-\?\&\;\.\=\_\~\#\%\$\!\+\,]+)/ism", '$1<a href="$2" >$2</a>', $Text);
+ $urlchars = '[a-zA-Z0-9\:\/\-\?\&\;\.\=\@\_\~\#\%\$\!\+\,]';
- if ($tryoembed)
- $Text = preg_replace_callback("/\[bookmark\=([^\]]*)\].*?\[\/bookmark\]/ism",'tryoembed',$Text);
- $Text = preg_replace("/\[bookmark\=([^\]]*)\](.*?)\[\/bookmark\]/ism",'[url=$1]$2[/url]',$Text);
+ $Text = preg_replace("/([^\]\='".'"'."]|^)(https?\:\/\/$urlchars+)/ism", '$1<a href="$2" >$2</a>', $Text);
+
+// $Text = preg_replace("/([^\]\='".'"'."]|^)(https?\:\/\/$urlchars+)\{zid\}($urlchars*)/ism", '$1<a class="zrl" href="$2$3" >$2$3</a>', $Text);
$Text = preg_replace_callback("/\[share(.*?)\](.*?)\[\/share\]/ism","bb_ShareAttributes",$Text);
- if ($tryoembed)
+ if($tryoembed)
$Text = preg_replace_callback("/\[url\]([$URLSearchString]*)\[\/url\]/ism",'tryoembed',$Text);
$Text = preg_replace("/\[url\]([$URLSearchString]*)\[\/url\]/ism", '<a href="$1" >$1</a>', $Text);
$Text = preg_replace("/\[url\=([$URLSearchString]*)\](.*?)\[\/url\]/ism", '<a href="$1" >$2</a>', $Text);
- //$Text = preg_replace("/\[url\=([$URLSearchString]*)\]([$URLSearchString]*)\[\/url\]/ism", '<a href="$1" target="_blank">$2</a>', $Text);
+
+
+ $Text = preg_replace("/\[zrl\]([$URLSearchString]*)\[\/zrl\]/ism", '<a class="zrl" href="$1" >$1</a>', $Text);
+ $Text = preg_replace("/\[zrl\=([$URLSearchString]*)\](.*?)\[\/zrl\]/ism", '<a class="zrl" href="$1" >$2</a>', $Text);
// Perform MAIL Search
$Text = preg_replace("/\[mail\]([$MAILSearchString]*)\[\/mail\]/", '<a href="mailto:$1">$1</a>', $Text);
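Review bot: The two new `[zrl]` replacements after the `[url]` lines have no comment saying what `class="zrl"` is for, and the commented-out `{zid}` pattern above the `[share]` line is left in as dead code. A short comment such as `// [zrl] marks the link with class="zrl"; zidify_links() in prepare_text() rewrites those hrefs at display time` would tie the two files together, and the disabled line should be removed or given a reason. The `[zrl=…]` form emits its label `$2` from `(.*?)` unchanged, as `[url=…]` does, so it relies on escaping done earlier in bbcode(), which is outside this hunk. The hunk also drops the `[bookmark]` conversion; if that was not moved elsewhere in the function, those tags would now reach the output unconverted.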
diff --git a/include/text.php b/include/text.php
index a8d91fade..f0251494d 100644
--- a/include/text.php
+++ b/include/text.php
@@ -1108,6 +1108,7 @@ function prepare_text($text,$content_type = 'text/bbcode') {
$s = bbcode($text);
else
$s = smilies(bbcode($text));
+ $s = zidify_links($s);
break;
}
@@ -1116,6 +1117,34 @@ function prepare_text($text,$content_type = 'text/bbcode') {
/**
+ * zidify_callback() and zidify_links() work together to turn any HTML a tags with class="zrl" into zid links
+ * These will typically be generated by a bbcode '[zrl]' tag. This is done inside prepare_text() rather than bbcode()
+ * because the latter is used for general purpose conversions and the former is used only when preparing text for
+ * immediate display.
+ *
+ * Issues: Currently the order of HTML parameters in the text is somewhat rigid and inflexible.
+ * We assume it looks like <a class="zrl" href="xxxxxxxxxx"> and will not work if zrl and href appear in a different order.
+ */
+
+
+function zidify_callback($match) {
+ $replace = '<a' . $match[1] . 'class="zrl"' . $match[2] . ' href="' . zid($match[3]) . '"';
+
+ $x = str_replace($match[0],$replace,$match[0]);
+ return $x;
+}
+
+function zidify_links($s) {
+ $s = preg_replace_callback('/\<a(.*?)class\=\"zrl\"(.*?)href\=\"(.*?)\"/ism','zidify_callback',$s);
+ return $s;
+}
+
+
+
+
+
+
+/**
* return atom link elements for all of our hubs
*/
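Review bot: The pattern in zidify_links() uses `(.*?)` with the `s` modifier for all three groups, so a match can start at any earlier `<a` (or `<abbr`, `<area`) and run across tag boundaries until it reaches `class="zrl"`. Bounding each group to a single tag is safer: `'/\<a\b([^>]*?)class\=\"zrl\"([^>]*?)href\=\"([^"]*)\"/ism'`. In zidify_callback() the `str_replace($match[0],$replace,$match[0])` always yields `$replace`, so the function can simply `return $replace;`. The result of `zid($match[3])` is concatenated into the attribute as-is; zid() is not visible here, so it is worth confirming its output is attribute-safe. Because the link target is chosen by the post author, the docblock should also state what zid() adds to the URL for the viewer.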
diff --git a/mod/post.php b/mod/post.php
index 5b002eb36..5919ed2b4 100644
--- a/mod/post.php
+++ b/mod/post.php
@@ -96,6 +96,13 @@ function post_init(&$a) {
}
if($already_authed || $j['success']) {
+ if($j['success']) {
+ // legit response, but we do need to check that this wasn't answered by a man-in-middle
+ if(! rsa_verify($sec . $x[0]['xchan_hash'],base64url_decode($j['confirm']),$x[0]['xchan_pubkey'])) {
+ logger('mod_zot: auth: final confirmation failed.');
+ goaway($desturl);
+ }
+ }
// everything is good... maybe
if(local_user()) {
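Review bot: The new confirmation check fails closed only if `goaway($desturl)` never returns. That function is not visible here; if it can return, execution continues into the "everything is good" branch with an unverified response, so an explicit `return;` after the `goaway()` call would make the abort local to this block. `$j['confirm']` is also read without a presence check, so a hub that answers `success` without the field reaches rsa_verify() with an empty signature; adding `empty($j['confirm']) ||` to the condition states the intent. The log line could include `$x[0]['xchan_hash']` so a failed confirmation can be traced to a hub. post_init's body continues outside the hunk.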
@@ -386,7 +393,7 @@ function post_post(&$a) {
$arr = $data['recipients'][0];
$recip_hash = base64url_encode(hash('whirlpool',$arr['guid'] . $arr['guid_sig'], true));
- $c = q("select channel_id from channel where channel_hash = '%s' limit 1",
+ $c = q("select channel_id, channel_prvkey from channel where channel_hash = '%s' limit 1",
dbesc($recip_hash)
);
if(! $c) {
@@ -394,6 +401,8 @@ function post_post(&$a) {
json_return_and_die($ret);
}
+ $confirm = base64url_encode(rsa_sign($data['secret'] . $recip_hash,$c[0]['channel_prvkey']));
+
// This additionally checks for forged senders since we already stored the expected result in meta
// and we've already verified that this is them via zot_gethub() and that their key signed our token
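Review bot: `$confirm` is signed with the channel's private key over the caller-supplied `$data['secret']` before the sender check described in the comment just below has run, so the key is used on every request that names a valid recipient. The value is only returned on the success path in the next hunk, so the `rsa_sign()` call can move there, next to `$ret['confirm'] = $confirm;`, keeping the key away from unverified input. It would also help to reject an empty or non-string `$data['secret']` before signing, so the signed message is never just `$recip_hash`. If this key also signs other protocol messages, a fixed context prefix on the signed string, mirrored in the rsa_verify() call in post_init, would keep this signature from being reused elsewhere. That is a protocol change, so it should be confirmed against the spec. post_post's body extends beyond the hunk.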
@@ -412,6 +421,7 @@ function post_post(&$a) {
logger('mod_zot: auth_check: success', LOGGER_DEBUG);
$ret['success'] = true;
+ $ret['confirm'] = $confirm;
json_return_and_die($ret);
}
diff --git a/util/messages.po b/util/messages.po
index 06db522bc..449751f57 100644
--- a/util/messages.po
+++ b/util/messages.po
@@ -8,7 +8,7 @@ msgid ""
msgstr ""
"Project-Id-Version: \n"
"Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2013-04-05 00:01-0700\n"
+"POT-Creation-Date: 2013-04-12 00:00-0700\n"
"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
"Language-Team: LANGUAGE <LL@li.org>\n"
@@ -3546,7 +3546,7 @@ msgid "View Connnections"
msgstr ""
#: ../../mod/chanview.php:74 ../../mod/wall_upload.php:35
-#: ../../mod/magic.php:59 ../../mod/page.php:21
+#: ../../mod/magic.php:58 ../../mod/page.php:21
msgid "Channel not found."
msgstr ""
@@ -3592,13 +3592,13 @@ msgstr ""
msgid "Wall Photos"
msgstr ""
-#: ../../mod/post.php:107
+#: ../../mod/post.php:114
msgid ""
"Remote authentication blocked. You are logged into this site locally. Please "
"logout and retry."
msgstr ""
-#: ../../mod/post.php:117
+#: ../../mod/post.php:124
#, php-format
msgid "Welcome %s. Remote authentication successful."
msgstr ""
diff --git a/version.inc b/version.inc
index b3cdee116..c23d387ab 100644
--- a/version.inc
+++ b/version.inc
@@ -1 +1 @@
-2013-04-10.279
+2013-04-14.283