authorredmatrix <redmatrix@redmatrix.me>2015-05-20 18:46:23 -0700
committerredmatrix <redmatrix@redmatrix.me>2015-05-20 18:46:23 -0700
commit6466774b6e6ed72ea1cc57cbc76e451205934aca (patch)
treede1b5415812e3cc9b9ee8d1e7d481dd9bc26cc8f
parentfe00d29047da1cb99cbc06af938268ec9e6a8fcb (diff)
PRIVACY: possible privacy leakage under a defined set of circumstances
-rwxr-xr-xinclude/items.php13
-rw-r--r--include/security.php10
-rw-r--r--include/text.php10
-rw-r--r--mod/channel.php2
-rw-r--r--mod/editpost.php1
-rw-r--r--mod/item.php17
-rw-r--r--version.inc2
-rwxr-xr-xview/tpl/jot.tpl3
8 files changed, 32 insertions, 26 deletions
diff --git a/include/items.php b/include/items.php
index 1db3fab2b..245259e38 100755
--- a/include/items.php
+++ b/include/items.php
@@ -2527,6 +2527,7 @@ function item_store_update($arr,$allow_exec = false) {
$arr['title'] = ((array_key_exists('title',$arr) && strlen($arr['title'])) ? trim($arr['title']) : '');
$arr['body'] = ((array_key_exists('body',$arr) && strlen($arr['body'])) ? trim($arr['body']) : '');
+
$arr['attach'] = ((x($arr,'attach')) ? notags(trim($arr['attach'])) : $orig[0]['attach']);
$arr['app'] = ((x($arr,'app')) ? notags(trim($arr['app'])) : $orig[0]['app']);
// $arr['item_restrict'] = ((x($arr,'item_restrict')) ? intval($arr['item_restrict']) : $orig[0]['item_restrict'] );
@@ -4372,12 +4373,14 @@ function fetch_post_tags($items,$link = false) {
-function zot_feed($uid,$observer_xchan,$arr) {
+function zot_feed($uid,$observer_hash,$arr) {
$result = array();
$mindate = null;
$message_id = null;
+ require_once('include/security.php');
+
if(array_key_exists('mindate',$arr)) {
$mindate = datetime_convert('UTC','UTC',$arr['mindate']);
}
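Review bot: The `require_once('include/security.php')` added at the top of zot_feed makes the identical call that survives inside the `if(! is_sys_channel($uid))` branch further down redundant; the one at function entry is the better place, so the later copy can go. The parameter rename from `$observer_xchan` to `$observer_hash` also needs the function's docblock (outside this hunk, if one exists) updated, with a sentence stating that the caller is responsible for having authenticated this hash — the rest of the function now uses it as the identity that item visibility is filtered against. zot_feed continues past the end of this hunk.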
@@ -4395,14 +4398,14 @@ function zot_feed($uid,$observer_xchan,$arr) {
if($message_id)
logger('message_id: ' . $message_id,LOGGER_DEBUG);
- if(! perm_is_allowed($uid,$observer_xchan,'view_stream')) {
+ if(! perm_is_allowed($uid,$observer_hash,'view_stream')) {
logger('zot_feed: permission denied.');
return $result;
}
if(! is_sys_channel($uid)) {
require_once('include/security.php');
- $sql_extra = item_permissions_sql($uid);
+ $sql_extra = item_permissions_sql($uid,$observer_hash);
}
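Review bot: Passing `$observer_hash` into item_permissions_sql is the core of the fix, but it relies on the fallback inside that helper: when `$observer_hash` is empty the helper silently reverts to `get_observer_hash()`, i.e. whatever web-session observer happens to exist, which is presumably never what a zot feed request wants. It would be safer for zot_feed to treat an empty hash as anonymous explicitly rather than depend on there being no session, e.g. by bailing out alongside the `perm_is_allowed` check: `if(! $observer_hash) { logger('zot_feed: no observer'); return $result; }` — assuming anonymous feeds are not a supported case, which I cannot confirm from here. A comment on the `$sql_extra` line, `// filter items for the authenticated zot sender, not the web session`, would make the intent durable. zot_feed continues beyond this hunk.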
$limit = " LIMIT 100 ";
@@ -4416,6 +4419,7 @@ function zot_feed($uid,$observer_xchan,$arr) {
$limit = '';
}
+
$items = array();
/** @FIXME fix this part for PostgreSQL */
@@ -4425,7 +4429,6 @@ function zot_feed($uid,$observer_xchan,$arr) {
}
if(is_sys_channel($uid)) {
- require_once('include/security.php');
$r = q("SELECT parent, created, postopts from item
WHERE uid != %d
AND item_private = 0 AND item_restrict = 0 AND uid in (" . stream_perms_api_uids(PERMS_PUBLIC,10,1) . ")
@@ -4633,7 +4636,7 @@ function items_fetch($arr,$channel = null,$observer_hash = null,$client_mode = C
//$start = dba_timer();
require_once('include/security.php');
- $sql_extra .= item_permissions_sql($channel['channel_id']);
+ $sql_extra .= item_permissions_sql($channel['channel_id'],$observer_hash);
if ($arr['pages'])
$item_restrict = " AND (item_restrict & " . ITEM_WEBPAGE . ") ";
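Review bot: items_fetch now forwards `$observer_hash` (which defaults to `null` in the signature) to item_permissions_sql, so existing callers that omit it keep the session-based behaviour while new callers can name a remote observer; that is backward compatible, but nothing here documents that the hash must already be verified. I would add a `@param string|null $observer_hash` line to the function's docblock (outside this hunk) saying that it is an authenticated xchan hash, never a value taken from the request. items_fetch begins and ends outside this hunk.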
diff --git a/include/security.php b/include/security.php
index c3b0e9763..91683cc98 100644
--- a/include/security.php
+++ b/include/security.php
@@ -148,7 +148,7 @@ function change_channel($change_channel) {
*
* @return string additional SQL where statement
*/
-function permissions_sql($owner_id, $remote_verified = false, $groups = null) {
+function permissions_sql($owner_id, $remote_observer = null) {
$local_channel = local_channel();
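Review bot: The signature change replaces the old second parameter `$remote_verified = false` with `$remote_observer = null`, so any caller elsewhere that still passes the old boolean positionally would now be handing `true` in as an observer hash, which the truthiness test below would accept and feed to `init_groups_visitor()`. This diff only updates the item_permissions_sql call in mod/channel.php, so it is worth grepping for remaining `permissions_sql(` callers with two or three arguments — I cannot see them from here. The docblock directly above this line still only carries `@return`; it should gain `@param string|null $remote_observer verified xchan hash of the remote viewer; falls back to the session observer when empty`. permissions_sql continues past this hunk.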
@@ -181,7 +181,7 @@ function permissions_sql($owner_id, $remote_verified = false, $groups = null) {
*/
else {
- $observer = get_observer_hash();
+ $observer = (($remote_observer) ? $remote_observer : get_observer_hash());
if($observer) {
$groups = init_groups_visitor($observer);
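Review bot: The new `$observer` assignment lets a caller override the session observer, which shifts authentication of that identity entirely onto the caller without saying so in the code. A one-line comment above it would make that contract explicit: `// $remote_observer must already be authenticated by the caller (e.g. the zot transport); it overrides the web session observer`. The enclosing `else` branch and the function continue beyond this hunk.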
@@ -217,7 +217,7 @@ function permissions_sql($owner_id, $remote_verified = false, $groups = null) {
*
* @return string additional SQL where statement
*/
-function item_permissions_sql($owner_id, $remote_verified = false, $groups = null) {
+function item_permissions_sql($owner_id, $remote_observer = null) {
$local_channel = local_channel();
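Review bot: As with permissions_sql above, dropping `$remote_verified` and `$groups` in favour of `$remote_observer` changes the meaning of the second positional argument, and a `@param` line for `$remote_observer` is missing from the docblock that ends just above this hunk. Since the function now accepts a caller-chosen identity, the docblock should state that the value is trusted as-is and must come from an authenticated source, not from request input. item_permissions_sql continues past this hunk.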
@@ -227,7 +227,7 @@ function item_permissions_sql($owner_id, $remote_verified = false, $groups = nul
* default permissions - anonymous user
*/
- $sql = " AND item_private=0 ";
+ $sql = " AND item_private = 0 ";
/**
* Profile owner - everything is visible
@@ -246,7 +246,7 @@ function item_permissions_sql($owner_id, $remote_verified = false, $groups = nul
*/
else {
- $observer = get_observer_hash();
+ $observer = (($remote_observer) ? $remote_observer : get_observer_hash());
if($observer) {
$groups = init_groups_visitor($observer);
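Review bot: Using truthiness (`(($remote_observer) ? ... : get_observer_hash())`) means a caller cannot express "anonymous viewer": an empty or null remote observer quietly falls back to whatever web session is present, which may be a different principal than the one the caller is filtering for. If that fallback is intended, say so in a comment, e.g. `// empty remote observer means "use the web session observer", not "anonymous"`; if not, callers with a remote context should refuse an empty hash before reaching here. The surrounding branch continues beyond this hunk.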
diff --git a/include/text.php b/include/text.php
index 6ed06e92a..d483424ec 100644
--- a/include/text.php
+++ b/include/text.php
@@ -1379,12 +1379,8 @@ function generate_named_map($location) {
function prepare_body(&$item,$attach = false) {
- if(get_config('system','item_cache') && $item['html'])
- return $item['html'];
-
call_hooks('prepare_body_init', $item);
-
unobscure($item);
$s = prepare_text($item['body'],$item['mimetype']);
@@ -1452,12 +1448,6 @@ function prepare_body(&$item,$attach = false) {
$prep_arr = array('item' => $item, 'html' => $s);
call_hooks('prepare_body_final', $prep_arr);
- if(get_config('system','item_cache'))
- q("update item set html = '%s' where id = %d",
- dbesc($prep_arr['html']),
- intval($item['id'])
- );
-
return $prep_arr['html'];
}
diff --git a/mod/channel.php b/mod/channel.php
index 022def2a8..b06602994 100644
--- a/mod/channel.php
+++ b/mod/channel.php
@@ -146,7 +146,7 @@ function channel_content(&$a, $update = 0, $load = false) {
*/
- $sql_extra = item_permissions_sql($a->profile['profile_uid'],$remote_contact,$groups);
+ $sql_extra = item_permissions_sql($a->profile['profile_uid']);
if(get_pconfig($a->profile['profile_uid'],'system','channel_list_mode') && (! $mid))
$page_mode = 'list';
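Review bot: With `$remote_contact` and `$groups` no longer passed to item_permissions_sql, the code earlier in channel_content that computes them (outside this hunk) is likely dead now, unless it is still used for something else in the function — worth checking and removing to avoid suggesting those locals influence visibility when they do not. The new call relies on `get_observer_hash()` inside the helper, which matches this function's web-session context. channel_content begins and ends outside this hunk.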
diff --git a/mod/editpost.php b/mod/editpost.php
index 58ebe31cb..81bb91b2a 100644
--- a/mod/editpost.php
+++ b/mod/editpost.php
@@ -132,6 +132,7 @@ function editpost_content(&$a) {
'$ptyp' => $itm[0]['type'],
'$content' => undo_post_tagging($itm[0]['body']),
'$post_id' => $post_id,
+ '$parent' => (($itm[0]['parent'] != $itm[0]['id']) ? $itm[0]['parent'] : ''),
'$baseurl' => $a->get_baseurl(),
'$defloc' => $channel['channel_location'],
'$visitor' => false,
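Review bot: The `$parent` value emitted here becomes a hidden form field that the client can edit freely, so the server side of item_post must not use the submitted `parent` to decide anything about the edited item beyond what it re-derives from the database row for `$post_id`; I cannot see that check from this hunk, so it is worth confirming. A short comment on the new line would record the reasoning: `// tell the jot form this is a comment so item_post can locate the thread; the value is re-validated server-side`. editpost_content begins and ends outside this hunk.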
diff --git a/mod/item.php b/mod/item.php
index a732a9f81..cbbaa9e27 100644
--- a/mod/item.php
+++ b/mod/item.php
@@ -452,8 +452,6 @@ function item_post(&$a) {
}
}
- $post_type = notags(trim($_REQUEST['type']));
-
$mimetype = notags(trim($_REQUEST['mimetype']));
if(! $mimetype)
$mimetype = 'text/bbcode';
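Review bot: Removing the `$post_type` assignment is correct for the privacy fix (the client-supplied `type` should not drive visibility), but if `$post_type` is referenced anywhere else in item_post outside this hunk it is now an undefined variable; please grep the rest of the function. The jot template in this same commit still posts a hidden `type` input, so if nothing reads it any more that field is dead and could be dropped in a follow-up. item_post begins and ends outside this hunk.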
@@ -659,8 +657,19 @@ function item_post(&$a) {
$item_unseen = 1;
- if($post_type === 'wall' || $post_type === 'wall-comment')
- $item_flags = $item_flags | ITEM_WALL;
+
+ // determine if this is a wall post
+
+ if($parent) {
+ if($parent_item['item_flags'] & ITEM_WALL) {
+ $item_flags = $item_flags | ITEM_WALL;
+ }
+ }
+ else {
+ if(! $webpage) {
+ $item_flags = $item_flags | ITEM_WALL;
+ }
+ }
if($origin)
$item_flags = $item_flags | ITEM_ORIGIN;
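Review bot: Deriving ITEM_WALL from `$parent_item['item_flags']` rather than the request's `type` is the right fix, but the new branch dereferences `$parent_item` without a guard, so if `$parent` is set while the parent lookup earlier in item_post returned nothing this emits a notice and silently treats the comment as non-wall; presumably the function already bails when the parent is not found, but that code is outside this hunk. A comment stating the security intent would keep the next maintainer from reintroducing a request-driven flag: `// ITEM_WALL is derived from server-side state (the parent's flags, or the absence of a parent/webpage), never from the client-supplied 'type' field`. item_post begins and ends outside this hunk.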
diff --git a/version.inc b/version.inc
index acb250bd9..f2e8ff81c 100644
--- a/version.inc
+++ b/version.inc
@@ -1 +1 @@
-2015-05-19.1037
+2015-05-20.1038
diff --git a/view/tpl/jot.tpl b/view/tpl/jot.tpl
index 2fcd4d59b..100dd15b9 100755
--- a/view/tpl/jot.tpl
+++ b/view/tpl/jot.tpl
@@ -1,5 +1,8 @@
<div id="profile-jot-wrapper">
<form id="profile-jot-form" action="{{$action}}" method="post">
+ {{if $parent}}
+ <input type="hidden" name="parent" value="{{$parent}}" />
+ {{/if}}
<input type="hidden" name="type" value="{{$ptyp}}" />
<input type="hidden" name="profile_uid" value="{{$profile_uid}}" />
<input type="hidden" name="return" value="{{$return_path}}" />
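Review bot: The new hidden `parent` input interpolates `{{$parent}}` into an attribute without an escape modifier; the value is an item id from the database so this is harmless today, but writing it as `value="{{$parent|escape}}"` (if the template engine is configured that way elsewhere in the tree) keeps the pattern safe if the source of `$parent` ever changes. Since item.php in this commit stops reading the `type` field, the `type` hidden input just below may now be dead — worth confirming and removing so the form only carries fields the server acts on.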