authorfriendica <info@friendica.com>2013-01-23 16:06:01 -0800
committerfriendica <info@friendica.com>2013-01-23 16:06:01 -0800
commitf63997f61877bf03b9c85cbfaa00b8300c8cb770 (patch)
treea6757907fbf13668e7e7d92cd66c241bd882c964
parent0b18dd15c5377da121f0fb781c0530ca0d328eb9 (diff)
downloadvolse-hubzilla-f63997f61877bf03b9c85cbfaa00b8300c8cb770.tar.gz
volse-hubzilla-f63997f61877bf03b9c85cbfaa00b8300c8cb770.tar.bz2
volse-hubzilla-f63997f61877bf03b9c85cbfaa00b8300c8cb770.zip
plug potential hole in magic auth, add link to chanview to view in dedicated window
-rw-r--r--include/Contact.php14
-rw-r--r--mod/chanview.php2
-rw-r--r--mod/connections.php2
-rw-r--r--mod/magic.php2
-rw-r--r--mod/post.php70
-rw-r--r--version.inc2
-rw-r--r--view/tpl/smarty3/jot-header.tpl14
-rw-r--r--view/tpl/smarty3/xchan_vcard.tpl5
-rw-r--r--view/tpl/xchan_vcard.tpl5
9 files changed, 77 insertions, 39 deletions
diff --git a/include/Contact.php b/include/Contact.php
index 14332c417..a2303803c 100644
--- a/include/Contact.php
+++ b/include/Contact.php
@@ -1,7 +1,7 @@
<?php
-function vcard_from_xchan($xchan) {
+function vcard_from_xchan($xchan, $observer = null, $mode = '') {
$connect = false;
if(local_user()) {
@@ -12,12 +12,20 @@ function vcard_from_xchan($xchan) {
if(! $r)
$connect = t('Connect');
}
-
+
+ $url = (($observer)
+ ? z_root() . '/magic?f=&dest=' . $xchan['xchan_url'] . '&addr=' . $xchan['xchan_addr']
+ : $xchan['xchan_url']
+ );
+
return replace_macros(get_markup_template('xchan_vcard.tpl'),array(
'$name' => $xchan['xchan_name'],
'$photo' => $xchan['xchan_photo_l'],
'$follow' => $xchan['xchan_addr'],
- '$connect' => $connect
+ '$connect' => $connect,
+ '$newwin' => (($mode === 'chanview') ? t('New window') : ''),
+ '$newtit' => t('Open the selected location in a different window or browser tab'),
+ '$url' => $url,
));
}
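Review bot: The `dest` and `addr` query values in the new `$url` (hunk at @@ -12,12) are concatenated raw from the xchan row, so an `&`, `#` or space in `xchan_url`/`xchan_addr` would truncate or alter the parameters mod/magic receives; the same construction appears in mod/chanview.php at the end of its hunk. Wrap both values: `'/magic?f=&dest=' . urlencode($xchan['xchan_url']) . '&addr=' . urlencode($xchan['xchan_addr'])`. The value is then emitted into an href by the two xchan_vcard templates, so it should also be HTML-attribute escaped there or have its `&` separators written as `&amp;`. The new `$mode` parameter is an undocumented string flag; a comment on the signature such as `// $mode === 'chanview' adds a 'New window' link to the vcard` would help.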
diff --git a/mod/chanview.php b/mod/chanview.php
index 92ed757f9..b01eab869 100644
--- a/mod/chanview.php
+++ b/mod/chanview.php
@@ -76,7 +76,7 @@ function chanview_content(&$a) {
}
if($xchan['xchan_hash'])
- $a->set_widget('vcard',vcard_from_xchan($xchan));
+ $a->set_widget('vcard',vcard_from_xchan($xchan,$observer,'chanview'));
$url = (($observer)
? z_root() . '/magic?f=&dest=' . $xchan['xchan_url'] . '&addr=' . $xchan['xchan_addr']
diff --git a/mod/connections.php b/mod/connections.php
index 0a2edb4cd..8a668ad2a 100644
--- a/mod/connections.php
+++ b/mod/connections.php
@@ -28,7 +28,7 @@ function connections_init(&$a) {
function connections_aside(&$a) {
if(x($a->data,'abook')) {
- $a->set_widget('vcard',vcard_from_xchan($a->data['abook']));
+ $a->set_widget('vcard',vcard_from_xchan($a->data['abook'],$a->get_observer()));
}
else {
$a->set_widget('follow', follow_widget());
diff --git a/mod/magic.php b/mod/magic.php
index c5aeb4c8e..d7a6674ee 100644
--- a/mod/magic.php
+++ b/mod/magic.php
@@ -85,7 +85,7 @@ function magic_init(&$a) {
dbesc('auth'),
intval($channel['channel_id']),
dbesc($token),
- dbesc($hubloc['hubloc_hash']),
+ dbesc($x[0]['hubloc_hash']),
dbesc(datetime_convert())
);
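Review bot: The value now stored in the verify row's meta column is `$x[0]['hubloc_hash']`, but `$x` is assigned outside this hunk, so it cannot be confirmed here that `$x[0]` is the hubloc selected for the destination rather than the first of several rows; magic_init begins before the hunk. The replaced `$hubloc['hubloc_hash']` reference appears to have been an undefined variable, which would have left meta empty and made the new meta comparison in mod/post.php vacuous, so this line is what actually closes the hole named in the commit title. A one-line comment would make the contract explicit: `// meta records the expected sender hubloc_hash; the auth_check handler in mod/post.php must match it against the signing sender`.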
diff --git a/mod/post.php b/mod/post.php
index 36b2e1482..8171f1065 100644
--- a/mod/post.php
+++ b/mod/post.php
@@ -44,7 +44,7 @@ function post_init(&$a) {
);
if(! $c) {
logger('mod_zot: auth: unable to find channel ' . $webbie);
- // They'll get a notice when they hit the page, we don't need two.
+ // They'll get a notice when they hit the page, we don't need two of them.
goaway($desturl);
}
@@ -70,33 +70,39 @@ function post_init(&$a) {
// check credentials and access
- // Auth packets MUST use ultra top-secret hush-hush mode
+ // If they are already authenticated and haven't changed credentials,
+ // we can save an expensive network round trip and improve performance.
- $p = zot_build_packet($c[0],$type = 'auth_check',array(array('guid' => $x[0]['hubloc_guid'],'guid_sig' => $x[0]['hubloc_guid_sig'])), $x[0]['hubloc_sitekey'], $sec);
- $result = zot_zot($x[0]['hubloc_callback'],$p);
+ $remote = remote_user();
+ $result = null;
- if($result['success']) {
+ $already_authed = ((($remote) && ($x[0]['hubloc_hash'] == $remote)) ? true : false);
+
+ if(! $already_authed) {
+ // Auth packets MUST use ultra top-secret hush-hush mode
+ $p = zot_build_packet($c[0],$type = 'auth_check',
+ array(array('guid' => $x[0]['hubloc_guid'],'guid_sig' => $x[0]['hubloc_guid_sig'])),
+ $x[0]['hubloc_sitekey'], $sec);
+ $result = zot_zot($x[0]['hubloc_callback'],$p);
+ if(! $result['success'])
+ goaway($desturl);
$j = json_decode($result['body'],true);
- if($j['result']) {
- // everything is good... maybe
- if(local_user()) {
- notice( t('Remote authentication blocked. You are logged into this site locally. Please logout and retry') . EOL);
- goaway($desturl);
- }
- // log them in
- $_SESSION['authenticated'] = 1;
- $_SESSION['visitor_id'] = $x[0]['xchan_hash'];
- $a->set_observer($x[0]);
- require_once('include/security.php');
- $a->set_groups(init_groups_visitor($_SESSION['visitor_id']));
- info(sprintf( t('Welcome %s. Remote authentication successful.'),$x[0]['xchan_name']));
- }
}
-
-
-
-
+ if($already_authed || $j['result']) {
+ // everything is good... maybe
+ if(local_user()) {
+ notice( t('Remote authentication blocked. You are logged into this site locally. Please logout and retry') . EOL);
+ goaway($desturl);
+ }
+ // log them in
+ $_SESSION['authenticated'] = 1;
+ $_SESSION['visitor_id'] = $x[0]['xchan_hash'];
+ $a->set_observer($x[0]);
+ require_once('include/security.php');
+ $a->set_groups(init_groups_visitor($_SESSION['visitor_id']));
+ info(sprintf( t('Welcome %s. Remote authentication successful.'),$x[0]['xchan_name']));
+ }
goaway($desturl);
}
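Review bot: The `$already_authed` test on line 114 compares `$x[0]['hubloc_hash'] == $remote` with loose equality, and it is the only check that lets a request skip the signed auth_check round trip, so it should be a strict comparison of the two hashes: `$already_authed = (($remote) && hash_equals((string) $x[0]['hubloc_hash'], (string) $remote));` (or `===` where hash_equals() is unavailable). The session is later populated with `$x[0]['xchan_hash']` on line 152, so unless remote_user() (defined outside this hunk) returns the hubloc_hash the comparison may never match and the shortcut is dead code; worth confirming. The `? true : false` wrapper and the `$result = null` initialisation are redundant, since `$result` is only read inside the `if(! $already_authed)` branch. post_init's signature is outside the hunk.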
@@ -274,13 +280,22 @@ function post_post(&$a) {
$arr = $data['sender'];
$sender_hash = base64url_encode(hash('whirlpool',$arr['guid'] . $arr['guid_sig'], true));
+ // garbage collect any old unused notifications
+ q("delete from verify where type = 'auth' and created < UTC_TIMESTAMP() - INTERVAL 10 MINUTE");
+
$y = q("select xchan_pubkey from xchan where xchan_hash = '%s' limit 1",
dbesc($sender_hash)
);
+ // We created a unique hash in mod/magic.php when we invoked remote auth, and stored it in
+ // the verify table. It is now coming back to us as 'secret' and is signed by the other site.
+ // First verify their signature.
+
if((! $y) || (! rsa_verify($data['secret'],base64url_decode($data['secret_sig']),$y[0]['xchan_pubkey']))) {
logger('mod_zot: auth_check: sender not found or secret_sig invalid.');
json_return_and_die($ret);
}
+
+ // There should be exactly one recipient
if($data['recipients']) {
$arr = $data['recipients'][0];
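Review bot: The new comment on line 178 says there should be exactly one recipient, but the code only tests truthiness and takes `[0]`, and `$data['secret']`/`$data['secret_sig']` on line 173 are read from the decoded request with no existence check, so a malformed packet raises notices before the logger line. If one recipient really is the contract, make the comment and the code agree: `if(is_array($data['recipients']) && count($data['recipients']) === 1) {`, and guard the secret fields with `isset()` before calling rsa_verify(). The garbage-collection delete on line 164 runs on every auth_check post before any signature is checked; it is cheap, but it is an unauthenticated write and could equally sit after the verification. post_post's body continues past the hunk.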
@@ -292,9 +307,14 @@ function post_post(&$a) {
logger('mod_zot: auth_check: recipient channel not found.');
json_return_and_die($ret);
}
- $z = q("select id from verify where channel = %d and type = 'auth' and token = '%s' limit 1",
+
+ // This additionally checks for forged senders since we already stored the expected result in meta
+ // and we've already verified that this is them via zot_gethub() and that their key signed our token
+
+ $z = q("select id from verify where channel = %d and type = 'auth' and token = '%s' and meta = '%s' limit 1",
intval($c[0]['channel_id']),
- dbesc($data['secret'])
+ dbesc($data['secret']),
+ dbesc($sender_hash)
);
if(! $z) {
logger('mod_zot: auth_check: verification key not found.');
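Review bot: The verify row matched by the new query on line 190 is only selected; nothing in this hunk deletes or marks it consumed after a successful check, and the garbage collection in the earlier hunk keeps rows alive for 10 minutes, so if the row is not removed further down (outside the hunk) a captured auth_check could be replayed within that window. Consider deleting by id as soon as it matches: `q("delete from verify where id = %d limit 1", intval($z[0]['id']));`. Binding `meta` to `$sender_hash` is the right fix for forged senders; the comment above the query could also say that `$sender_hash` was derived from the `guid`/`guid_sig` whose signature was verified on line 173. post_post's body continues past the hunk.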
diff --git a/version.inc b/version.inc
index 2e853b2e6..e0fd2ec91 100644
--- a/version.inc
+++ b/version.inc
@@ -1 +1 @@
-2013-01-22.208
+2013-01-23.209
diff --git a/view/tpl/smarty3/jot-header.tpl b/view/tpl/smarty3/jot-header.tpl
index 26c8f2a86..754597c14 100644
--- a/view/tpl/smarty3/jot-header.tpl
+++ b/view/tpl/smarty3/jot-header.tpl
@@ -134,7 +134,7 @@ function enableOnUser(){
var uploader = new window.AjaxUpload(
'wall-image-upload',
- { action: 'wall_upload/{{$nickname}}',
+ { action: '{{$baseurl}}/wall_upload/{{$nickname}}',
name: 'userfile',
onSubmit: function(file,ext) { $('#profile-rotator').show(); },
onComplete: function(file,response) {
@@ -145,7 +145,7 @@ function enableOnUser(){
);
var file_uploader = new window.AjaxUpload(
'wall-file-upload',
- { action: 'wall_attach/{{$nickname}}',
+ { action: '{{$baseurl}}/wall_attach/{{$nickname}}',
name: 'userfile',
onSubmit: function(file,ext) { $('#profile-rotator').show(); },
onComplete: function(file,response) {
@@ -181,7 +181,7 @@ function enableOnUser(){
if(reply && reply.length) {
reply = bin2hex(reply);
$('#profile-rotator').show();
- $.get('parse_url?binurl=' + reply, function(data) {
+ $.get('{{$baseurl}}/parse_url?binurl=' + reply, function(data) {
addeditortext(data);
$('#profile-rotator').hide();
});
@@ -214,7 +214,7 @@ function enableOnUser(){
if ($('#jot-popup').length != 0) $('#jot-popup').show();
$('#like-rotator-' + id).show();
- $.get('share/' + id, function(data) {
+ $.get('{{$baseurl}}/share/' + id, function(data) {
if (!editor) $("#profile-jot-text").val("");
initEditor(function(){
addeditortext(data);
@@ -238,7 +238,7 @@ function enableOnUser(){
if(reply && reply.length) {
reply = bin2hex(reply);
$('#profile-rotator').show();
- $.get('parse_url?binurl=' + reply, function(data) {
+ $.get('{{$baseurl}}/parse_url?binurl=' + reply, function(data) {
if (!editor) $("#profile-jot-text").val("");
initEditor(function(){
addeditortext(data);
@@ -257,7 +257,7 @@ function enableOnUser(){
commentBusy = true;
$('body').css('cursor', 'wait');
- $.get('tagger/' + id + '?term=' + reply);
+ $.get('{{$baseurl}}/tagger/' + id + '?term=' + reply);
if(timer) clearTimeout(timer);
timer = setTimeout(NavUpdate,3000);
liking = 1;
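Review bot: In the tagger request on line 256, `reply` is still appended to the query string raw, and the filer request on line 265 does the same; `reply` is assigned outside these hunks and, unlike the parse_url hunks, is not hex-encoded first, so a `&`, `#` or `%` in the value would change or break the request. Prefixing `{{$baseurl}}` does not change that; use `'{{$baseurl}}/tagger/' + id + '?term=' + encodeURIComponent(reply)` and the same form for filer. The parse_url and share calls are fine as written. enableOnUser() starts before these hunks.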
@@ -284,7 +284,7 @@ function enableOnUser(){
if(reply && reply.length) {
commentBusy = true;
$('body').css('cursor', 'wait');
- $.get('filer/' + id + '?term=' + reply, NavUpdate);
+ $.get('{{$baseurl}}/filer/' + id + '?term=' + reply, NavUpdate);
// if(timer) clearTimeout(timer);
// timer = setTimeout(NavUpdate,3000);
liking = 1;
diff --git a/view/tpl/smarty3/xchan_vcard.tpl b/view/tpl/smarty3/xchan_vcard.tpl
index 5d754356f..3dabdad95 100644
--- a/view/tpl/smarty3/xchan_vcard.tpl
+++ b/view/tpl/smarty3/xchan_vcard.tpl
@@ -10,6 +10,11 @@
{{if $connect}}
<li><a id="follow-link" href="follow?f=&url={{$follow}}">{{$connect}}</a></li>
{{/if}}
+{{if $newwin}}
+ <li><a id="visit-chan-link" href="{{$url}}" title="{{$newtit}}" target="_blank" >{{$newwin}}</a></li>
+{{/if}}
</ul>
+
+
</div>
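Review bot: The new link on line 278 writes `{{$url}}` straight into an href, and the non-Smarty template in the next section does the same with `$url` on line 293; `$url` is built in include/Contact.php from the xchan row's `xchan_url`/`xchan_addr` and contains `&` query separators, so unless the template engine is configured to escape output here (not visible on this page) the value should be attribute-escaped, e.g. `href="{{$url|escape:'html'}}"` in the Smarty3 version and the equivalent in the other. The two trailing blank lines added before `</div>` in both templates look unintended.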
diff --git a/view/tpl/xchan_vcard.tpl b/view/tpl/xchan_vcard.tpl
index 4e3f69b0c..f0b623927 100644
--- a/view/tpl/xchan_vcard.tpl
+++ b/view/tpl/xchan_vcard.tpl
@@ -10,6 +10,11 @@
{{ if $connect }}
<li><a id="follow-link" href="follow?f=&url=$follow">$connect</a></li>
{{ endif }}
+{{ if $newwin }}
+ <li><a id="visit-chan-link" href="$url" title="$newtit" target="_blank" >$newwin</a></li>
+{{ endif }}
</ul>
+
+
</div>