aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMario Vavti <mario@mariovavti.com>2018-07-19 09:12:33 +0200
committerMario Vavti <mario@mariovavti.com>2018-07-19 09:12:33 +0200
commitfe0e00f8f8c6b94389ee28c84dfabd80ac988ac9 (patch)
tree700ad3d11c0a1720bc776004d68fda3b3a68dddf
parentdfbdeafa39da8605c124f47d811ebca2330d9169 (diff)
parentec852b0c8d6c8e566b2a5fb279ed359630afb5ee (diff)
downloadvolse-hubzilla-fe0e00f8f8c6b94389ee28c84dfabd80ac988ac9.tar.gz
volse-hubzilla-fe0e00f8f8c6b94389ee28c84dfabd80ac988ac9.tar.bz2
volse-hubzilla-fe0e00f8f8c6b94389ee28c84dfabd80ac988ac9.zip
Merge remote-tracking branch 'mike/master' into dev
-rw-r--r--Zotlabs/Module/Magic.php6
-rw-r--r--Zotlabs/Module/Manage.php2
-rw-r--r--Zotlabs/Module/Nojs.php4
-rw-r--r--Zotlabs/Module/Rmagic.php10
-rw-r--r--Zotlabs/Web/CheckJS.php2
-rwxr-xr-xboot.php3
-rw-r--r--include/channel.php4
-rw-r--r--include/connections.php2
-rw-r--r--include/text.php4
-rw-r--r--util/typo.php16
10 files changed, 28 insertions, 25 deletions
diff --git a/Zotlabs/Module/Magic.php b/Zotlabs/Module/Magic.php
index 25c318f30..be6866592 100644
--- a/Zotlabs/Module/Magic.php
+++ b/Zotlabs/Module/Magic.php
@@ -14,15 +14,15 @@ class Magic extends \Zotlabs\Web\Controller {
logger('mod_magic: args: ' . print_r($_REQUEST,true),LOGGER_DATA);
$addr = ((x($_REQUEST,'addr')) ? $_REQUEST['addr'] : '');
+ $bdest = ((x($_REQUEST,'bdest')) ? $_REQUEST['bdest'] : '');
$dest = ((x($_REQUEST,'dest')) ? $_REQUEST['dest'] : '');
$test = ((x($_REQUEST,'test')) ? intval($_REQUEST['test']) : 0);
$rev = ((x($_REQUEST,'rev')) ? intval($_REQUEST['rev']) : 0);
$owa = ((x($_REQUEST,'owa')) ? intval($_REQUEST['owa']) : 0);
$delegate = ((x($_REQUEST,'delegate')) ? $_REQUEST['delegate'] : '');
- // Apache(?) appears to perform an htmlentities() operation on this variable
-
- $dest = html_entity_decode($dest);
+ if($bdest)
+ $dest = hex2bin($bdest);
$parsed = parse_url($dest);
if(! $parsed) {
diff --git a/Zotlabs/Module/Manage.php b/Zotlabs/Module/Manage.php
index 9c5c32294..2c88a4df0 100644
--- a/Zotlabs/Module/Manage.php
+++ b/Zotlabs/Module/Manage.php
@@ -156,7 +156,7 @@ class Manage extends \Zotlabs\Web\Controller {
if($delegates) {
for($x = 0; $x < count($delegates); $x ++) {
- $delegates[$x]['link'] = 'magic?f=&dest=' . urlencode($delegates[$x]['xchan_url'])
+ $delegates[$x]['link'] = 'magic?f=&bdest=' . bin2hex($delegates[$x]['xchan_url'])
. '&delegate=' . urlencode($delegates[$x]['xchan_addr']);
$delegates[$x]['channel_name'] = $delegates[$x]['xchan_name'];
$delegates[$x]['delegate'] = 1;
diff --git a/Zotlabs/Module/Nojs.php b/Zotlabs/Module/Nojs.php
index 6fd6d8106..5f3d80ecd 100644
--- a/Zotlabs/Module/Nojs.php
+++ b/Zotlabs/Module/Nojs.php
@@ -7,8 +7,8 @@ class Nojs extends \Zotlabs\Web\Controller {
function init() {
$n = ((argc() > 1) ? intval(argv(1)) : 1);
setcookie('jsdisabled', $n, 0, '/');
- $p = $_GET['redir'];
- $hasq = strpos($p,'?');
+ $p = hex2bin($_GET['redir']);
+ $hasq = strpbrk($p,'?&');
goaway(z_root() . (($p) ? '/' . $p : '') . (($hasq) ? '' : '?f=' ) . '&jsdisabled=' . $n);
}
diff --git a/Zotlabs/Module/Rmagic.php b/Zotlabs/Module/Rmagic.php
index bfc03f6ec..33a6689ca 100644
--- a/Zotlabs/Module/Rmagic.php
+++ b/Zotlabs/Module/Rmagic.php
@@ -17,8 +17,8 @@ class Rmagic extends \Zotlabs\Web\Controller {
if($r) {
if($r[0]['hubloc_url'] === z_root())
goaway(z_root() . '/login');
- $dest = z_root() . '/' . str_replace(['rmagic','zid='],['','zid_='],\App::$query_string);
- goaway($r[0]['hubloc_url'] . '/magic' . '?f=&owa=1&dest=' . $dest);
+ $dest = bin2hex(z_root() . '/' . str_replace(['rmagic','zid='],['','zid_='],\App::$query_string));
+ goaway($r[0]['hubloc_url'] . '/magic' . '?f=&owa=1&bdest=' . $dest);
}
}
}
@@ -59,11 +59,11 @@ class Rmagic extends \Zotlabs\Web\Controller {
if($url) {
if($_SESSION['return_url'])
- $dest = urlencode(z_root() . '/' . str_replace('zid=','zid_=',$_SESSION['return_url']));
+ $dest = bin2hex(z_root() . '/' . str_replace('zid=','zid_=',$_SESSION['return_url']));
else
- $dest = urlencode(z_root() . '/' . str_replace([ 'rmagic', 'zid=' ] ,[ '', 'zid_='],\App::$query_string));
+ $dest = bin2hex(z_root() . '/' . str_replace([ 'rmagic', 'zid=' ] ,[ '', 'zid_='],\App::$query_string));
- goaway($url . '/magic' . '?f=&owa=1&dest=' . $dest);
+ goaway($url . '/magic' . '?f=&owa=1&bdest=' . $dest);
}
}
}
diff --git a/Zotlabs/Web/CheckJS.php b/Zotlabs/Web/CheckJS.php
index 8179ceb15..c8547b6dd 100644
--- a/Zotlabs/Web/CheckJS.php
+++ b/Zotlabs/Web/CheckJS.php
@@ -18,7 +18,7 @@ class CheckJS {
$this->jsdisabled = 0;
if(! $this->jsdisabled) {
- $page = urlencode(\App::$query_string);
+ $page = bin2hex(\App::$query_string);
if($test) {
$this->jsdisabled = 1;
diff --git a/boot.php b/boot.php
index b22de22a8..3d2b95ef8 100755
--- a/boot.php
+++ b/boot.php
@@ -874,11 +874,12 @@ class App {
}
if((x($_SERVER,'QUERY_STRING')) && substr($_SERVER['QUERY_STRING'], 0, 2) === "q=") {
- self::$query_string = escape_tags(substr($_SERVER['QUERY_STRING'], 2));
+ self::$query_string = str_replace(['<','>'],['&lt;','&gt;'],substr($_SERVER['QUERY_STRING'], 2));
// removing trailing / - maybe a nginx problem
if (substr(self::$query_string, 0, 1) == "/")
self::$query_string = substr(self::$query_string, 1);
}
+
if(x($_GET,'q'))
self::$cmd = escape_tags(trim($_GET['q'],'/\\'));
diff --git a/include/channel.php b/include/channel.php
index d26056171..d7c5a2511 100644
--- a/include/channel.php
+++ b/include/channel.php
@@ -1710,9 +1710,9 @@ function zid_init() {
// try to avoid recursion - but send them home to do a proper magic auth
$query = App::$query_string;
$query = str_replace(array('?zid=','&zid='),array('?rzid=','&rzid='),$query);
- $dest = '/' . urlencode($query);
+ $dest = '/' . $query;
if($r && ($r[0]['hubloc_url'] != z_root()) && (! strstr($dest,'/magic')) && (! strstr($dest,'/rmagic'))) {
- goaway($r[0]['hubloc_url'] . '/magic' . '?f=&rev=1&owa=1&dest=' . z_root() . $dest);
+ goaway($r[0]['hubloc_url'] . '/magic' . '?f=&rev=1&owa=1&bdest=' . bin2hex(z_root() . $dest));
}
else
logger('No hubloc found.');
diff --git a/include/connections.php b/include/connections.php
index 20f7c24ff..807d07220 100644
--- a/include/connections.php
+++ b/include/connections.php
@@ -120,7 +120,7 @@ function vcard_from_xchan($xchan, $observer = null, $mode = '') {
App::$profile_uid = $xchan['channel_id'];
$url = (($observer)
- ? z_root() . '/magic?f=&owa=1&dest=' . $xchan['xchan_url'] . '&addr=' . $xchan['xchan_addr']
+ ? z_root() . '/magic?f=&owa=1&bdest=' . bin2hex($xchan['xchan_url']) . '&addr=' . $xchan['xchan_addr']
: $xchan['xchan_url']
);
diff --git a/include/text.php b/include/text.php
index 122605443..e894c5ce5 100644
--- a/include/text.php
+++ b/include/text.php
@@ -1018,7 +1018,7 @@ function chanlink_cid($d) {
function magiclink_url($observer,$myaddr,$url) {
return (($observer)
- ? z_root() . '/magic?f=&owa=1&dest=' . $url . '&addr=' . $myaddr
+ ? z_root() . '/magic?f=&owa=1&bdest=' . bin2hex($url) . '&addr=' . $myaddr
: $url
);
}
@@ -1454,7 +1454,7 @@ function theme_attachments(&$item) {
if(is_foreigner($item['author_xchan']))
$url = $r['href'];
else
- $url = z_root() . '/magic?f=&owa=1&hash=' . $item['author_xchan'] . '&dest=' . $r['href'] . '/' . $r['revision'];
+ $url = z_root() . '/magic?f=&owa=1&hash=' . $item['author_xchan'] . '&bdest=' . bin2hex($r['href'] . '/' . $r['revision']);
//$s .= '<a href="' . $url . '" title="' . $title . '" class="attachlink" >' . $icon . '</a>';
$attaches[] = array('label' => $label, 'url' => $url, 'icon' => $icon, 'title' => $title);
diff --git a/util/typo.php b/util/typo.php
index e25e57601..bed5fa5f6 100644
--- a/util/typo.php
+++ b/util/typo.php
@@ -12,25 +12,27 @@
App::init();
+ $cmd = ((x(App::$config,'system')) && (x(App::$config['system'],'php_path')) && (strlen(App::$config['system']['php_path'])) ? App::$config['system']['php_path'] : 'php') . ' -l ';
+
echo "Directory: include\n";
$files = glob('include/*.php');
foreach($files as $file) {
- echo $file . "\n";
+ echo exec($cmd . $file) . "\n";
include_once($file);
}
echo "Directory: include/dba\n";
$files = glob('include/dba/*.php');
foreach($files as $file) {
- echo $file . "\n";
+ echo exec($cmd . $file) . "\n";
include_once($file);
}
echo "Directory: include/photo\n";
$files = glob('include/photo/*.php');
foreach($files as $file) {
- echo $file . "\n";
+ echo exec($cmd . $file) . "\n";
include_once($file);
}
@@ -39,7 +41,7 @@
$files = glob('Zotlabs/*/*.php');
foreach($files as $file) {
if((strpos($file,'SiteModule') === false) || (strpos($file,'SiteWidget') === false)) {
- echo $file . "\n";
+ echo exec($cmd . $file) . "\n";
include_once($file);
}
}
@@ -47,7 +49,7 @@
echo "Directory: Zotlabs/Module (sub-modules)\n";
$files = glob('Zotlabs/Module/*/*.php');
foreach($files as $file) {
- echo $file . "\n";
+ echo exec($cmd . $file) . "\n";
include_once($file);
}
@@ -58,7 +60,7 @@
$addon = basename($dir);
$files = glob($dir . '/' . $addon . '.php');
foreach($files as $file) {
- echo $file . "\n";
+ echo exec($cmd . $file) . "\n";
include_once($file);
}
}
@@ -77,6 +79,6 @@
$files = glob('view/*/hstrings.php');
foreach($files as $file) {
- echo $file . "\n";
+ echo exec($cmd . $file) . "\n";
passthru($phpath . ' util/typohelper.php ' . $file);
}