authorredmatrix <git@macgirvin.com>2016-01-16 14:00:22 -0800
committerredmatrix <git@macgirvin.com>2016-01-16 14:00:22 -0800
commit110ef6201e0a3731967a662afed1606b7077d0b0 (patch)
treeab940bb7e966d94520bc5bf5fe74ff0b5dd0f938
parentf66c6bfebfd48274c9b29cd62b1fac933c6530e4 (diff)
downloadvolse-hubzilla-110ef6201e0a3731967a662afed1606b7077d0b0.tar.gz
volse-hubzilla-110ef6201e0a3731967a662afed1606b7077d0b0.tar.bz2
volse-hubzilla-110ef6201e0a3731967a662afed1606b7077d0b0.zip
add $deliver flag to item_store() and item_store_update() [default true]. If false, do not send any notifications or process tag_deliver. This should avoid any network activity from happening as the result of a channel (actually item) import. Other minor fixes in the handling of the $allow_exec flag and further protecting CSS passed to widgets from rogue code and XSS.
-rw-r--r--include/features.php2
-rw-r--r--include/import.php7
-rwxr-xr-xinclude/items.php12
-rw-r--r--include/widgets.php8
-rw-r--r--mod/import_items.php6
-rw-r--r--mod/item.php2
-rw-r--r--version.inc2
7 files changed, 18 insertions, 21 deletions
diff --git a/include/features.php b/include/features.php
index 3cbbf5b7d..ffa8bf8ca 100644
--- a/include/features.php
+++ b/include/features.php
@@ -75,7 +75,7 @@ function get_features($filtered = true) {
'net_module' => array(
t('Network and Stream Filtering'),
array('archives', t('Search by Date'), t('Ability to select posts by date ranges'),false,get_config('feature_lock','archives')),
- array('groups', t('Collections Filter'), t('Enable widget to display Network posts only from selected collections'),false,get_config('feature_lock','groups')),
+ array('groups', t('Collections (Privacy Groups)'), t('Enable widget to display Network posts only from selected collections'),false,get_config('feature_lock','groups')),
array('savedsearch', t('Saved Searches'), t('Save search terms for re-use'),false,get_config('feature_lock','savedsearch')),
array('personal_tab', t('Network Personal Tab'), t('Enable tab to display only Network posts that you\'ve interacted on'),false,get_config('feature_lock','personal_tab')),
array('new_tab', t('Network New Tab'), t('Enable tab to display all new Network activity'),false,get_config('feature_lock','new_tab')),
diff --git a/include/import.php b/include/import.php
index ffaea6c1a..e208c3b00 100644
--- a/include/import.php
+++ b/include/import.php
@@ -496,6 +496,8 @@ function import_items($channel,$items) {
}
}
+ $deliver = false; // Don't deliver any messages or notifications when importing
+
foreach($items as $i) {
$item = get_item_elements($i,$allow_code);
if(! $item)
@@ -509,16 +511,15 @@ function import_items($channel,$items) {
if($item['edited'] > $r[0]['edited']) {
$item['id'] = $r[0]['id'];
$item['uid'] = $channel['channel_id'];
- item_store_update($item);
+ item_store_update($item,$allow_code,$deliver);
continue;
}
}
else {
$item['aid'] = $channel['channel_account_id'];
$item['uid'] = $channel['channel_id'];
- $item_result = item_store($item);
+ $item_result = item_store($item,$allow_code,$deliver);
}
-
}
}
}
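Review bot: The result of `$item_result = item_store($item,$allow_code,$deliver);` is captured but, within this hunk, never inspected, so an item that fails to store during import is dropped silently and the importer reports nothing. A one-line check such as `if(! $item_result['success']) logger('import_items: item_store failed');` would at least leave a trace. Note also that `$allow_code` is now forwarded as item_store()'s `$allow_exec`, so whatever sets `$allow_code` earlier in import_items() (outside this hunk) is the only gate on imported executable content. The function starts before this hunk.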
diff --git a/include/items.php b/include/items.php
index 44f9633a9..0e16f7b8a 100755
--- a/include/items.php
+++ b/include/items.php
@@ -2160,7 +2160,7 @@ function encode_rel_links($links) {
* * \e boolean \b success
* * \e int \b item_id
*/
-function item_store($arr, $allow_exec = false) {
+function item_store($arr, $allow_exec = false, $deliver = true) {
$d = array('item' => $arr, 'allow_exec' => $allow_exec);
call_hooks('item_store', $d );
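Review bot: The new `$deliver` parameter is neither documented in the docblock directly above item_store() (its visible tail lists only the return fields) nor added to the `$d` array handed to the `item_store` hook, so a plugin acting on that hook cannot tell this is a silent import and may still notify or deliver on its own. Add `* @param boolean $deliver  send notifications and run tag_deliver() after the store (default true; false during channel/item import)` to the docblock and pass the flag through: `$d = array('item' => $arr, 'allow_exec' => $allow_exec, 'deliver' => $deliver);`. The same two points apply to item_store_update() in the hunks below. item_store()'s body continues well past this hunk.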
@@ -2537,7 +2537,7 @@ function item_store($arr, $allow_exec = false) {
// so that we have an item in the DB that's marked deleted and won't store a fresh post
// that isn't aware that we were already told to delete it.
- if(! intval($arr['item_deleted'])) {
+ if(($deliver) && (! intval($arr['item_deleted']))) {
send_status_notifications($current_post,$arr);
tag_deliver($arr['uid'],$current_post);
}
@@ -2550,7 +2550,7 @@ function item_store($arr, $allow_exec = false) {
-function item_store_update($arr,$allow_exec = false) {
+function item_store_update($arr,$allow_exec = false, $deliver = true) {
$d = array('item' => $arr, 'allow_exec' => $allow_exec);
call_hooks('item_store_update', $d );
@@ -2780,9 +2780,11 @@ function item_store_update($arr,$allow_exec = false) {
call_hooks('post_remote_update_end',$arr);
- send_status_notifications($orig_post_id,$arr);
+ if($deliver) {
+ send_status_notifications($orig_post_id,$arr);
+ tag_deliver($uid,$orig_post_id);
+ }
- tag_deliver($uid,$orig_post_id);
$ret['success'] = true;
$ret['item_id'] = $orig_post_id;
diff --git a/include/widgets.php b/include/widgets.php
index 7021ef49d..60605cb51 100644
--- a/include/widgets.php
+++ b/include/widgets.php
@@ -915,8 +915,8 @@ function widget_photo($arr) {
// ensure they can't sneak in an eval(js) function
- if(strpos($style,'(') !== false)
- return '';
+ if(strpbrk($style,'(\'"<>') !== false)
+ $style = '';
if(array_key_exists('zrl', $arr) && isset($arr['zrl']))
$zrl = (($arr['zrl']) ? true : false);
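Review bot: The guard on `$style` is still a character denylist, and a `(` can reach the CSS engine without ever appearing in the string: CSS backslash escapes (`\28` is `(`) have been honoured by lenient engines in `expression\28...\29`-style payloads, and if the value is emitted into a `style="..."` attribute without HTML escaping (not visible here) an entity such as `&#40;` is decoded before the CSS parser runs. An allowlist is the safer shape, e.g. `if(preg_match('/[^\w\s:;#%.,\/-]/', $style)) $style = '';`, which rejects backslash, parentheses, quotes and angle brackets in one rule at the cost of dropping styles that use `!important`. Where `$style` is read from is outside this hunk; widget_photo() starts before it.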
@@ -956,8 +956,8 @@ function widget_cover_photo($arr) {
// ensure they can't sneak in an eval(js) function
- if(strpos($style,'(') !== false)
- return '';
+ if(strpbrk($style,'(\'"<>') !== false)
+ $style = '';
$c = get_cover_photo($channel_id,'html');
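Review bot: This is the second verbatim copy of the `strpbrk($style,'(\'"<>')` guard in this file (widget_photo() carries the first), so any future tightening has to be made in two places; a small shared helper such as `function sanitise_widget_style($style) { return (strpbrk($style,'(\'"<>') === false) ? $style : ''; }` would keep both widgets on one rule. The switch from `return ''` to `$style = ''` also changes behaviour — the cover photo now renders unstyled instead of the widget disappearing — and deserves a line saying so: `// drop the style but still render the widget`. widget_cover_photo() starts before this hunk.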
diff --git a/mod/import_items.php b/mod/import_items.php
index 6b97939c9..f369ad780 100644
--- a/mod/import_items.php
+++ b/mod/import_items.php
@@ -86,14 +86,11 @@ function import_items_post(&$a) {
$channel = $a->get_channel();
- $saved_notification_flags = notifications_off($channel['channel_id']);
if(array_key_exists('item',$data) && $data['item']) {
import_items($channel,$data['item']);
}
- notifications_on($channel['channel_id'],$saved_notification_flags);
-
if(array_key_exists('item_id',$data) && $data['item_id']) {
import_item_ids($channel,$data['item_id']);
}
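Review bot: With the notifications_off()/notifications_on() wrapper removed, suppression of outbound activity now rests entirely on import_items() passing `$deliver = false` into item_store(), and the `import_item_ids($channel,$data['item_id']);` call that follows is not covered by that flag; whether it stores anything that can notify or deliver is not visible here, so it is worth confirming before relying on the commit message's "no network activity" claim. On the plus side, the removed wrapper had no finally-style restore, so a fatal error mid-import would have left notifications switched off; the flag-based approach has no such failure mode. import_items_post() continues past this hunk.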
@@ -107,9 +104,6 @@ function import_items_post(&$a) {
function import_items_content(&$a) {
-
-
-
if(! local_channel()) {
notice( t('Permission denied') . EOL);
return login();
diff --git a/mod/item.php b/mod/item.php
index b6d00e030..f100c9dfe 100644
--- a/mod/item.php
+++ b/mod/item.php
@@ -446,7 +446,7 @@ function item_post(&$a) {
$execflag = false;
- if($mimetype === 'application/x-php') {
+ if($mimetype !== 'text/bbcode') {
$z = q("select account_id, account_roles, channel_pageflags from account left join channel on channel_account_id = account_id where channel_id = %d limit 1",
intval($profile_uid)
);
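Review bot: The widened condition `if($mimetype !== 'text/bbcode')` needs a comment, because the reason every content type other than bbcode (not just application/x-php) now goes through the account-role lookup is not evident from the line; something like `// presumably only bbcode is filtered on render, so any other mimetype requires the account-role check below before $execflag may be set` would do, with the "presumably" resolved by whoever knows the rendering path. Note that an unset or empty `$mimetype` now also takes the check path, which is the fail-safe direction. Where `$mimetype` is derived is outside this hunk, and item_post() continues past it.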
diff --git a/version.inc b/version.inc
index e854f1c97..4c4d3ae66 100644
--- a/version.inc
+++ b/version.inc
@@ -1 +1 @@
-2016-01-15.1279H
+2016-01-16.1280H