diff options
author | friendica <info@friendica.com> | 2013-01-23 16:06:01 -0800 |
---|---|---|
committer | friendica <info@friendica.com> | 2013-01-23 16:06:01 -0800 |
commit | f63997f61877bf03b9c85cbfaa00b8300c8cb770 (patch) | |
tree | a6757907fbf13668e7e7d92cd66c241bd882c964 | |
parent | 0b18dd15c5377da121f0fb781c0530ca0d328eb9 (diff) | |
download | volse-hubzilla-f63997f61877bf03b9c85cbfaa00b8300c8cb770.tar.gz volse-hubzilla-f63997f61877bf03b9c85cbfaa00b8300c8cb770.tar.bz2 volse-hubzilla-f63997f61877bf03b9c85cbfaa00b8300c8cb770.zip |
plug potential hole in magic auth, add link to chanview to view in dedicated window
-rw-r--r-- | include/Contact.php | 14 | ||||
-rw-r--r-- | mod/chanview.php | 2 | ||||
-rw-r--r-- | mod/connections.php | 2 | ||||
-rw-r--r-- | mod/magic.php | 2 | ||||
-rw-r--r-- | mod/post.php | 70 | ||||
-rw-r--r-- | version.inc | 2 | ||||
-rw-r--r-- | view/tpl/smarty3/jot-header.tpl | 14 | ||||
-rw-r--r-- | view/tpl/smarty3/xchan_vcard.tpl | 5 | ||||
-rw-r--r-- | view/tpl/xchan_vcard.tpl | 5 |
9 files changed, 77 insertions, 39 deletions
diff --git a/include/Contact.php b/include/Contact.php index 14332c417..a2303803c 100644 --- a/include/Contact.php +++ b/include/Contact.php @@ -1,7 +1,7 @@ <?php -function vcard_from_xchan($xchan) { +function vcard_from_xchan($xchan, $observer = null, $mode = '') { $connect = false; if(local_user()) { @@ -12,12 +12,20 @@ function vcard_from_xchan($xchan) { if(! $r) $connect = t('Connect'); } - + + $url = (($observer) + ? z_root() . '/magic?f=&dest=' . $xchan['xchan_url'] . '&addr=' . $xchan['xchan_addr'] + : $xchan['xchan_url'] + ); + return replace_macros(get_markup_template('xchan_vcard.tpl'),array( '$name' => $xchan['xchan_name'], '$photo' => $xchan['xchan_photo_l'], '$follow' => $xchan['xchan_addr'], - '$connect' => $connect + '$connect' => $connect, + '$newwin' => (($mode === 'chanview') ? t('New window') : ''), + '$newtit' => t('Open the selected location in a different window or browser tab'), + '$url' => $url, )); } diff --git a/mod/chanview.php b/mod/chanview.php index 92ed757f9..b01eab869 100644 --- a/mod/chanview.php +++ b/mod/chanview.php @@ -76,7 +76,7 @@ function chanview_content(&$a) { } if($xchan['xchan_hash']) - $a->set_widget('vcard',vcard_from_xchan($xchan)); + $a->set_widget('vcard',vcard_from_xchan($xchan,$observer,'chanview')); $url = (($observer) ? z_root() . '/magic?f=&dest=' . $xchan['xchan_url'] . '&addr=' . $xchan['xchan_addr'] diff --git a/mod/connections.php b/mod/connections.php index 0a2edb4cd..8a668ad2a 100644 --- a/mod/connections.php +++ b/mod/connections.php @@ -28,7 +28,7 @@ function connections_init(&$a) { function connections_aside(&$a) { if(x($a->data,'abook')) { - $a->set_widget('vcard',vcard_from_xchan($a->data['abook'])); + $a->set_widget('vcard',vcard_from_xchan($a->data['abook'],$a->get_observer())); } else { $a->set_widget('follow', follow_widget()); diff --git a/mod/magic.php b/mod/magic.php index c5aeb4c8e..d7a6674ee 100644 --- a/mod/magic.php +++ b/mod/magic.php @@ -85,7 +85,7 @@ function magic_init(&$a) { dbesc('auth'), intval($channel['channel_id']), dbesc($token), - dbesc($hubloc['hubloc_hash']), + dbesc($x[0]['hubloc_hash']), dbesc(datetime_convert()) ); diff --git a/mod/post.php b/mod/post.php index 36b2e1482..8171f1065 100644 --- a/mod/post.php +++ b/mod/post.php @@ -44,7 +44,7 @@ function post_init(&$a) { ); if(! $c) { logger('mod_zot: auth: unable to find channel ' . $webbie); - // They'll get a notice when they hit the page, we don't need two. + // They'll get a notice when they hit the page, we don't need two of them. goaway($desturl); } @@ -70,33 +70,39 @@ function post_init(&$a) { // check credentials and access - // Auth packets MUST use ultra top-secret hush-hush mode + // If they are already authenticated and haven't changed credentials, + // we can save an expensive network round trip and improve performance. - $p = zot_build_packet($c[0],$type = 'auth_check',array(array('guid' => $x[0]['hubloc_guid'],'guid_sig' => $x[0]['hubloc_guid_sig'])), $x[0]['hubloc_sitekey'], $sec); - $result = zot_zot($x[0]['hubloc_callback'],$p); + $remote = remote_user(); + $result = null; - if($result['success']) { + $already_authed = ((($remote) && ($x[0]['hubloc_hash'] == $remote)) ? true : false); + + if(! $already_authed) { + // Auth packets MUST use ultra top-secret hush-hush mode + $p = zot_build_packet($c[0],$type = 'auth_check', + array(array('guid' => $x[0]['hubloc_guid'],'guid_sig' => $x[0]['hubloc_guid_sig'])), + $x[0]['hubloc_sitekey'], $sec); + $result = zot_zot($x[0]['hubloc_callback'],$p); + if(! $result['success']) + goaway($desturl); $j = json_decode($result['body'],true); - if($j['result']) { - // everything is good... maybe - if(local_user()) { - notice( t('Remote authentication blocked. You are logged into this site locally. Please logout and retry') . EOL); - goaway($desturl); - } - // log them in - $_SESSION['authenticated'] = 1; - $_SESSION['visitor_id'] = $x[0]['xchan_hash']; - $a->set_observer($x[0]); - require_once('include/security.php'); - $a->set_groups(init_groups_visitor($_SESSION['visitor_id'])); - info(sprintf( t('Welcome %s. Remote authentication successful.'),$x[0]['xchan_name'])); - } } - - - - + if($already_authed || $j['result']) { + // everything is good... maybe + if(local_user()) { + notice( t('Remote authentication blocked. You are logged into this site locally. Please logout and retry') . EOL); + goaway($desturl); + } + // log them in + $_SESSION['authenticated'] = 1; + $_SESSION['visitor_id'] = $x[0]['xchan_hash']; + $a->set_observer($x[0]); + require_once('include/security.php'); + $a->set_groups(init_groups_visitor($_SESSION['visitor_id'])); + info(sprintf( t('Welcome %s. Remote authentication successful.'),$x[0]['xchan_name'])); + } goaway($desturl); } @@ -274,13 +280,22 @@ function post_post(&$a) { $arr = $data['sender']; $sender_hash = base64url_encode(hash('whirlpool',$arr['guid'] . $arr['guid_sig'], true)); + // garbage collect any old unused notifications + q("delete from verify where type = 'auth' and created < UTC_TIMESTAMP() - INTERVAL 10 MINUTE"); + $y = q("select xchan_pubkey from xchan where xchan_hash = '%s' limit 1", dbesc($sender_hash) ); + // We created a unique hash in mod/magic.php when we invoked remote auth, and stored it in + // the verify table. It is now coming back to us as 'secret' and is signed by the other site. + // First verify their signature. + if((! $y) || (! rsa_verify($data['secret'],base64url_decode($data['secret_sig']),$y[0]['xchan_pubkey']))) { logger('mod_zot: auth_check: sender not found or secret_sig invalid.'); json_return_and_die($ret); } + + // There should be exactly one recipient if($data['recipients']) { $arr = $data['recipients'][0]; @@ -292,9 +307,14 @@ function post_post(&$a) { logger('mod_zot: auth_check: recipient channel not found.'); json_return_and_die($ret); } - $z = q("select id from verify where channel = %d and type = 'auth' and token = '%s' limit 1", + + // This additionally checks for forged senders since we already stored the expected result in meta + // and we've already verified that this is them via zot_gethub() and that their key signed our token + + $z = q("select id from verify where channel = %d and type = 'auth' and token = '%s' and meta = '%s' limit 1", intval($c[0]['channel_id']), - dbesc($data['secret']) + dbesc($data['secret']), + dbesc($sender_hash) ); if(! $z) { logger('mod_zot: auth_check: verification key not found.'); diff --git a/version.inc b/version.inc index 2e853b2e6..e0fd2ec91 100644 --- a/version.inc +++ b/version.inc @@ -1 +1 @@ -2013-01-22.208 +2013-01-23.209 diff --git a/view/tpl/smarty3/jot-header.tpl b/view/tpl/smarty3/jot-header.tpl index 26c8f2a86..754597c14 100644 --- a/view/tpl/smarty3/jot-header.tpl +++ b/view/tpl/smarty3/jot-header.tpl @@ -134,7 +134,7 @@ function enableOnUser(){ var uploader = new window.AjaxUpload( 'wall-image-upload', - { action: 'wall_upload/{{$nickname}}', + { action: '{{$baseurl}}/wall_upload/{{$nickname}}', name: 'userfile', onSubmit: function(file,ext) { $('#profile-rotator').show(); }, onComplete: function(file,response) { @@ -145,7 +145,7 @@ function enableOnUser(){ ); var file_uploader = new window.AjaxUpload( 'wall-file-upload', - { action: 'wall_attach/{{$nickname}}', + { action: '{{$baseurl}}/wall_attach/{{$nickname}}', name: 'userfile', onSubmit: function(file,ext) { $('#profile-rotator').show(); }, onComplete: function(file,response) { @@ -181,7 +181,7 @@ function enableOnUser(){ if(reply && reply.length) { reply = bin2hex(reply); $('#profile-rotator').show(); - $.get('parse_url?binurl=' + reply, function(data) { + $.get('{{$baseurl}}/parse_url?binurl=' + reply, function(data) { addeditortext(data); $('#profile-rotator').hide(); }); @@ -214,7 +214,7 @@ function enableOnUser(){ if ($('#jot-popup').length != 0) $('#jot-popup').show(); $('#like-rotator-' + id).show(); - $.get('share/' + id, function(data) { + $.get('{{$baseurl}}/share/' + id, function(data) { if (!editor) $("#profile-jot-text").val(""); initEditor(function(){ addeditortext(data); @@ -238,7 +238,7 @@ function enableOnUser(){ if(reply && reply.length) { reply = bin2hex(reply); $('#profile-rotator').show(); - $.get('parse_url?binurl=' + reply, function(data) { + $.get('{{$baseurl}}/parse_url?binurl=' + reply, function(data) { if (!editor) $("#profile-jot-text").val(""); initEditor(function(){ addeditortext(data); @@ -257,7 +257,7 @@ function enableOnUser(){ commentBusy = true; $('body').css('cursor', 'wait'); - $.get('tagger/' + id + '?term=' + reply); + $.get('{{$baseurl}}/tagger/' + id + '?term=' + reply); if(timer) clearTimeout(timer); timer = setTimeout(NavUpdate,3000); liking = 1; @@ -284,7 +284,7 @@ function enableOnUser(){ if(reply && reply.length) { commentBusy = true; $('body').css('cursor', 'wait'); - $.get('filer/' + id + '?term=' + reply, NavUpdate); + $.get('{{$baseurl}}/filer/' + id + '?term=' + reply, NavUpdate); // if(timer) clearTimeout(timer); // timer = setTimeout(NavUpdate,3000); liking = 1; diff --git a/view/tpl/smarty3/xchan_vcard.tpl b/view/tpl/smarty3/xchan_vcard.tpl index 5d754356f..3dabdad95 100644 --- a/view/tpl/smarty3/xchan_vcard.tpl +++ b/view/tpl/smarty3/xchan_vcard.tpl @@ -10,6 +10,11 @@ {{if $connect}} <li><a id="follow-link" href="follow?f=&url={{$follow}}">{{$connect}}</a></li> {{/if}} +{{if $newwin}} + <li><a id="visit-chan-link" href="{{$url}}" title="{{$newtit}}" target="_blank" >{{$newwin}}</a></li> +{{/if}} </ul> + + </div> diff --git a/view/tpl/xchan_vcard.tpl b/view/tpl/xchan_vcard.tpl index 4e3f69b0c..f0b623927 100644 --- a/view/tpl/xchan_vcard.tpl +++ b/view/tpl/xchan_vcard.tpl @@ -10,6 +10,11 @@ {{ if $connect }} <li><a id="follow-link" href="follow?f=&url=$follow">$connect</a></li> {{ endif }} +{{ if $newwin }} + <li><a id="visit-chan-link" href="$url" title="$newtit" target="_blank" >$newwin</a></li> +{{ endif }} </ul> + + </div> |