author | Mario <mario@mariovavti.com> | 2023-12-20 12:20:04 +0000 |
---|---|---|
committer | Mario <mario@mariovavti.com> | 2023-12-20 12:20:04 +0000 |
commit | c0d93bbcf4d7ed0d7aa363f3a748c742d5dbfdef (patch) | |
tree | 024ac55e51ca55f29bfa57137a9ae8a9292cc342 | |
parent | d372daff6029fe2453bc28330139eb873827b5ef (diff) | |
parent | db941e70076a7fd5652946a5904652c6e6a2a77a (diff) | |
Merge branch 'dev'
-rw-r--r-- | CHANGELOG | 5 | ||||
-rw-r--r-- | Zotlabs/Lib/Config.php | 46 | ||||
-rw-r--r-- | Zotlabs/Module/Siteinfo.php | 2 | ||||
-rw-r--r-- | boot.php | 2 | ||||
-rw-r--r-- | tests/unit/Lib/ConfigTest.php | 61 | ||||
-rw-r--r-- | view/tpl/siteinfo.tpl | 20 |
6 files changed, 122 insertions, 14 deletions
@@ -1,3 +1,8 @@ +Hubzilla 8.8.4 (2023-12-20) + - Fix regression introduced in version 8.8.3 + - Add active addons and blocked sites to siteinfo + + Hubzilla 8.8.3 (2023-12-17) - Check return from Config::Load() and retry on failure - Libzot::import() do not prozess items where we could not fetch the author diff --git a/Zotlabs/Lib/Config.php b/Zotlabs/Lib/Config.php index c00b8efb6..267543963 100644 --- a/Zotlabs/Lib/Config.php +++ b/Zotlabs/Lib/Config.php @@ -20,15 +20,23 @@ class Config { if(! array_key_exists('config_loaded', \App::$config[$family])) { $r = q("SELECT * FROM config WHERE cat = '%s'", dbesc($family)); - if($r !== false) { - if($r) { - foreach($r as $rr) { - $k = $rr['k']; - \App::$config[$family][$k] = $rr['v']; - } + if ($r === false && !App::$install) { + sleep(3); + $recursionCounter ++; + if ($recursionCounter > 10) { + system_unavailable(); } \App::$config[$family]['config_loaded'] = true; } + elseif (is_array($r)) { + foreach ($r as $rr) { + $k = $rr['k']; + App::$config[$family][$k] = $rr['v']; + } + App::$config[$family]['config_loaded'] = true; + } + + } } @@ -48,7 +56,7 @@ class Config { */ static public function Set($family, $key, $value) { // manage array value - $dbvalue = ((is_array($value)) ? serialize($value) : $value); + $dbvalue = ((is_array($value)) ? 'json:' . json_encode($value) : $value); $dbvalue = ((is_bool($dbvalue)) ? intval($dbvalue) : $dbvalue); if(self::Get($family, $key) === false || (! self::get_from_storage($family, $key))) { 
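Review bot: In the new `$r === false && !App::$install` branch of Load() the retry announced in the 8.8.3 changelog is not visible: as rendered here the branch sleeps, increments `$recursionCounter`, calls `system_unavailable()` after more than 10 attempts, and otherwise falls through to the kept context line `\App::$config[$family]['config_loaded'] = true;`, which caches an empty family after a failed query so every later `Get()` in the request silently returns its default. If the collapsed rendering dropped a `self::Load($family, $recursionCounter);` line this is moot; otherwise the failure branch must re-enter Load and must not mark the family as loaded. Independently, up to ten `sleep(3)` calls block a web request for 30 s before `system_unavailable()` kills it, so a shorter bounded backoff (or failing fast when `$recursionCounter` is already above a small limit) would surface the outage sooner. The `$recursionCounter` parameter and the function signature are outside the hunk.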
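Review bot: On the new `$dbvalue` line in Set(), `json_encode($value)` returns `false` on failure (for example invalid UTF-8 in a value), and the concatenation turns that into the bare string `'json:'`, which will be stored and later decoded as `null` instead of the array. Check the encode result before storing, e.g. `$encoded = json_encode($value, JSON_UNESCAPED_SLASHES | JSON_UNESCAPED_UNICODE);` followed by `if ($encoded === false) { logger('Config::Set: json_encode failed for ' . $family . '.' . $key); return false; }` — adjust the failure return to whatever Set() returns today, which is outside the hunk. The `json:` prefix is also a sentinel that Get() applies to every string value, so a plain string legitimately starting with `json:` would be decoded on read; either reject such strings here or document the reserved prefix in the Set() docblock. The insert/update logic of Set() continues outside the hunk.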
@@ -96,18 +104,30 @@ class Config { * @param string $default (optional) default false * @return mixed Return value or false on error or if not set */ - static public function Get($family, $key, $default = false) { - if((! array_key_exists($family, \App::$config)) || (! array_key_exists('config_loaded', \App::$config[$family]))) + public static function Get($family, $key, $default = false) { + + if ((! array_key_exists($family, App::$config)) || (! array_key_exists('config_loaded', App::$config[$family]))) { self::Load($family); if(array_key_exists('config_loaded', \App::$config[$family])) { if(! array_key_exists($key, \App::$config[$family])) { return $default; } - return ((! is_array(\App::$config[$family][$key])) && (preg_match('|^a:[0-9]+:{.*}$|s', \App::$config[$family][$key])) - ? unserialize(\App::$config[$family][$key]) - : \App::$config[$family][$key] - ); + + $value = App::$config[$family][$key]; + + if (! is_array($value)) { + if (substr($value, 0, 5) == 'json:') { + return json_decode(substr($value, 5), true); + } else if (preg_match('|^a:[0-9]+:{.*}$|s', $value)) { + // Unserialize in inherently unsafe. Try to mitigate by not + // allowing unserializing objects. Only kept for backwards + // compatibility. JSON serialization should be prefered. + return unserialize($value, array('allowed_classes' => false)); + } else { + return $value; + } + } } return $default; diff --git a/Zotlabs/Module/Siteinfo.php b/Zotlabs/Module/Siteinfo.php index ac33747f8..18eb703a2 100644 --- a/Zotlabs/Module/Siteinfo.php +++ b/Zotlabs/Module/Siteinfo.php @@ -38,6 +38,8 @@ class Siteinfo extends \Zotlabs\Web\Controller { '$prj_srctxt' => t('Developer homepage'), '$prj_link' => \Zotlabs\Lib\System::get_project_link(), '$prj_src' => \Zotlabs\Lib\System::get_project_srclink(), + '$addons' => array( t('Active addons'), \App::$plugins ), + '$blocked_sites' => array( t('Blocked sites'), \Zotlabs\Lib\Config::Get('system', 'blacklisted_sites') ) ] ); 
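Review bot: `json_decode(substr($value, 5), true)` in the new `json:` branch of Get() returns `null` for malformed JSON, so a corrupted stored value makes Get() return `null` rather than `$default`, contradicting the `@return` line kept in this hunk ("false on error or if not set"). Check the decode: `$decoded = json_decode(substr($value, 5), true);` then `return (json_last_error() === JSON_ERROR_NONE) ? $decoded : $default;`. The `allowed_classes => false` guard stops gadget-chain deserialization but, as the new test itself confirms, still yields `__PHP_Incomplete_Class` instances inside the array, so callers expecting scalars can receive objects; if legacy values are only ever arrays of scalars, walk the result with `array_walk_recursive` and fall back to `$default` when anything else appears. The comment has two typos worth fixing while here: "Unserialize in inherently unsafe" → "is inherently unsafe" and "prefered" → "preferred". The closing brace of Get() is outside the hunk.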
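Review bot: The new `'$blocked_sites'` entry hands `Config::Get('system', 'blacklisted_sites')` straight to the template, which iterates it with `foreach`, but Get() returns `false` when the key is unset and whatever was stored otherwise, so a non-array value (a string an admin typed into the setting) will break rendering. Guard the shape: `$blocked = \Zotlabs\Lib\Config::Get('system', 'blacklisted_sites');` and `'$blocked_sites' => array( t('Blocked sites'), (is_array($blocked) ? $blocked : []) ),`. Publishing the blocklist and the active addon list (`\App::$plugins`) is a reasonable transparency choice, but nothing in this hunk shows an auth check on Siteinfo, so presumably anyone can now enumerate the installed addons — consider gating both lists behind an admin config flag. The enclosing method starts outside the hunk.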
@@ -1403,7 +1403,7 @@ function x($s, $k = null) {
  * @ref include/system_unavailable.php will handle everything further.
  */
 function system_unavailable() {
-	include('include/system_unavailable.php');
+	require_once('include/system_unavailable.php');
 	system_down();
 	killme();
 }
diff --git a/tests/unit/Lib/ConfigTest.php b/tests/unit/Lib/ConfigTest.php
new file mode 100644
index 000000000..a8ae3631b
--- /dev/null
+++ b/tests/unit/Lib/ConfigTest.php
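Review bot: The new `require_once('include/system_unavailable.php')` still resolves a relative path through the include_path and the current working directory, so when `system_unavailable()` is reached from a CLI or cron process whose cwd is not the webroot the require itself fatals and masks the outage it is meant to report; anchor it to the file: `require_once(__DIR__ . '/include/system_unavailable.php');`. The switch from `include` to `require_once` presumably exists because this function can now be reached more than once in a request (Config::Load's retry path), which would redeclare `system_down()`; that is worth a one-line comment above the require, e.g. `// require_once: may be reached repeatedly via Config::Load(); a second include would redeclare system_down()`. The function is complete within the hunk.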
@@ -0,0 +1,61 @@
+<?php
+declare(strict_types=1);
+
+/**
+ * Tests for the Zotlabs\Lib\Config class.
+ *
+ * Until we have database testing in place, we can only test the Congig::Get
+ * method for now. This should be improved once the database test framework is
+ * merged.
+ */
+class ConfigTest extends Zotlabs\Tests\Unit\UnitTestCase {
+	/*
+	 * Hardcode a config that we can test against, and that we can
+	 * reuse in all the test cases.
+	 */
+	public function setUp(): void {
+		\App::$config = array(
+			'test' => array (
+				'plain' => 'plain value',
+				'php-array' => 'a:3:{i:0;s:3:"one";i:1;s:3:"two";i:2;s:5:"three";}',
+				'json-array' => 'json:["one","two","three"]',
+				'object-injection' => 'a:1:{i:0;O:18:"Zotlabs\Lib\Config":0:{}}',
+				'config_loaded' => true,
+			),
+		);
+	}
+
+	public function testGetPlainTextValue(): void {
+		$this->assertEquals(
+			Zotlabs\Lib\Config::Get('test', 'plain'),
+			'plain value'
+		);
+	}
+
+	public function testGetJSONSerializedArray(): void {
+		$this->assertEquals(
+			Zotlabs\Lib\Config::Get('test', 'json-array'),
+			array('one', 'two', 'three')
+		);
+	}
+
+	/*
+	 * Test that we can retreive old style serialized arrays that were
+	 * serialized with th PHP `serialize()` function.
+	 */
+	public function testGetPHPSerializedArray(): void {
+		$this->assertEquals(
+			Zotlabs\Lib\Config::Get('test', 'php-array'),
+			array('one', 'two', 'three')
+		);
+	}
+
+	/*
+	 * Make sure we're not vulnerable to PHP Object injection attacks when
+	 * using the PHP `unserialize()` function.
+	 */
+	public function testGetMaliciousPHPSerializedArray(): void {
+		$value = Zotlabs\Lib\Config::Get('test', 'object-injection');
+		$this->assertEquals($value[0]::class, '__PHP_Incomplete_Class');
+	}
+}
diff --git a/view/tpl/siteinfo.tpl b/view/tpl/siteinfo.tpl
index fef3b961e..6cf7da756 100644
--- a/view/tpl/siteinfo.tpl
+++ b/view/tpl/siteinfo.tpl
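Review bot: Every `assertEquals()` in the new test class passes the actual value first and the expected value second, while PHPUnit's signature is `assertEquals($expected, $actual)`; the tests pass either way, but failure output will read backwards, so swap them, e.g. `$this->assertEquals('plain value', Zotlabs\Lib\Config::Get('test', 'plain'));`. In `testGetMaliciousPHPSerializedArray`, `$value[0]::class` on an object instance only works on PHP 8.0+; `$this->assertInstanceOf(\__PHP_Incomplete_Class::class, $value[0]);` states the intent directly and is portable. A case with a malformed `json:` value (e.g. `'json-bad' => 'json:{oops'`) would pin what Get() returns on decode failure, which the Config docblock says should be the default rather than `null`. Comment typos: "Congig::Get", "retreive", "th PHP".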
@@ -12,6 +12,26 @@ <div>{{if $admin_about}}{{$admin_about}}{{else}}--{{/if}}</div> +{{if $addons.1}} +<br> +<h3>{{$addons.0}}</h3> +<ul> + {{foreach $addons.1 as $addon}} + <li>{{$addon}}</li> + {{/foreach}} +</ul> +{{/if}} + +{{if $blocked_sites.1}} +<br> +<h3>{{$blocked_sites.0}}</h3> +<ul> + {{foreach $blocked_sites.1 as $site}} + <li>{{$site}}</li> + {{/foreach}} +</ul> +{{/if}} + <br><br> <div><a href="help/TermsOfService">{{$terms}}</a></div> |
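Review bot: `{{$addon}}` and `{{$site}}` in the two new lists are emitted raw; unless the Smarty instance has `escape_html` enabled globally (not visible here), an addon name or blocklist entry containing markup would land unescaped in a public page. Apply the modifier explicitly: `<li>{{$addon|escape:'html'}}</li>` and `<li>{{$site|escape:'html'}}</li>`. Both values are admin-controlled, so the exposure is low, but the escape costs nothing and also covers the case where the controller later sources the blocklist from elsewhere.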