author | friendica <info@friendica.com> | 2013-12-23 15:13:09 -0800 |
---|---|---|
committer | friendica <info@friendica.com> | 2013-12-23 15:13:09 -0800 |
commit | 63a42480c7eb36bdc8b63b31b2a4d222ba5751cd (patch) | |
tree | b0bd80b8f114e2711152ce0374783a7106e068b1 | |
parent | 4517bdcff1aa75c5389f9fb29947012fca5df4e1 (diff) | |
add account_level, is_foreigner and is_member functions; convert all e2ee user input and prompts to hex to avoid javascript's lame handling of quotes. !!This breaks all prior encrypted posts.!!
-rwxr-xr-x | boot.php | 2 | ||||
-rw-r--r-- | include/bbcode.php | 11 | ||||
-rw-r--r-- | include/identity.php | 32 | ||||
-rw-r--r-- | install/database.sql | 4 | ||||
-rw-r--r-- | install/update.php | 11 | ||||
-rw-r--r-- | js/crypto.js | 10 | ||||
-rw-r--r-- | js/main.js | 9 | ||||
-rw-r--r-- | mod/chanview.php | 12 | ||||
-rw-r--r-- | mod/post.php | 5 |
9 files changed, 80 insertions, 16 deletions
@@ -46,7 +46,7 @@ define ( 'RED_PLATFORM', 'Red Matrix' );
 define ( 'RED_VERSION', trim(file_get_contents('version.inc')) . 'R');
 define ( 'ZOT_REVISION', 1 );
-define ( 'DB_UPDATE_VERSION', 1086 );
+define ( 'DB_UPDATE_VERSION', 1087 );
 define ( 'EOL', '<br />' . "\r\n" );
 define ( 'ATOM_TIME', 'Y-m-d\TH:i:s\Z' );
diff --git a/include/bbcode.php b/include/bbcode.php
index 271cace73..6374675f1 100644
--- a/include/bbcode.php
+++ b/include/bbcode.php
@@ -105,21 +105,24 @@ function bb_parse_crypt($match) {
 $attributes = $match[1];
 $algorithm = "";
+
 preg_match("/alg='(.*?)'/ism", $attributes, $matches);
 if ($matches[1] != "")
- $algorithm = html_entity_decode($matches[1],ENT_QUOTES,'UTF-8');
+ $algorithm = $matches[1];
 preg_match("/alg=\"\;(.*?)\"\;/ism", $attributes, $matches);
 if ($matches[1] != "")
- $algorithm = html_entity_decode($matches[1],ENT_QUOTES,'UTF-8');
+ $algorithm = $matches[1];
 $hint = "";
+
+
 preg_match("/hint='(.*?)'/ism", $attributes, $matches);
 if ($matches[1] != "")
- $hint = html_entity_decode($matches[1],ENT_QUOTES,'UTF-8');
+ $hint = $matches[1];
 preg_match("/hint=\"\;(.*?)\"\;/ism", $attributes, $matches);
 if ($matches[1] != "")
- $hint = html_entity_decode($matches[1],ENT_QUOTES,'UTF-8');
+ $hint = $matches[1];
 $x = random_string();
diff --git a/include/identity.php b/include/identity.php
index be4e4be93..63b05f4bb 100644
--- a/include/identity.php
+++ b/include/identity.php
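Review bot: In bb_parse_crypt the four new assignments (`$algorithm = $matches[1];` and `$hint = $matches[1];`) take the attribute text straight from the post with no check on its shape, now that the html_entity_decode step is gone. Since this commit makes the hint a hex string, I would enforce that here with `if (! ctype_xdigit($hint)) $hint = '';` and compare `$algorithm` against the list of names red_decrypt accepts, so that nothing else from a remote post can reach the markup built from these values. The code that emits `$algorithm` and `$hint` sits below `$x = random_string();`, outside this hunk, so how they are escaped there is not visible. Separately, `$matches[1]` is read even when preg_match found nothing; `if (! empty($matches[1]))` avoids the undefined-offset notice.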
@@ -1138,3 +1138,35 @@ function get_default_profile_photo($size = 175) {
 $scheme = 'rainbow_man';
 return 'images/default_profile_photos/' . $scheme . '/' . $size . '.jpg';
 }
+
+
+/**
+ *
+ * @function is_foreigner($s)
+ * Test whether a given identity is NOT a member of the Red Matrix
+ * @param string $s;
+ * xchan_hash of the identity in question
+ *
+ * @returns boolean true or false
+ *
+ */
+
+function is_foreigner($s) {
+ return((strpbrk($s,':@')) ? true : false);
+}
+
+
+/**
+ *
+ * @function is_member($s)
+ * Test whether a given identity is a member of the Red Matrix
+ * @param string $s;
+ * xchan_hash of the identity in question
+ *
+ * @returns boolean true or false
+ *
+ */
+
+function is_member($s) {
+ return((is_foreigner($s)) ? false : true);
+}
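Review bot: is_member() returns true for an empty or missing hash, because is_foreigner() only looks for ':' or '@' and is_member() is its plain negation; a caller such as the chanview change in this commit would then treat an unknown identity as a network member. Consider failing closed in is_member with `return (is_string($s) && $s !== '' && ! is_foreigner($s));`. The docblocks would also read better with the standard `@return bool` in place of `@function`/`@returns`, and should say that the test looks only at the characters of the hash (presumably foreign xchan_hash values always carry ':' or '@'; the code that builds them is not in this diff). The ternary in is_foreigner can be written as `return strpbrk($s, ':@') !== false;`.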
\ No newline at end of file
diff --git a/install/database.sql b/install/database.sql
index f73460937..cb332c75b 100644
--- a/install/database.sql
+++ b/install/database.sql
@@ -54,6 +54,7 @@ CREATE TABLE IF NOT EXISTS `account` (
 `account_expires` datetime NOT NULL DEFAULT '0000-00-00 00:00:00',
 `account_expire_notified` datetime NOT NULL DEFAULT '0000-00-00 00:00:00',
 `account_service_class` char(32) NOT NULL DEFAULT '',
+ `account_level` int(10) unsigned NOT NULL DEFAULT 0,
 PRIMARY KEY (`account_id`),
 KEY `account_email` (`account_email`),
 KEY `account_service_class` (`account_service_class`),
@@ -63,7 +64,8 @@ CREATE TABLE IF NOT EXISTS `account` (
 KEY `account_lastlog` (`account_lastlog`),
 KEY `account_expires` (`account_expires`),
 KEY `account_default_channel` (`account_default_channel`),
- KEY `account_external` (`account_external`)
+ KEY `account_external` (`account_external`),
+ KEY `account_level` (`account_level`)
 ) ENGINE=MyISAM DEFAULT CHARSET=utf8;
 CREATE TABLE IF NOT EXISTS `addon` (
diff --git a/install/update.php b/install/update.php
index 817e4b6bc..c731eab06 100644
--- a/install/update.php
+++ b/install/update.php
@@ -1,6 +1,6 @@
 <?php
-define( 'UPDATE_VERSION' , 1086 );
+define( 'UPDATE_VERSION' , 1087 );
 /**
 *
@@ -948,3 +948,12 @@ function update_r1085() {
 return UPDATE_FAILED;
 }
+
+function update_r1086() {
+ $r = q("ALTER TABLE `account` ADD `account_level` INT UNSIGNED NOT NULL DEFAULT '0',
+ADD INDEX ( `account_level` )");
+ if($r)
+ return UPDATE_SUCCESS;
+ return UPDATE_FAILED;
+}
+
diff --git a/js/crypto.js b/js/crypto.js
index a144e03ea..2e6402c62 100644
--- a/js/crypto.js
+++ b/js/crypto.js
@@ -43,7 +43,7 @@ function red_encrypt(alg, elem,text) {
 // key and hint need to be localised
- var enc_key = prompt(aStr['passphrase']);
+ var enc_key = bin2hex(prompt(aStr['passphrase']));
 // If you don't provide a key you get rot13, which doesn't need a key
 // but consequently isn't secure.
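Review bot: `bin2hex(prompt(aStr['passphrase']))` feeds the prompt result straight into bin2hex, but prompt() returns null when the user cancels, and what bin2hex does with null is not visible here (its body is in js/main.js, outside this diff). The comment just below says an empty key falls back to rot13, so a cancelled dialog should be normalised first to keep taking that path: `var pw = prompt(aStr['passphrase']); var enc_key = (pw === null) ? '' : bin2hex(pw);`. Without that the post may end up encrypted under a key the user never typed, or the call may throw. The same pattern appears in the hunks at -59, -72 and -84 (enc_hint) and at -135 (red_decrypt). red_encrypt continues outside this hunk, so the empty-key check itself is not shown.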
@@ -59,7 +59,7 @@ function red_encrypt(alg, elem,text) {
 // This is the prompt we're going to use when the receiver tries to open it.
 // Maybe "Grandma's maiden name" or "our secret place" or something.
- var enc_hint = prompt(aStr['passhint']);
+ var enc_hint = bin2hex(prompt(aStr['passhint']));
 enc_text = CryptoJS.AES.encrypt(text,enc_key);
@@ -72,7 +72,7 @@ function red_encrypt(alg, elem,text) {
 // This is the prompt we're going to use when the receiver tries to open it.
 // Maybe "Grandma's maiden name" or "our secret place" or something.
- var enc_hint = prompt(aStr['passhint']);
+ var enc_hint = bin2hex(prompt(aStr['passhint']));
 enc_text = CryptoJS.Rabbit.encrypt(text,enc_key);
 encrypted = enc_text.toString();
@@ -84,7 +84,7 @@ function red_encrypt(alg, elem,text) {
 // This is the prompt we're going to use when the receiver tries to open it.
 // Maybe "Grandma's maiden name" or "our secret place" or something.
- var enc_hint = prompt(aStr['passhint']);
+ var enc_hint = bin2hex(prompt(aStr['passhint']));
 enc_text = CryptoJS.TripleDES.encrypt(text,enc_key);
 encrypted = enc_text.toString();
@@ -135,7 +135,7 @@ function red_decrypt(alg,hint,text,elem) {
 if(alg == 'rot13' || alg == 'triple-rot13') dec_text = str_rot13(text);
 else {
- var enc_key = prompt((hint.length) ? hint : aStr['passphrase']);
+ var enc_key = bin2hex(prompt((hint.length) ? hex2bin(hint) : aStr['passphrase']));
 }
 if(alg == 'aes256') {
diff --git a/js/main.js b/js/main.js
index 70d11bfd3..c8e9fc9a2 100644
--- a/js/main.js
+++ b/js/main.js
@@ -873,6 +873,15 @@ function updateConvItems(mode,data) {
 return a.join('');
 }
+ function hex2bin(hex) {
+ var bytes = [], str;
+
+ for(var i=0; i< hex.length-1; i+=2)
+ bytes.push(parseInt(hex.substr(i, 2), 16));
+
+ return String.fromCharCode.apply(String, bytes);
+ }
+
 function groupChangeMember(gid, cid, sec_token) {
 $('body .fakelink').css('cursor', 'wait');
 $.get('group/' + gid + '/' + cid + "?t=" + sec_token, function(data) { 
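Review bot: hex2bin() accepts any string, yet the hint it decodes comes from post content (red_decrypt passes its `hint` argument through it): a non-hex pair makes parseInt return NaN, which String.fromCharCode turns into a NUL character, and an odd trailing digit is silently dropped. A guard at the top, `if(! /^([0-9a-fA-F]{2})*$/.test(hex)) return '';`, keeps malformed or pre-change hints from producing garbage in the passphrase prompt. The function also rebuilds the string one byte per character, so a hint with non-Latin-1 text only survives if bin2hex (not shown in this hunk) writes exactly two digits per character; a comment stating the expected encoding would help. `str` is declared and never used.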
diff --git a/mod/chanview.php b/mod/chanview.php
index 55f7e95d6..c4942b938 100644
--- a/mod/chanview.php
+++ b/mod/chanview.php
@@ -78,10 +78,14 @@ function chanview_content(&$a) {
 return;
 }
- $url = (($observer)
- ? z_root() . '/magic?f=&dest=' . $a->poi['xchan_url'] . '&addr=' . $a->poi['xchan_addr']
- : $a->poi['xchan_url']
- );
+ if(is_foreigner($a->poi['xchan_hash']))
+ $url = $a->poi['xchan_url'];
+ else {
+ $url = (($observer)
+ ? z_root() . '/magic?f=&dest=' . $a->poi['xchan_url'] . '&addr=' . $a->poi['xchan_addr']
+ : $a->poi['xchan_url']
+ );
+ }
 // let somebody over-ride the iframed viewport presentation
diff --git a/mod/post.php b/mod/post.php
index 7f495140e..965ba09a3 100644
--- a/mod/post.php
+++ b/mod/post.php
@@ -69,6 +69,7 @@ function post_init(&$a) {
 * "success":1,
 * "confirm":"q0Ysovd1u..."
 * "service_class":(optional)
+ * "level":(optional)
 * }
 *
 * 'confirm' in this case is the base64url encoded RSA signature of the concatenation of 'secret' with the
@@ -150,6 +151,7 @@ function post_init(&$a) {
 $remote = remote_user();
 $result = null;
 $remote_service_class = '';
+ $remote_level = 0;
 $remote_hub = $x[0]['hubloc_url'];
 // Also check that they are coming from the same site as they authenticated with originally.
@@ -210,6 +212,8 @@ function post_init(&$a) {
 }
 if(array_key_exists('service_class',$j))
 $remote_service_class = $j['service_class'];
+ if(array_key_exists('level',$j))
+ $remote_level = $j['level'];
 }
 // everything is good... maybe
 if(local_user()) {
@@ -241,6 +245,7 @@ function post_init(&$a) {
 $_SESSION['visitor_id'] = $x[0]['xchan_hash'];
 $_SESSION['my_address'] = $address;
 $_SESSION['remote_service_class'] = $remote_service_class;
+ $_SESSION['remote_level'] = $remote_level;
 $_SESSION['remote_hub'] = $remote_hub;
 $arr = array('xchan' => $x[0], 'url' => $desturl, 'session' => $_SESSION); |
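Review bot: The magic-auth URL in the new else branch of chanview_content still concatenates `$a->poi['xchan_url']` and `$a->poi['xchan_addr']` into the query string unencoded, so an `&` or `#` inside either value changes which parameters /magic receives. These fields describe the channel being viewed and may originate from another site, so I would encode them: `? z_root() . '/magic?f=&dest=' . urlencode($a->poi['xchan_url']) . '&addr=' . urlencode($a->poi['xchan_addr'])`. The commit only re-indents these lines, but they are on the new side and this is a convenient point to fix them. chanview_content continues past the hunk, so how `$url` is used afterwards is not visible.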
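Review bot: `$remote_level = $j['level'];` in post_init stores whatever the remote hub put in its JSON reply, and the last hunk copies it into `$_SESSION['remote_level']` unchanged. The column this commit adds for the local equivalent is an unsigned integer, so cast and bound the value at this boundary with `$remote_level = max(0, intval($j['level']));` rather than letting an array or arbitrary string reach later comparisons. The level is asserted by the other site, so a short comment beside the session assignment should say it is an unverified claim and should not be treated as equivalent to a local `account_level` without a policy for which hubs are trusted. post_init starts and ends outside these hunks.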