diff options
author | zotlabs <mike@macgirvin.com> | 2018-07-18 17:48:23 -0700 |
---|---|---|
committer | zotlabs <mike@macgirvin.com> | 2018-07-18 17:48:23 -0700 |
commit | a05c8ff66bd8d09f69f6c59bc49b7627792f4109 (patch) | |
tree | a47e676f511adfdea1fd1924797d5c35f28c94fe | |
parent | 5ce50d0a2e15ae66765a68ba2785a87ecda57f6a (diff) | |
download | volse-hubzilla-a05c8ff66bd8d09f69f6c59bc49b7627792f4109.tar.gz volse-hubzilla-a05c8ff66bd8d09f69f6c59bc49b7627792f4109.tar.bz2 volse-hubzilla-a05c8ff66bd8d09f69f6c59bc49b7627792f4109.zip |
query filter was a bit greedy
-rw-r--r-- | Zotlabs/Module/Magic.php | 1 | ||||
-rwxr-xr-x | boot.php | 3 | ||||
-rw-r--r-- | include/channel.php | 2 |
3 files changed, 3 insertions, 3 deletions
diff --git a/Zotlabs/Module/Magic.php b/Zotlabs/Module/Magic.php index e034f1cdf..be6866592 100644 --- a/Zotlabs/Module/Magic.php +++ b/Zotlabs/Module/Magic.php @@ -21,7 +21,6 @@ class Magic extends \Zotlabs\Web\Controller { $owa = ((x($_REQUEST,'owa')) ? intval($_REQUEST['owa']) : 0); $delegate = ((x($_REQUEST,'delegate')) ? $_REQUEST['delegate'] : ''); - if($bdest) $dest = hex2bin($bdest); @@ -874,11 +874,12 @@ class App { } if((x($_SERVER,'QUERY_STRING')) && substr($_SERVER['QUERY_STRING'], 0, 2) === "q=") { - self::$query_string = escape_tags(substr($_SERVER['QUERY_STRING'], 2)); + self::$query_string = str_replace(['<','>'],['<','>'],substr($_SERVER['QUERY_STRING'], 2); // removing trailing / - maybe a nginx problem if (substr(self::$query_string, 0, 1) == "/") self::$query_string = substr(self::$query_string, 1); } + if(x($_GET,'q')) self::$cmd = escape_tags(trim($_GET['q'],'/\\')); diff --git a/include/channel.php b/include/channel.php index 59dd60ea2..d7c5a2511 100644 --- a/include/channel.php +++ b/include/channel.php @@ -1710,7 +1710,7 @@ function zid_init() { // try to avoid recursion - but send them home to do a proper magic auth $query = App::$query_string; $query = str_replace(array('?zid=','&zid='),array('?rzid=','&rzid='),$query); - $dest = '/' . urlencode($query); + $dest = '/' . $query; if($r && ($r[0]['hubloc_url'] != z_root()) && (! strstr($dest,'/magic')) && (! strstr($dest,'/rmagic'))) { goaway($r[0]['hubloc_url'] . '/magic' . '?f=&rev=1&owa=1&bdest=' . bin2hex(z_root() . $dest)); } |