authorfriendica <info@friendica.com>2014-02-16 14:13:26 -0800
committerfriendica <info@friendica.com>2014-02-16 14:13:26 -0800
commitebd52368bb134e57a54d853732b5b4970a8ce02b (patch)
tree3b950917be780242a2e5ae64c9b26f42e170a637
parentd9e4f634665ec4da69b5af230f45f2a0e9688a1b (diff)
downloadvolse-hubzilla-ebd52368bb134e57a54d853732b5b4970a8ce02b.tar.gz
volse-hubzilla-ebd52368bb134e57a54d853732b5b4970a8ce02b.tar.bz2
volse-hubzilla-ebd52368bb134e57a54d853732b5b4970a8ce02b.zip
strip hard-wired zids from posted links as they will have the wrong identity when somebody tries to view the link
-rwxr-xr-xinclude/items.php11
-rwxr-xr-xinclude/text.php5
-rwxr-xr-xindex.php2
-rw-r--r--mod/cloud.php4
-rw-r--r--mod/item.php8
-rw-r--r--version.inc2
6 files changed, 20 insertions, 12 deletions
diff --git a/include/items.php b/include/items.php
index 3c10b8f5c..9bcdd7d0b 100755
--- a/include/items.php
+++ b/include/items.php
@@ -145,7 +145,9 @@ function can_comment_on_post($observer_xchan,$item) {
* @function red_zrl_callback
* preg_match function when fixing 'naked' links in mod item.php
* Check if we've got a hubloc for the site and use a zrl if we do, a url if we don't.
- *
+ * Remove any existing zid= param which may have been pasted by mistake - and will have
+ * the author's credentials. zid's are dynamic and can't really be passed around like
+ * that.
*/
@@ -159,6 +161,13 @@ function red_zrl_callback($matches) {
if($r)
$zrl = true;
}
+
+ $t = strip_zids($matches[2]);
+ if($t !== $matches[2]) {
+ $zrl = true;
+ $matches[2] = $t;
+ }
+
if($matches[1] === '#^')
$matches[1] = '';
if($zrl)
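Review bot: The added block sets `$zrl = true` whenever a zid was stripped, which overrides the result of the hubloc lookup just above it. A pasted `zid=` parameter is text supplied by the poster, so it does not show that the target is a known hub, and a zrl presumably causes each viewer's own identity address to be appended when they follow the link. Consider stripping only, with `$matches[2] = strip_zids($matches[2]);`, and leaving `$zrl` to the hubloc check. If the override is intended, the docblock should say so. red_zrl_callback begins and ends outside this hunk, so the initial value of `$zrl` is not visible here.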
diff --git a/include/text.php b/include/text.php
index 2b334068f..2f5accf6e 100755
--- a/include/text.php
+++ b/include/text.php
@@ -621,6 +621,11 @@ function get_tags($s) {
}
+function strip_zids($s) {
+ return preg_replace('/[\?&]zid=(.*?)(&|$)/ism','$2',$s);
+}
+
+
// quick and dirty quoted_printable encoding
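Review bot: strip_zids() loses the leading `?` when zid is the first of several parameters, because the pattern consumes `?zid=…&` and puts back only `$2`, so `page?zid=a&f=1` becomes `page&f=1`. The lazy `(.*?)` also runs to the end of the line, so a `#fragment` following the zid value is removed along with it. A two-step body keeps the delimiter and stops at `&` or `#`: `$s = preg_replace('/([\?&])zid=[^&#]*&/i','$1',$s);` followed by `return preg_replace('/[\?&]zid=[^&#]*/i','',$s);`. The same helper now replaces the inline patterns in index.php and mod/cloud.php, so the query string and REQUEST_URI rewritten there are affected in the same way. A short docblock stating that the function removes zid parameters and returns the rest of the string unchanged would also help callers.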
diff --git a/index.php b/index.php
index 736918661..24d54d829 100755
--- a/index.php
+++ b/index.php
@@ -92,7 +92,7 @@ if((x($_SESSION,'language')) && ($_SESSION['language'] !== $lang)) {
}
if((x($_GET,'zid')) && (! $a->install)) {
- $a->query_string = preg_replace('/[\?&]zid=(.*?)([\?&]|$)/is','',$a->query_string);
+ $a->query_string = strip_zids($a->query_string);
if(! local_user()) {
$_SESSION['my_address'] = $_GET['zid'];
zid_init($a);
diff --git a/mod/cloud.php b/mod/cloud.php
index 18b61f941..3606325bd 100644
--- a/mod/cloud.php
+++ b/mod/cloud.php
@@ -73,11 +73,11 @@ function cloud_init(&$a) {
$_SERVER['QUERY_STRING'] = str_replace(array('?f=','&f='),array('',''),$_SERVER['QUERY_STRING']);
- $_SERVER['QUERY_STRING'] = preg_replace('/[\?&]zid=(.*?)([\?&]|$)/ism','',$_SERVER['QUERY_STRING']);
+ $_SERVER['QUERY_STRING'] = strip_zids($_SERVER['QUERY_STRING']);
$_SERVER['QUERY_STRING'] = preg_replace('/[\?&]davguest=(.*?)([\?&]|$)/ism','',$_SERVER['QUERY_STRING']);
$_SERVER['REQUEST_URI'] = str_replace(array('?f=','&f='),array('',''),$_SERVER['REQUEST_URI']);
- $_SERVER['REQUEST_URI'] = preg_replace('/[\?&]zid=(.*?)([\?&]|$)/ism','',$_SERVER['REQUEST_URI']);
+ $_SERVER['REQUEST_URI'] = strip_zids($_SERVER['REQUEST_URI']);
$_SERVER['REQUEST_URI'] = preg_replace('/[\?&]davguest=(.*?)([\?&]|$)/ism','',$_SERVER['REQUEST_URI']);
$rootDirectory = new RedDirectory('/',$auth);
diff --git a/mod/item.php b/mod/item.php
index 48f85f692..1c32a637a 100644
--- a/mod/item.php
+++ b/mod/item.php
@@ -423,19 +423,13 @@ function item_post(&$a) {
/**
* fix naked links by passing through a callback to see if this is a red site
* (already known to us) which will get a zrl, otherwise link with url, add bookmark tag to both.
- * First wrap any url which is part of link anchor text already in quotes so we don't double link it.
- * e.g. [url=http://foobar.com]something with http://elsewhere.com in it[/url]
- * becomes [url=http://foobar.com]something with "http://elsewhere.com" in it[/url]
- * otherwise http://elsewhere.com becomes #^[url=http://elsewhere.com]http://elsewhere.com[/url]
+ * First protect any url inside certain bbcode tags so we don't double link it.
*/
$body = preg_replace_callback('/\[code(.*?)\[\/(code)\]/ism','red_escape_codeblock',$body);
$body = preg_replace_callback('/\[url(.*?)\[\/(url)\]/ism','red_escape_codeblock',$body);
$body = preg_replace_callback('/\[zrl(.*?)\[\/(zrl)\]/ism','red_escape_codeblock',$body);
-// no longer needed
-// $body = preg_replace_callback('/\[([uz])rl(.*?)\](.*?)(https?\:\/\/[a-zA-Z0-9\:\/\-\?\&\;\.\=\@\_\~\#\%\$\!\+\,]+)(.*?)\[\/([uz])rl\]/ism','red_escape_zrl_callback',$body);
-
$body = preg_replace_callback("/([^\]\='".'"'."]|^|\#\^)(https?\:\/\/[a-zA-Z0-9\:\/\-\?\&\;\.\=\@\_\~\#\%\$\!\+\,]+)/ism", 'red_zrl_callback', $body);
$body = preg_replace_callback('/\[\$b64zrl(.*?)\[\/(zrl)\]/ism','red_unescape_codeblock',$body);
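Review bot: Links that are already inside `[url]` or `[zrl]` tags are escaped by the three `red_escape_codeblock` passes before `red_zrl_callback` runs, so a zid pasted inside an existing bbcode link appears never to reach `strip_zids()`. The commit's stated goal, removing the author's zid from posted links, is therefore met only for naked links; this is inferred from the visible call order, since `red_escape_codeblock` is defined outside the hunk. Either run `strip_zids()` over the target of `[url=…]` and `[zrl=…]` tags before escaping, or record the limit in the comment, e.g. `* zids inside existing [url]/[zrl] tags are not stripped here.` The new comment could also name the protected tags (`code`, `url`, `zrl`) instead of "certain bbcode tags". item_post continues outside this hunk.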
diff --git a/version.inc b/version.inc
index b73d1c3e6..cc21a24b6 100644
--- a/version.inc
+++ b/version.inc
@@ -1 +1 @@
-2014-02-14.588
+2014-02-16.590