diff options
| author | friendica <info@friendica.com> | 2014-02-16 14:13:26 -0800 |
|---|---|---|
| committer | friendica <info@friendica.com> | 2014-02-16 14:13:26 -0800 |
| commit | ebd52368bb134e57a54d853732b5b4970a8ce02b (patch) | |
| tree | 3b950917be780242a2e5ae64c9b26f42e170a637 | |
| parent | d9e4f634665ec4da69b5af230f45f2a0e9688a1b (diff) | |
| download | volse-hubzilla-ebd52368bb134e57a54d853732b5b4970a8ce02b.tar.gz volse-hubzilla-ebd52368bb134e57a54d853732b5b4970a8ce02b.tar.bz2 volse-hubzilla-ebd52368bb134e57a54d853732b5b4970a8ce02b.zip | |
strip hard-wired zids from posted links as they will have the wrong identity when somebody tries to view the link
| -rwxr-xr-x | include/items.php | 11 | ||||
| -rwxr-xr-x | include/text.php | 5 | ||||
| -rwxr-xr-x | index.php | 2 | ||||
| -rw-r--r-- | mod/cloud.php | 4 | ||||
| -rw-r--r-- | mod/item.php | 8 | ||||
| -rw-r--r-- | version.inc | 2 |
6 files changed, 20 insertions, 12 deletions
diff --git a/include/items.php b/include/items.php index 3c10b8f5c..9bcdd7d0b 100755 --- a/include/items.php +++ b/include/items.php @@ -145,7 +145,9 @@ function can_comment_on_post($observer_xchan,$item) { * @function red_zrl_callback * preg_match function when fixing 'naked' links in mod item.php * Check if we've got a hubloc for the site and use a zrl if we do, a url if we don't. - * + * Remove any existing zid= param which may have been pasted by mistake - and will have + * the author's credentials. zid's are dynamic and can't really be passed around like + * that. */ @@ -159,6 +161,13 @@ function red_zrl_callback($matches) { if($r) $zrl = true; } + + $t = strip_zids($matches[2]); + if($t !== $matches[2]) { + $zrl = true; + $matches[2] = $t; + } + if($matches[1] === '#^') $matches[1] = ''; if($zrl) diff --git a/include/text.php b/include/text.php index 2b334068f..2f5accf6e 100755 --- a/include/text.php +++ b/include/text.php @@ -621,6 +621,11 @@ function get_tags($s) { } +function strip_zids($s) { + return preg_replace('/[\?&]zid=(.*?)(&|$)/ism','$2',$s); +} + + // quick and dirty quoted_printable encoding @@ -92,7 +92,7 @@ if((x($_SESSION,'language')) && ($_SESSION['language'] !== $lang)) { } if((x($_GET,'zid')) && (! $a->install)) { - $a->query_string = preg_replace('/[\?&]zid=(.*?)([\?&]|$)/is','',$a->query_string); + $a->query_string = strip_zids($a->query_string); if(! local_user()) { $_SESSION['my_address'] = $_GET['zid']; zid_init($a); diff --git a/mod/cloud.php b/mod/cloud.php index 18b61f941..3606325bd 100644 --- a/mod/cloud.php +++ b/mod/cloud.php @@ -73,11 +73,11 @@ function cloud_init(&$a) { $_SERVER['QUERY_STRING'] = str_replace(array('?f=','&f='),array('',''),$_SERVER['QUERY_STRING']); - $_SERVER['QUERY_STRING'] = preg_replace('/[\?&]zid=(.*?)([\?&]|$)/ism','',$_SERVER['QUERY_STRING']); + $_SERVER['QUERY_STRING'] = strip_zids($_SERVER['QUERY_STRING']); $_SERVER['QUERY_STRING'] = preg_replace('/[\?&]davguest=(.*?)([\?&]|$)/ism','',$_SERVER['QUERY_STRING']); $_SERVER['REQUEST_URI'] = str_replace(array('?f=','&f='),array('',''),$_SERVER['REQUEST_URI']); - $_SERVER['REQUEST_URI'] = preg_replace('/[\?&]zid=(.*?)([\?&]|$)/ism','',$_SERVER['REQUEST_URI']); + $_SERVER['REQUEST_URI'] = strip_zids($_SERVER['REQUEST_URI']); $_SERVER['REQUEST_URI'] = preg_replace('/[\?&]davguest=(.*?)([\?&]|$)/ism','',$_SERVER['REQUEST_URI']); $rootDirectory = new RedDirectory('/',$auth); diff --git a/mod/item.php b/mod/item.php index 48f85f692..1c32a637a 100644 --- a/mod/item.php +++ b/mod/item.php @@ -423,19 +423,13 @@ function item_post(&$a) { /** * fix naked links by passing through a callback to see if this is a red site * (already known to us) which will get a zrl, otherwise link with url, add bookmark tag to both. - * First wrap any url which is part of link anchor text already in quotes so we don't double link it. - * e.g. [url=http://foobar.com]something with http://elsewhere.com in it[/url] - * becomes [url=http://foobar.com]something with "http://elsewhere.com" in it[/url] - * otherwise http://elsewhere.com becomes #^[url=http://elsewhere.com]http://elsewhere.com[/url] + * First protect any url inside certain bbcode tags so we don't double link it. */ $body = preg_replace_callback('/\[code(.*?)\[\/(code)\]/ism','red_escape_codeblock',$body); $body = preg_replace_callback('/\[url(.*?)\[\/(url)\]/ism','red_escape_codeblock',$body); $body = preg_replace_callback('/\[zrl(.*?)\[\/(zrl)\]/ism','red_escape_codeblock',$body); -// no longer needed -// $body = preg_replace_callback('/\[([uz])rl(.*?)\](.*?)(https?\:\/\/[a-zA-Z0-9\:\/\-\?\&\;\.\=\@\_\~\#\%\$\!\+\,]+)(.*?)\[\/([uz])rl\]/ism','red_escape_zrl_callback',$body); - $body = preg_replace_callback("/([^\]\='".'"'."]|^|\#\^)(https?\:\/\/[a-zA-Z0-9\:\/\-\?\&\;\.\=\@\_\~\#\%\$\!\+\,]+)/ism", 'red_zrl_callback', $body); $body = preg_replace_callback('/\[\$b64zrl(.*?)\[\/(zrl)\]/ism','red_unescape_codeblock',$body); diff --git a/version.inc b/version.inc index b73d1c3e6..cc21a24b6 100644 --- a/version.inc +++ b/version.inc @@ -1 +1 @@ -2014-02-14.588 +2014-02-16.590 |