aboutsummaryrefslogtreecommitdiffstats
path: root/Zotlabs/Module/Item.php
diff options
context:
space:
mode:
authorzotlabs <mike@macgirvin.com>2017-03-12 21:55:24 -0700
committerzotlabs <mike@macgirvin.com>2017-03-12 21:55:24 -0700
commitfc533107ed49735aad5ba39bf02b87ed7ac870b6 (patch)
tree9122edfb24f8d24d5baf1f024d9715e895cff3d1 /Zotlabs/Module/Item.php
parent1ee76cb5066870db9ea427e00e5c18edfb292496 (diff)
downloadvolse-hubzilla-fc533107ed49735aad5ba39bf02b87ed7ac870b6.tar.gz
volse-hubzilla-fc533107ed49735aad5ba39bf02b87ed7ac870b6.tar.bz2
volse-hubzilla-fc533107ed49735aad5ba39bf02b87ed7ac870b6.zip
better handling of mimetype security
Diffstat (limited to 'Zotlabs/Module/Item.php')
-rw-r--r--Zotlabs/Module/Item.php23
1 files changed, 7 insertions, 16 deletions
diff --git a/Zotlabs/Module/Item.php b/Zotlabs/Module/Item.php
index 4725ecb38..afac1542d 100644
--- a/Zotlabs/Module/Item.php
+++ b/Zotlabs/Module/Item.php
@@ -480,22 +480,13 @@ class Item extends \Zotlabs\Web\Controller {
$execflag = false;
- if($mimetype !== 'text/bbcode') {
- $z = q("select account_id, account_roles, channel_pageflags from account left join channel on channel_account_id = account_id where channel_id = %d limit 1",
- intval($profile_uid)
- );
- if($z && (($z[0]['account_roles'] & ACCOUNT_ROLE_ALLOWCODE) || ($z[0]['channel_pageflags'] & PAGE_ALLOWCODE))) {
- if($uid && (get_account_id() == $z[0]['account_id'])) {
- $execflag = true;
- }
- else {
- notice( t('Executable content type not permitted to this channel.') . EOL);
- if($api_source)
- return ( [ 'success' => false, 'message' => 'forbidden content type' ] );
- if(x($_REQUEST,'return'))
- goaway(z_root() . "/" . $return_path );
- killme();
- }
+ $z = q("select account_id, account_roles, channel_pageflags from account left join channel on channel_account_id = account_id
+ where channel_id = %d limit 1",
+ intval($profile_uid)
+ );
+ if($z && (($z[0]['account_roles'] & ACCOUNT_ROLE_ALLOWCODE) || ($z[0]['channel_pageflags'] & PAGE_ALLOWCODE))) {
+ if($uid && (intval(get_account_id()) == intval($z[0]['account_id']))) {
+ $execflag = true;
}
}