aboutsummaryrefslogtreecommitdiffstats
path: root/Zotlabs/Module/Item.php
diff options
context:
space:
mode:
authorMario Vavti <mario@mariovavti.com>2017-03-15 12:38:33 +0100
committerMario Vavti <mario@mariovavti.com>2017-03-15 12:39:34 +0100
commit62c921815fcc832d550c5c453284e911da10692f (patch)
tree90d72ffaf932791415a0ffaf353e93c6b951af72 /Zotlabs/Module/Item.php
parentbdfdd23b36cac0881ef4096180e1c9242753dd49 (diff)
downloadvolse-hubzilla-62c921815fcc832d550c5c453284e911da10692f.tar.gz
volse-hubzilla-62c921815fcc832d550c5c453284e911da10692f.tar.bz2
volse-hubzilla-62c921815fcc832d550c5c453284e911da10692f.zip
better handling of mimetype security
Diffstat (limited to 'Zotlabs/Module/Item.php')
-rw-r--r--Zotlabs/Module/Item.php22
1 files changed, 6 insertions, 16 deletions
diff --git a/Zotlabs/Module/Item.php b/Zotlabs/Module/Item.php
index 4725ecb38..6f54d3bb1 100644
--- a/Zotlabs/Module/Item.php
+++ b/Zotlabs/Module/Item.php
@@ -480,22 +480,12 @@ class Item extends \Zotlabs\Web\Controller {
$execflag = false;
- if($mimetype !== 'text/bbcode') {
- $z = q("select account_id, account_roles, channel_pageflags from account left join channel on channel_account_id = account_id where channel_id = %d limit 1",
- intval($profile_uid)
- );
- if($z && (($z[0]['account_roles'] & ACCOUNT_ROLE_ALLOWCODE) || ($z[0]['channel_pageflags'] & PAGE_ALLOWCODE))) {
- if($uid && (get_account_id() == $z[0]['account_id'])) {
- $execflag = true;
- }
- else {
- notice( t('Executable content type not permitted to this channel.') . EOL);
- if($api_source)
- return ( [ 'success' => false, 'message' => 'forbidden content type' ] );
- if(x($_REQUEST,'return'))
- goaway(z_root() . "/" . $return_path );
- killme();
- }
+ $z = q("select account_id, account_roles, channel_pageflags from account left join channel on channel_account_id = account_id where channel_id = %d limit 1",
+ intval($profile_uid)
+ );
+ if($z && (($z[0]['account_roles'] & ACCOUNT_ROLE_ALLOWCODE) || ($z[0]['channel_pageflags'] & PAGE_ALLOWCODE))) {
+ if($uid && (get_account_id() == $z[0]['account_id'])) {
+ $execflag = true;
}
}