Merge branch 'master', remote-tracking branch 'remotes/upstream/master'

* remotes/upstream/master:
  sort inbox by recently replied conversations first
  file as widget and basic filing implementation for duepuntozero,slackr much more work needed - this is just for test/evaluation currently
  don't count self in number of contatcs
  invite potential connectees to the free social web
  In HTML2BBCode: fetch the URL of [EMBED] using JavaScript instead of an ajax-call to a php-script. Once there actually is embedded Code in the HTML, this function is called after every single keypress. Not only is making an ajax-call every keypress bandith intensive - it also made typing hard / slow. Making a lot of JavaScript-RegExp-Computation every keypress isn't exactly great either, but still performs better.
  Some security against XSRF-attacks
  A 'PHP Fatal error:  Call to a member function getElementsByTagName() on a non-object in mod/parse_url.php on line 191' occurred when the linked HTML-File doesn't have a HEAD. The HTML-file couln't be link to in the editor therefore.
  Mostly some checks in order to avoid Notices; 1 real bugfix in /mod/network.php
  Avoid notices
  contact.network is used later to check if a direct link or a redirect by /redir/contactid should be used
  wasn't actually changed before
  Avoid a notice
  Avoid a Notice
  Avoid a Notice
  Avoid a Notice

* master:

1 files changed, 46 insertions, 0 deletions

diff --git a/include/security.php b/include/security.php
index 8c536b656..6ea515bff 100755
--- a/include/security.php
+++ b/include/security.php
@@ -288,3 +288,49 @@ function item_permissions_sql($owner_id,$remote_verified = false,$groups = null)
 }
 
 
+/*
+ * Functions used to protect against Cross-Site Request Forgery
+ * The security token has to base on at least one value that an attacker can't know - here it's the session ID and the private key.
+ * In this implementation, a security token is reusable (if the user submits a form, goes back and resubmits the form, maybe with small changes;
+ * or if the security token is used for ajax-calls that happen several times), but only valid for a certain amout of time (3hours).
+ * The "typename" seperates the security tokens of different types of forms. This could be relevant in the following case:
+ *    A security token is used to protekt a link from CSRF (e.g. the "delete this profile"-link).
+ *    If the new page contains by any chance external elements, then the used security token is exposed by the referrer.
+ *    Actually, important actions should not be triggered by Links / GET-Requests at all, but somethimes they still are,
+ *    so this mechanism brings in some damage control (the attacker would be able to forge a request to a form of this type, but not to forms of other types).
+ */ 
+function get_form_security_token($typename = "") {
+	$a = get_app();
+	
+	$timestamp = time();
+	$sec_hash = hash('whirlpool', $a->user["guid"] . $a->user["prvkey"] . session_id() . $timestamp . $typename);
+	
+	return $timestamp . "." . $sec_hash;
+}
+
+function check_form_security_token($typename = "", $formname = 'form_security_token') {
+	if (!x($_REQUEST, $formname)) return false;
+	$hash = $_REQUEST[$formname];
+	
+	$max_livetime = 10800; // 3 hours
+	
+	$a = get_app();
+	
+	$x = explode(".", $hash);
+	if (time() > (IntVal($x[0]) + $max_livetime)) return false;
+	
+	$sec_hash = hash('whirlpool', $a->user["guid"] . $a->user["prvkey"] . session_id() . $x[0] . $typename);
+	
+	return ($sec_hash == $x[1]);
+}
+
+function check_form_security_std_err_msg() {
+	return t('The form security token was not correct. This probably happened because the form has been opened for too long (>3 hours) before subitting it.') . EOL;
+}
+function check_form_security_token_redirectOnErr($err_redirect, $typename = "", $formname = 'form_security_token') {
+	if (!check_form_security_token($typename, $formname)) {
+		$a = get_app();
+		notice( check_form_security_std_err_msg() );
+		goaway($a->get_baseurl() . $err_redirect );
+	}
+}