aboutsummaryrefslogtreecommitdiffstats
path: root/include
diff options
context:
space:
mode:
authorredmatrix <redmatrix@redmatrix.me>2015-05-20 18:46:23 -0700
committerredmatrix <redmatrix@redmatrix.me>2015-05-20 18:46:23 -0700
commit6466774b6e6ed72ea1cc57cbc76e451205934aca (patch)
treede1b5415812e3cc9b9ee8d1e7d481dd9bc26cc8f /include
parentfe00d29047da1cb99cbc06af938268ec9e6a8fcb (diff)
downloadvolse-hubzilla-6466774b6e6ed72ea1cc57cbc76e451205934aca.tar.gz
volse-hubzilla-6466774b6e6ed72ea1cc57cbc76e451205934aca.tar.bz2
volse-hubzilla-6466774b6e6ed72ea1cc57cbc76e451205934aca.zip
PRIVACY: possible privacy leakage under a defined set of circumstances
Diffstat (limited to 'include')
-rwxr-xr-xinclude/items.php13
-rw-r--r--include/security.php10
-rw-r--r--include/text.php10
3 files changed, 13 insertions, 20 deletions
diff --git a/include/items.php b/include/items.php
index 1db3fab2b..245259e38 100755
--- a/include/items.php
+++ b/include/items.php
@@ -2527,6 +2527,7 @@ function item_store_update($arr,$allow_exec = false) {
$arr['title'] = ((array_key_exists('title',$arr) && strlen($arr['title'])) ? trim($arr['title']) : '');
$arr['body'] = ((array_key_exists('body',$arr) && strlen($arr['body'])) ? trim($arr['body']) : '');
+
$arr['attach'] = ((x($arr,'attach')) ? notags(trim($arr['attach'])) : $orig[0]['attach']);
$arr['app'] = ((x($arr,'app')) ? notags(trim($arr['app'])) : $orig[0]['app']);
// $arr['item_restrict'] = ((x($arr,'item_restrict')) ? intval($arr['item_restrict']) : $orig[0]['item_restrict'] );
@@ -4372,12 +4373,14 @@ function fetch_post_tags($items,$link = false) {
-function zot_feed($uid,$observer_xchan,$arr) {
+function zot_feed($uid,$observer_hash,$arr) {
$result = array();
$mindate = null;
$message_id = null;
+ require_once('include/security.php');
+
if(array_key_exists('mindate',$arr)) {
$mindate = datetime_convert('UTC','UTC',$arr['mindate']);
}
@@ -4395,14 +4398,14 @@ function zot_feed($uid,$observer_xchan,$arr) {
if($message_id)
logger('message_id: ' . $message_id,LOGGER_DEBUG);
- if(! perm_is_allowed($uid,$observer_xchan,'view_stream')) {
+ if(! perm_is_allowed($uid,$observer_hash,'view_stream')) {
logger('zot_feed: permission denied.');
return $result;
}
if(! is_sys_channel($uid)) {
require_once('include/security.php');
- $sql_extra = item_permissions_sql($uid);
+ $sql_extra = item_permissions_sql($uid,$observer_hash);
}
$limit = " LIMIT 100 ";
@@ -4416,6 +4419,7 @@ function zot_feed($uid,$observer_xchan,$arr) {
$limit = '';
}
+
$items = array();
/** @FIXME fix this part for PostgreSQL */
@@ -4425,7 +4429,6 @@ function zot_feed($uid,$observer_xchan,$arr) {
}
if(is_sys_channel($uid)) {
- require_once('include/security.php');
$r = q("SELECT parent, created, postopts from item
WHERE uid != %d
AND item_private = 0 AND item_restrict = 0 AND uid in (" . stream_perms_api_uids(PERMS_PUBLIC,10,1) . ")
@@ -4633,7 +4636,7 @@ function items_fetch($arr,$channel = null,$observer_hash = null,$client_mode = C
//$start = dba_timer();
require_once('include/security.php');
- $sql_extra .= item_permissions_sql($channel['channel_id']);
+ $sql_extra .= item_permissions_sql($channel['channel_id'],$observer_hash);
if ($arr['pages'])
$item_restrict = " AND (item_restrict & " . ITEM_WEBPAGE . ") ";
diff --git a/include/security.php b/include/security.php
index c3b0e9763..91683cc98 100644
--- a/include/security.php
+++ b/include/security.php
@@ -148,7 +148,7 @@ function change_channel($change_channel) {
*
* @return string additional SQL where statement
*/
-function permissions_sql($owner_id, $remote_verified = false, $groups = null) {
+function permissions_sql($owner_id, $remote_observer = null) {
$local_channel = local_channel();
@@ -181,7 +181,7 @@ function permissions_sql($owner_id, $remote_verified = false, $groups = null) {
*/
else {
- $observer = get_observer_hash();
+ $observer = (($remote_observer) ? $remote_observer : get_observer_hash());
if($observer) {
$groups = init_groups_visitor($observer);
@@ -217,7 +217,7 @@ function permissions_sql($owner_id, $remote_verified = false, $groups = null) {
*
* @return string additional SQL where statement
*/
-function item_permissions_sql($owner_id, $remote_verified = false, $groups = null) {
+function item_permissions_sql($owner_id, $remote_observer = null) {
$local_channel = local_channel();
@@ -227,7 +227,7 @@ function item_permissions_sql($owner_id, $remote_verified = false, $groups = nul
* default permissions - anonymous user
*/
- $sql = " AND item_private=0 ";
+ $sql = " AND item_private = 0 ";
/**
* Profile owner - everything is visible
@@ -246,7 +246,7 @@ function item_permissions_sql($owner_id, $remote_verified = false, $groups = nul
*/
else {
- $observer = get_observer_hash();
+ $observer = (($remote_observer) ? $remote_observer : get_observer_hash());
if($observer) {
$groups = init_groups_visitor($observer);
diff --git a/include/text.php b/include/text.php
index 6ed06e92a..d483424ec 100644
--- a/include/text.php
+++ b/include/text.php
@@ -1379,12 +1379,8 @@ function generate_named_map($location) {
function prepare_body(&$item,$attach = false) {
- if(get_config('system','item_cache') && $item['html'])
- return $item['html'];
-
call_hooks('prepare_body_init', $item);
-
unobscure($item);
$s = prepare_text($item['body'],$item['mimetype']);
@@ -1452,12 +1448,6 @@ function prepare_body(&$item,$attach = false) {
$prep_arr = array('item' => $item, 'html' => $s);
call_hooks('prepare_body_final', $prep_arr);
- if(get_config('system','item_cache'))
- q("update item set html = '%s' where id = %d",
- dbesc($prep_arr['html']),
- intval($item['id'])
- );
-
return $prep_arr['html'];
}