author | Thomas Willingham <founder@kakste.com> | 2013-08-14 20:44:17 +0100 |
---|---|---|
committer | Thomas Willingham <founder@kakste.com> | 2013-08-14 20:44:17 +0100 |
commit | a0dfd44f9178796eaf55e4a2ab0194c12e7dfd21 (patch) | |
tree | 31a43380cbe93e28f27c69a7d676fe6bfafbb0f4 /include | |
parent | 94335f237fdadd93b86b271526c25c2a77de9c40 (diff) | |
parent | de4e4c5ebd1ab746432b21d122b5f0cfb70a9bdd (diff) | |
Merge remote-tracking branch 'upstream/master'
Diffstat (limited to 'include')
-rw-r--r-- | include/Contact.php | 25 | ||||
-rw-r--r-- | include/account.php | 1 | ||||
-rwxr-xr-x | include/items.php | 81 | ||||
-rw-r--r-- | include/menu.php | 258 | ||||
-rw-r--r-- | include/notifier.php | 5 | ||||
-rwxr-xr-x | include/text.php | 16 | ||||
-rw-r--r-- | include/zot.php | 9 |
7 files changed, 364 insertions, 31 deletions
diff --git a/include/Contact.php b/include/Contact.php
index b9ad1e4cb..992ed27e2 100644
--- a/include/Contact.php
+++ b/include/Contact.php
@@ -1,6 +1,31 @@
 <?php /** @file */
 
+
+function rconnect_url($channel_id,$xchan) {
+
+	if(! $xchan)
+		return '';
+
+	$r = q("select abook_id from abook where abook_channel = %d and abook_xchan = '%s' limit 1",
+		intval($channel_id),
+		dbesc($xchan)
+	);
+
+	if($r)
+		return '';
+
+	$r = q("select hubloc_url from hubloc where hubloc_hash = '%s' and ( hubloc_flags & %d ) limit 1",
+		dbesc($xchan),
+		intval(HUBLOC_FLAGS_PRIMARY)
+	);
+
+	if($r)
+		return $r[0]['hubloc_url'];
+	return '';
+
+}
+
 function abook_connections($channel_id, $sql_conditions = '') {
 	$r = q("select * from abook left join xchan on abook_xchan = xchan_hash where abook_channel = %d and not ( abook_flags & %d ) $sql_conditions",
diff --git a/include/account.php b/include/account.php
index 6dfb5ae1e..ab442ab39 100644
--- a/include/account.php
+++ b/include/account.php
@@ -6,6 +6,7 @@ require_once('include/plugin.php');
 require_once('include/text.php');
 require_once('include/language.php');
 require_once('include/datetime.php');
+require_once('include/crypto.php');
 
 function check_account_email($email) {
diff --git a/include/items.php b/include/items.php
index e71fd0350..6d853323f 100755
--- a/include/items.php
+++ b/include/items.php
@@ -1342,7 +1342,7 @@ function encode_rel_links($links) {
 	return xmlify($o);
 }
 
-function item_store($arr,$force_parent = false) {
+function item_store($arr,$allow_exec = false) {
 
 	if(! $arr['uid']) {
 		logger('item_store: no uid');
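Review bot: `rconnect_url` hands back `hubloc_url` exactly as stored in the hubloc table, and the zot.php hunk later in this diff shows hubloc rows being maintained from imported remote location data, so callers should treat the return value as untrusted when they turn it into a link — escape it for the HTML context and, if the site wants to be strict, only accept `http`/`https` before returning it. A guard of the shape `if($r && preg_match('/^https?:\/\//i', $r[0]['hubloc_url'])) return $r[0]['hubloc_url'];` keeps a malformed or `javascript:` location out of every caller at once. The early `return ''` when an abook row already exists deserves a one-line comment so nobody "fixes" it: `// already connected - no connect link to offer`.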
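Review bot: Renaming the second positional parameter of `item_store` from `$force_parent` to `$allow_exec` silently repurposes it: any caller still passing `true` for the old meaning now authorises an `application/x-php` body, which the text.php hunk in this same diff feeds to `eval()` at display time. The `consume_feed` call is corrected further down, but every other `item_store(...)`/`item_store_update(...)` call site outside this diff needs the same audit before this lands. To make the grant hard to pass by accident, document it on the signature, e.g. `// $allow_exec: set only by trusted callers that have already verified the author may store executable PHP`, and consider a named constant at call sites instead of a bare `true`. The body of item_store continues outside the hunk.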
@@ -1357,6 +1357,13 @@ function item_store($arr,$force_parent = false) {
 	unset($arr['parent']);
 
 	$arr['mimetype'] = ((x($arr,'mimetype')) ? notags(trim($arr['mimetype'])) : 'text/bbcode');
+
+	if(($arr['mimetype'] == 'application/x-php') && (! $allow_exec)) {
+		logger('item_store: php mimetype but allow_exec is denied.');
+		return 0;
+	}
+
+
 	$arr['title'] = ((x($arr,'title')) ? notags(trim($arr['title'])) : '');
 	$arr['body'] = ((x($arr,'body')) ? trim($arr['body']) : '');
@@ -1369,7 +1376,7 @@ function item_store($arr,$force_parent = false) {
 
 	// this is a bit messy - we really need an input filter chain that temporarily undoes obscuring
 
-	if($arr['mimetype'] != 'text/html') {
+	if($arr['mimetype'] != 'text/html' && $arr['mimetype'] != 'application/x-php') {
 		if((strpos($arr['body'],'<') !== false) || (strpos($arr['body'],'>') !== false))
 			$arr['body'] = escape_tags($arr['body']);
 		if((strpos($arr['title'],'<') !== false) || (strpos($arr['title'],'>') !== false))
@@ -1665,7 +1672,7 @@ function item_store($arr,$force_parent = false) {
 
 
 
-function item_store_update($arr,$force_parent = false) {
+function item_store_update($arr,$allow_exec = false) {
 
 	if(! intval($arr['uid'])) {
 		logger('item_store_update: no uid');
@@ -1696,24 +1703,35 @@ function item_store_update($arr,$force_parent = false) {
 		$arr = $translate['item'];
 	}
 
+	$arr['mimetype'] = ((x($arr,'mimetype')) ? notags(trim($arr['mimetype'])) : 'text/bbcode');
+
+	if(($arr['mimetype'] == 'application/x-php') && (! $allow_exec)) {
+		logger('item_store: php mimetype but allow_exec is denied.');
+		return 0;
+	}
+
+
 	// Shouldn't happen but we want to make absolutely sure it doesn't leak from a plugin.
 
-	if((strpos($arr['body'],'<') !== false) || (strpos($arr['body'],'>') !== false))
-		$arr['body'] = escape_tags($arr['body']);
+	if($arr['mimetype'] != 'text/html' && $arr['mimetype'] != 'application/x-php') {
 
-	if((x($arr,'object')) && is_array($arr['object'])) {
-		activity_sanitise($arr['object']);
-		$arr['object'] = json_encode($arr['object']);
-	}
+		if((strpos($arr['body'],'<') !== false) || (strpos($arr['body'],'>') !== false))
+			$arr['body'] = escape_tags($arr['body']);
 
-	if((x($arr,'target')) && is_array($arr['target'])) {
-		activity_sanitise($arr['target']);
-		$arr['target'] = json_encode($arr['target']);
-	}
+		if((x($arr,'object')) && is_array($arr['object'])) {
+			activity_sanitise($arr['object']);
+			$arr['object'] = json_encode($arr['object']);
+		}
 
-	if((x($arr,'attach')) && is_array($arr['attach'])) {
-		activity_sanitise($arr['attach']);
-		$arr['attach'] = json_encode($arr['attach']);
+		if((x($arr,'target')) && is_array($arr['target'])) {
+			activity_sanitise($arr['target']);
+			$arr['target'] = json_encode($arr['target']);
+		}
+
+		if((x($arr,'attach')) && is_array($arr['attach'])) {
+			activity_sanitise($arr['attach']);
+			$arr['attach'] = json_encode($arr['attach']);
+		}
 	}
 
 	$orig = q("select * from item where id = %d and uid = %d limit 1",
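Review bot: Moving the `object`/`target`/`attach` blocks inside the new `if($arr['mimetype'] != 'text/html' && $arr['mimetype'] != 'application/x-php')` means that for `text/html` and `application/x-php` items those arrays are no longer passed through `activity_sanitise()` nor `json_encode()`d, whereas before this change they always were; an array left in `$arr['object']` reaches the update un-encoded, and the body's content type says nothing about whether the activity object is safe. Only the body escaping belongs behind the mimetype test — close the `if` right after `$arr['body'] = escape_tags($arr['body']);` and leave the three sanitise blocks unconditional as they were. Separately, the new log line reads `'item_store: php mimetype but allow_exec is denied.'` inside item_store_update; `'item_store_update: php mimetype but allow_exec is denied.'` would match the function's other messages. item_store_update continues on both sides of the hunk.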
@@ -1740,7 +1758,6 @@ function item_store_update($arr,$force_parent = false) {
 	$arr['commented'] = datetime_convert();
 	$arr['received'] = datetime_convert();
 	$arr['changed'] = datetime_convert();
-	$arr['mimetype'] = ((x($arr,'mimetype')) ? notags(trim($arr['mimetype'])) : 'text/bbcode');
 	$arr['title'] = ((x($arr,'title')) ? notags(trim($arr['title'])) : '');
 	$arr['location'] = ((x($arr,'location')) ? notags(trim($arr['location'])) : '');
 	$arr['coord'] = ((x($arr,'coord')) ? notags(trim($arr['coord'])) : '');
@@ -2692,7 +2709,7 @@ function consume_feed($xml,$importer,&$contact, &$hub, $datedir = 0, $pass = 0)
 				}
 			}
 
-			$r = item_store($datarray,$force_parent);
+			$r = item_store($datarray);
 			continue;
 		}
 
@@ -3127,21 +3144,28 @@ function item_expire($uid,$days) {
 	// and just expire conversations started by others
 
 	$expire_network_only = get_pconfig($uid,'expire','network_only');
-	$sql_extra = ((intval($expire_network_only)) ? " AND wall = 0 " : "");
+	$sql_extra = ((intval($expire_network_only)) ? " AND not (item_flags & " . intval(ITEM_WALL) . ") " : "");
 
 	$r = q("SELECT * FROM `item`
 		WHERE `uid` = %d
 		AND `created` < UTC_TIMESTAMP() - INTERVAL %d DAY
 		AND `id` = `parent`
 		$sql_extra
-		AND `deleted` = 0",
+		AND NOT (item_restrict & %d )
+		AND NOT (item_restrict & %d )
+		AND NOT (item_restrict & %d ) ",
 		intval($uid),
-		intval($days)
+		intval($days),
+		intval(ITEM_DELETED),
+		intval(ITEM_WEBPAGE),
+		intval(ITEM_BUILDBLOCK)
 	);
 
-	if(! count($r))
+	if(! $r)
 		return;
 
+	$r = fetch_post_tags($r,true);
+
 	$expire_items = get_pconfig($uid, 'expire','items');
 	$expire_items = (($expire_items===false)?1:intval($expire_items)); // default if not set: 1
@@ -3158,20 +3182,19 @@ function item_expire($uid,$days) {
 
 	foreach($r as $item) {
+
+		// don't expire filed items
 
-		if(strpos($item['file'],'[') !== false)
+		$terms = get_terms_oftype($item['term'],TERM_FILE);
+		if($terms)
 			continue;
 
 		// Only expire posts, not photos and photo comments
-		if($expire_photos==0 && strlen($item['resource_id']))
-			continue;
-		if($expire_starred==0 && intval($item['starred']))
-			continue;
-		if($expire_notes==0 && $item['type']=='note')
+		if($expire_photos==0 && ($item['resource_type'] === 'photo'))
 			continue;
-		if($expire_items==0 && $item['type']!='note')
+		if($expire_starred==0 && ($item['item_flags'] & ITEM_STARRED))
 			continue;
 
 		drop_item($item['id'],false);
diff --git a/include/menu.php b/include/menu.php
new file mode 100644
index 000000000..8d4664385
--- /dev/null
+++ b/include/menu.php
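Review bot: The `$expire_items==0` branch is removed from the loop while `$expire_items` is still read from pconfig just above (`get_pconfig($uid, 'expire','items')` at the end of the previous hunk), so a channel that set `expire.items` to 0 to keep its posts will now have them dropped; only the photo and starred guards survive. If the setting is meant to keep working, re-add a guard of the same shape as the photo one, e.g. `if($expire_items==0 && ($item['resource_type'] !== 'photo')) continue;` (the exact predicate depends on what the old `$item['type'] != 'note'` maps to in the new schema); if it is meant to be retired, delete the now-unused pconfig read so nobody believes it still applies. item_expire begins before this hunk.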
@@ -0,0 +1,258 @@
+<?php /** @file */
+
+require_once('include/security.php');
+
+function menu_fetch($name,$uid,$observer_xchan) {
+
+	$sql_options = permissions_sql($uid);
+
+	$r = q("select * from menu where menu_channel_id = %d and menu_name = '%s' limit 1",
+		intval($uid),
+		dbesc($name)
+	);
+	if($r) {
+		$x = q("select * from menu_item where mitem_menu_id = %d and mitem_channel_id = %d
+			$sql_options
+			order by mitem_order asc, mitem_desc asc",
+			intval($r[0]['menu_id']),
+			intval($uid)
+		);
+		return array('menu' => $r[0], 'items' => $x );
+	}
+
+	return null;
+}
+
+
+function menu_render($menu) {
+	if(! $menu)
+		return '';
+	for($x = 0; $x < count($menu['items']); $x ++)
+		if($menu['items']['mitem_flags'] & MENU_ITEM_ZID)
+			$menu['items']['mitem_link'] = zid($menu['items']['mitem_link']);
+		if($menu['items']['mitem_flags'] & MENU_ITEM_NEWWIN)
+			$menu['items']['newwin'] = '1';
+
+	return replace_macros(get_markup_template('usermenu.tpl'),array(
+		'$menu' => $menu['menu'],
+		'$items' => $menu['items']
+	));
+}
+
+
+function menu_fetch_id($menu_id,$channel_id) {
+
+	$r = q("select * from menu where menu_id = %d and menu_channel_id = %d limit 1",
+		intval($menu_id),
+		intval($channel_id)
+	);
+
+	return (($r) ? $r[0] : false);
+}
+
+
+
+function menu_create($arr) {
+
+
+	$menu_name = trim(escape_tags($arr['menu_name']));
+	$menu_desc = trim(escape_tags($arr['menu_desc']));
+
+	if(! $menu_desc)
+		$menu_desc = $menu_name;
+
+	if(! $menu_name)
+		return false;
+
+
+	$menu_channel_id = intval($arr['menu_channel_id']);
+
+	$r = q("select * from menu where menu_name = '%s' and menu_channel_id = %d limit 1",
+		dbesc($menu_name),
+		intval($menu_channel_id)
+	);
+
+	if($r)
+		return false;
+
+	$r = q("insert into menu ( menu_name, menu_desc, menu_channel_id )
+		values( '%s', '%s', %d )",
+		dbesc($menu_name),
+		dbesc($menu_desc),
+		intval($menu_channel_id)
+	);
+	if(! $r)
+		return false;
+
+	$r = q("select menu_id from menu where menu_name = '%s' and menu_channel_id = %d limit 1",
+		dbesc($menu_name),
+		intval($menu_channel_id)
+	);
+	if($r)
+		return $r[0]['menu_id'];
+	return false;
+
+}
+
+function menu_list($channel_id) {
+	$r = q("select * from menu where menu_channel_id = %d order by menu_name",
+		intval($channel_id)
+	);
+	return $r;
+}
+
+
+
+function menu_edit($arr) {
+
+	$menu_id = intval($arr['menu_id']);
+
+	$menu_name = trim(escape_tags($arr['menu_name']));
+	$menu_desc = trim(escape_tags($arr['menu_desc']));
+
+	if(! $menu_desc)
+		$menu_desc = $menu_name;
+
+	if(! $menu_name)
+		return false;
+
+
+	$r = q("select menu_id from menu where menu_name = '%s' and menu_channel_id = %d limit 1",
+		dbesc($menu_name),
+		intval($menu_channel_id)
+	);
+	if(($r) && ($r[0]['menu_id'] != $menu_id)) {
+		logger('menu_edit: duplicate menu name for channel ' . $menu_channel_id);
+		return false;
+	}
+
+
+
+	$menu_channel_id = intval($arr['menu_channel_id']);
+
+	$r = q("select * from menu where menu_id = %d and menu_channel_id = %d limit 1",
+		intval($menu_id),
+		intval($menu_channel_id)
+	);
+	if(! $r) {
+		logger('menu_edit: not found: ' . print_r($arr,true));
+		return false;
+	}
+
+
+	$r = q("select * from menu where menu_name = '%s' and menu_channel_id = %d limit 1",
+		dbesc($menu_name),
+		intval($menu_channel_id)
+	);
+
+	if($r)
+		return false;
+
+	return q("update menu set menu_name = '%s', menu_desc = '%s'
+		where menu_id = %d and menu_channel_id = %d limit 1",
+		dbesc($menu_name),
+		dbesc($menu_desc),
+		intval($menu_id),
+		intval($menu_channel_id)
+	);
+}
+
+function menu_delete($menu_name, $uid) {
+	$r = q("select menu_id from menu where menu_name = '%s' and menu_channel_id = %d limit 1",
+		dbesc($menu_name),
+		intval($uid)
+	);
+
+	if($r)
+		return menu_delete_id($r[0]['menu_id'],$uid);
+	return false;
+}
+
+function menu_delete_id($menu_id, $uid) {
+	$r = q("select menu_id from menu where menu_id = %d and menu_channel_id = %d limit 1",
+		intval($menu_id),
+		intval($uid)
+	);
+	if($r) {
+		$x = q("delete from menu_item where mitem_menu_id = %d and mitem_channel_id = %d",
+			intval($menu_id),
+			intval($uid)
+		);
+		return q("delete from menu where menu_id = %d and menu_channel_id = %d limit 1",
+			intval($menu_id),
+			intval($uid)
+		);
+	}
+	return false;
+}
+
+
+function menu_add_item($menu_id, $uid, $arr) {
+
+
+	$mitem_link = escape_tags($arr['mitem_link']);
+	$mitem_desc = escape_tags($arr['mitem_desc']);
+	$mitem_order = intval($arr['mitem_order']);
+	$mitem_flags = intval($arr['mitem_flags']);
+	$allow_cid = perms2str($arr['allow_cid']);
+	$allow_gid = perms2str($arr['allow_gid']);
+	$deny_cid = perms2str($arr['deny_cid']);
+	$deny_gid = perms2str($arr['deny_gid']);
+
+	$r = q("insert into menu_item ( mitem_link, mitem_desc, mitem_flags, allow_cid, allow_gid, deny_cid, deny_gid, mitem_channel_id, mitem_menu_id, mitem_order ) values ( '%s', '%s', %d, '%s', '%s', '%s', '%s', %d, %d, %d ) ",
+		dbesc($mitem_link),
+		dbesc($mitem_desc),
+		intval($mitem_flags),
+		dbesc($allow_cid),
+		dbesc($allow_gid),
+		dbesc($deny_cid),
+		dbesc($deny_gid),
+		intval($uid),
+		intval($menu_id),
+		intval($mitem_order)
+	);
+	return $r;
+
+}
+
+function menu_edit_item($menu_id, $uid, $arr) {
+
+
+	$mitem_id = intval($arr['mitem_id']);
+	$mitem_link = escape_tags($arr['mitem_link']);
+	$mitem_desc = escape_tags($arr['mitem_desc']);
+	$mitem_order = intval($arr['mitem_order']);
+	$mitem_flags = intval($arr['mitem_flags']);
+	$allow_cid = perms2str($arr['allow_cid']);
+	$allow_gid = perms2str($arr['allow_gid']);
+	$deny_cid = perms2str($arr['deny_cid']);
+	$deny_gid = perms2str($arr['deny_gid']);
+
+	$r = q("update menu_item set mitem_link = '%s', mitem_desc = '%s', mitem_flags = %d, allow_cid = '%s', allow_gid = '%s', deny_cid = '%s', deny_gid = '%s', mitem_order = %d where mitem_channel_id = %d and mitem_menu_id = %d and mitem_id = %d limit 1",
+		dbesc($mitem_link),
+		dbesc($mitem_desc),
+		intval($mitem_flags),
+		dbesc($allow_cid),
+		dbesc($allow_gid),
+		dbesc($deny_cid),
+		dbesc($deny_gid),
+		intval($mitem_order),
+		intval($uid),
+		intval($menu_id),
+		intval($mitem_id)
+	);
+	return $r;
+}
+
+
+
+
+function menu_del_item($menu_id,$uid,$item_id) {
+	$r = q("delete from menu_item where mitem_menu_id = %d and mitem_channel_id = %d and mitem_id = %d limit 1",
+		intval($menu_id),
+		intval($uid),
+		intval($item_id)
+	);
+	return $r;
+}
+
diff --git a/include/notifier.php b/include/notifier.php
index dea9d6072..a0c07200a 100644
--- a/include/notifier.php
+++ b/include/notifier.php
@@ -241,6 +241,11 @@ function notifier_run($argv, $argc){
 		return;
 	}
 
+	if($target_item['item_restrict'] & ITEM_BUILDBLOCK) {
+		logger('notifier: target item ITEM_BUILDBLOCK', LOGGER_DEBUG);
+		return;
+	}
+
 	$s = q("select * from channel where channel_id = %d limit 1",
 		intval($target_item['uid'])
diff --git a/include/text.php b/include/text.php
index 61b39cb59..99d5c9d78 100755
--- a/include/text.php
+++ b/include/text.php
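Review bot: `menu_render`'s `for` loop has no braces, so only the `MENU_ITEM_ZID` test is inside it and the `MENU_ITEM_NEWWIN` test runs once after the loop has finished; as printed, the loop body also indexes `$menu['items']['mitem_flags']` with no `[$x]`, so neither flag is evaluated per item and the template receives the items untouched — the rewrite below braces the loop and indexes each item. `menu_edit` has two further defects: its first duplicate-name query uses `$menu_channel_id` before that variable is assigned from `$arr` a few lines further down (so it queries channel 0 and is inert), and the final `if($r) return false;` matches the menu being edited whenever its name is unchanged, so an edit that only changes `menu_desc` always fails — drop that last check and move the `$menu_channel_id = intval($arr['menu_channel_id']);` line above the first query, whose `$r[0]['menu_id'] != $menu_id` comparison already covers real collisions. Also note that `menu_add_item`/`menu_edit_item` never verify that `$menu_id` belongs to `$uid` the way `menu_delete_id` does, and `mitem_link` is stored after `escape_tags` only, with no scheme check, so a `javascript:` link reaches `usermenu.tpl` unless the template rejects it — worth a `// mitem_link is untrusted: template must escape it and reject non-http schemes` comment or a check here.
```php
function menu_render($menu) {
	if(! $menu)
		return '';
	for($x = 0; $x < count($menu['items']); $x ++) {
		if($menu['items'][$x]['mitem_flags'] & MENU_ITEM_ZID)
			$menu['items'][$x]['mitem_link'] = zid($menu['items'][$x]['mitem_link']);
		if($menu['items'][$x]['mitem_flags'] & MENU_ITEM_NEWWIN)
			$menu['items'][$x]['newwin'] = '1';
	}
	// … unchanged: replace_macros(get_markup_template('usermenu.tpl'), …) …
```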
@@ -1142,6 +1142,22 @@ function prepare_text($text,$content_type = 'text/bbcode') {
 			$s = Markdown($text);
 			break;
 
+		// No security checking is done here at display time - so we need to verify
+		// that the author is allowed to use PHP before storing. We also cannot allow
+		// importation of PHP text bodies from other sites. Therefore this content
+		// type is only valid for web pages (and profile details).
+
+		// It may be possible to provide a PHP message body which is evaluated on the
+		// sender's site before sending it elsewhere. In that case we will have a
+		// different content-type here.
+
+		case 'application/x-php':
+			ob_start();
+			eval($text);
+			$s = ob_get_contents();
+			ob_end_clean();
+			break;
+
 		case 'text/bbcode':
 		case '':
 		default:
diff --git a/include/zot.php b/include/zot.php
index d1bc03bc2..bddbc9bee 100644
--- a/include/zot.php
+++ b/include/zot.php
@@ -583,9 +583,14 @@ function import_xchan($arr) {
 					intval(HUBLOC_FLAGS_PRIMARY),
 					intval($r[0]['hubloc_id'])
 				);
+				update_modtime($xchan_hash);
+				$changed = true;
 			}
-			update_modtime($xchan_hash);
-			$changed = true;
+			continue;
+		}
+
+		if(! $location['sitekey']) {
+			logger('import_xchan: empty hubloc sitekey. ' . print_r($location,true));
 			continue;
 		}
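Review bot: The new `application/x-php` case runs `eval($text)` with no check of its own and relies entirely on the store-time `$allow_exec` gate in items.php, so any path that writes `mimetype` into the item table directly (a plugin, an importer, a DB edit) becomes code execution on the hub — the comment above the case acknowledges this but leaves no way to switch it off. A defence-in-depth kill switch here lets an admin disable the feature regardless of what is stored, e.g. `if(! get_config('system','allow_php_content')) { $s = escape_tags($text); break; }` (presumably the same config layer as the `get_pconfig` calls in items.php — confirm the helper name). The buffering should also be made failure-safe: if `eval` throws (on PHP 7+ a parse error is a thrown `ParseError`), `ob_start()` is never matched by `ob_end_clean()` and the partial buffer leaks into the page, so `try { eval($text); } finally { $s = ob_get_clean(); }` is the safer shape. prepare_text continues outside the hunk.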
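Review bot: The new `if(! $location['sitekey'])` guard only rejects an empty key; a non-empty but unparsable value still flows on to whatever stores the hubloc after this hunk, so anything that later verifies signatures against it fails at use time instead of at import. Checking that the value is at least a loadable public key before accepting the location, e.g. `if((! $location['sitekey']) || (! openssl_pkey_get_public($location['sitekey'])))`, rejects malformed keys at the trust boundary. The `print_r($location,true)` in the log line dumps the whole remote-supplied structure into the log; logging just the location's URL field (its key name is not visible here) would identify the offender with far less noise. import_xchan starts before the hunk and continues after it.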