authorfriendica <info@friendica.com>2013-08-11 16:56:06 -0700
committerfriendica <info@friendica.com>2013-08-11 16:56:06 -0700
commitd7a9db10881b8d9de1b5f7e2a2dfae3df396fb45 (patch)
tree1687d18e67706b14acc31d38cfabcf39e5bbc501 /include
parent5aa508dba77ed69e1aa8810623e75d15ad15c2ad (diff)
Important bits we need to allow PHP executable content. This must be explicitly allowed - but only if the account has ACCOUNT_ROLE_ALLOWCODE, and *only* for web pages and profile fields. This content cannot be transmitted to other sites.
Diffstat (limited to 'include')
-rwxr-xr-xinclude/items.php53
-rwxr-xr-xinclude/text.php16
2 files changed, 51 insertions, 18 deletions
diff --git a/include/items.php b/include/items.php
index e71fd0350..7662f7823 100755
--- a/include/items.php
+++ b/include/items.php
@@ -1342,7 +1342,7 @@ function encode_rel_links($links) {
return xmlify($o);
}
-function item_store($arr,$force_parent = false) {
+function item_store($arr,$allow_exec = false) {
if(! $arr['uid']) {
logger('item_store: no uid');
@@ -1357,6 +1357,13 @@ function item_store($arr,$force_parent = false) {
unset($arr['parent']);
$arr['mimetype'] = ((x($arr,'mimetype')) ? notags(trim($arr['mimetype'])) : 'text/bbcode');
+
+ if(($arr['mimetype'] == 'application/x-php') && (! $allow_exec)) {
+ logger('item_store: php mimetype but allow_exec is denied.');
+ return 0;
+ }
+
+
$arr['title'] = ((x($arr,'title')) ? notags(trim($arr['title'])) : '');
$arr['body'] = ((x($arr,'body')) ? trim($arr['body']) : '');
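Review bot: The new gate `if(($arr['mimetype'] == 'application/x-php') && (! $allow_exec))` trusts a caller-supplied positional boolean that now occupies the slot of the old `$force_parent`, so any call site outside this diff that still passes a truthy second argument for the old meaning (only consume_feed is updated here) would silently enable executable content. Consider re-checking the owner's account role from `$arr['uid']` inside item_store() as well, so a stale or new call site cannot grant it by accident; the same applies to the copy of this block in item_store_update(). The denial log line would be more useful for triage with the account attached, e.g. `logger('item_store: php mimetype but allow_exec is denied. uid=' . $arr['uid']);`. item_store() continues outside the hunk.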
@@ -1369,7 +1376,7 @@ function item_store($arr,$force_parent = false) {
// this is a bit messy - we really need an input filter chain that temporarily undoes obscuring
- if($arr['mimetype'] != 'text/html') {
+ if($arr['mimetype'] != 'text/html' && $arr['mimetype'] != 'application/x-php') {
if((strpos($arr['body'],'<') !== false) || (strpos($arr['body'],'>') !== false))
$arr['body'] = escape_tags($arr['body']);
if((strpos($arr['title'],'<') !== false) || (strpos($arr['title'],'>') !== false))
@@ -1665,7 +1672,7 @@ function item_store($arr,$force_parent = false) {
-function item_store_update($arr,$force_parent = false) {
+function item_store_update($arr,$allow_exec = false) {
if(! intval($arr['uid'])) {
logger('item_store_update: no uid');
@@ -1696,24 +1703,35 @@ function item_store_update($arr,$force_parent = false) {
$arr = $translate['item'];
}
+ $arr['mimetype'] = ((x($arr,'mimetype')) ? notags(trim($arr['mimetype'])) : 'text/bbcode');
+
+ if(($arr['mimetype'] == 'application/x-php') && (! $allow_exec)) {
+ logger('item_store: php mimetype but allow_exec is denied.');
+ return 0;
+ }
+
+
// Shouldn't happen but we want to make absolutely sure it doesn't leak from a plugin.
- if((strpos($arr['body'],'<') !== false) || (strpos($arr['body'],'>') !== false))
- $arr['body'] = escape_tags($arr['body']);
+ if($arr['mimetype'] != 'text/html' && $arr['mimetype'] != 'application/x-php') {
- if((x($arr,'object')) && is_array($arr['object'])) {
- activity_sanitise($arr['object']);
- $arr['object'] = json_encode($arr['object']);
- }
+ if((strpos($arr['body'],'<') !== false) || (strpos($arr['body'],'>') !== false))
+ $arr['body'] = escape_tags($arr['body']);
- if((x($arr,'target')) && is_array($arr['target'])) {
- activity_sanitise($arr['target']);
- $arr['target'] = json_encode($arr['target']);
- }
+ if((x($arr,'object')) && is_array($arr['object'])) {
+ activity_sanitise($arr['object']);
+ $arr['object'] = json_encode($arr['object']);
+ }
- if((x($arr,'attach')) && is_array($arr['attach'])) {
- activity_sanitise($arr['attach']);
- $arr['attach'] = json_encode($arr['attach']);
+ if((x($arr,'target')) && is_array($arr['target'])) {
+ activity_sanitise($arr['target']);
+ $arr['target'] = json_encode($arr['target']);
+ }
+
+ if((x($arr,'attach')) && is_array($arr['attach'])) {
+ activity_sanitise($arr['attach']);
+ $arr['attach'] = json_encode($arr['attach']);
+ }
}
$orig = q("select * from item where id = %d and uid = %d limit 1",
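Review bot: The new brace layout moves the activity_sanitise()/json_encode() of `object`, `target` and `attach` inside the `if($arr['mimetype'] != 'text/html' && $arr['mimetype'] != 'application/x-php')` block, so for text/html and application/x-php items those fields are no longer sanitised or JSON-encoded before the row is written, whereas the removed lines ran them unconditionally. Only the escape_tags() of the body should depend on the mimetype: close the new `if` directly after `$arr['body'] = escape_tags($arr['body']);` and keep the three array blocks at the outer level. The copied logger call at the top of the hunk still says `item_store:`; it should read `logger('item_store_update: php mimetype but allow_exec is denied.');` so a denial is attributable to the right path in the logs. item_store_update() continues outside the hunk.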
@@ -1740,7 +1758,6 @@ function item_store_update($arr,$force_parent = false) {
$arr['commented'] = datetime_convert();
$arr['received'] = datetime_convert();
$arr['changed'] = datetime_convert();
- $arr['mimetype'] = ((x($arr,'mimetype')) ? notags(trim($arr['mimetype'])) : 'text/bbcode');
$arr['title'] = ((x($arr,'title')) ? notags(trim($arr['title'])) : '');
$arr['location'] = ((x($arr,'location')) ? notags(trim($arr['location'])) : '');
$arr['coord'] = ((x($arr,'coord')) ? notags(trim($arr['coord'])) : '');
@@ -2692,7 +2709,7 @@ function consume_feed($xml,$importer,&$contact, &$hub, $datedir = 0, $pass = 0)
}
}
- $r = item_store($datarray,$force_parent);
+ $r = item_store($datarray);
continue;
}
diff --git a/include/text.php b/include/text.php
index 61b39cb59..99d5c9d78 100755
--- a/include/text.php
+++ b/include/text.php
@@ -1142,6 +1142,22 @@ function prepare_text($text,$content_type = 'text/bbcode') {
$s = Markdown($text);
break;
+ // No security checking is done here at display time - so we need to verify
+ // that the author is allowed to use PHP before storing. We also cannot allow
+ // importation of PHP text bodies from other sites. Therefore this content
+ // type is only valid for web pages (and profile details).
+
+ // It may be possible to provide a PHP message body which is evaluated on the
+ // sender's site before sending it elsewhere. In that case we will have a
+ // different content-type here.
+
+ case 'application/x-php':
+ ob_start();
+ eval($text);
+ $s = ob_get_contents();
+ ob_end_clean();
+ break;
+
case 'text/bbcode':
case '':
default:
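Review bot: If the evaluated code throws (a ParseError on PHP 7 and later, or any uncaught exception raised by the body), control leaves the `case 'application/x-php':` branch between ob_start() and ob_end_clean(), leaving an output-buffer level open for the rest of the request. Use `ob_start(); try { eval($text); } finally { $s = ob_get_clean(); }` so the buffer is always closed (try/finally needs PHP 5.5+; on older targets `$s = ob_get_clean();` at least replaces the two-call sequence), and consider catching the failure to substitute an error placeholder rather than emitting a blank body. As the new comment says, no check happens at display time, so this branch is only safe while every path that writes mimetype='application/x-php' passes through the item_store gates; that contract belongs in a docblock on prepare_text() itself, not only in the case comment. prepare_text()'s switch continues outside the hunk.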