diff options
| -rw-r--r-- | include/deliver.php | 2 | ||||
| -rw-r--r-- | include/poller.php | 2 | ||||
| -rw-r--r-- | include/zot.php | 27 | ||||
| -rw-r--r-- | mod/probe.php | 11 | ||||
| -rw-r--r-- | version.inc | 2 |
5 files changed, 33 insertions, 11 deletions
diff --git a/include/deliver.php b/include/deliver.php index 547d009cc..b1314ce39 100644 --- a/include/deliver.php +++ b/include/deliver.php @@ -26,7 +26,7 @@ function deliver_run($argv, $argc) { // If there is no outq_msg, this is a refresh_all message which does not require local handling if($r[0]['outq_msg']) { $msg = array('body' => json_encode(array('pickup' => array(array('notify' => json_decode($r[0]['outq_notify'],true),'message' => json_decode($r[0]['outq_msg'],true)))))); - zot_import($msg); + zot_import($msg,z_root()); $r = q("delete from outq where outq_hash = '%s' limit 1", dbesc($argv[$x]) ); diff --git a/include/poller.php b/include/poller.php index 05584a05d..95eb810a0 100644 --- a/include/poller.php +++ b/include/poller.php @@ -242,7 +242,7 @@ function poller_run($argv, $argc){ } if($dirmode == DIRECTORY_MODE_SECONDARY || $dirmode == DIRECTORY_MODE_PRIMARY) { - $r = q("select ud_id from updates where not ( ud_flags & %d ) and ( ud_last = '0000-00-00 00:00:00' OR ud_last > UTC_TIMESTAMP() - INTERVAL 7 DAYS) ", + $r = q("select ud_id from updates where not ( ud_flags & %d ) and ( ud_last = '0000-00-00 00:00:00' OR ud_last > UTC_TIMESTAMP() - INTERVAL 7 DAY ) ", intval(UPDATE_FLAGS_UPDATED) ); if($r) { diff --git a/include/zot.php b/include/zot.php index 33bb60c0f..71aa27a81 100644 --- a/include/zot.php +++ b/include/zot.php @@ -116,7 +116,7 @@ function zot_zot($url,$data) { */ -function zot_finger($webbie,$channel) { +function zot_finger($webbie,$channel,$autofallback = true) { if(strpos($webbie,'@') === false) { @@ -165,7 +165,7 @@ function zot_finger($webbie,$channel) { $result = z_post_url($url . $rhs,$postvars); - if(! $result['success']) { + if((! $result['success']) && ($autofallback)) { if($https) { logger('zot_finger: https failed. falling back to http'); $result = z_post_url('http://' . $host . $rhs,$postvars); @@ -176,7 +176,7 @@ function zot_finger($webbie,$channel) { $rhs .= '?f=&address=' . urlencode($address); $result = z_fetch_url($url . $rhs); - if(! $result['success']) { + if((! $result['success']) && ($autofallback)) { if($https) { logger('zot_finger: https failed. falling back to http'); $result = z_fetch_url('http://' . $host . $rhs); @@ -801,8 +801,7 @@ function zot_fetch($arr) { $datatosend = json_encode(aes_encapsulate(json_encode($data),$ret_hub['hubloc_sitekey'])); $fetch = zot_zot($url,$datatosend); - - $result = zot_import($fetch); + $result = zot_import($fetch, $arr['sender']['url']); return $result; } @@ -815,7 +814,7 @@ function zot_fetch($arr) { * The message types handled here are 'activity' (e.g. posts), 'mail' and 'profile' */ -function zot_import($arr) { +function zot_import($arr, $sender_url) { $data = json_decode($arr['body'],true); @@ -842,6 +841,13 @@ function zot_import($arr) { logger('zot_import: notify: ' . print_r($i['notify'],true), LOGGER_DATA); + $hub = zot_gethub($i['notify']['sender']); + if((! $hub) || ($hub['hubloc_url'] != $sender_url)) { + logger('zot_import: potential forgery: wrong site for sender: ' . $sender_url . ' != ' . print_r($i['notify'],true)); + continue; + } + + $i['notify']['sender']['hash'] = base64url_encode(hash('whirlpool',$i['notify']['sender']['guid'] . $i['notify']['sender']['guid_sig'], true)); $deliveries = null; @@ -1093,6 +1099,15 @@ function allowed_public_recips($msg) { function process_delivery($sender,$arr,$deliveries,$relay) { $result = array(); + + + // We've validated the sender. Now make sure that the sender is the owner or author + // This needs to be done in each process_xxxx function because the data arrays and conditions will be different. + + if($sender['hash'] != $arr['owner_xchan'] && $sender_hash != $arr['author_xchan']) { + logger('process_delivery: sender is not owner or author'); + return; + } foreach($deliveries as $d) { $r = q("select * from channel where channel_hash = '%s' limit 1", diff --git a/mod/probe.php b/mod/probe.php index 397f571c5..bd792d52e 100644 --- a/mod/probe.php +++ b/mod/probe.php @@ -15,9 +15,16 @@ function probe_content(&$a) { if(x($_GET,'addr')) { $channel = $a->get_channel(); $addr = trim($_GET['addr']); - $res = zot_finger($addr,$channel); + $res = zot_finger($addr,$channel,false); $o .= '<pre>'; - $j = json_decode($res['body'],true); + if($res['success']) + $j = json_decode($res['body'],true); + else { + $o .= "<strong>https connection failed. Trying again with auto failover to http.</strong>\r\n\r\n"; + $res = zot_finger($addr,$channel,true); + if($res['success']) + $j = json_decode($res['body'],true); + } if($j && $j['permissions'] && $j['permissions']['iv']) $j['permissions'] = json_decode(aes_unencapsulate($j['permissions'],$channel['channel_prvkey']),true); $o .= str_replace("\n",'<br />',print_r($j,true)); diff --git a/version.inc b/version.inc index f91c18185..bd22a63e0 100644 --- a/version.inc +++ b/version.inc @@ -1 +1 @@ -2013-10-01.453 +2013-10-02.454 |