5 files changed, 397 insertions, 7 deletions
diff --git a/doc/hooklist.bb b/doc/hooklist.bb
new file mode 100644
index 000000000..db61ce1a6
--- /dev/null
+++ b/doc/hooklist.bb
@@ -0,0 +1,372 @@
+ General purpose hook for any module, executed after mod_content(). Replace 'module' with module name, e.g. 'photos_mod_aftercontent'.
+ General purpose hook for any module, executed before mod_content(). Replace 'module' with module name, e.g. 'photos_mod_content'.
+ General purpose hook for any module, executed before mod_init(). Replace 'module' with module name, e.g. 'photos_mod_init'.
+ General purpose hook for any module, executed before mod_post(). Replace 'module' with module name, e.g. 'photos_mod_post'.
+ Called from the siteinfo page
+ Called when accepting a connection (friend request)
+ Called when an account has expired, indicating a potential downgrade to "basic" service class
+ Called when account settings have been saved
+ Called when an activity (post, comment, like, etc.) has been received from a zot source
+ Used to generate alternate labels for the affinity slider.
+ Called when perm_is_allowed() is executed from an API call.
+ Used to register plugins as apps
+ Called when generating an author or owner element for an Atom ActivityStream feed
+ Called when generating each item entry of an Atom ActivityStreams feed
+ Called when generating an Atom ActivityStreams feed
+ Called when generation of an Atom ActivityStreams feed is completed
+ Called when uploading a file
+ Can provide alternate authentication mechanisms
+ Used for "gravatar" or libravatar profile photo lookup.
+ called when converting bbcode to markdown
+ Called when converting bbcode to HTML
+ Called when removing a channel
+ Called to create a chat message.
+ Called when a chat message has been posted
+ Validate the email provided in an account registration
+ Validate an invitation code when using site invitations
+ Used to provide policy control over account passwords (minimum length, character set inclusion, etc.)
+ Called when connecting to a premium channel
+ Called when posting to the features/addon settings page
+ General purpose hook to provide content to certain page regions. Called when constructing the Comanche page.
+ Called when generating the sidebar "Connections" widget
+ Called when editing a connection via connedit
+ Called when posting to connedit
+ Deprecated/unused
+ Called in the beginning of rendering a conversation (message or message collection or stream)
+ Called when creating a channel
+ Called when scheduled tasks (poller) is executed
+ Called when daily scheduled tasks are executed
+ Called when weekly scheduled tasks are executed
+ Called when generating a directory listing for display
+ Called when performing a webfinger lookup
+ Used to validate the names used by a channel
+ Called when visiting the webfinger (RFC7033) service
+ Called when accessing the '.well-known' special site addresses
+ Called when adding the observer's zid to a URL
+ Called when authenticating a visitor who has used zid
+ Called when a zot-info packet has been requested (this is our webfinger discovery mechanism)
diff --git a/include/RedDAV/RedDirectory.php b/include/RedDAV/RedDirectory.php
index 507fde46f..87bdf8f13 100644
--- a/include/RedDAV/RedDirectory.php
+++ b/include/RedDAV/RedDirectory.php
@@ -251,7 +251,7 @@ class RedDirectory extends DAV\Node implements DAV\ICollection, DAV\IQuota {
- dbesc($this->os_path . '/' . $hash),
+ dbesc($f),
diff --git a/include/RedDAV/RedFile.php b/include/RedDAV/RedFile.php
index ec6871a69..5a1b3453a 100644
--- a/include/RedDAV/RedFile.php
+++ b/include/RedDAV/RedFile.php
@@ -126,7 +126,11 @@ class RedFile extends DAV\Node implements DAV\IFile {
$fname = dbunescbin($d[0]['data']);
- $f = 'store/' . $this->auth->owner_nick . '/' . (($fname) ? $fname : '');
+ if(strpos($fname,'store') === false)
+ $f = 'store/' . $this->auth->owner_nick . '/' . (($fname) ? $fname : '');
+ else
+ $f = $fname;
// @todo check return value and set $size directly
@file_put_contents($f, $data);
$size = @filesize($f);
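Review bot: The new `strpos($fname,'store') === false` test looks for the substring anywhere in the name, so a file whose name merely contains that word (a constructed example: `restore.txt`) skips the `store/<owner>/` prefix and is written relative to the working directory instead; the same pattern appears in the second RedFile hunk and in the attach.php hunk. A prefix test expresses the intent: `if(strpos($fname, 'store/') !== 0)`. Because `$fname` is read from the database and the else branch then uses it verbatim as the write path, it is worth confirming that `data` is only ever populated by this code and never from a caller-supplied name. The enclosing method continues outside the hunk.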
@@ -226,7 +230,11 @@ class RedFile extends DAV\Node implements DAV\IFile {
if (intval($r[0]['os_storage'])) {
- $f = 'store/' . $this->auth->owner_nick . '/' . (($this->os_path) ? $this->os_path . '/' : '') . dbunescbin($r[0]['data']);
+ $x = dbunsecbin($r[0]['data']);
+ if(strpos($x,'store') === false)
+ $f = 'store/' . $this->auth->owner_nick . '/' . (($this->os_path) ? $this->os_path . '/' : '') . $x;
+ else
+ $f = $x;
return fopen($f, 'rb');
return dbunescbin($r[0]['data']);
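Review bot: `dbunsecbin()` on the first added line is a typo for `dbunescbin()`, the function used on the last line of this hunk and in the earlier hunk; as written, PHP raises a fatal undefined-function error whenever `os_storage` is set. Change it to `$x = dbunescbin($r[0]['data']);`. The substring check below it shares the defect raised on the previous hunk. The enclosing method continues outside the hunk.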
diff --git a/include/attach.php b/include/attach.php
index 8a568d8e1..36b971712 100644
--- a/include/attach.php
+++ b/include/attach.php
@@ -1270,9 +1270,13 @@ function attach_delete($channel_id, $resource, $is_photo = 0) {
if($y) {
- $f = 'store/' . $channel_address . '/' . $y[0]['data'];
- if(is_dir($y[0]['data']))
- @rmdir($y[0]['data']);
+ if(strpos($y[0]['data'],'store') === false)
+ $f = 'store/' . $channel_address . '/' . $y[0]['data'];
+ else
+ $f = $y[0]['data'];
+ if(is_dir($f))
+ @rmdir($f);
diff --git a/include/bbcode.php b/include/bbcode.php
index 517f22bee..05802aa57 100644
--- a/include/bbcode.php
+++ b/include/bbcode.php
@@ -599,6 +599,7 @@ function bbcode($Text, $preserve_nl = false, $tryoembed = true, $cache = false)
$Text = preg_replace("/\[mail\=([$MAILSearchString]*)\](.*?)\[\/mail\]/", '<a href="mailto:$1" target="_newwin" >$2</a>', $Text);
// leave open the posibility of [map=something]
// this is replaced in prepare_body() which has knowledge of the item location
@@ -983,7 +984,12 @@ function bbcode($Text, $preserve_nl = false, $tryoembed = true, $cache = false)
$Text = preg_replace('/\[\&amp\;([#a-z0-9]+)\;\]/', '&$1;', $Text);
// fix any escaped ampersands that may have been converted into links
- $Text = preg_replace("/\<(.*?)(src|href)=(.*?)\&amp\;(.*?)\>/ism", '<$1$2=$3&$4>', $Text);
+ if(strpos($Text,'&amp;') !== false)
+ $Text = preg_replace("/\<(.*?)(src|href)=(.*?)\&amp\;(.*?)\>/ism", '<$1$2=$3&$4>', $Text);
+ // This is subtle - it's an XSS filter. It only accepts links with a protocol scheme and where
+ // the scheme begins with z (zhttp), h (http(s)), f (ftp), m (mailto), and named anchors.
$Text = preg_replace("/\<(.*?)(src|href)=\"[^zhfm#](.*?)\>/ism", '<$1$2="">', $Text);
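Review bot: The added comment overstates what the pattern on the following line enforces: `=\"[^zhfm#]` looks only at the first character after a double-quoted `src=`/`href=` value, so it is a first-letter allowlist rather than a scheme check, and attribute values that are not double-quoted are not examined by it at all. The wording should match the code so later readers do not rely on it as full scheme validation, e.g. `// Partial XSS filter: blanks double-quoted src/href values whose first character is not z, h, f, m or #` followed by `// (zhttp, http(s), ftp, mailto, named anchors); other quoting styles are not covered here.`. The `strpos` guard added above it is a reasonable fast path, since the replacement is a no-op when no `&amp;` is present. The enclosing function continues outside the hunk.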