-rw-r--r--Zotlabs/Module/Oep.php4
-rw-r--r--Zotlabs/Module/Zfinger.php3
-rw-r--r--Zotlabs/Web/HTTPSig.php13
-rw-r--r--Zotlabs/Zot/Auth.php1
-rw-r--r--Zotlabs/Zot/Finger.php23
-rw-r--r--include/bbcode.php7
-rw-r--r--include/channel.php4
-rw-r--r--include/text.php8
-rw-r--r--include/zot.php3
9 files changed, 45 insertions, 21 deletions
diff --git a/Zotlabs/Module/Oep.php b/Zotlabs/Module/Oep.php
index 9a1317142..5e06d3540 100644
--- a/Zotlabs/Module/Oep.php
+++ b/Zotlabs/Module/Oep.php
@@ -172,7 +172,7 @@ class Oep extends \Zotlabs\Web\Controller {
if(! perm_is_allowed($channel['channel_id'],get_observer_hash(),'view_pages'))
return $ret;
- $sql_extra = items_permissions_sql($channel['channel_id'],get_observer_hash());
+ $sql_extra = item_permissions_sql($channel['channel_id'],get_observer_hash());
$r = q("select * from iconfig where iconfig.cat = 'system' and iconfig.k = 'CARD' and iconfig.v = '%s' limit 1",
dbesc($res)
@@ -183,7 +183,7 @@ class Oep extends \Zotlabs\Web\Controller {
else {
return $ret;
}
-
+
$r = q("select * from item
where item.uid = %d and item_type = %d
$sql_extra order by item.created desc",
diff --git a/Zotlabs/Module/Zfinger.php b/Zotlabs/Module/Zfinger.php
index b978b9769..0f7f6a64b 100644
--- a/Zotlabs/Module/Zfinger.php
+++ b/Zotlabs/Module/Zfinger.php
@@ -25,7 +25,8 @@ class Zfinger extends \Zotlabs\Web\Controller {
if($chan) {
$hash = \Zotlabs\Web\HTTPSig::generate_digest($ret,false);
$headers['Digest'] = 'SHA-256=' . $hash;
- \Zotlabs\Web\HTTPSig::create_sig('',$headers,$chan['channel_prvkey'],z_root() . '/channel/' . $chan['channel_address'],true);
+ \Zotlabs\Web\HTTPSig::create_sig('',$headers,$chan['channel_prvkey'],
+ 'acct:' . $chan['channel_address'] . '@' . \App::get_hostname(),true);
}
else {
foreach($headers as $k => $v) {
diff --git a/Zotlabs/Web/HTTPSig.php b/Zotlabs/Web/HTTPSig.php
index e9e262125..2b139a2a1 100644
--- a/Zotlabs/Web/HTTPSig.php
+++ b/Zotlabs/Web/HTTPSig.php
@@ -126,9 +126,16 @@ class HTTPSig {
function get_activitypub_key($id) {
- $x = q("select xchan_pubkey from xchan where xchan_hash = '%s' and xchan_network = 'activitypub' ",
- dbesc($id)
- );
+ if(strpos($id,'acct:') === 0) {
+ $x = q("select xchan_pubkey from xchan left join hubloc on xchan_hash = hubloc_hash where hubloc_addr = '%s' limit 1",
+ dbesc(str_replace('acct:','',$id))
+ );
+ }
+ else {
+ $x = q("select xchan_pubkey from xchan where xchan_hash = '%s' and xchan_network = 'activitypub' ",
+ dbesc($id)
+ );
+ }
if($x && $x[0]['xchan_pubkey']) {
return ($x[0]['xchan_pubkey']);
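Review bot: In the new `acct:` branch of get_activitypub_key(), `str_replace('acct:','',$id)` removes every occurrence of the substring, not just the prefix that the `strpos(...) === 0` test established, so the looked-up address can differ from the one presented; `dbesc(substr($id,5))` strips only the prefix. The query also takes whichever row `limit 1` yields for that `hubloc_addr`, with no network or validity filter comparable to the `xchan_network = 'activitypub'` condition in the else branch, and filtering on a hubloc column makes the `left join` behave as an inner join anyway. Since `$id` presumably comes from the keyId of an incoming signature, a comment stating which hubloc rows are acceptable key sources (and a matching where clause) would make the trust decision explicit. The function body continues past the end of the hunk.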
diff --git a/Zotlabs/Zot/Auth.php b/Zotlabs/Zot/Auth.php
index 44f01174e..8d198f506 100644
--- a/Zotlabs/Zot/Auth.php
+++ b/Zotlabs/Zot/Auth.php
@@ -167,7 +167,6 @@ class Auth {
dbesc($hubloc['hubloc_url'])
);
- // needs a nonce!!!!
$p = zot_build_packet($channel,$type = 'auth_check',
array(array('guid' => $hubloc['hubloc_guid'],'guid_sig' => $hubloc['hubloc_guid_sig'])),
$hubloc['hubloc_sitekey'], (($x) ? $x[0]['site_crypto'] : ''), $this->sec);
diff --git a/Zotlabs/Zot/Finger.php b/Zotlabs/Zot/Finger.php
index 9871b5bbd..e205b136f 100644
--- a/Zotlabs/Zot/Finger.php
+++ b/Zotlabs/Zot/Finger.php
@@ -22,6 +22,7 @@ class Finger {
*
* @return zotinfo array (with 'success' => true) or array('success' => false);
*/
+
static public function run($webbie, $channel = null, $autofallback = true) {
$ret = array('success' => false);
@@ -84,18 +85,27 @@ class Finger {
'token' => self::$token
);
- $result = z_post_url($url . $rhs,$postvars);
+ $headers = [];
+ $headers['X-Zot-Channel'] = $channel['channel_address'] . '@' . \App::get_hostname();
+ $headers['X-Zot-Nonce'] = random_string();
+ $xhead = \Zotlabs\Web\HTTPSig::create_sig('',$headers,$channel['channel_prvkey'],
+ 'acct:' . $channel['channel_address'] . '@' . \App::get_hostname(),false);
+
+ $retries = 0;
+
+ $result = z_post_url($url . $rhs,$postvars,$retries, [ 'headers' => $xhead ]);
if ((! $result['success']) && ($autofallback)) {
if ($https) {
logger('zot_finger: https failed. falling back to http');
- $result = z_post_url('http://' . $host . $rhs,$postvars);
+ $result = z_post_url('http://' . $host . $rhs,$postvars, $retries, [ 'headers' => $xhead ]);
}
}
- } else {
+ }
+ else {
$rhs .= '?f=&address=' . urlencode($address) . '&token=' . self::$token;
- $result = z_fetch_url($url . $rhs);
+ $result = z_fetch_url($url . $rhs);
if((! $result['success']) && ($autofallback)) {
if($https) {
logger('zot_finger: https failed. falling back to http');
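Review bot: The `http://` fallback passes the same `$xhead` as the HTTPS attempt, so the signed `X-Zot-Channel` and `X-Zot-Nonce` headers are resent in cleartext with the nonce unchanged, and nothing visible in this hunk records the nonce; replay protection therefore rests entirely on receiver-side checks this diff does not show. The empty first argument to `create_sig()` also suggests the request target is not part of the signed data, which would leave the signature unbound to the host it was meant for. Consider building a fresh nonce and signature for the fallback request, or documenting the limitation with `// nonce is only single-use if the receiving site tracks it`. Separately, `$retries` is passed as the third argument of `z_post_url()`, which looks like the redirect counter rather than a retry count, so a name such as `$redirects` would read more accurately. The enclosing branch of run() starts above the hunk, so whether `$channel` is guaranteed non-null here cannot be confirmed from these lines.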
@@ -111,7 +121,10 @@ class Finger {
}
$x = json_decode($result['body'], true);
- if($x) {
+
+ $verify = \Zotlabs\Web\HTTPSig::verify($result,(($x) ? $x['key'] : '');
+
+ if($x && (! $verify['header_valid'])) {
$signed_token = ((is_array($x) && array_key_exists('signed_token', $x)) ? $x['signed_token'] : null);
if($signed_token) {
$valid = rsa_verify('token.' . self::$token, base64url_decode($signed_token), $x['key']);
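Review bot: The added `HTTPSig::verify(` call has unbalanced parentheses and will not parse; it needs one more closing parenthesis, `$verify = \Zotlabs\Web\HTTPSig::verify($result,(($x) ? $x['key'] : ''));`. Beyond that, the key handed to verify() is `$x['key']` taken from the very response being checked, so a valid header signature only shows the response is self-consistent, not that the key belongs to the address that was fingered. The new condition also skips the `signed_token` check whenever `header_valid` is set; if verify() reports body-digest validity separately, that result should be required too, because `$x` is parsed from the body and not from the signed headers. The rest of this block lies outside the hunk, so what happens on the header-valid path is not visible here.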
diff --git a/include/bbcode.php b/include/bbcode.php
index 470854f06..9a2a6eb9b 100644
--- a/include/bbcode.php
+++ b/include/bbcode.php
@@ -327,11 +327,16 @@ function bb_ShareAttributes($match) {
if ($avatar != "")
$headline .= '<a href="' . zid($profile) . '" ><img src="' . $avatar . '" alt="' . $author . '" height="32" width="32" /></a>';
+ if(strpos($link,'/cards/'))
+ $type = t('card');
+ else
+ $type = t('post');
+
// Bob Smith wrote the following post 2 hours ago
$fmt = sprintf( t('%1$s wrote the following %2$s %3$s'),
'<a href="' . zid($profile) . '" >' . $author . '</a>',
- '<a href="' . zid($link) . '" >' . t('post') . '</a>',
+ '<a href="' . zid($link) . '" >' . $type . '</a>',
$reldate
);
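Review bot: `if(strpos($link,'/cards/'))` uses the offset as a boolean, so a match at position 0 is treated the same as no match; the usual form is `if(strpos($link,'/cards/') !== false)`. The test also matches `/cards/` anywhere in the link, including a query string, so the label is chosen from text the share author controls; that is cosmetic here, but a short comment saying the type is a display hint only would keep later code from relying on it. bb_ShareAttributes() begins and ends outside this hunk.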
diff --git a/include/channel.php b/include/channel.php
index faf28df28..41feca362 100644
--- a/include/channel.php
+++ b/include/channel.php
@@ -52,7 +52,7 @@ function identity_check_service_class($account_id) {
*
* This action is pluggable.
* We're currently only checking for an empty name or one that exceeds our
- * storage limit (255 chars). 255 chars is probably going to create a mess on
+ * storage limit (191 chars). 191 chars is probably going to create a mess on
* some pages.
* Plugins can set additional policies such as full name requirements, character
* sets, multi-byte length, etc.
@@ -67,7 +67,7 @@ function validate_channelname($name) {
if (! $name)
return t('Empty name');
- if (strlen($name) > 255)
+ if (mb_strlen($name) > 191)
return t('Name too long');
$arr = ['name' => $name];
diff --git a/include/text.php b/include/text.php
index ea21e2184..a3c2bbc08 100644
--- a/include/text.php
+++ b/include/text.php
@@ -1984,14 +1984,14 @@ function is_a_date_arg($s) {
}
function legal_webbie($s) {
- if(! strlen($s))
+ if(! $s)
return '';
- // WARNING: This regex will not work in a federated environment.
+ // WARNING: This regex may not work in a federated environment.
// You will probably want something like
// preg_replace('/([^a-z0-9\_])/','',strtolower($s));
- $r = preg_replace('/([^a-z0-9\-\_\.])/','',strtolower($s));
+ $r = preg_replace('/([^a-z0-9\-\_])/','',strtolower($s));
$x = [ 'input' => $s, 'output' => $r ];
call_hooks('legal_webbie',$x);
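Review bot: Replacing `! strlen($s)` with `! $s` makes legal_webbie() treat the string `'0'` as empty, so that input now returns `''` where it previously reached the regex and came back as `'0'`. If only null and the empty string are meant to short-circuit, `if($s === null || $s === '')` keeps the old behaviour without the truthiness trap. The function still silently rewrites the name rather than rejecting it, so with `.` dropped from the allowed set a caller comparing input and output is the only place the change becomes visible; the function's return lies outside the hunk.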
@@ -2003,7 +2003,7 @@ function legal_webbie_text() {
// WARNING: This will not work in a federated environment.
- $s = t('a-z, 0-9, -, _, and . only');
+ $s = t('a-z, 0-9, -, and _ only');
$x = [ 'text' => $s ];
call_hooks('legal_webbie_text',$x);
diff --git a/include/zot.php b/include/zot.php
index 56bd7d212..cb213eff3 100644
--- a/include/zot.php
+++ b/include/zot.php
@@ -137,7 +137,7 @@ function zot_build_packet($channel, $type = 'notify', $recipients = null, $remot
}
if ($secret) {
- $data['secret'] = $secret;
+ $data['secret'] = preg_replace('/[^0-9a-fA-F]/','',$secret);
$data['secret_sig'] = base64url_encode(rsa_sign($secret,$channel['channel_prvkey'],$sig_method));
}
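Review bot: `$data['secret']` now carries a hex-filtered copy of `$secret`, but `secret_sig` on the next line is still computed over the unfiltered value, so any secret containing a non-hex character is sent in a form that no longer matches its own signature; zot_reply_auth_check() later in this file verifies `$data['secret']` against `secret_sig` and would reject it. Filter once and sign what is sent: `$secret = preg_replace('/[^0-9a-fA-F]/','',$secret);` before the assignment, then `$data['secret'] = $secret;`. Silently stripping characters also hides a malformed secret from the caller, so rejecting or logging a non-hex value may be the safer choice. zot_build_packet() starts and ends outside this hunk.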
@@ -4621,7 +4621,6 @@ function zot_reply_auth_check($data,$encrypted_packet) {
// First verify their signature. We will have obtained a zot-info packet from them as part of the sender
// verification.
- // needs a nonce!!!!
if ((! $y) || (! rsa_verify($data['secret'], base64url_decode($data['secret_sig']),$y[0]['xchan_pubkey']))) {
logger('mod_zot: auth_check: sender not found or secret_sig invalid.');
$ret['message'] .= 'sender not found or sig invalid ' . print_r($y,true) . EOL;