-rw-r--r--Zotlabs/Module/Channel.php33
-rw-r--r--include/text.php23
2 files changed, 36 insertions, 20 deletions
diff --git a/Zotlabs/Module/Channel.php b/Zotlabs/Module/Channel.php
index 6fac610aa..d6daaa0ad 100644
--- a/Zotlabs/Module/Channel.php
+++ b/Zotlabs/Module/Channel.php
@@ -107,13 +107,11 @@ class Channel extends Controller {
// Somebody may attempt an ActivityStreams fetch on one of our message permalinks
// Make it do the right thing.
- $mid = ((x($_REQUEST, 'mid')) ? $_REQUEST['mid'] : '');
- if ($mid && strpos($mid, 'b64.') === 0) {
- $decoded = @base64url_decode(substr($mid, 4));
- if ($decoded) {
- $mid = $decoded;
- }
+ $mid = ((x($_REQUEST, 'mid')) ? unpack_link_id($_REQUEST['mid']) : '');
+ if ($mid === false) {
+ http_status_exit(404, 'Not found');
}
+
if ($mid) {
$obj = null;
if (strpos($mid, z_root() . '/item/') === 0) {
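Review bot: The new `if ($mid === false)` check does not cover non-string input: `unpack_link_id()` only decodes when `is_string($mid)` holds and otherwise returns its argument unchanged, so if `x($_REQUEST, 'mid')` lets a request like `?mid[]=x` through, `$mid` is an array here and the following `strpos($mid, z_root() . '/item/')` fails with a TypeError on PHP 8, giving a 500 where a 404 was intended. Guard the type at the call site, `if ($mid === false || !is_string($mid)) { http_status_exit(404, 'Not found'); }`, or have the helper return false for anything that is not a string so that `=== false` is a complete malformed-id test. The enclosing method of `Channel` begins and continues outside this hunk.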
@@ -158,15 +156,19 @@ class Channel extends Controller {
profile_load($which, $profile);
// Add Opengraph markup
- $mid = ((x($_REQUEST, 'mid')) ? $_REQUEST['mid'] : '');
- if (strpos($mid, 'b64.') === 0)
- $mid = @base64url_decode(substr($mid, 4));
+ $mid = ((x($_REQUEST, 'mid')) ? unpack_link_id($_REQUEST['mid']) : '');
- if ($mid)
+ if ($mid === false) {
+ notice(t('Malformed message id.') . EOL);
+ return;
+ }
+
+ if ($mid) {
$r = q("SELECT * FROM item WHERE mid = '%s' AND uid = %d AND item_private = 0 LIMIT 1",
dbesc($mid),
intval($channel['channel_id'])
);
+ }
opengraph_add_meta((isset($r) && count($r) ? $r[0] : []), $channel);
}
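Review bot: A malformed id is handled differently here than in the ActivityStreams branch above it: that branch answers with `http_status_exit(404, 'Not found')`, while this one calls `notice(t('Malformed message id.') . EOL)` and then does a bare `return` after `profile_load()` has already run, abandoning whatever the method does after this hunk (it continues outside it). Since the value is only needed to pick an item for OpenGraph metadata, either return the same 404 as the other branch or treat the bad id as absent, `if ($mid === false) { $mid = ''; }`, so the page still renders without the meta tags. As in the branch above, `=== false` does not catch a non-string `mid`, which would reach `dbesc($mid)` unchanged; an `is_string()` check or a helper that returns false for non-strings closes that gap.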
@@ -177,12 +179,11 @@ class Channel extends Controller {
$category = $datequery = $datequery2 = '';
- $mid = ((x($_REQUEST, 'mid')) ? $_REQUEST['mid'] : '');
-
- if (strpos($mid, 'b64.') === 0)
- $decoded = @base64url_decode(substr($mid, 4));
- if (isset($decoded))
- $mid = $decoded;
+ $mid = ((x($_REQUEST, 'mid')) ? unpack_link_id($_REQUEST['mid']) : '');
+ if ($mid === false) {
+ notice(t('Malformed message id.') . EOL);
+ return;
+ }
$datequery = ((x($_GET, 'dend') && is_a_date_arg($_GET['dend'])) ? notags($_GET['dend']) : '');
$datequery2 = ((x($_GET, 'dbegin') && is_a_date_arg($_GET['dbegin'])) ? notags($_GET['dbegin']) : '');
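Review bot: This is the third place in the same method that reads and decodes `$_REQUEST['mid']` and reacts to `false`, each with its own copy of the check; decoding once near the top of the method into a local (or a property) and reusing it would keep the three branches from drifting, as they already do in how they report the error (404 in one, `notice()` plus `return` in two). Note that the date parameters on the two lines below are validated with `is_a_date_arg()` and cleaned with `notags()`, whereas the decoded `$mid` is arbitrary bytes from the client and must be escaped wherever it is used after this hunk, which I cannot see from here. The method continues past the end of the hunk.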
diff --git a/include/text.php b/include/text.php
index e0910f83e..bd2df45aa 100644
--- a/include/text.php
+++ b/include/text.php
@@ -2156,12 +2156,12 @@ function base64url_encode($s, $strip_padding = true) {
return $s;
}
-function base64url_decode($s) {
+function base64url_decode($s, $strict = false) {
if(is_array($s)) {
logger('base64url_decode: illegal input: ' . print_r(debug_backtrace(), true));
return $s;
}
- return base64_decode(strtr($s,'-_','+/'));
+ return base64_decode(strtr($s,'-_','+/'), $strict);
}
@@ -2175,12 +2175,12 @@ function base64special_encode($s, $strip_padding = true) {
return $s;
}
-function base64special_decode($s) {
+function base64special_decode($s, $strict = false) {
if(is_array($s)) {
logger('base64url_decode: illegal input: ' . print_r(debug_backtrace(), true));
return $s;
}
- return base64_decode(strtr($s,',.','+/'));
+ return base64_decode(strtr($s,',.','+/'), $strict);
}
/**
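Review bot: The `is_array` branch, unchanged by this hunk, logs `print_r(debug_backtrace(), true)`, which serialises the arguments of every frame on the stack into the log; those can include request data or other values the callers were handling, so `print_r(debug_backtrace(DEBUG_BACKTRACE_IGNORE_ARGS), true)` would keep the call chain without the payloads. While touching the signature, the log prefix copied from `base64url_decode` should read `base64special_decode` so the two functions can be told apart in the log. The new `$strict` parameter also has no docblock; a line such as `@param bool $strict when true, base64_decode() returns false on characters outside the base64 alphabet instead of dropping them` would tell callers when to pass it.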
@@ -3589,6 +3589,21 @@ function gen_link_id($mid) {
return $mid;
}
+/**
+ * @brief check if the provided string starts with 'b64.' and try to decode it if so.
+ * If it could be decoded return the decoded string or false if decoding failed.
+ * If the string does not start with 'b64.', return the string as is.
+ *
+ * @param string $mid
+ * @return string|boolean false
+ */
+function unpack_link_id($mid) {
+ if (is_string($mid) && strpos($mid, 'b64.') === 0) {
+ $mid = @base64url_decode(substr($mid, 4), true);
+ return $mid;
+ }
+ return $mid;
+}
// callback for array_walk