-rw-r--r-- | boot.php | 39 | ||||
-rw-r--r-- | include/security.php | 8 | ||||
-rw-r--r-- | tests/unit/Module/MagicTest.php | 8 | ||||
-rw-r--r-- | tests/unit/includes/BBCodeTest.php | 7 |
4 files changed, 49 insertions, 13 deletions
@@ -2151,11 +2151,12 @@ function dba_timer() {
 }

 /**
- * @brief Returns xchan_hash from the observer.
+ * Get the unique hash identifying the current observer.
 *
 * Observer can be a local or remote channel.
 *
- * @return string xchan_hash from observer, otherwise empty string if no observer
+ * @return string Unique hash of observer, otherwise empty string if no
+ * observer
 */
 function get_observer_hash() {
 $observer = App::get_observer();
@@ -2167,6 +2168,40 @@ function get_observer_hash() {
 }

 /**
+ * Get the guid of the current observer.
+ *
+ * Observer can be a local or remote channel.
+ *
+ * @return string The GUID of the observer, otherwise empty string if no
+ * observer
+ */
+function get_observer_guid() {
+ $observer = App::get_observer();
+ if (is_array($observer)) {
+ return $observer['xchan_guid'];
+ }
+
+ return '';
+}
+
+/**
+ * Get the name of the current observer.
+ *
+ * Observer can be a local or remote channel.
+ *
+ * @return string The name of the observer, otherwise empty string if no
+ * observer
+ */
+function get_observer_name() {
+ $observer = App::get_observer();
+ if (is_array($observer)) {
+ return $observer['xchan_name'];
+ }
+
+ return '';
+}
+
+/**
 * @brief Returns the complete URL of the current page, e.g.: http(s)://something.com/network
 *
 * Taken from http://webcheatsheet.com/php/get_current_page_url.php
diff --git a/include/security.php b/include/security.php
index 2e0497498..de85f45f6 100644
--- a/include/security.php
+++ b/include/security.php
@@ -607,7 +607,7 @@ function public_permissions_sql($observer_hash) {

 function get_form_security_token($typename = '') {
 $timestamp = time();
- $guid = App::$observer['xchan_guid'] ?? '';
+ $guid = get_observer_guid();
 $sec_hash = hash('whirlpool', $guid . ((local_channel()) ? App::$channel['channel_prvkey'] : '') . session_id() . $timestamp . $typename);

 return $timestamp . '.' . $sec_hash;
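Review bot: `get_observer_guid()` reads `$observer['xchan_guid']` with no key check, so an observer array that lacks that key raises an undefined-index warning and returns null instead of the documented string; `get_observer_name()` has the same gap with `xchan_name`. The call site this commit replaces in include/security.php used `App::$observer['xchan_guid'] ?? ''`, so the refactor silently drops that tolerance, and the MagicTest.php fixture in this same commit is an observer array holding only `xchan_hash`. Change the returns to `return $observer['xchan_guid'] ?? '';` and `return $observer['xchan_name'] ?? '';` so the `@return string` contract holds on every path and `get_form_security_token()` keeps its previous behaviour for observers without a guid.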
@@ -623,7 +623,7 @@ function check_form_security_token($typename = '', $formname = 'form_security_to
 if (time() > (IntVal($x[0]) + $max_livetime))
 return false;

- $sec_hash = hash('whirlpool', App::$observer['xchan_guid'] . ((local_channel()) ? App::$channel['channel_prvkey'] : '') . session_id() . $x[0] . $typename);
+ $sec_hash = hash('whirlpool', get_observer_guid() . ((local_channel()) ? App::$channel['channel_prvkey'] : '') . session_id() . $x[0] . $typename);

 return ($sec_hash == $x[1]);
 }
@@ -635,7 +635,7 @@ function check_form_security_std_err_msg() {

 function check_form_security_token_redirectOnErr($err_redirect, $typename = '', $formname = 'form_security_token') {
 if (!check_form_security_token($typename, $formname)) {
- logger('check_form_security_token failed: user ' . App::$observer['xchan_name'] . ' - form element ' . $typename);
+ logger('check_form_security_token failed: user ' . get_observer_name() . ' - form element ' . $typename);
 logger('check_form_security_token failed: _REQUEST data: ' . print_r($_REQUEST, true), LOGGER_DATA);
 notice(check_form_security_std_err_msg());
 goaway(z_root() . $err_redirect);
@@ -644,7 +644,7 @@ function check_form_security_token_redirectOnErr($err_redirect, $typename = '',

 function check_form_security_token_ForbiddenOnErr($typename = '', $formname = 'form_security_token') {
 if (!check_form_security_token($typename, $formname)) {
- logger('check_form_security_token failed: user ' . App::$observer['xchan_name'] . ' - form element ' . $typename);
+ logger('check_form_security_token failed: user ' . get_observer_name() . ' - form element ' . $typename);
 logger('check_form_security_token failed: _REQUEST data: ' . print_r($_REQUEST, true), LOGGER_DATA);
 header('HTTP/1.1 403 Forbidden');
 killme();
diff --git a/tests/unit/Module/MagicTest.php b/tests/unit/Module/MagicTest.php
index 4a03d9d57..2c426bf76 100644
--- a/tests/unit/Module/MagicTest.php
+++ b/tests/unit/Module/MagicTest.php
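Review bot: The verdict line `return ($sec_hash == $x[1]);` still compares the freshly computed whirlpool digest against the submitted value with loose `==`, which is neither constant-time nor strict (two numeric-looking strings are compared as numbers). Since this hunk already rewrites how `$sec_hash` is derived, it is the natural place to switch the comparison to `return hash_equals($sec_hash, (string) ($x[1] ?? ''));`, which is length- and timing-safe. `check_form_security_token` begins outside the hunk, so I cannot see how `$x` is split from the submitted token; the `?? ''` only matters if a token without a `.` separator is not already rejected earlier in the function.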
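Review bot: Both failure branches touched here (this hunk and the `@@ -644` one) keep the pre-existing `logger('check_form_security_token failed: _REQUEST data: ' . print_r($_REQUEST, true), LOGGER_DATA);`, which writes the entire request — the rejected token and any password or secret field the form carried — into the log file. Since the user-facing half of this log line is being reworked anyway, consider logging only the submitted key names, `logger('check_form_security_token failed: _REQUEST keys: ' . implode(',', array_keys($_REQUEST)), LOGGER_DATA);`, or redacting known-sensitive keys before the dump. Both enclosing functions continue past their hunks.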
@@ -46,9 +46,9 @@ class MagicTest extends TestCase {
 App::set_baseurl($baseurl);

- App::$observer = [
+ App::set_observer([
 'xchan_hash' => 'the hash',
- ];
+ ]);

 // We pass a local URL, and have a valid observer, but as the
 // delegate param is not passed, nothing will be done except
@@ -72,9 +72,9 @@ class MagicTest extends TestCase {
 App::$timezone = 'UTC';

 // Simulate a foreign (to this hub) observer,
- App::$observer = [
+ App::set_observer([
 'xchan_hash' => 'foreign hash',
- ];
+ ]);

 // Create the channel the foreign observer wants to access
 $result = create_identity([
diff --git a/tests/unit/includes/BBCodeTest.php b/tests/unit/includes/BBCodeTest.php
index 136fc6e0e..50475efea 100644
--- a/tests/unit/includes/BBCodeTest.php
+++ b/tests/unit/includes/BBCodeTest.php
@@ -23,6 +23,7 @@ namespace Zotlabs\Tests\Unit\includes;

+use App;
 use Zotlabs\Tests\Unit\UnitTestCase;

 class BBCodeTest extends UnitTestCase {
@@ -42,7 +43,7 @@ class BBCodeTest extends UnitTestCase {
 */
 public function test_bbcode_observer(string $src, bool $logged_in, string $lang, string $expected): void {
 if ($logged_in) {
- \App::$observer = [
+ App::set_observer([
 'xchan_addr' => '',
 'xchan_name' => '',
 'xchan_connurl' => '',
@@ -50,9 +51,9 @@ class BBCodeTest extends UnitTestCase {
 // port required in xchan url due to bug in get_rpost_path
 'xchan_url' => 'https://example.com:666',
- ];
+ ]);
 } else {
- \App::$observer = null;
+ App::set_observer(null);
 }

 \App::$language = $lang;