Diffstat (limited to 'Zotlabs/Module')
-rw-r--r-- | Zotlabs/Module/Activity.php | 2 | ||||
-rw-r--r-- | Zotlabs/Module/Cdav.php | 34 | ||||
-rw-r--r-- | Zotlabs/Module/Display.php | 21 | ||||
-rw-r--r-- | Zotlabs/Module/Follow.php | 4 | ||||
-rw-r--r-- | Zotlabs/Module/Item.php | 9 | ||||
-rw-r--r-- | Zotlabs/Module/Oep.php | 1 | ||||
-rw-r--r-- | Zotlabs/Module/Sse_bs.php | 24 | ||||
-rw-r--r-- | Zotlabs/Module/Wall_upload.php | 22 |
8 files changed, 57 insertions, 60 deletions
diff --git a/Zotlabs/Module/Activity.php b/Zotlabs/Module/Activity.php
index 2fbc35274..4ddfe602d 100644
--- a/Zotlabs/Module/Activity.php
+++ b/Zotlabs/Module/Activity.php
@@ -182,7 +182,7 @@ class Activity extends Controller {
 return; }
- $ob_authorise = false;
+ $ob_authorize = false;
 $item_uid = 0; $bear = ZlibActivity::token_from_request();
diff --git a/Zotlabs/Module/Cdav.php b/Zotlabs/Module/Cdav.php
index e68b2e5b4..8e77515ce 100644
--- a/Zotlabs/Module/Cdav.php
+++ b/Zotlabs/Module/Cdav.php
@@ -332,9 +332,9 @@ class Cdav extends Controller {
 } while ($duplicate == true); $properties = [
- '{DAV:}displayname' => $_REQUEST['{DAV:}displayname'],
- '{http://apple.com/ns/ical/}calendar-color' => $_REQUEST['color'],
- '{urn:ietf:params:xml:ns:caldav}calendar-description' => $channel['channel_name']
+ '{DAV:}displayname' => escape_tags($_REQUEST['{DAV:}displayname']),
+ '{http://apple.com/ns/ical/}calendar-color' => escape_tags($_REQUEST['color']),
+ '{urn:ietf:params:xml:ns:caldav}calendar-description' => escape_tags($channel['channel_name'])
 ]; $id = $caldavBackend->createCalendar($principalUri, $calendarUri, $properties);
@@ -366,7 +366,7 @@ class Cdav extends Controller {
 $allday = $_REQUEST['allday'];
- $title = $_REQUEST['title'];
+ $title = escape_tags($_REQUEST['title']);
 $start = datetime_convert('UTC', 'UTC', $_REQUEST['dtstart']); $dtstart = new \DateTime($start);
@@ -374,8 +374,8 @@ class Cdav extends Controller {
 $end = datetime_convert('UTC', 'UTC', $_REQUEST['dtend']); $dtend = new \DateTime($end); }
- $description = $_REQUEST['description'];
- $location = $_REQUEST['location'];
+ $description = escape_tags($_REQUEST['description']);
+ $location = escape_tags($_REQUEST['location']);
 do { $duplicate = false;
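Review bot: The `escape_tags()` wrappers added to the `$properties` array in this hunk HTML-encode values that are stored as CalDAV properties and handed back to DAV/iCalendar clients rather than rendered as HTML, so if `escape_tags()` is the htmlspecialchars-style helper its name suggests (not visible here, confirm against its definition), a display name like `Work & Home` presumably reaches clients as `Work &amp; Home` and is entity-encoded a second time when Sabre serialises the XML. Escaping belongs at the HTML output point; at this input boundary, validation is the better control, e.g. trimming and length-limiting the name and checking `color` against the hex-colour form the client sends before accepting it, such as `preg_match('/^#[0-9A-Fa-f]{6}([0-9A-Fa-f]{2})?$/', $_REQUEST['color'])` (a constructed example, adjust to the accepted format). The same pattern appears in the hunks at @@ -366, @@ -374, @@ -441, @@ -471, @@ -654 and @@ -678, and in @@ -471 `$uri` is a lookup key passed to `getCalendarObject()`, so encoding it could make an existing object whose URI contains `&` or `'` unfindable. The enclosing functions start and end outside these hunks.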
@@ -441,8 +441,8 @@ class Cdav extends Controller {
 $cdavdata = $this->get_cdav_data($id[0], 'calendarinstances'); $mutations = [
- '{DAV:}displayname' => $_REQUEST['{DAV:}displayname'],
- '{http://apple.com/ns/ical/}calendar-color' => $_REQUEST['color']
+ '{DAV:}displayname' => escape_tags($_REQUEST['{DAV:}displayname']),
+ '{http://apple.com/ns/ical/}calendar-color' => escape_tags($_REQUEST['color'])
 ]; $patch = new \Sabre\DAV\PropPatch($mutations);
@@ -471,18 +471,18 @@ class Cdav extends Controller {
 $timezone = ((x($_POST,'timezone_select')) ? escape_tags(trim($_POST['timezone_select'])) : ''); $tz = (($timezone) ? $timezone : date_default_timezone_get());
- $allday = $_REQUEST['allday'];
+ $allday = intval($_REQUEST['allday']);
- $uri = $_REQUEST['uri'];
- $title = $_REQUEST['title'];
+ $uri = escape_tags($_REQUEST['uri']);
+ $title = escape_tags($_REQUEST['title']);
 $start = datetime_convert('UTC', 'UTC', $_REQUEST['dtstart']); $dtstart = new \DateTime($start); if($_REQUEST['dtend']) { $end = datetime_convert('UTC', 'UTC', $_REQUEST['dtend']); $dtend = new \DateTime($end); }
- $description = $_REQUEST['description'];
- $location = $_REQUEST['location'];
+ $description = escape_tags($_REQUEST['description']);
+ $location = escape_tags($_REQUEST['location']);
 $object = $caldavBackend->getCalendarObject($id, $uri);
@@ -654,7 +654,7 @@ class Cdav extends Controller {
 $duplicate = true; } while ($duplicate == true);
- $properties = ['{DAV:}displayname' => $_REQUEST['{DAV:}displayname']];
+ $properties = ['{DAV:}displayname' => escape_tags($_REQUEST['{DAV:}displayname'])];
 $carddavBackend->createAddressBook($principalUri, $addressbookUri, $properties);
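Review bot: `$allday = intval($_REQUEST['allday']);` on the update path in the hunk at @@ -471 is not mirrored on the create path, where the context line in the hunk at @@ -366 still reads `$allday = $_REQUEST['allday'];`, so the same flag is now coerced on one path and taken raw on the other. Apply the same coercion there: `$allday = intval($_REQUEST['allday']);`. The `$_REQUEST['dtstart']` and `['dtend']` values on the context lines are still passed unchecked to `datetime_convert()` and `new \DateTime()`, where an unparseable value may surface as an exception rather than a validation error; that is pre-existing, but this hunk touches the adjacent lines and is the natural place for a check. The enclosing function starts and ends outside the hunk.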
@@ -668,9 +668,9 @@ class Cdav extends Controller {
 } //edit addressbook
- if($_REQUEST['{DAV:}displayname'] && $_REQUEST['edit'] && intval($_REQUEST['id'])) {
+ if($_REQUEST['{DAV:}displayname'] && $_REQUEST['edit'] && $_REQUEST['id']) {
- $id = $_REQUEST['id'];
+ $id = intval($_REQUEST['id']);
 if(! cdav_perms($id,$addressbooks)) return;
@@ -678,7 +678,7 @@ class Cdav extends Controller {
 $cdavdata = $this->get_cdav_data($id, 'addressbooks'); $mutations = [
- '{DAV:}displayname' => $_REQUEST['{DAV:}displayname']
+ '{DAV:}displayname' => escape_tags($_REQUEST['{DAV:}displayname'])
 ]; $patch = new \Sabre\DAV\PropPatch($mutations);
diff --git a/Zotlabs/Module/Display.php b/Zotlabs/Module/Display.php
index 0aac96f4a..1a1c09d7c 100644
--- a/Zotlabs/Module/Display.php
+++ b/Zotlabs/Module/Display.php
@@ -213,27 +213,27 @@ class Display extends \Zotlabs\Web\Controller {
 $observer_hash = get_observer_hash(); $item_normal = item_normal(); $item_normal_update = item_normal_update();
-
- $sql_extra = ((local_channel()) ? EMPTY_STR : item_permissions_sql(0, $observer_hash));
+ $sql_extra = '';
+ $r = [];
 if($noscript_content || $load) {
- require_once('include/channel.php');
 $sys = get_sys_channel(); // in case somebody turned off public access to sys channel content using permissions // make that content unsearchable by ensuring the owner uid can't match $sys_id = perm_is_allowed($sys['channel_id'], $observer_hash, 'view_stream') ? $sys['channel_id'] : 0;
- $r = null;
-
 if(local_channel()) { $r = q("SELECT item.id AS item_id FROM item WHERE uid = %d AND mid = '%s' $item_normal LIMIT 1", intval(local_channel()), dbesc($target_item['parent_mid']) );
+ }
- if($r === null) {
+ if(!$r) {
+ $sql_extra = item_permissions_sql(0, $observer_hash);
+
 $r = q("SELECT item.id AS item_id FROM item WHERE ((mid = '%s' AND (((( item.allow_cid = '' AND item.allow_gid = '' AND item.deny_cid = ''
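Review bot: The guard `if($_REQUEST['{DAV:}displayname'] && $_REQUEST['edit'] && $_REQUEST['id'])` is weaker than the `intval($_REQUEST['id'])` test it replaces: a non-numeric `id` such as `abc` is truthy, passes the guard, and becomes `$id = 0` on the next added line, so `cdav_perms(0, $addressbooks)` is now reachable where it previously was not. Keep the coercion in the condition, `if($_REQUEST['{DAV:}displayname'] && $_REQUEST['edit'] && intval($_REQUEST['id']))`, or add `if(! $id) return;` directly after the assignment. Whether `cdav_perms()` rejects an id of 0 is not visible here. The enclosing function continues outside the hunk.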
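Review bot: With `if(!$r)` replacing `if($r === null)`, a logged-in observer whose own channel holds no copy of the item now falls through to the second query, and that query's ACL is `item_permissions_sql(0, $observer_hash)` evaluated for uid 0 rather than for the observer's channel; the hunk at @@ -270 makes the same widening for the parent lookup. Since this branch is now the path by which one local channel reads another channel's items, it should be confirmed that the uid-0 form of `item_permissions_sql()` yields the same allow/deny constraints for a local observer as the per-uid form did, and a comment such as `// no local copy: fall back to the observer's ACL against the whole item table` above the added `$sql_extra` assignment would make the intent explicit. `$sql_extra` starts as `''` and is only set inside the fallback, so any later query in this method that appends it applies no extra restriction on the local-channel path, presumably intended because that query is already scoped by uid. The enclosing method starts and ends outside the hunk.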
@@ -257,7 +257,6 @@ class Display extends \Zotlabs\Web\Controller {
 // make that content unsearchable by ensuring the owner uid can't match $sys_id = perm_is_allowed($sys['channel_id'], $observer_hash, 'view_stream') ? $sys['channel_id'] : 0;
- $r = null;
 if(local_channel()) { $r = q("SELECT item.parent AS item_id from item WHERE uid = %d
@@ -270,7 +269,9 @@ class Display extends \Zotlabs\Web\Controller {
 ); }
- if($r === null) {
+ if(!$r) {
+ $sql_extra = item_permissions_sql(0, $observer_hash);
+
 $r = q("SELECT item.id as item_id from item WHERE ((parent_mid = '%s' AND (((( item.allow_cid = '' AND item.allow_gid = '' AND item.deny_cid = ''
@@ -287,10 +288,6 @@ class Display extends \Zotlabs\Web\Controller {
 } }
- else {
- $r = [];
- }
-
 if($r) { $parents_str = ids_to_querystr($r,'item_id'); if($parents_str) {
diff --git a/Zotlabs/Module/Follow.php b/Zotlabs/Module/Follow.php
index 54e29c492..f8bfc11f3 100644
--- a/Zotlabs/Module/Follow.php
+++ b/Zotlabs/Module/Follow.php
@@ -70,12 +70,12 @@ class Follow extends Controller {
 } $uid = local_channel();
- $url = notags(trim(punify($_REQUEST['url'])));
+ $url = notags(punify(trim($_REQUEST['url'])));
 $return_url = $_SESSION['return_url']; $interactive = $_REQUEST['interactive'] ?? 1; $channel = App::get_channel();
- $result = Connect::connect($channel,$url);
+ $result = Connect::connect($channel, $url);
 if ($result['success'] == false) { if ($result['message']) {
diff --git a/Zotlabs/Module/Item.php b/Zotlabs/Module/Item.php
index a5e7b31ea..8e6106e79 100644
--- a/Zotlabs/Module/Item.php
+++ b/Zotlabs/Module/Item.php
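Review bot: `trim($_REQUEST['url'])` on the added line in the Follow.php hunk at @@ -70 runs against a missing key when `url` is absent, which is an undefined-index warning and, on PHP 8.1+, a null-to-`trim()` deprecation; the context line `$return_url = $_SESSION['return_url'];` has the same gap, while `$interactive` two lines later already uses `??`. Default the value in the same style, `$url = notags(punify(trim($_REQUEST['url'] ?? '')));`, and return before `Connect::connect()` when it is empty rather than relying on the callee to reject it (whether it does is not visible here). The enclosing function continues outside the hunk.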
@@ -393,7 +393,7 @@ class Item extends Controller {
 $owner_hash = null;
- $message_id = ((x($_REQUEST, 'message_id') && $api_source) ? strip_tags($_REQUEST['message_id']) : '');
+ $message_id = ((x($_REQUEST, 'message_id') && $api_source) ? strip_tags($_REQUEST['message_id']) : null);
 $created = ((x($_REQUEST, 'created')) ? datetime_convert(date_default_timezone_get(), 'UTC', $_REQUEST['created']) : datetime_convert()); $post_id = ((x($_REQUEST, 'post_id')) ? intval($_REQUEST['post_id']) : 0); $app = ((x($_REQUEST, 'source')) ? strip_tags($_REQUEST['source']) : '');
@@ -710,6 +710,7 @@ class Item extends Controller {
 $expires = $orig_post['expires']; $comments_closed = $orig_post['comments_closed']; $mid = $orig_post['mid'];
+ $uuid = $orig_post['uuid'];
 $thr_parent = $orig_post['thr_parent']; $parent_mid = $orig_post['parent_mid']; $plink = $orig_post['plink'];
@@ -1000,10 +1001,8 @@ class Item extends Controller {
 $notify_type = (($parent) ? 'comment-new' : 'wall-new');
- $uuid = (($message_id) ? $message_id : item_message_id());
-
- $mid = $mid ?? z_root() . '/item/' . $uuid;
-
+ $uuid = $uuid ?? $message_id ?? item_message_id();
+ $mid = $mid ?? z_root() . '/item/' . $uuid;
 if ($is_poll) { $poll = [
diff --git a/Zotlabs/Module/Oep.php b/Zotlabs/Module/Oep.php
index d3ef05e16..bf17e6436 100644
--- a/Zotlabs/Module/Oep.php
+++ b/Zotlabs/Module/Oep.php
@@ -343,6 +343,7 @@ class Oep extends \Zotlabs\Web\Controller {
 if(! ($chn && $res)) return;
+
 $c = q("select * from channel where channel_address = '%s' limit 1", dbesc($chn) );
diff --git a/Zotlabs/Module/Sse_bs.php b/Zotlabs/Module/Sse_bs.php
index 3a4e4e09e..4aabcafcb 100644
--- a/Zotlabs/Module/Sse_bs.php
+++ b/Zotlabs/Module/Sse_bs.php
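Review bot: Changing the fallback from `''` to `null` here, combined with `$uuid = $uuid ?? $message_id ?? item_message_id();` in the hunk at @@ -1000, lets an empty `$message_id` through: if `x()` only checks that the key holds a non-empty value, a `message_id` such as `<b>` passes it, `strip_tags()` reduces it to `''`, and `''` is not null, so `$uuid` becomes `''` and `$mid` becomes `z_root() . '/item/'` with no identifier, which the old `($message_id) ? … : item_message_id()` test guarded against. Normalise at this line so the null-coalescing chain holds: `$message_id = ((x($_REQUEST, 'message_id') && $api_source) ? (strip_tags($_REQUEST['message_id']) ?: null) : null);`. Since this value is chosen by the API client and becomes part of the item's `mid` URL, a length and character-set check on it in the same place would be worth adding. The enclosing method starts and ends outside the hunk.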
@@ -205,18 +205,18 @@ class Sse_bs extends Controller {
 }
- $r = q("SELECT count(id) as total FROM item
+ $r = q("SELECT id FROM item
 WHERE uid = %d and item_unseen = 1 AND item_wall = 0 AND item_private IN (0, 1) AND obj_type NOT IN ('Document', 'Video', 'Audio', 'Image') AND author_xchan != '%s' $item_normal
- $sql_extra",
+ $sql_extra LIMIT 100",
 intval(self::$uid), dbesc(self::$ob_hash) ); if($r)
- $result['network']['count'] = intval($r[0]['total']);
+ $result['network']['count'] = count($r);
 return $result; }
@@ -285,17 +285,17 @@ class Sse_bs extends Controller {
 }
- $r = q("SELECT count(id) as total FROM item
+ $r = q("SELECT id FROM item
 WHERE uid = %d and item_unseen = 1 AND item_private = 2 $item_normal $sql_extra
- AND author_xchan != '%s'",
+ AND author_xchan != '%s' LIMIT 100",
 intval(self::$uid), dbesc(self::$ob_hash) ); if($r)
- $result['dm']['count'] = intval($r[0]['total']);
+ $result['dm']['count'] = count($r);
 return $result; }
@@ -365,17 +365,17 @@ class Sse_bs extends Controller {
 }
- $r = q("SELECT count(id) as total FROM item
+ $r = q("SELECT id FROM item
 WHERE uid = %d and item_unseen = 1 AND item_wall = 1 AND item_private IN (0, 1) $item_normal $sql_extra
- AND author_xchan != '%s'",
+ AND author_xchan != '%s' LIMIT 100",
 intval(self::$uid), dbesc(self::$ob_hash) ); if($r)
- $result['home']['count'] = intval($r[0]['total']);
+ $result['home']['count'] = count($r);
 return $result; }
@@ -458,19 +458,19 @@ class Sse_bs extends Controller {
 }
- $r = q("SELECT count(id) as total FROM item
+ $r = q("SELECT id FROM item
 WHERE uid = %d AND item_unseen = 1 AND created > '%s' $item_normal $sql_extra
- AND author_xchan != '%s'",
+ AND author_xchan != '%s' LIMIT 100",
 intval($sys['channel_id']), dbescdate($_SESSION['static_loadtime']), dbesc(self::$ob_hash) ); if($r)
- $result['pubs']['count'] = intval($r[0]['total']);
+ $result['pubs']['count'] = count($r);
 return $result; }
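Review bot: Replacing `count(id) as total` with `SELECT id … LIMIT 100` and `count($r)` silently caps each reported unseen count at 100, and nothing in the hunk records that the value is now a display ceiling rather than an exact total; the hunks at @@ -285, @@ -365 and @@ -458 make the same change for the dm, home and pubs counters. A comment above the query, `// capped at 100: the badge only needs an approximate unseen count`, would document the intent, and the literal belongs in one class constant so the four copies cannot drift. If any consumer of `$result[...]['count']` still expects an exact number, the aggregate form should be kept for it; whether one exists is not visible here. The enclosing method starts outside the hunk.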
diff --git a/Zotlabs/Module/Wall_upload.php b/Zotlabs/Module/Wall_upload.php
index 6d58e4032..3e979588c 100644
--- a/Zotlabs/Module/Wall_upload.php
+++ b/Zotlabs/Module/Wall_upload.php
@@ -11,10 +11,10 @@ require_once('include/photos.php');
 class Wall_upload extends \Zotlabs\Web\Controller { function post() {
-
-
- $using_api = ((x($_FILES,'media')) ? true : false);
-
+
+
+ $using_api = ((x($_FILES,'media')) ? true : false);
+
 if($using_api) { require_once('include/api.php'); if(api_user())
@@ -24,32 +24,32 @@ class Wall_upload extends \Zotlabs\Web\Controller {
 if(argc() > 1) $channel = channelx_by_nick(argv(1)); }
-
+
 if(! $channel) { if($using_api) return; notice( t('Channel not found.') . EOL); killme(); }
-
+
 $observer = \App::get_observer();
-
+
 $args = array( 'source' => 'editor', 'visible' => 0, 'contact_allow' => array($channel['channel_hash']));
-
+
 $ret = photo_upload($channel,$observer,$args);
-
+
 if(! $ret['success']) { if($using_api) return; notice($ret['message']); killme(); }
-
+
 if($using_api) return("\n\n" . $ret['body'] . "\n\n"); else echo "\n\n" . $ret['body'] . "\n\n"; killme(); }
-
+
 }
|