Diffstat (limited to 'boot.php')
-rwxr-xr-xboot.php56
1 files changed, 48 insertions, 8 deletions
diff --git a/boot.php b/boot.php
index e13910ecf..fca184555 100755
--- a/boot.php
+++ b/boot.php
@@ -50,11 +50,11 @@ require_once('include/attach.php');
require_once('include/bbcode.php');
define ( 'PLATFORM_NAME', 'hubzilla' );
-define ( 'STD_VERSION', '3.5.8' );
+define ( 'STD_VERSION', '3.7.1' );
define ( 'ZOT_REVISION', '6.0a' );
-define ( 'DB_UPDATE_VERSION', 1215 );
+define ( 'DB_UPDATE_VERSION', 1217 );
define ( 'PROJECT_BASE', __DIR__ );
@@ -874,11 +874,14 @@ class App {
}
if((x($_SERVER,'QUERY_STRING')) && substr($_SERVER['QUERY_STRING'], 0, 2) === "q=") {
- self::$query_string = escape_tags(substr($_SERVER['QUERY_STRING'], 2));
+ self::$query_string = str_replace(['<','>'],['&lt;','&gt;'],substr($_SERVER['QUERY_STRING'], 2));
// removing trailing / - maybe a nginx problem
if (substr(self::$query_string, 0, 1) == "/")
self::$query_string = substr(self::$query_string, 1);
+ // change the first & to ?
+ self::$query_string = preg_replace('/&/','?',self::$query_string,1);
}
+
if(x($_GET,'q'))
self::$cmd = escape_tags(trim($_GET['q'],'/\\'));
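Review bot: The `<`/`>` escaping on the first added line runs before the new `preg_replace('/&/','?',...,1)`, so the `&` of an `&lt;`/`&gt;` entity can be the one rewritten: a query such as `q=/a<b&x=1` becomes `/a&lt;b&x=1` and then `/a?lt;b&x=1`, leaving the real separator untouched. Swapping the order fixes it: keep `self::$query_string = substr($_SERVER['QUERY_STRING'], 2);` at the top of the branch and apply `self::$query_string = str_replace(['<','>'],['&lt;','&gt;'],self::$query_string);` after the `preg_replace` line. The `substr(...) == "/"` test on the retained line would read better as `===` since both sides are strings, but that is pre-existing. The enclosing method of `App` starts and ends outside this hunk.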
@@ -1720,7 +1723,7 @@ function can_view_public_stream() {
if(observer_prohibited(true)) {
return false;
}
-
+
if(! (intval(get_config('system','open_pubstream',1)))) {
if(! get_observer_hash()) {
return false;
@@ -2069,8 +2072,8 @@ function load_pdl() {
if (! count(App::$layout)) {
$arr = [
- 'module' => App::$module,
- 'layout' => ''
+ 'module' => App::$module,
+ 'layout' => ''
];
/**
* @hooks load_pdl
@@ -2090,6 +2093,16 @@ function load_pdl() {
if((! $s) && (($p = theme_include($n)) != ''))
$s = @file_get_contents($p);
+ elseif(file_exists('addon/'. App::$module . '/' . $n))
+ $s = @file_get_contents('addon/'. App::$module . '/' . $n);
+
+ $arr = [
+ 'module' => App::$module,
+ 'layout' => $s
+ ];
+ call_hooks('alter_pdl',$arr);
+ $s = $arr['layout'];
+
if($s) {
App::$comanche->parse($s);
App::$pdl = $s;
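Review bot: The new `elseif` branch builds a path from `App::$module` and reads it with `@file_get_contents` without checking that the module name is a plain identifier; `App::$module` is set outside this hunk, and if it is derived from the request path as the name suggests, a value containing `/` or `..` would be resolved relative to `addon/` rather than confined to it. A tight guard in the condition avoids that, e.g. `elseif(preg_match('/^[A-Za-z0-9_]+$/', App::$module) && file_exists('addon/' . App::$module . '/' . $n))`. Separately, a read failure leaves `$s === false`, which is then handed to the `alter_pdl` hook as `'layout' => false` rather than a string; normalising with `$s = $arr['layout'] ?: '';` or casting before the hook keeps the contract consistent with the `theme_include` branch. `load_pdl()` starts and ends outside this hunk.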
@@ -2234,8 +2247,35 @@ function construct_page() {
if(App::get_scheme() === 'https' && App::$config['system']['transport_security_header'])
header("Strict-Transport-Security: max-age=31536000");
- if(App::$config['system']['content_security_policy'])
- header("Content-Security-Policy: script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'");
+ if(App::$config['system']['content_security_policy']) {
+ $cspsettings = Array (
+ 'script-src' => Array ("'self'","'unsafe-inline'","'unsafe-eval'"),
+ 'style-src' => Array ("'self'","'unsafe-inline'")
+ );
+ call_hooks('content_security_policy',$cspsettings);
+
+ // Legitimate CSP directives (cxref: https://content-security-policy.com/)
+ $validcspdirectives=Array(
+ "default-src", "script-src", "style-src",
+ "img-src", "connect-src", "font-src",
+ "object-src", "media-src", 'frame-src',
+ 'sandbox', 'report-uri', 'child-src',
+ 'form-action', 'frame-ancestors', 'plugin-types'
+ );
+ $cspheader = "Content-Security-Policy:";
+ foreach ($cspsettings as $cspdirective => $csp) {
+ if (!in_array($cspdirective,$validcspdirectives)) {
+ logger("INVALID CSP DIRECTIVE: ".$cspdirective,LOGGER_DEBUG);
+ continue;
+ }
+ $cspsettingsarray=array_unique($cspsettings[$cspdirective]);
+ $cspsetpolicy = implode(' ',$cspsettingsarray);
+ if ($cspsetpolicy) {
+ $cspheader .= " ".$cspdirective." ".$cspsetpolicy.";";
+ }
+ }
+ header($cspheader);
+ }
if(App::$config['system']['x_security_headers']) {
header("X-Frame-Options: SAMEORIGIN");