diff options
Diffstat (limited to 'include/items.php')
-rwxr-xr-x | include/items.php | 68 |
1 files changed, 46 insertions, 22 deletions
diff --git a/include/items.php b/include/items.php index 382be2497..6e9c1c3d9 100755 --- a/include/items.php +++ b/include/items.php @@ -530,11 +530,6 @@ function get_item_elements($x,$allow_code = false) { $arr = array(); - if($allow_code) - $arr['body'] = $x['body']; - else - $arr['body'] = (($x['body']) ? htmlspecialchars($x['body'],ENT_COMPAT,'UTF-8',false) : ''); - $key = get_config('system','pubkey'); $maxlen = get_max_import_size(); @@ -647,7 +642,17 @@ function get_item_elements($x,$allow_code = false) { return array(); } + // Check signature on the body text received. + // This presents an issue that we aren't verifying the text that is actually displayed + // on this site. We are however verifying the received text was exactly as received. + // We have every right to strip content that poses a security risk. You are welcome to + // create a plugin to verify the content after filtering if this offends you. + if($arr['sig']) { + + // check the supplied signature against the supplied content. + // Note that we will purify the content which could change it. + $r = q("select xchan_pubkey from xchan where xchan_hash = '%s' limit 1", dbesc($arr['author_xchan']) ); @@ -657,6 +662,14 @@ function get_item_elements($x,$allow_code = false) { logger('get_item_elements: message verification failed.'); } + // if the input is markdown, remove one level of html escaping. + // It will be re-applied in item_store() and/or item_store_update(). + // Do this after signature checking as the original signature + // was generated on the escaped content. + + if($arr['mimetype'] === 'text/markdown') + $arr['body'] = \Zotlabs\Lib\MarkdownSoap::unescape($arr['body']); + if(array_key_exists('revision',$x)) { // extended export encoding @@ -1525,14 +1538,20 @@ function item_store($arr, $allow_exec = false, $deliver = true) { $arr['lang'] = detect_language($arr['body']); // apply the input filter here - $arr['body'] = trim(z_input_filter($arr['body'],$arr['mimetype'],$allow_exec)); - - if(local_channel() && (local_channel() == $arr['uid'])) { - if(! $arr['sig']) { - $channel = App::get_channel(); - if($channel['channel_hash'] === $arr['author_xchan']) { - $arr['sig'] = base64url_encode(rsa_sign($arr['body'],$channel['channel_prvkey'])); - $arr['item_verified'] = 1; + + if(array_key_exists('input_filtered_signed',$arr)) { + unset($arr['input_filtered_signed']); + } + else { + $arr['body'] = trim(z_input_filter($arr['body'],$arr['mimetype'],$allow_exec)); + + if(local_channel() && (local_channel() == $arr['uid'])) { + if(! $arr['sig']) { + $channel = App::get_channel(); + if($channel['channel_hash'] === $arr['author_xchan']) { + $arr['sig'] = base64url_encode(rsa_sign($arr['body'],$channel['channel_prvkey'])); + $arr['item_verified'] = 1; + } } } } @@ -1946,17 +1965,22 @@ function item_store_update($arr,$allow_exec = false, $deliver = true) { return $ret; } - $arr['lang'] = detect_language($arr['body']); - // apply the input filter here - $arr['body'] = trim($arr['body'],$arr['mimetype'],$allow_exec); - - if(local_channel() && (local_channel() == $arr['uid']) && (! $arr['sig'])) { - $channel = App::get_channel(); - if($channel['channel_hash'] === $arr['author_xchan']) { - $arr['sig'] = base64url_encode(rsa_sign($arr['body'],$channel['channel_prvkey'])); - $arr['item_verified'] = 1; + if(array_key_exists('input_filtered_signed',$arr)) { + unset($arr['input_filtered_signed']); + } + else { + $arr['body'] = trim(z_input_filter($arr['body'],$arr['mimetype'],$allow_exec)); + + if(local_channel() && (local_channel() == $arr['uid'])) { + if(! $arr['sig']) { + $channel = App::get_channel(); + if($channel['channel_hash'] === $arr['author_xchan']) { + $arr['sig'] = base64url_encode(rsa_sign($arr['body'],$channel['channel_prvkey'])); + $arr['item_verified'] = 1; + } + } } } |