aboutsummaryrefslogtreecommitdiffstats
path: root/include
diff options
context:
space:
mode:
Diffstat (limited to 'include')
-rw-r--r--include/Contact.php25
-rw-r--r--include/account.php1
-rwxr-xr-xinclude/items.php81
-rw-r--r--include/menu.php258
-rw-r--r--include/notifier.php5
-rwxr-xr-xinclude/text.php16
-rw-r--r--include/zot.php9
7 files changed, 364 insertions, 31 deletions
diff --git a/include/Contact.php b/include/Contact.php
index b9ad1e4cb..992ed27e2 100644
--- a/include/Contact.php
+++ b/include/Contact.php
@@ -1,6 +1,31 @@
<?php /** @file */
+
+function rconnect_url($channel_id,$xchan) {
+
+ if(! $xchan)
+ return '';
+
+ $r = q("select abook_id from abook where abook_channel = %d and abook_xchan = '%s' limit 1",
+ intval($channel_id),
+ dbesc($xchan)
+ );
+
+ if($r)
+ return '';
+
+ $r = q("select hubloc_url from hubloc where hubloc_hash = '%s' and ( hubloc_flags & %d ) limit 1",
+ dbesc($xchan),
+ intval(HUBLOC_FLAGS_PRIMARY)
+ );
+
+ if($r)
+ return $r[0]['hubloc_url'];
+ return '';
+
+}
+
function abook_connections($channel_id, $sql_conditions = '') {
$r = q("select * from abook left join xchan on abook_xchan = xchan_hash where abook_channel = %d
and not ( abook_flags & %d ) $sql_conditions",
diff --git a/include/account.php b/include/account.php
index 6dfb5ae1e..ab442ab39 100644
--- a/include/account.php
+++ b/include/account.php
@@ -6,6 +6,7 @@ require_once('include/plugin.php');
require_once('include/text.php');
require_once('include/language.php');
require_once('include/datetime.php');
+require_once('include/crypto.php');
function check_account_email($email) {
diff --git a/include/items.php b/include/items.php
index e71fd0350..6d853323f 100755
--- a/include/items.php
+++ b/include/items.php
@@ -1342,7 +1342,7 @@ function encode_rel_links($links) {
return xmlify($o);
}
-function item_store($arr,$force_parent = false) {
+function item_store($arr,$allow_exec = false) {
if(! $arr['uid']) {
logger('item_store: no uid');
@@ -1357,6 +1357,13 @@ function item_store($arr,$force_parent = false) {
unset($arr['parent']);
$arr['mimetype'] = ((x($arr,'mimetype')) ? notags(trim($arr['mimetype'])) : 'text/bbcode');
+
+ if(($arr['mimetype'] == 'application/x-php') && (! $allow_exec)) {
+ logger('item_store: php mimetype but allow_exec is denied.');
+ return 0;
+ }
+
+
$arr['title'] = ((x($arr,'title')) ? notags(trim($arr['title'])) : '');
$arr['body'] = ((x($arr,'body')) ? trim($arr['body']) : '');
@@ -1369,7 +1376,7 @@ function item_store($arr,$force_parent = false) {
// this is a bit messy - we really need an input filter chain that temporarily undoes obscuring
- if($arr['mimetype'] != 'text/html') {
+ if($arr['mimetype'] != 'text/html' && $arr['mimetype'] != 'application/x-php') {
if((strpos($arr['body'],'<') !== false) || (strpos($arr['body'],'>') !== false))
$arr['body'] = escape_tags($arr['body']);
if((strpos($arr['title'],'<') !== false) || (strpos($arr['title'],'>') !== false))
@@ -1665,7 +1672,7 @@ function item_store($arr,$force_parent = false) {
-function item_store_update($arr,$force_parent = false) {
+function item_store_update($arr,$allow_exec = false) {
if(! intval($arr['uid'])) {
logger('item_store_update: no uid');
@@ -1696,24 +1703,35 @@ function item_store_update($arr,$force_parent = false) {
$arr = $translate['item'];
}
+ $arr['mimetype'] = ((x($arr,'mimetype')) ? notags(trim($arr['mimetype'])) : 'text/bbcode');
+
+ if(($arr['mimetype'] == 'application/x-php') && (! $allow_exec)) {
+ logger('item_store: php mimetype but allow_exec is denied.');
+ return 0;
+ }
+
+
// Shouldn't happen but we want to make absolutely sure it doesn't leak from a plugin.
- if((strpos($arr['body'],'<') !== false) || (strpos($arr['body'],'>') !== false))
- $arr['body'] = escape_tags($arr['body']);
+ if($arr['mimetype'] != 'text/html' && $arr['mimetype'] != 'application/x-php') {
- if((x($arr,'object')) && is_array($arr['object'])) {
- activity_sanitise($arr['object']);
- $arr['object'] = json_encode($arr['object']);
- }
+ if((strpos($arr['body'],'<') !== false) || (strpos($arr['body'],'>') !== false))
+ $arr['body'] = escape_tags($arr['body']);
- if((x($arr,'target')) && is_array($arr['target'])) {
- activity_sanitise($arr['target']);
- $arr['target'] = json_encode($arr['target']);
- }
+ if((x($arr,'object')) && is_array($arr['object'])) {
+ activity_sanitise($arr['object']);
+ $arr['object'] = json_encode($arr['object']);
+ }
- if((x($arr,'attach')) && is_array($arr['attach'])) {
- activity_sanitise($arr['attach']);
- $arr['attach'] = json_encode($arr['attach']);
+ if((x($arr,'target')) && is_array($arr['target'])) {
+ activity_sanitise($arr['target']);
+ $arr['target'] = json_encode($arr['target']);
+ }
+
+ if((x($arr,'attach')) && is_array($arr['attach'])) {
+ activity_sanitise($arr['attach']);
+ $arr['attach'] = json_encode($arr['attach']);
+ }
}
$orig = q("select * from item where id = %d and uid = %d limit 1",
@@ -1740,7 +1758,6 @@ function item_store_update($arr,$force_parent = false) {
$arr['commented'] = datetime_convert();
$arr['received'] = datetime_convert();
$arr['changed'] = datetime_convert();
- $arr['mimetype'] = ((x($arr,'mimetype')) ? notags(trim($arr['mimetype'])) : 'text/bbcode');
$arr['title'] = ((x($arr,'title')) ? notags(trim($arr['title'])) : '');
$arr['location'] = ((x($arr,'location')) ? notags(trim($arr['location'])) : '');
$arr['coord'] = ((x($arr,'coord')) ? notags(trim($arr['coord'])) : '');
@@ -2692,7 +2709,7 @@ function consume_feed($xml,$importer,&$contact, &$hub, $datedir = 0, $pass = 0)
}
}
- $r = item_store($datarray,$force_parent);
+ $r = item_store($datarray);
continue;
}
@@ -3127,21 +3144,28 @@ function item_expire($uid,$days) {
// and just expire conversations started by others
$expire_network_only = get_pconfig($uid,'expire','network_only');
- $sql_extra = ((intval($expire_network_only)) ? " AND wall = 0 " : "");
+ $sql_extra = ((intval($expire_network_only)) ? " AND not (item_flags & " . intval(ITEM_WALL) . ") " : "");
$r = q("SELECT * FROM `item`
WHERE `uid` = %d
AND `created` < UTC_TIMESTAMP() - INTERVAL %d DAY
AND `id` = `parent`
$sql_extra
- AND `deleted` = 0",
+ AND NOT (item_restrict & %d )
+ AND NOT (item_restrict & %d )
+ AND NOT (item_restrict & %d ) ",
intval($uid),
- intval($days)
+ intval($days),
+ intval(ITEM_DELETED),
+ intval(ITEM_WEBPAGE),
+ intval(ITEM_BUILDBLOCK)
);
- if(! count($r))
+ if(! $r)
return;
+ $r = fetch_post_tags($r,true);
+
$expire_items = get_pconfig($uid, 'expire','items');
$expire_items = (($expire_items===false)?1:intval($expire_items)); // default if not set: 1
@@ -3158,20 +3182,19 @@ function item_expire($uid,$days) {
foreach($r as $item) {
+
+
// don't expire filed items
- if(strpos($item['file'],'[') !== false)
+ $terms = get_terms_oftype($item['term'],TERM_FILE);
+ if($terms)
continue;
// Only expire posts, not photos and photo comments
- if($expire_photos==0 && strlen($item['resource_id']))
- continue;
- if($expire_starred==0 && intval($item['starred']))
- continue;
- if($expire_notes==0 && $item['type']=='note')
+ if($expire_photos==0 && ($item['resource_type'] === 'photo'))
continue;
- if($expire_items==0 && $item['type']!='note')
+ if($expire_starred==0 && ($item['item_flags'] & ITEM_STARRED))
continue;
drop_item($item['id'],false);
diff --git a/include/menu.php b/include/menu.php
new file mode 100644
index 000000000..8d4664385
--- /dev/null
+++ b/include/menu.php
@@ -0,0 +1,258 @@
+<?php /** @file */
+
+require_once('include/security.php');
+
+function menu_fetch($name,$uid,$observer_xchan) {
+
+ $sql_options = permissions_sql($uid);
+
+ $r = q("select * from menu where menu_channel_id = %d and menu_name = '%s' limit 1",
+ intval($uid),
+ dbesc($name)
+ );
+ if($r) {
+ $x = q("select * from menu_item where mitem_menu_id = %d and mitem_channel_id = %d
+ $sql_options
+ order by mitem_order asc, mitem_desc asc",
+ intval($r[0]['menu_id']),
+ intval($uid)
+ );
+ return array('menu' => $r[0], 'items' => $x );
+ }
+
+ return null;
+}
+
+
+function menu_render($menu) {
+ if(! $menu)
+ return '';
+ for($x = 0; $x < count($menu['items']); $x ++)
+ if($menu['items']['mitem_flags'] & MENU_ITEM_ZID)
+ $menu['items']['mitem_link'] = zid($menu['items']['mitem_link']);
+ if($menu['items']['mitem_flags'] & MENU_ITEM_NEWWIN)
+ $menu['items']['newwin'] = '1';
+
+ return replace_macros(get_markup_template('usermenu.tpl'),array(
+ '$menu' => $menu['menu'],
+ '$items' => $menu['items']
+ ));
+}
+
+
+function menu_fetch_id($menu_id,$channel_id) {
+
+ $r = q("select * from menu where menu_id = %d and menu_channel_id = %d limit 1",
+ intval($menu_id),
+ intval($channel_id)
+ );
+
+ return (($r) ? $r[0] : false);
+}
+
+
+
+function menu_create($arr) {
+
+
+ $menu_name = trim(escape_tags($arr['menu_name']));
+ $menu_desc = trim(escape_tags($arr['menu_desc']));
+
+ if(! $menu_desc)
+ $menu_desc = $menu_name;
+
+ if(! $menu_name)
+ return false;
+
+
+ $menu_channel_id = intval($arr['menu_channel_id']);
+
+ $r = q("select * from menu where menu_name = '%s' and menu_channel_id = %d limit 1",
+ dbesc($menu_name),
+ intval($menu_channel_id)
+ );
+
+ if($r)
+ return false;
+
+ $r = q("insert into menu ( menu_name, menu_desc, menu_channel_id )
+ values( '%s', '%s', %d )",
+ dbesc($menu_name),
+ dbesc($menu_desc),
+ intval($menu_channel_id)
+ );
+ if(! $r)
+ return false;
+
+ $r = q("select menu_id from menu where menu_name = '%s' and menu_channel_id = %d limit 1",
+ dbesc($menu_name),
+ intval($menu_channel_id)
+ );
+ if($r)
+ return $r[0]['menu_id'];
+ return false;
+
+}
+
+function menu_list($channel_id) {
+ $r = q("select * from menu where menu_channel_id = %d order by menu_name",
+ intval($channel_id)
+ );
+ return $r;
+}
+
+
+
+function menu_edit($arr) {
+
+ $menu_id = intval($arr['menu_id']);
+
+ $menu_name = trim(escape_tags($arr['menu_name']));
+ $menu_desc = trim(escape_tags($arr['menu_desc']));
+
+ if(! $menu_desc)
+ $menu_desc = $menu_name;
+
+ if(! $menu_name)
+ return false;
+
+
+ $r = q("select menu_id from menu where menu_name = '%s' and menu_channel_id = %d limit 1",
+ dbesc($menu_name),
+ intval($menu_channel_id)
+ );
+ if(($r) && ($r[0]['menu_id'] != $menu_id)) {
+ logger('menu_edit: duplicate menu name for channel ' . $menu_channel_id);
+ return false;
+ }
+
+
+
+ $menu_channel_id = intval($arr['menu_channel_id']);
+
+ $r = q("select * from menu where menu_id = %d and menu_channel_id = %d limit 1",
+ intval($menu_id),
+ intval($menu_channel_id)
+ );
+ if(! $r) {
+ logger('menu_edit: not found: ' . print_r($arr,true));
+ return false;
+ }
+
+
+ $r = q("select * from menu where menu_name = '%s' and menu_channel_id = %d limit 1",
+ dbesc($menu_name),
+ intval($menu_channel_id)
+ );
+
+ if($r)
+ return false;
+
+ return q("update menu set menu_name = '%s', menu_desc = '%s'
+ where menu_id = %d and menu_channel_id = %d limit 1",
+ dbesc($menu_name),
+ dbesc($menu_desc),
+ intval($menu_id),
+ intval($menu_channel_id)
+ );
+}
+
+function menu_delete($menu_name, $uid) {
+ $r = q("select menu_id from menu where menu_name = '%s' and menu_channel_id = %d limit 1",
+ dbesc($menu_name),
+ intval($uid)
+ );
+
+ if($r)
+ return menu_delete_id($r[0]['menu_id'],$uid);
+ return false;
+}
+
+function menu_delete_id($menu_id, $uid) {
+ $r = q("select menu_id from menu where menu_id = %d and menu_channel_id = %d limit 1",
+ intval($menu_id),
+ intval($uid)
+ );
+ if($r) {
+ $x = q("delete from menu_item where mitem_menu_id = %d and mitem_channel_id = %d",
+ intval($menu_id),
+ intval($uid)
+ );
+ return q("delete from menu where menu_id = %d and menu_channel_id = %d limit 1",
+ intval($menu_id),
+ intval($uid)
+ );
+ }
+ return false;
+}
+
+
+function menu_add_item($menu_id, $uid, $arr) {
+
+
+ $mitem_link = escape_tags($arr['mitem_link']);
+ $mitem_desc = escape_tags($arr['mitem_desc']);
+ $mitem_order = intval($arr['mitem_order']);
+ $mitem_flags = intval($arr['mitem_flags']);
+ $allow_cid = perms2str($arr['allow_cid']);
+ $allow_gid = perms2str($arr['allow_gid']);
+ $deny_cid = perms2str($arr['deny_cid']);
+ $deny_gid = perms2str($arr['deny_gid']);
+
+ $r = q("insert into menu_item ( mitem_link, mitem_desc, mitem_flags, allow_cid, allow_gid, deny_cid, deny_gid, mitem_channel_id, mitem_menu_id, mitem_order ) values ( '%s', '%s', %d, '%s', '%s', '%s', '%s', %d, %d, %d ) ",
+ dbesc($mitem_link),
+ dbesc($mitem_desc),
+ intval($mitem_flags),
+ dbesc($allow_cid),
+ dbesc($allow_gid),
+ dbesc($deny_cid),
+ dbesc($deny_gid),
+ intval($uid),
+ intval($menu_id),
+ intval($mitem_order)
+ );
+ return $r;
+
+}
+
+function menu_edit_item($menu_id, $uid, $arr) {
+
+
+ $mitem_id = intval($arr['mitem_id']);
+ $mitem_link = escape_tags($arr['mitem_link']);
+ $mitem_desc = escape_tags($arr['mitem_desc']);
+ $mitem_order = intval($arr['mitem_order']);
+ $mitem_flags = intval($arr['mitem_flags']);
+ $allow_cid = perms2str($arr['allow_cid']);
+ $allow_gid = perms2str($arr['allow_gid']);
+ $deny_cid = perms2str($arr['deny_cid']);
+ $deny_gid = perms2str($arr['deny_gid']);
+
+ $r = q("update menu_item set mitem_link = '%s', mitem_desc = '%s', mitem_flags = %d, allow_cid = '%s', allow_gid = '%s', deny_cid = '%s', deny_gid = '%s', mitem_order = %d where mitem_channel_id = %d and mitem_menu_id = %d and mitem_id = %d limit 1",
+ dbesc($mitem_link),
+ dbesc($mitem_desc),
+ intval($mitem_flags),
+ dbesc($allow_cid),
+ dbesc($allow_gid),
+ dbesc($deny_cid),
+ dbesc($deny_gid),
+ intval($mitem_order),
+ intval($uid),
+ intval($menu_id),
+ intval($mitem_id)
+ );
+ return $r;
+}
+
+
+
+
+function menu_del_item($menu_id,$uid,$item_id) {
+ $r = q("delete from menu_item where mitem_menu_id = %d and mitem_channel_id = %d and mitem_id = %d limit 1",
+ intval($menu_id),
+ intval($uid),
+ intval($item_id)
+ );
+ return $r;
+}
+
diff --git a/include/notifier.php b/include/notifier.php
index dea9d6072..a0c07200a 100644
--- a/include/notifier.php
+++ b/include/notifier.php
@@ -241,6 +241,11 @@ function notifier_run($argv, $argc){
return;
}
+ if($target_item['item_restrict'] & ITEM_BUILDBLOCK) {
+ logger('notifier: target item ITEM_BUILDBLOCK', LOGGER_DEBUG);
+ return;
+ }
+
$s = q("select * from channel where channel_id = %d limit 1",
intval($target_item['uid'])
diff --git a/include/text.php b/include/text.php
index 61b39cb59..99d5c9d78 100755
--- a/include/text.php
+++ b/include/text.php
@@ -1142,6 +1142,22 @@ function prepare_text($text,$content_type = 'text/bbcode') {
$s = Markdown($text);
break;
+ // No security checking is done here at display time - so we need to verify
+ // that the author is allowed to use PHP before storing. We also cannot allow
+ // importation of PHP text bodies from other sites. Therefore this content
+ // type is only valid for web pages (and profile details).
+
+ // It may be possible to provide a PHP message body which is evaluated on the
+ // sender's site before sending it elsewhere. In that case we will have a
+ // different content-type here.
+
+ case 'application/x-php':
+ ob_start();
+ eval($text);
+ $s = ob_get_contents();
+ ob_end_clean();
+ break;
+
case 'text/bbcode':
case '':
default:
diff --git a/include/zot.php b/include/zot.php
index d1bc03bc2..bddbc9bee 100644
--- a/include/zot.php
+++ b/include/zot.php
@@ -583,9 +583,14 @@ function import_xchan($arr) {
intval(HUBLOC_FLAGS_PRIMARY),
intval($r[0]['hubloc_id'])
);
+ update_modtime($xchan_hash);
+ $changed = true;
}
- update_modtime($xchan_hash);
- $changed = true;
+ continue;
+ }
+
+ if(! $location['sitekey']) {
+ logger('import_xchan: empty hubloc sitekey. ' . print_r($location,true));
continue;
}