diff options
Diffstat (limited to 'include')
-rw-r--r-- | include/Contact.php | 25 | ||||
-rw-r--r-- | include/account.php | 1 | ||||
-rwxr-xr-x | include/items.php | 81 | ||||
-rw-r--r-- | include/menu.php | 258 | ||||
-rw-r--r-- | include/notifier.php | 5 | ||||
-rwxr-xr-x | include/text.php | 16 | ||||
-rw-r--r-- | include/zot.php | 9 |
7 files changed, 364 insertions, 31 deletions
diff --git a/include/Contact.php b/include/Contact.php index b9ad1e4cb..992ed27e2 100644 --- a/include/Contact.php +++ b/include/Contact.php @@ -1,6 +1,31 @@ <?php /** @file */ + +function rconnect_url($channel_id,$xchan) { + + if(! $xchan) + return ''; + + $r = q("select abook_id from abook where abook_channel = %d and abook_xchan = '%s' limit 1", + intval($channel_id), + dbesc($xchan) + ); + + if($r) + return ''; + + $r = q("select hubloc_url from hubloc where hubloc_hash = '%s' and ( hubloc_flags & %d ) limit 1", + dbesc($xchan), + intval(HUBLOC_FLAGS_PRIMARY) + ); + + if($r) + return $r[0]['hubloc_url']; + return ''; + +} + function abook_connections($channel_id, $sql_conditions = '') { $r = q("select * from abook left join xchan on abook_xchan = xchan_hash where abook_channel = %d and not ( abook_flags & %d ) $sql_conditions", diff --git a/include/account.php b/include/account.php index 6dfb5ae1e..ab442ab39 100644 --- a/include/account.php +++ b/include/account.php @@ -6,6 +6,7 @@ require_once('include/plugin.php'); require_once('include/text.php'); require_once('include/language.php'); require_once('include/datetime.php'); +require_once('include/crypto.php'); function check_account_email($email) { diff --git a/include/items.php b/include/items.php index e71fd0350..6d853323f 100755 --- a/include/items.php +++ b/include/items.php @@ -1342,7 +1342,7 @@ function encode_rel_links($links) { return xmlify($o); } -function item_store($arr,$force_parent = false) { +function item_store($arr,$allow_exec = false) { if(! $arr['uid']) { logger('item_store: no uid'); @@ -1357,6 +1357,13 @@ function item_store($arr,$force_parent = false) { unset($arr['parent']); $arr['mimetype'] = ((x($arr,'mimetype')) ? notags(trim($arr['mimetype'])) : 'text/bbcode'); + + if(($arr['mimetype'] == 'application/x-php') && (! $allow_exec)) { + logger('item_store: php mimetype but allow_exec is denied.'); + return 0; + } + + $arr['title'] = ((x($arr,'title')) ? notags(trim($arr['title'])) : ''); $arr['body'] = ((x($arr,'body')) ? trim($arr['body']) : ''); @@ -1369,7 +1376,7 @@ function item_store($arr,$force_parent = false) { // this is a bit messy - we really need an input filter chain that temporarily undoes obscuring - if($arr['mimetype'] != 'text/html') { + if($arr['mimetype'] != 'text/html' && $arr['mimetype'] != 'application/x-php') { if((strpos($arr['body'],'<') !== false) || (strpos($arr['body'],'>') !== false)) $arr['body'] = escape_tags($arr['body']); if((strpos($arr['title'],'<') !== false) || (strpos($arr['title'],'>') !== false)) @@ -1665,7 +1672,7 @@ function item_store($arr,$force_parent = false) { -function item_store_update($arr,$force_parent = false) { +function item_store_update($arr,$allow_exec = false) { if(! intval($arr['uid'])) { logger('item_store_update: no uid'); @@ -1696,24 +1703,35 @@ function item_store_update($arr,$force_parent = false) { $arr = $translate['item']; } + $arr['mimetype'] = ((x($arr,'mimetype')) ? notags(trim($arr['mimetype'])) : 'text/bbcode'); + + if(($arr['mimetype'] == 'application/x-php') && (! $allow_exec)) { + logger('item_store: php mimetype but allow_exec is denied.'); + return 0; + } + + // Shouldn't happen but we want to make absolutely sure it doesn't leak from a plugin. - if((strpos($arr['body'],'<') !== false) || (strpos($arr['body'],'>') !== false)) - $arr['body'] = escape_tags($arr['body']); + if($arr['mimetype'] != 'text/html' && $arr['mimetype'] != 'application/x-php') { - if((x($arr,'object')) && is_array($arr['object'])) { - activity_sanitise($arr['object']); - $arr['object'] = json_encode($arr['object']); - } + if((strpos($arr['body'],'<') !== false) || (strpos($arr['body'],'>') !== false)) + $arr['body'] = escape_tags($arr['body']); - if((x($arr,'target')) && is_array($arr['target'])) { - activity_sanitise($arr['target']); - $arr['target'] = json_encode($arr['target']); - } + if((x($arr,'object')) && is_array($arr['object'])) { + activity_sanitise($arr['object']); + $arr['object'] = json_encode($arr['object']); + } - if((x($arr,'attach')) && is_array($arr['attach'])) { - activity_sanitise($arr['attach']); - $arr['attach'] = json_encode($arr['attach']); + if((x($arr,'target')) && is_array($arr['target'])) { + activity_sanitise($arr['target']); + $arr['target'] = json_encode($arr['target']); + } + + if((x($arr,'attach')) && is_array($arr['attach'])) { + activity_sanitise($arr['attach']); + $arr['attach'] = json_encode($arr['attach']); + } } $orig = q("select * from item where id = %d and uid = %d limit 1", @@ -1740,7 +1758,6 @@ function item_store_update($arr,$force_parent = false) { $arr['commented'] = datetime_convert(); $arr['received'] = datetime_convert(); $arr['changed'] = datetime_convert(); - $arr['mimetype'] = ((x($arr,'mimetype')) ? notags(trim($arr['mimetype'])) : 'text/bbcode'); $arr['title'] = ((x($arr,'title')) ? notags(trim($arr['title'])) : ''); $arr['location'] = ((x($arr,'location')) ? notags(trim($arr['location'])) : ''); $arr['coord'] = ((x($arr,'coord')) ? notags(trim($arr['coord'])) : ''); @@ -2692,7 +2709,7 @@ function consume_feed($xml,$importer,&$contact, &$hub, $datedir = 0, $pass = 0) } } - $r = item_store($datarray,$force_parent); + $r = item_store($datarray); continue; } @@ -3127,21 +3144,28 @@ function item_expire($uid,$days) { // and just expire conversations started by others $expire_network_only = get_pconfig($uid,'expire','network_only'); - $sql_extra = ((intval($expire_network_only)) ? " AND wall = 0 " : ""); + $sql_extra = ((intval($expire_network_only)) ? " AND not (item_flags & " . intval(ITEM_WALL) . ") " : ""); $r = q("SELECT * FROM `item` WHERE `uid` = %d AND `created` < UTC_TIMESTAMP() - INTERVAL %d DAY AND `id` = `parent` $sql_extra - AND `deleted` = 0", + AND NOT (item_restrict & %d ) + AND NOT (item_restrict & %d ) + AND NOT (item_restrict & %d ) ", intval($uid), - intval($days) + intval($days), + intval(ITEM_DELETED), + intval(ITEM_WEBPAGE), + intval(ITEM_BUILDBLOCK) ); - if(! count($r)) + if(! $r) return; + $r = fetch_post_tags($r,true); + $expire_items = get_pconfig($uid, 'expire','items'); $expire_items = (($expire_items===false)?1:intval($expire_items)); // default if not set: 1 @@ -3158,20 +3182,19 @@ function item_expire($uid,$days) { foreach($r as $item) { + + // don't expire filed items - if(strpos($item['file'],'[') !== false) + $terms = get_terms_oftype($item['term'],TERM_FILE); + if($terms) continue; // Only expire posts, not photos and photo comments - if($expire_photos==0 && strlen($item['resource_id'])) - continue; - if($expire_starred==0 && intval($item['starred'])) - continue; - if($expire_notes==0 && $item['type']=='note') + if($expire_photos==0 && ($item['resource_type'] === 'photo')) continue; - if($expire_items==0 && $item['type']!='note') + if($expire_starred==0 && ($item['item_flags'] & ITEM_STARRED)) continue; drop_item($item['id'],false); diff --git a/include/menu.php b/include/menu.php new file mode 100644 index 000000000..8d4664385 --- /dev/null +++ b/include/menu.php @@ -0,0 +1,258 @@ +<?php /** @file */ + +require_once('include/security.php'); + +function menu_fetch($name,$uid,$observer_xchan) { + + $sql_options = permissions_sql($uid); + + $r = q("select * from menu where menu_channel_id = %d and menu_name = '%s' limit 1", + intval($uid), + dbesc($name) + ); + if($r) { + $x = q("select * from menu_item where mitem_menu_id = %d and mitem_channel_id = %d + $sql_options + order by mitem_order asc, mitem_desc asc", + intval($r[0]['menu_id']), + intval($uid) + ); + return array('menu' => $r[0], 'items' => $x ); + } + + return null; +} + + +function menu_render($menu) { + if(! $menu) + return ''; + for($x = 0; $x < count($menu['items']); $x ++) + if($menu['items']['mitem_flags'] & MENU_ITEM_ZID) + $menu['items']['mitem_link'] = zid($menu['items']['mitem_link']); + if($menu['items']['mitem_flags'] & MENU_ITEM_NEWWIN) + $menu['items']['newwin'] = '1'; + + return replace_macros(get_markup_template('usermenu.tpl'),array( + '$menu' => $menu['menu'], + '$items' => $menu['items'] + )); +} + + +function menu_fetch_id($menu_id,$channel_id) { + + $r = q("select * from menu where menu_id = %d and menu_channel_id = %d limit 1", + intval($menu_id), + intval($channel_id) + ); + + return (($r) ? $r[0] : false); +} + + + +function menu_create($arr) { + + + $menu_name = trim(escape_tags($arr['menu_name'])); + $menu_desc = trim(escape_tags($arr['menu_desc'])); + + if(! $menu_desc) + $menu_desc = $menu_name; + + if(! $menu_name) + return false; + + + $menu_channel_id = intval($arr['menu_channel_id']); + + $r = q("select * from menu where menu_name = '%s' and menu_channel_id = %d limit 1", + dbesc($menu_name), + intval($menu_channel_id) + ); + + if($r) + return false; + + $r = q("insert into menu ( menu_name, menu_desc, menu_channel_id ) + values( '%s', '%s', %d )", + dbesc($menu_name), + dbesc($menu_desc), + intval($menu_channel_id) + ); + if(! $r) + return false; + + $r = q("select menu_id from menu where menu_name = '%s' and menu_channel_id = %d limit 1", + dbesc($menu_name), + intval($menu_channel_id) + ); + if($r) + return $r[0]['menu_id']; + return false; + +} + +function menu_list($channel_id) { + $r = q("select * from menu where menu_channel_id = %d order by menu_name", + intval($channel_id) + ); + return $r; +} + + + +function menu_edit($arr) { + + $menu_id = intval($arr['menu_id']); + + $menu_name = trim(escape_tags($arr['menu_name'])); + $menu_desc = trim(escape_tags($arr['menu_desc'])); + + if(! $menu_desc) + $menu_desc = $menu_name; + + if(! $menu_name) + return false; + + + $r = q("select menu_id from menu where menu_name = '%s' and menu_channel_id = %d limit 1", + dbesc($menu_name), + intval($menu_channel_id) + ); + if(($r) && ($r[0]['menu_id'] != $menu_id)) { + logger('menu_edit: duplicate menu name for channel ' . $menu_channel_id); + return false; + } + + + + $menu_channel_id = intval($arr['menu_channel_id']); + + $r = q("select * from menu where menu_id = %d and menu_channel_id = %d limit 1", + intval($menu_id), + intval($menu_channel_id) + ); + if(! $r) { + logger('menu_edit: not found: ' . print_r($arr,true)); + return false; + } + + + $r = q("select * from menu where menu_name = '%s' and menu_channel_id = %d limit 1", + dbesc($menu_name), + intval($menu_channel_id) + ); + + if($r) + return false; + + return q("update menu set menu_name = '%s', menu_desc = '%s' + where menu_id = %d and menu_channel_id = %d limit 1", + dbesc($menu_name), + dbesc($menu_desc), + intval($menu_id), + intval($menu_channel_id) + ); +} + +function menu_delete($menu_name, $uid) { + $r = q("select menu_id from menu where menu_name = '%s' and menu_channel_id = %d limit 1", + dbesc($menu_name), + intval($uid) + ); + + if($r) + return menu_delete_id($r[0]['menu_id'],$uid); + return false; +} + +function menu_delete_id($menu_id, $uid) { + $r = q("select menu_id from menu where menu_id = %d and menu_channel_id = %d limit 1", + intval($menu_id), + intval($uid) + ); + if($r) { + $x = q("delete from menu_item where mitem_menu_id = %d and mitem_channel_id = %d", + intval($menu_id), + intval($uid) + ); + return q("delete from menu where menu_id = %d and menu_channel_id = %d limit 1", + intval($menu_id), + intval($uid) + ); + } + return false; +} + + +function menu_add_item($menu_id, $uid, $arr) { + + + $mitem_link = escape_tags($arr['mitem_link']); + $mitem_desc = escape_tags($arr['mitem_desc']); + $mitem_order = intval($arr['mitem_order']); + $mitem_flags = intval($arr['mitem_flags']); + $allow_cid = perms2str($arr['allow_cid']); + $allow_gid = perms2str($arr['allow_gid']); + $deny_cid = perms2str($arr['deny_cid']); + $deny_gid = perms2str($arr['deny_gid']); + + $r = q("insert into menu_item ( mitem_link, mitem_desc, mitem_flags, allow_cid, allow_gid, deny_cid, deny_gid, mitem_channel_id, mitem_menu_id, mitem_order ) values ( '%s', '%s', %d, '%s', '%s', '%s', '%s', %d, %d, %d ) ", + dbesc($mitem_link), + dbesc($mitem_desc), + intval($mitem_flags), + dbesc($allow_cid), + dbesc($allow_gid), + dbesc($deny_cid), + dbesc($deny_gid), + intval($uid), + intval($menu_id), + intval($mitem_order) + ); + return $r; + +} + +function menu_edit_item($menu_id, $uid, $arr) { + + + $mitem_id = intval($arr['mitem_id']); + $mitem_link = escape_tags($arr['mitem_link']); + $mitem_desc = escape_tags($arr['mitem_desc']); + $mitem_order = intval($arr['mitem_order']); + $mitem_flags = intval($arr['mitem_flags']); + $allow_cid = perms2str($arr['allow_cid']); + $allow_gid = perms2str($arr['allow_gid']); + $deny_cid = perms2str($arr['deny_cid']); + $deny_gid = perms2str($arr['deny_gid']); + + $r = q("update menu_item set mitem_link = '%s', mitem_desc = '%s', mitem_flags = %d, allow_cid = '%s', allow_gid = '%s', deny_cid = '%s', deny_gid = '%s', mitem_order = %d where mitem_channel_id = %d and mitem_menu_id = %d and mitem_id = %d limit 1", + dbesc($mitem_link), + dbesc($mitem_desc), + intval($mitem_flags), + dbesc($allow_cid), + dbesc($allow_gid), + dbesc($deny_cid), + dbesc($deny_gid), + intval($mitem_order), + intval($uid), + intval($menu_id), + intval($mitem_id) + ); + return $r; +} + + + + +function menu_del_item($menu_id,$uid,$item_id) { + $r = q("delete from menu_item where mitem_menu_id = %d and mitem_channel_id = %d and mitem_id = %d limit 1", + intval($menu_id), + intval($uid), + intval($item_id) + ); + return $r; +} + diff --git a/include/notifier.php b/include/notifier.php index dea9d6072..a0c07200a 100644 --- a/include/notifier.php +++ b/include/notifier.php @@ -241,6 +241,11 @@ function notifier_run($argv, $argc){ return; } + if($target_item['item_restrict'] & ITEM_BUILDBLOCK) { + logger('notifier: target item ITEM_BUILDBLOCK', LOGGER_DEBUG); + return; + } + $s = q("select * from channel where channel_id = %d limit 1", intval($target_item['uid']) diff --git a/include/text.php b/include/text.php index 61b39cb59..99d5c9d78 100755 --- a/include/text.php +++ b/include/text.php @@ -1142,6 +1142,22 @@ function prepare_text($text,$content_type = 'text/bbcode') { $s = Markdown($text); break; + // No security checking is done here at display time - so we need to verify + // that the author is allowed to use PHP before storing. We also cannot allow + // importation of PHP text bodies from other sites. Therefore this content + // type is only valid for web pages (and profile details). + + // It may be possible to provide a PHP message body which is evaluated on the + // sender's site before sending it elsewhere. In that case we will have a + // different content-type here. + + case 'application/x-php': + ob_start(); + eval($text); + $s = ob_get_contents(); + ob_end_clean(); + break; + case 'text/bbcode': case '': default: diff --git a/include/zot.php b/include/zot.php index d1bc03bc2..bddbc9bee 100644 --- a/include/zot.php +++ b/include/zot.php @@ -583,9 +583,14 @@ function import_xchan($arr) { intval(HUBLOC_FLAGS_PRIMARY), intval($r[0]['hubloc_id']) ); + update_modtime($xchan_hash); + $changed = true; } - update_modtime($xchan_hash); - $changed = true; + continue; + } + + if(! $location['sitekey']) { + logger('import_xchan: empty hubloc sitekey. ' . print_r($location,true)); continue; } |