aboutsummaryrefslogtreecommitdiffstats
path: root/include
diff options
context:
space:
mode:
Diffstat (limited to 'include')
-rw-r--r--include/account.php65
-rw-r--r--include/auth.php7
-rw-r--r--include/bbcode.php58
-rw-r--r--include/event.php2
-rw-r--r--include/items.php23
-rw-r--r--include/network.php1
6 files changed, 102 insertions, 54 deletions
diff --git a/include/account.php b/include/account.php
index ad69b4d9a..0c07bd85f 100644
--- a/include/account.php
+++ b/include/account.php
@@ -17,10 +17,38 @@ require_once('include/crypto.php');
require_once('include/channel.php');
-function get_account_by_id($account_id) {
- $r = q("select * from account where account_id = %d",
- intval($account_id)
- );
+/**
+ * Returns the id of a locally logged in account or false.
+ *
+ * Returns the numeric account id of the current session if authenticated, or
+ * false otherwise.
+ *
+ * @note It is possible to be authenticated, and not connected to a channel.
+ *
+ * @return int|false Numeric account id or false.
+ */
+function get_account_id(): int|false {
+ if (isset($_SESSION['account_id'])) {
+ return intval($_SESSION['account_id']);
+ }
+
+ if (App::$account) {
+ return intval(App::$account['account_id']);
+ }
+
+ return false;
+}
+
+/**
+ * Get the account with the given id from the database.
+ *
+ * @param int $account_id The numeric id of the account to fetch.
+ *
+ * @return array|false An array containing the attributes of the requested
+ * account, or false if it could not be retreived.
+ */
+function get_account_by_id(int $account_id): array|false {
+ $r = q("select * from account where account_id = %d", $account_id);
return (($r) ? $r[0] : false);
}
@@ -117,11 +145,16 @@ function check_account_invite($invite_code) {
}
function check_account_admin($arr) {
- if(is_site_admin())
+ if (is_site_admin()) {
return true;
+ }
+
$admin_email = trim(Config::Get('system','admin_email'));
- if(strlen($admin_email) && $admin_email === trim($arr['email']))
+
+ if (strlen($admin_email) && $admin_email === trim($arr['reg_email'])) {
return true;
+ }
+
return false;
}
@@ -163,18 +196,18 @@ function create_account_from_register($arr) {
if($default_service_class === false)
$default_service_class = '';
- $roles = 0;
- // prevent form hackery
- if($roles & ACCOUNT_ROLE_ADMIN) {
- $admin_result = check_account_admin($arr);
- if(! $admin_result) {
- $roles = 0;
- }
+ // any accounts available ?
+ $total = q("SELECT COUNT(*) AS total FROM account");
+
+ if ($total && intval($total[0]['total']) === 0 && !check_account_admin($register[0])) {
+ logger('create_account: first account is not admin');
+ $result['message'] = t('First account is not admin.');
+ return $result;
}
- // any accounts available ?
- $isa = q("SELECT COUNT(*) AS isa FROM account");
- if ($isa && $isa[0]['isa'] == 0) {
+ $roles = 0;
+
+ if (check_account_admin($register[0])) {
$roles = ACCOUNT_ROLE_ADMIN;
}
diff --git a/include/auth.php b/include/auth.php
index 439f064e4..36a9043ce 100644
--- a/include/auth.php
+++ b/include/auth.php
@@ -353,9 +353,6 @@ else {
elseif($atoken) {
atoken_login($atoken);
}
- else {
- notice( t('Failed authentication') . EOL);
- }
if(! ($account || $atoken)) {
$error = 'authenticate: failed login attempt: ' . notags(trim($username)) . ' from IP ' . $_SERVER['REMOTE_ADDR'];
@@ -364,8 +361,8 @@ else {
$authlog = Config::Get('system', 'authlog');
if ($authlog)
@file_put_contents($authlog, datetime_convert() . ':' . session_id() . ' ' . $error . "\n", FILE_APPEND);
- notice( t('Login failed.') . EOL );
- goaway(z_root() . '/login');
+
+ goaway(z_root() . '/login?retry=1');
}
// If the user specified to remember the authentication, then change the cookie
diff --git a/include/bbcode.php b/include/bbcode.php
index 2c8ef3f20..d5e1bafd9 100644
--- a/include/bbcode.php
+++ b/include/bbcode.php
@@ -1190,7 +1190,7 @@ function bbcode($text, $options = []) {
$cache = ((array_key_exists('cache',$options)) ? $options['cache'] : false);
$newwin = ((array_key_exists('newwin',$options)) ? $options['newwin'] : true);
- $target = (($newwin) ? ' target="_blank" ' : '');
+ $target = (($newwin) ? 'target="_blank"' : '');
/**
* @hooks bbcode_filter
@@ -1332,21 +1332,31 @@ function bbcode($text, $options = []) {
$text = str_replace('[observer.photo]','', $text);
}
-
-
// Perform URL Search
-
$urlchars = '[a-zA-Z0-9\pL\:\/\-\?\&\;\.\=\_\~\#\%\$\!\+\,\@\(\)]';
if (strpos($text,'http') !== false) {
if($tryoembed) {
$text = preg_replace_callback("/([^\]\='".'"'."\;\/]|^|\#\^)(https?\:\/\/$urlchars+)/ismu", 'tryoembed', $text);
}
- // Is this still desired?
- // We already turn naked URLs into links during creation time cleanup_bbcode()
+
$text = preg_replace("/([^\]\='".'"'."\;\/]|^|\#\^)(https?\:\/\/$urlchars+)/ismu", '$1<a href="$2" ' . $target . ' rel="nofollow noopener">$2</a>', $text);
}
+ // Turn naked geo URIs into clickable links
+ if (str_contains($text, 'geo:')) {
+ $text = preg_replace_callback(
+ '/([^\]\=\'";\/]|^|\#\^)(geo:([A-Za-z0-9:.,;_+\-?&=%]+)(?:\(([^)]+)\))?)/ismu',
+ function ($matches) {
+ $before = $matches[1];
+ $geo_uri = $matches[2];
+ $label = ((!empty($matches[4])) ? '📍' . urldecode($matches[4]) : $geo_uri);
+ return $before . '<a href="' . htmlspecialchars($geo_uri) . '" target="_blank" rel="nofollow noopener">' . htmlspecialchars($label) . '</a>';
+ },
+ $text
+ );
+ }
+
$count = 0;
while (strpos($text,'[/share]') !== false && $count < 10) {
$text = preg_replace_callback("/\[share(.*?)\](.*?)\[\/share\]/ism", 'bb_ShareAttributes', $text);
@@ -1360,23 +1370,23 @@ function bbcode($text, $options = []) {
}
if (strpos($text,'[/url]') !== false) {
- $text = preg_replace("/\#\^\[url\]([$URLSearchString]*)\[\/url\]/ism", '<span class="bookmark-identifier">#^</span><a class="bookmark" href="$1" ' . $target . ' rel="nofollow noopener" >$1</a>', $text);
- $text = preg_replace("/\#\^\[url\=([$URLSearchString]*)\](.*?)\[\/url\]/ism", '<span class="bookmark-identifier">#^</span><a class="bookmark" href="$1" ' . $target . ' rel="nofollow noopener" >$2</a>', $text);
- $text = preg_replace("/\[url\]([$URLSearchString]*)\[\/url\]/ism", '<a href="$1" ' . $target . ' rel="nofollow noopener" >$1</a>', $text);
- $text = preg_replace("/\[url\=([$URLSearchString]*)\](.*?)\[\/url\]/ism", '<a href="$1" ' . $target . ' rel="nofollow noopener" >$2</a>', $text);
+ $text = preg_replace("/\#\^\[url\]([$URLSearchString]*)\[\/url\]/ism", '<span class="bookmark-identifier">#^</span><a class="bookmark" href="$1" ' . $target . ' rel="nofollow noopener">$1</a>', $text);
+ $text = preg_replace("/\#\^\[url\=([$URLSearchString]*)\](.*?)\[\/url\]/ism", '<span class="bookmark-identifier">#^</span><a class="bookmark" href="$1" ' . $target . ' rel="nofollow noopener">$2</a>', $text);
+ $text = preg_replace("/\[url\]([$URLSearchString]*)\[\/url\]/ism", '<a href="$1" ' . $target . ' rel="nofollow noopener">$1</a>', $text);
+ $text = preg_replace("/\[url\=([$URLSearchString]*)\](.*?)\[\/url\]/ism", '<a href="$1" ' . $target . ' rel="nofollow noopener">$2</a>', $text);
}
if (strpos($text,'[/zrl]') !== false) {
- $text = preg_replace("/\#\^\[zrl\]([$URLSearchString]*)\[\/zrl\]/ism", '<span class="bookmark-identifier">#^</span><a class="zrl bookmark" href="$1" ' . $target . ' rel="nofollow noopener" >$1</a>', $text);
- $text = preg_replace("/\#\^\[zrl\=([$URLSearchString]*)\](.*?)\[\/zrl\]/ism", '<span class="bookmark-identifier">#^</span><a class="zrl bookmark" href="$1" ' . $target . ' rel="nofollow noopener" >$2</a>', $text);
- $text = preg_replace("/\[zrl\]([$URLSearchString]*)\[\/zrl\]/ism", '<a class="zrl" href="$1" ' . $target . ' rel="nofollow noopener" >$1</a>', $text);
- $text = preg_replace("/\[zrl\=([$URLSearchString]*)\](.*?)\[\/zrl\]/ism", '<a class="zrl" href="$1" ' . $target . ' rel="nofollow noopener" >$2</a>', $text);
+ $text = preg_replace("/\#\^\[zrl\]([$URLSearchString]*)\[\/zrl\]/ism", '<span class="bookmark-identifier">#^</span><a class="zrl bookmark" href="$1" ' . $target . ' rel="nofollow noopener">$1</a>', $text);
+ $text = preg_replace("/\#\^\[zrl\=([$URLSearchString]*)\](.*?)\[\/zrl\]/ism", '<span class="bookmark-identifier">#^</span><a class="zrl bookmark" href="$1" ' . $target . ' rel="nofollow noopener">$2</a>', $text);
+ $text = preg_replace("/\[zrl\]([$URLSearchString]*)\[\/zrl\]/ism", '<a class="zrl" href="$1" ' . $target . ' rel="nofollow noopener">$1</a>', $text);
+ $text = preg_replace("/\[zrl\=([$URLSearchString]*)\](.*?)\[\/zrl\]/ism", '<a class="zrl" href="$1" ' . $target . ' rel="nofollow noopener">$2</a>', $text);
}
// Perform MAIL Search
if (strpos($text,'[/mail]') !== false) {
- $text = preg_replace("/\[mail\]([$MAILSearchString]*)\[\/mail\]/", '<a href="mailto:$1" ' . $target . ' rel="nofollow noopener" >$1</a>', $text);
- $text = preg_replace("/\[mail\=([$MAILSearchString]*)\](.*?)\[\/mail\]/", '<a href="mailto:$1" ' . $target . ' rel="nofollow noopener" >$2</a>', $text);
+ $text = preg_replace("/\[mail\]([$MAILSearchString]*)\[\/mail\]/", '<a href="mailto:$1" ' . $target . ' rel="nofollow noopener">$1</a>', $text);
+ $text = preg_replace("/\[mail\=([$MAILSearchString]*)\](.*?)\[\/mail\]/", '<a href="mailto:$1" ' . $target . ' rel="nofollow noopener">$2</a>', $text);
}
@@ -1737,17 +1747,17 @@ function bbcode($text, $options = []) {
// if video couldn't be embedded, link to it instead.
if (strpos($text,'[/video]') !== false) {
- $text = preg_replace("/\[video\](.*?)\[\/video\]/", '<a href="$1" ' . $target . ' rel="nofollow noopener" >$1</a>', $text);
+ $text = preg_replace("/\[video\](.*?)\[\/video\]/", '<a href="$1" ' . $target . ' rel="nofollow noopener">$1</a>', $text);
}
if (strpos($text,'[/audio]') !== false) {
- $text = preg_replace("/\[audio\](.*?)\[\/audio\]/", '<a href="$1" ' . $target . ' rel="nofollow noopener" >$1</a>', $text);
+ $text = preg_replace("/\[audio\](.*?)\[\/audio\]/", '<a href="$1" ' . $target . ' rel="nofollow noopener">$1</a>', $text);
}
if (strpos($text,'[/zvideo]') !== false) {
- $text = preg_replace("/\[zvideo\](.*?)\[\/zvideo\]/", '<a class="zid" href="$1" ' . $target . ' rel="nofollow noopener" >$1</a>', $text);
+ $text = preg_replace("/\[zvideo\](.*?)\[\/zvideo\]/", '<a class="zid" href="$1" ' . $target . ' rel="nofollow noopener">$1</a>', $text);
}
if (strpos($text,'[/zaudio]') !== false) {
- $text = preg_replace("/\[zaudio\](.*?)\[\/zaudio\]/", '<a class="zid" href="$1" ' . $target . ' rel="nofollow noopener" >$1</a>', $text);
+ $text = preg_replace("/\[zaudio\](.*?)\[\/zaudio\]/", '<a class="zid" href="$1" ' . $target . ' rel="nofollow noopener">$1</a>', $text);
}
// oembed tag
@@ -1813,9 +1823,13 @@ function bbcode($text, $options = []) {
$text = preg_replace("/\<(.*?)(src|href)=(.*?)\&amp\;(.*?)\>/ism", '<$1$2=$3&$4>', $text);
// This is subtle - it's an XSS filter. It only accepts links with a protocol scheme and where
- // the scheme begins with z (zhttp), h (http(s)), f (ftp(s)), m (mailto), t (tel) and named anchors.
+ // the scheme begins with http:, https:, mailto:, tel:, geo: and named anchors.
- $text = preg_replace("/\<(.*?)(src|href)=\"[^zhfmt#](.*?)\>/ism", '<$1$2="">', $text);
+ $text = preg_replace(
+ '/(<[^>]*?\b(?:src|href)\s*=\s*([\'"])\s*)(?!https?:|geo:|mailto:|tel:|#)[^\'"]*?\2/iu',
+ '$1$2$2',
+ $text
+ );
$text = bb_replace_images($text, $saved_images);
diff --git a/include/event.php b/include/event.php
index b83a733b8..39d0c49c2 100644
--- a/include/event.php
+++ b/include/event.php
@@ -106,7 +106,7 @@ function format_event_obj($jobject) {
$title = $object['name'] ?? '';
$content = html2bbcode($object['content']);
- if (strpos($object['source']['content'], '[/event-description]') !== false) {
+ if (isset($object['source']['content']) && strpos($object['source']['content'], '[/event-description]') !== false) {
$bbdescription = [];
preg_match("/\[event\-description\](.*?)\[\/event\-description\]/ism", $object['source']['content'], $bbdescription);
$content = $bbdescription[1];
diff --git a/include/items.php b/include/items.php
index 9e448e39a..b80c5672b 100644
--- a/include/items.php
+++ b/include/items.php
@@ -4802,19 +4802,19 @@ function items_fetch($arr,$channel = null,$observer_hash = null,$client_mode = C
return $items;
}
-function webpage_to_namespace($webpage) {
+function item_type_to_namespace($item_type) {
- if($webpage == ITEM_TYPE_WEBPAGE)
+ if($item_type == ITEM_TYPE_WEBPAGE)
$page_type = 'WEBPAGE';
- elseif($webpage == ITEM_TYPE_BLOCK)
+ elseif($item_type == ITEM_TYPE_BLOCK)
$page_type = 'BUILDBLOCK';
- elseif($webpage == ITEM_TYPE_PDL)
+ elseif($item_type == ITEM_TYPE_PDL)
$page_type = 'PDL';
- elseif($webpage == ITEM_TYPE_CARD)
+ elseif($item_type == ITEM_TYPE_CARD)
$page_type = 'CARD';
- elseif($webpage == ITEM_TYPE_ARTICLE)
+ elseif($item_type == ITEM_TYPE_ARTICLE)
$page_type = 'ARTICLE';
- elseif($webpage == ITEM_TYPE_DOC)
+ elseif($item_type == ITEM_TYPE_DOC)
$page_type = 'docfile';
else
$page_type = 'unknown';
@@ -4823,12 +4823,12 @@ function webpage_to_namespace($webpage) {
}
-function update_remote_id($channel,$post_id,$webpage,$pagetitle,$namespace,$remote_id,$mid) {
+function update_remote_id($channel,$post_id,$item_type,$pagetitle,$namespace,$remote_id,$mid) {
if(! intval($post_id))
return;
- $page_type = webpage_to_namespace($webpage);
+ $page_type = item_type_to_namespace($item_type);
if($page_type == 'unknown' && $namespace && $remote_id) {
$page_type = $namespace;
@@ -5761,8 +5761,13 @@ function get_recursive_thr_parents(array $item): array|null
dbesc($mid)
);
+ if (!$x) {
+ break;
+ }
+
$mid = $x[0]['thr_parent'];
$thr_parents[] = $x[0]['thr_parent'];
+
$i++;
}
diff --git a/include/network.php b/include/network.php
index cb5027922..83bb281a4 100644
--- a/include/network.php
+++ b/include/network.php
@@ -433,7 +433,6 @@ function as_return_and_die($obj, $channel = []) {
$headers['Content-Type'] = 'application/ld+json; profile="https://www.w3.org/ns/activitystreams"' ;
$headers['Date'] = datetime_convert('UTC','UTC', 'now', 'D, d M Y H:i:s \\G\\M\\T');
$headers['Digest'] = HTTPSig::generate_digest_header($ret);
- $headers['(request-target)'] = strtolower($_SERVER['REQUEST_METHOD']) . ' ' . $_SERVER['REQUEST_URI'];
if ($channel) {
$h = HTTPSig::create_sig($headers, $channel['channel_prvkey'], channel_url($channel));
generated by cgit v1.2.3 (git 2.25.1) at 2025-06-29 23:09:00 +0000