From 77eb9bcfa04faee0fbf20a1d9fae90bdf0dcbcc3 Mon Sep 17 00:00:00 2001
From: Andrew Manning
Date: Wed, 18 May 2016 21:32:23 -0400
Subject: Link new plugins when updating repos via admin/plugins
---
 Zotlabs/Module/Admin.php | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/Zotlabs/Module/Admin.php b/Zotlabs/Module/Admin.php
index 9b54a4081..cb843e212 100644
--- a/Zotlabs/Module/Admin.php
+++ b/Zotlabs/Module/Admin.php
@@ -1758,6 +1758,18 @@ class Admin extends \Zotlabs\Web\Controller {
 $git = new GitRepo('sys', null, false, $repoName, $repoDir);
 try {
 if ($git->pull()) {
+ $files = array_diff(scandir($repoDir), array('.', '..'));
+ foreach ($files as $file) {
+ if (is_dir($repoDir . '/' . $file) && $file !== '.git') {
+ $source = '../extend/addon/' . $repoName . '/' . $file;
+ $target = realpath(__DIR__ . '/../../addon/') . '/' . $file;
+ unlink($target);
+ if (!symlink($source, $target)) {
+ logger('Error linking addons to /addon');
+ json_return_and_die(array('message' => 'Error linking addons to /addon', 'success' => false));
+ }
+ }
+ }
 json_return_and_die(array('message' => 'Repo updated.', 'success' => true));
 } else {
 json_return_and_die(array('message' => 'Error updating addon repo.', 'success' => false));
-- cgit v1.2.3
From f4b31dcb3a56789c9c96e982466b11fe472e1444 Mon Sep 17 00:00:00 2001
From: redmatrix
Date: Wed, 18 May 2016 20:36:03 -0700
Subject: Document what I know about the session regeneration issue. I'm really tired of fighting this darn thing. Sessions and cookies need to work.
---
 Zotlabs/Web/Session.php | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/Zotlabs/Web/Session.php b/Zotlabs/Web/Session.php
index 2b058d379..63ccd91fe 100644
--- a/Zotlabs/Web/Session.php
+++ b/Zotlabs/Web/Session.php
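Review bot: `unlink($target)` runs unconditionally against whatever already sits at `addon/<name>`, and `<name>` comes from `scandir()` of a repository that was just pulled from a remote, so a repo update that gains a directory colliding with an existing addon silently replaces that addon's symlink, while a collision with a real directory makes unlink() fail, symlink() fail, and the loop abort half-way with the remaining addons unlinked. Only replace an entry you created, and skip anything else: `if (file_exists($target) && !is_link($target)) { logger('Refusing to replace non-symlink addon: ' . $file); continue; }` followed by `if (is_link($target)) unlink($target);` (this also avoids the warning unlink() emits when the target does not exist yet). Since `$file` is attacker-influenced, it is also worth restricting it to `/^[A-Za-z0-9_.-]+$/` and skipping every dot-directory, not just `.git`, before using it to build the link path. The enclosing method starts before the hunk.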
@@ -82,6 +82,19 @@ class Session {
 $arr = session_get_cookie_params();
 if($this->handler && $this->session_started) {
+
+ // The session should be regenerated to prevent session fixation attacks.
+ // Traditionally this has been working well, but stopped working in Firefox
+ // recently (~46.0). It works well in other browsers. FF takes time for the
+ // new cookie to propagate and it appears to still use the old cookie for the
+ // next several requests. We don't have an easy way to flush the cookies and
+ // ensure the browser is using the right one. I've tried several methods including
+ // delayed cookie deletion and issuing a page reload just after authentication
+ // and none have been successful and all are hacks to work around what looks to be
+ // a browser issue. This is an important @FIXME. We should enable by default and let
+ // folks disable it if they have issues, except they can't login to change it if
+ // their sessions aren't working.
+ // session_regenerate_id(true);
 // force SessionHandler record creation with the new session_id
-- cgit v1.2.3
From ada26dd2cbf99e7e8395b4e466a3f73245d004f1 Mon Sep 17 00:00:00 2001
From: redmatrix
Date: Wed, 18 May 2016 21:00:31 -0700
Subject: This explains it all. Don't set the domain when creating a cookie. You'll get a wildcard and sessions will break if you have multiple domains running hubzilla (or any php basic session based code).
---
 Zotlabs/Web/Session.php | 27 ++++++++++-----------------
 1 file changed, 10 insertions(+), 17 deletions(-)
diff --git a/Zotlabs/Web/Session.php b/Zotlabs/Web/Session.php
index 63ccd91fe..4f2a3f1f7 100644
--- a/Zotlabs/Web/Session.php
+++ b/Zotlabs/Web/Session.php
@@ -41,10 +41,15 @@ class Session {
 $arr = session_get_cookie_params();
+
+ // Note when setting cookies: set the domain to false which creates a single domain
+ // cookie. If you use a hostname it will create a .domain.com wildcard which will
+ // have some nasty side effects if you have any other subdomains running hubzilla.
+
 session_set_cookie_params(
 ((isset($arr['lifetime'])) ? $arr['lifetime'] : 0),
 ((isset($arr['path'])) ? $arr['path'] : '/'),
- (($arr['domain']) ? $arr['domain'] : \App::get_hostname()),
+ (($arr['domain']) ? $arr['domain'] : false),
 ((isset($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) == 'on') ? true : false),
 ((isset($arr['httponly'])) ? $arr['httponly'] : true)
 );
@@ -83,19 +88,7 @@ class Session {
 if($this->handler && $this->session_started) {
- // The session should be regenerated to prevent session fixation attacks.
- // Traditionally this has been working well, but stopped working in Firefox
- // recently (~46.0). It works well in other browsers. FF takes time for the
- // new cookie to propagate and it appears to still use the old cookie for the
- // next several requests. We don't have an easy way to flush the cookies and
- // ensure the browser is using the right one. I've tried several methods including
- // delayed cookie deletion and issuing a page reload just after authentication
- // and none have been successful and all are hacks to work around what looks to be
- // a browser issue. This is an important @FIXME. We should enable by default and let
- // folks disable it if they have issues, except they can't login to change it if
- // their sessions aren't working.
-
- // session_regenerate_id(true);
+ session_regenerate_id(true);
 // force SessionHandler record creation with the new session_id
 // which occurs as a side effect of read()
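Review bot: `false` as the domain argument of `session_set_cookie_params()` is only host-only because PHP coerces it to an empty string; passing `''` explicitly states the intent instead of relying on a bool-to-string conversion, i.e. `(($arr['domain']) ? $arr['domain'] : ''),`. The new comment frames this as a multi-hub bug fix; it is also the security property worth recording, since a `.domain.com` cookie is both sent to and overwritable by every sibling subdomain: `// '' (host-only): the session cookie is neither shared with nor clobbered by other subdomains.` Separately, the secure flag on the following context line is derived only from `$_SERVER['HTTPS']`, which is typically unset behind a TLS-terminating proxy, so such deployments would get a session cookie without Secure unless that is handled elsewhere — worth confirming. The enclosing method starts before the hunk.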
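Review bot: The restored `session_regenerate_id(true);` is now the only session-fixation defence in this block and carries no explanation of why it is there, the deleted comment block having been the sole place that said so; a one-liner keeps it from being "cleaned up" again: `// Rotate the session id on authentication to defeat session fixation; true discards the old record.` As far as this diff shows, the Firefox stale-cookie behaviour described in the removed text is not addressed, only re-exposed, so if it recurs a config switch is the right escape hatch rather than commenting the call out. The enclosing method starts before the hunk.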
@@ -106,9 +99,9 @@ class Session {
 logger('no session handler');
 if (x($_COOKIE, 'jsdisabled')) {
- setcookie('jsdisabled', $_COOKIE['jsdisabled'], $newxtime, '/', \App::get_hostname(),((isset($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) == 'on') ? true : false),((isset($arr['httponly'])) ? $arr['httponly'] : true));
+ setcookie('jsdisabled', $_COOKIE['jsdisabled'], $newxtime, '/', false,((isset($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) == 'on') ? true : false),((isset($arr['httponly'])) ? $arr['httponly'] : true));
 }
- setcookie(session_name(),session_id(),$newxtime, '/', \App::get_hostname(),((isset($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) == 'on') ? true : false),((isset($arr['httponly'])) ? $arr['httponly'] : true));
+ setcookie(session_name(),session_id(),$newxtime, '/', false,((isset($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) == 'on') ? true : false),((isset($arr['httponly'])) ? $arr['httponly'] : true));
 $arr = array('expire' => $xtime);
 call_hooks('new_cookie', $arr);
@@ -124,7 +117,7 @@ class Session {
 $xtime = (($_SESSION['remember_me']) ? (60 * 60 * 24 * 365) : 0 );
 if($xtime)
- setcookie(session_name(),session_id(),(time() + $xtime), '/', \App::get_hostname(),((isset($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) == 'on') ? true : false),((isset($arr['httponly'])) ? $arr['httponly'] : true));
+ setcookie(session_name(),session_id(),(time() + $xtime), '/', false,((isset($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) == 'on') ? true : false),((isset($arr['httponly'])) ? $arr['httponly'] : true));
 $arr = array('expire' => $xtime);
 call_hooks('extend_cookie', $arr);
-- cgit v1.2.3
From 3355210878c6af1d4ee1719d223e83dd9e086ddc Mon Sep 17 00:00:00 2001
From: redmatrix
Date: Wed, 18 May 2016 22:03:43 -0700
Subject: explain what we're doing and where we're going with this.
---
 include/dba/dba_driver.php | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)
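Review bot: `setcookie('jsdisabled', $_COOKIE['jsdisabled'], …)` re-emits a client-supplied value verbatim; setcookie() URL-encodes the value so header injection is not possible, but if the cookie is only a flag, writing a fixed value such as `'1'` avoids reflecting arbitrary content back and documents what the cookie means. Style: the secure/httponly expression is now copied into all three setcookie() calls in this diff (and into session_set_cookie_params() earlier in the file), so hoisting `$secure = (isset($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) == 'on');` and `$httponly = ((isset($arr['httponly'])) ? $arr['httponly'] : true);` once per method would stop the copies drifting apart. Note that `$arr = array('expire' => $xtime);` reassigns the very variable the httponly expression reads, which works only because of statement order. The enclosing methods start before their hunks.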
diff --git a/include/dba/dba_driver.php b/include/dba/dba_driver.php
index 498bfffa7..e15e107a8 100755
--- a/include/dba/dba_driver.php
+++ b/include/dba/dba_driver.php
@@ -32,6 +32,8 @@ function dba_factory($server, $port,$user,$pass,$db,$dbtype,$install = false) {
 if(is_null($port)) $set_port = 5432;
 $dba = new dba_postgres($server, $set_port, $user, $pass, $db, $install);
 } else {
+
+// Highly experimental at the present time.
 // require_once('include/dba/dba_pdo.php');
 // $dba = new dba_pdo($server, $set_port,$user,$pass,$db,$install);
 // }
@@ -42,13 +44,12 @@ function dba_factory($server, $port,$user,$pass,$db,$dbtype,$install = false) {
 $dba = new dba_mysqli($server, $set_port,$user,$pass,$db,$install);
 }
 }
+
+ // Until we have a proper PDO driver, store the DB connection parameters for
+ // plugins/addons which use PDO natively (such as cdav). This is wasteful as
+ // it opens a separate connection to the DB, but saves a lot of effort re-writing
+ // third-party interfaces that are working and well tested.
-// else {
-// if (is_null($port)) $set_port = "3306";
-// require_once('include/dba/dba_mysql.php');
-// $dba = new dba_mysql($server, $set_port,$user,$pass,$db,$install);
-// }
-// }
 if(is_object($dba) && $dba->connected) {
 $dns = (($dbtype == DBTYPE_POSTGRES) ? 'postgres' : 'mysql')
-- cgit v1.2.3
From 905432c7ae738ff69090bf8cc912c42d2cea5ab2 Mon Sep 17 00:00:00 2001
From: redmatrix
Date: Wed, 18 May 2016 22:53:43 -0700
Subject: text clarifications
---
 Zotlabs/Module/Dav.php | 1 +
 Zotlabs/Module/Settings.php | 4 ++--
 Zotlabs/Storage/BasicAuth.php | 1 -
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/Zotlabs/Module/Dav.php b/Zotlabs/Module/Dav.php
index 549c992cc..d65ad3405 100644
--- a/Zotlabs/Module/Dav.php
+++ b/Zotlabs/Module/Dav.php
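Review bot: The new comment says the DB connection parameters are stored for PDO-using addons but not where they go or that, given this function receives `$pass`, they presumably include the database password; the code it describes begins at the `$dns = …` line and runs past the hunk, so the exposure cannot be judged here. Say it explicitly so the next reader treats the value as a secret: `// NOTE: this includes the DB password; keep it out of anything that is logged, serialised or handed to templates.` Naming the variable or property that ends up carrying the parameters would also let addon authors and reviewers find it. The enclosing function continues outside the hunk.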
@@ -64,6 +64,7 @@ class Dav extends \Zotlabs\Web\Controller {
 $auth = new \Zotlabs\Storage\BasicAuth();
+ $auth->setRealm(ucfirst(\Zotlabs\Project\System::get_platform_name()) . 'WebDAV');
 // $authBackend = new \Sabre\DAV\Auth\Backend\BasicCallBack(function($userName,$password) {
 // if(account_verify_password($userName,$password))
diff --git a/Zotlabs/Module/Settings.php b/Zotlabs/Module/Settings.php
index a6293e842..1f5c55067 100644
--- a/Zotlabs/Module/Settings.php
+++ b/Zotlabs/Module/Settings.php
@@ -1062,11 +1062,11 @@ class Settings extends \Zotlabs\Web\Controller {
 '$lbl_p2macro' => t('Advanced Privacy Settings'),
- '$expire' => array('expire',t('Expire other channel content after this many days'),$expire,sprintf( t('0 or blank to use the website limit. The website expires after %d days.'),intval($sys_expire))),
+ '$expire' => array('expire',t('Expire other channel content after this many days'),$expire, t('0 or blank to use the website limit.') . ' ' . ((intval($sys_expire)) ? sprintf( t('This website expires after %d days.'),intval($sys_expire)) : t('This website does not expire imported content.')) . ' ' . t('The website limit takes precedence if lower than your limit.')),
 '$maxreq' => array('maxreq', t('Maximum Friend Requests/Day:'), intval($channel['channel_max_friend_req']) , t('May reduce spam activity')),
 '$permissions' => t('Default Post Permissions'),
 '$permdesc' => t("\x28click to open/close\x29"),
- '$aclselect' => populate_acl($perm_defaults, false, \PermissionDescription::fromDescription(t('Use my default audience setting for the type of post'))),
+ '$aclselect' => populate_acl($perm_defaults, false, \PermissionDescription::fromDescription(t('Use my default audience setting for the type of object published'))),
 '$suggestme' => $suggestme,
 '$group_select' => $group_select,
 '$role' => array('permissions_role' , t('Channel permissions category:'), $permissions_role, '', get_roles()),
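Review bot: `ucfirst(…get_platform_name()) . 'WebDAV'` yields a realm with no separator (e.g. "HubzillaWebDAV"), and the realm is presumably what the Basic backend places inside the quoted `WWW-Authenticate: Basic realm="…"` challenge, so a double quote in the platform name would break the header even though that value is most likely admin-configured. A space plus a defensive strip addresses both: `$auth->setRealm(str_replace('"', '', ucfirst(\Zotlabs\Project\System::get_platform_name())) . ' WebDAV');`. The commented-out BasicCallBack block on the context lines below is dead code that could be dropped in the same pass rather than kept alongside the live backend. The enclosing method starts before the hunk.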
diff --git a/Zotlabs/Storage/BasicAuth.php b/Zotlabs/Storage/BasicAuth.php
index 02c4117da..121a9c3a1 100644
--- a/Zotlabs/Storage/BasicAuth.php
+++ b/Zotlabs/Storage/BasicAuth.php
@@ -79,7 +79,6 @@ class BasicAuth extends DAV\Auth\Backend\AbstractBasic {
 /**
 * @brief Validates a username and password.
 *
- * Guest access is granted with the password "+++".
 *
 * @see \Sabre\DAV\Auth\Backend\AbstractBasic::validateUserPass
 * @param string $username
-- cgit v1.2.3
From 93a7df5a1b9ac260657ba789760cb9e4c11544a7 Mon Sep 17 00:00:00 2001
From: redmatrix
Date: Wed, 18 May 2016 22:57:23 -0700
Subject: one more text clarification
---
 Zotlabs/Module/Settings.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Zotlabs/Module/Settings.php b/Zotlabs/Module/Settings.php
index 1f5c55067..f588e2824 100644
--- a/Zotlabs/Module/Settings.php
+++ b/Zotlabs/Module/Settings.php
@@ -1064,7 +1064,7 @@ class Settings extends \Zotlabs\Web\Controller {
 '$expire' => array('expire',t('Expire other channel content after this many days'),$expire, t('0 or blank to use the website limit.') . ' ' . ((intval($sys_expire)) ? sprintf( t('This website expires after %d days.'),intval($sys_expire)) : t('This website does not expire imported content.')) . ' ' . t('The website limit takes precedence if lower than your limit.')),
 '$maxreq' => array('maxreq', t('Maximum Friend Requests/Day:'), intval($channel['channel_max_friend_req']) , t('May reduce spam activity')),
- '$permissions' => t('Default Post Permissions'),
+ '$permissions' => t('Default Post and Publish Permissions'),
 '$permdesc' => t("\x28click to open/close\x29"),
 '$aclselect' => populate_acl($perm_defaults, false, \PermissionDescription::fromDescription(t('Use my default audience setting for the type of object published'))),
 '$suggestme' => $suggestme,
-- cgit v1.2.3
From 50d1d06b0324737ca6dc7dab43e42217ee9381b4 Mon Sep 17 00:00:00 2001
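Review bot: Removing `Guest access is granted with the password "+++".` from the docblock changes only documentation; the body of validateUserPass() is outside this hunk, so the diff does not show whether the `+++` guest path itself is gone. If the behaviour still exists, the docblock now conceals a hard-coded credential instead of documenting it, which is the worse of the two states; if it was removed earlier, the commit message or a short line such as `* Guest ("+++") access is no longer supported; unauthenticated DAV access goes through the normal permission checks.` (only if that is accurate) would let a reader verify that without reading the method. The method body lies outside the hunk.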
From: redmatrix
Date: Thu, 19 May 2016 00:56:51 -0700
Subject: issue #391 - htmlspecialchars_decode before firing up jot, which re-encodes
---
 Zotlabs/Module/Editpost.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Zotlabs/Module/Editpost.php b/Zotlabs/Module/Editpost.php
index 43edf2c00..da859de3e 100644
--- a/Zotlabs/Module/Editpost.php
+++ b/Zotlabs/Module/Editpost.php
@@ -87,11 +87,11 @@ class Editpost extends \Zotlabs\Web\Controller {
 'hide_location' => true,
 'mimetype' => $itm[0]['mimetype'],
 'ptyp' => $itm[0]['obj_type'],
- 'body' => undo_post_tagging($itm[0]['body']),
+ 'body' => htmlspecialchars_decode(undo_post_tagging($itm[0]['body']),ENT_COMPAT),
 'post_id' => $post_id,
 'defloc' => $channel['channel_location'],
 'visitor' => true,
- 'title' => htmlspecialchars($itm[0]['title'],ENT_COMPAT,'UTF-8'),
+ 'title' => htmlspecialchars_decode($itm[0]['title'],ENT_COMPAT),
 'category' => $category,
 'showacl' => false,
 'profile_uid' => $owner_uid,
-- cgit v1.2.3
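Review bot: Both `body` and `title` are now handed to the editor decoded, which makes the jot template the sole HTML-escaping step for stored content; the commit message says jot re-encodes, but nothing in the hunk shows it, and `title` was previously run through htmlspecialchars() here precisely so the template did not have to escape it. Before merging, confirm the template escapes `$title` in the attribute context it lands in and `$body` inside the textarea, and record the contract at the decode site: `// decode here; the jot template re-escapes both fields on output.` Note that `ENT_COMPAT` does not decode `&#039;`, so apostrophes stored as that entity will still show up encoded in the editor. The enclosing method starts before the hunk.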