From 211cda540dc158d6e8ad3835de8ee8fdae570fe4 Mon Sep 17 00:00:00 2001
From: Mario Vavti
Date: Wed, 15 Mar 2017 12:38:33 +0100
Subject: better handling of mimetype security
---
 Zotlabs/Module/Editwebpage.php | 2 --
 Zotlabs/Module/Item.php | 22 ++++++----------------
 2 files changed, 6 insertions(+), 18 deletions(-)
diff --git a/Zotlabs/Module/Editwebpage.php b/Zotlabs/Module/Editwebpage.php
index 3d4af107d..97f4a32ff 100644
--- a/Zotlabs/Module/Editwebpage.php
+++ b/Zotlabs/Module/Editwebpage.php
@@ -130,8 +130,6 @@ class Editwebpage extends \Zotlabs\Web\Controller {
 $layout = $itm[0]['layout_mid'];
- $tpl = get_markup_template("jot.tpl");
-
 $rp = 'webpages/' . $which;
 $x = array(
diff --git a/Zotlabs/Module/Item.php b/Zotlabs/Module/Item.php
index 4725ecb38..6f54d3bb1 100644
--- a/Zotlabs/Module/Item.php
+++ b/Zotlabs/Module/Item.php
@@ -480,22 +480,12 @@ class Item extends \Zotlabs\Web\Controller {
 $execflag = false;
- if($mimetype !== 'text/bbcode') {
- $z = q("select account_id, account_roles, channel_pageflags from account left join channel on channel_account_id = account_id where channel_id = %d limit 1",
- intval($profile_uid)
- );
- if($z && (($z[0]['account_roles'] & ACCOUNT_ROLE_ALLOWCODE) || ($z[0]['channel_pageflags'] & PAGE_ALLOWCODE))) {
- if($uid && (get_account_id() == $z[0]['account_id'])) {
- $execflag = true;
- }
- else {
- notice( t('Executable content type not permitted to this channel.') . EOL);
- if($api_source)
- return ( [ 'success' => false, 'message' => 'forbidden content type' ] );
- if(x($_REQUEST,'return'))
- goaway(z_root() . "/" . $return_path );
- killme();
- }
+ $z = q("select account_id, account_roles, channel_pageflags from account left join channel on channel_account_id = account_id where channel_id = %d limit 1",
+ intval($profile_uid)
+ );
+ if($z && (($z[0]['account_roles'] & ACCOUNT_ROLE_ALLOWCODE) || ($z[0]['channel_pageflags'] & PAGE_ALLOWCODE))) {
+ if($uid && (get_account_id() == $z[0]['account_id'])) {
+ $execflag = true;
 }
 }
-- cgit v1.2.3
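Review bot: With the `text/bbcode` guard and the `else` branch removed, this hunk no longer refuses anything: a non-bbcode `$mimetype` posted by someone other than the owning account of a code-enabled channel used to stop at `notice()`/`killme()` (or the API's 'forbidden content type' result) and now simply continues with `$execflag = false`. Whether that is safe depends on code outside the hunk purifying or rejecting the body whenever `$execflag` is false, on the `$api_source` path as well; that consumer is not visible here, and the method body starts and ends outside the hunk. I would state the contract above the query, e.g. `// $execflag only records permission; a non-bbcode body must be purified or refused wherever $execflag is false`, and pin it with a test that submits an executable mimetype as a non-owner. The ownership check also compares loosely; `intval(get_account_id()) === intval($z[0]['account_id'])` would avoid type juggling between the two values.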