From 110ef6201e0a3731967a662afed1606b7077d0b0 Mon Sep 17 00:00:00 2001
From: redmatrix
Date: Sat, 16 Jan 2016 14:00:22 -0800
Subject: add $deliver flag to item_store() and item_store_update() [default true]. If false, do not send any notifications or process tag_deliver. This should avoid any network activity from happening as the result of a channel (actually item) import. Other minor fixes in the handling of the $allow_exec flag and further protecting CSS passed to widgets from rogue code and XSS.

---
 include/features.php | 2 +-
 include/import.php | 7 ++++---
 include/items.php | 12 +++++++-----
 include/widgets.php | 8 ++++----
 mod/import_items.php | 6 ------
 mod/item.php | 2 +-
 version.inc | 2 +-
 7 files changed, 18 insertions(+), 21 deletions(-)

diff --git a/include/features.php b/include/features.php
index 3cbbf5b7d..ffa8bf8ca 100644
--- a/include/features.php
+++ b/include/features.php
@@ -75,7 +75,7 @@ function get_features($filtered = true) {
 'net_module' => array(
 t('Network and Stream Filtering'),
 array('archives', t('Search by Date'), t('Ability to select posts by date ranges'),false,get_config('feature_lock','archives')),
- array('groups', t('Collections Filter'), t('Enable widget to display Network posts only from selected collections'),false,get_config('feature_lock','groups')),
+ array('groups', t('Collections (Privacy Groups)'), t('Enable widget to display Network posts only from selected collections'),false,get_config('feature_lock','groups')),
 array('savedsearch', t('Saved Searches'), t('Save search terms for re-use'),false,get_config('feature_lock','savedsearch')),
 array('personal_tab', t('Network Personal Tab'), t('Enable tab to display only Network posts that you\'ve interacted on'),false,get_config('feature_lock','personal_tab')),
 array('new_tab', t('Network New Tab'), t('Enable tab to display all new Network activity'),false,get_config('feature_lock','new_tab')),
diff --git a/include/import.php b/include/import.php
index ffaea6c1a..e208c3b00 100644
--- a/include/import.php
+++ b/include/import.php
@@ -496,6 +496,8 @@ function import_items($channel,$items) {
 }
 }
 
+ $deliver = false; // Don't deliver any messages or notifications when importing
+
 foreach($items as $i) {
 $item = get_item_elements($i,$allow_code);
 if(! $item)
@@ -509,16 +511,15 @@ function import_items($channel,$items) {
 if($item['edited'] > $r[0]['edited']) {
 $item['id'] = $r[0]['id'];
 $item['uid'] = $channel['channel_id'];
- item_store_update($item);
+ item_store_update($item,$allow_code,$deliver);
 continue;
 }
 }
 else {
 $item['aid'] = $channel['channel_account_id'];
 $item['uid'] = $channel['channel_id'];
- $item_result = item_store($item);
+ $item_result = item_store($item,$allow_code,$deliver);
 }
-
 }
 }
 }
diff --git a/include/items.php b/include/items.php
index 44f9633a9..0e16f7b8a 100755
--- a/include/items.php
+++ b/include/items.php
@@ -2160,7 +2160,7 @@ function encode_rel_links($links) {
 * * \e boolean \b success
 * * \e int \b item_id
 */
-function item_store($arr, $allow_exec = false) {
+function item_store($arr, $allow_exec = false, $deliver = true) {
 
 $d = array('item' => $arr, 'allow_exec' => $allow_exec);
 call_hooks('item_store', $d );
@@ -2537,7 +2537,7 @@ function item_store($arr, $allow_exec = false) {
 // so that we have an item in the DB that's marked deleted and won't store a fresh post
 // that isn't aware that we were already told to delete it.
 
- if(! intval($arr['item_deleted'])) {
+ if(($deliver) && (! intval($arr['item_deleted']))) {
 send_status_notifications($current_post,$arr);
 tag_deliver($arr['uid'],$current_post);
 }
@@ -2550,7 +2550,7 @@ function item_store($arr, $allow_exec = false) {
 
 
 
-function item_store_update($arr,$allow_exec = false) {
+function item_store_update($arr,$allow_exec = false, $deliver = true) {
 
 $d = array('item' => $arr, 'allow_exec' => $allow_exec);
 call_hooks('item_store_update', $d );
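Review bot: The return value of item_store() is captured on the new `$item_result = item_store($item,$allow_code,$deliver);` line but, within the visible lines, never inspected, and the item_store_update() call above it discards its result entirely, so a store that fails during import is skipped silently and the import reports nothing. The docblock in the items.php hunk lists `success` in item_store()'s return, which is enough to at least record the failure, e.g. `if(! $item_result['success']) logger('import_items: item_store failed', LOGGER_NORMAL);` right after the call. The closing braces suggest the foreach and the function end here, but import_items() begins outside the hunk, so the value may be consumed somewhere not shown.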
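Review bot: The new `$deliver` parameter on item_store() is not described in the docblock that the hunk's context lines close (` */` immediately precedes the signature), and the same omission applies to item_store_update() in the `@@ -2550` hunk. Add a line in the file's existing Doxygen style next to the other parameters, e.g. `@param boolean $deliver (optional) default true - when false, send_status_notifications() and tag_deliver() are skipped`. Note also that `$d = array('item' => $arr, 'allow_exec' => $allow_exec)` handed to the item_store hook does not carry the flag, so a plugin that performs its own delivery cannot tell it is running inside an import; adding `'deliver' => $deliver` to that array would expose it.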
@@ -2780,9 +2780,11 @@ function item_store_update($arr,$allow_exec = false) {
 
 call_hooks('post_remote_update_end',$arr);
 
- send_status_notifications($orig_post_id,$arr);
+ if($deliver) {
+ send_status_notifications($orig_post_id,$arr);
+ tag_deliver($uid,$orig_post_id);
+ }
 
- tag_deliver($uid,$orig_post_id);
 
 $ret['success'] = true;
 $ret['item_id'] = $orig_post_id;
diff --git a/include/widgets.php b/include/widgets.php
index 7021ef49d..60605cb51 100644
--- a/include/widgets.php
+++ b/include/widgets.php
@@ -915,8 +915,8 @@ function widget_photo($arr) {
 
 // ensure they can't sneak in an eval(js) function
 
- if(strpos($style,'(') !== false)
- return '';
+ if(strpbrk($style,'(\'"<>') !== false)
+ $style = '';
 
 if(array_key_exists('zrl', $arr) && isset($arr['zrl']))
 $zrl = (($arr['zrl']) ? true : false);
@@ -956,8 +956,8 @@ function widget_cover_photo($arr) {
 
 // ensure they can't sneak in an eval(js) function
 
- if(strpos($style,'(') !== false)
- return '';
+ if(strpbrk($style,'(\'"<>') !== false)
+ $style = '';
 
 $c = get_cover_photo($channel_id,'html');
 
diff --git a/mod/import_items.php b/mod/import_items.php
index 6b97939c9..f369ad780 100644
--- a/mod/import_items.php
+++ b/mod/import_items.php
@@ -86,14 +86,11 @@ function import_items_post(&$a) {
 
 $channel = $a->get_channel();
 
- $saved_notification_flags = notifications_off($channel['channel_id']);
 
 if(array_key_exists('item',$data) && $data['item']) {
 import_items($channel,$data['item']);
 }
 
- notifications_on($channel['channel_id'],$saved_notification_flags);
-
 if(array_key_exists('item_id',$data) && $data['item_id']) {
 import_item_ids($channel,$data['item_id']);
 }
@@ -107,9 +104,6 @@ function import_items_post(&$a) {
 
 function import_items_content(&$a) {
 
-
-
-
 if(! local_channel()) {
 notice( t('Permission denied') . EOL);
 return login();
diff --git a/mod/item.php b/mod/item.php
index b6d00e030..f100c9dfe 100644
--- a/mod/item.php
+++ b/mod/item.php
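Review bot: The denylist `if(strpbrk($style,'(\'"<>') !== false)` in widget_photo() (and the identical line in widget_cover_photo() in the `@@ -956` hunk) rejects literal parentheses, quotes and angle brackets but not the backslash, and CSS decodes backslash escape sequences inside a style attribute, so an escaped spelling of a blocked character passes the check while still meaning the same thing to the browser. An allowlist of what a plain declaration list needs is the safer shape here, e.g. `if(! preg_match('/^[a-zA-Z0-9\s:;#%.,\-]*$/', $style)) $style = '';`, with the comment above updated to `// only a plain declaration list is accepted; anything that could carry a function call, quote, escape or markup is dropped`. Whatever survives should still be run through htmlspecialchars() for the attribute context at the point where `$style` is emitted, which is outside this hunk.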
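Review bot: Removing the `notifications_off()` / `notifications_on()` bracket makes notification suppression during import depend entirely on each store path passing `$deliver = false`, yet `import_item_ids($channel,$data['item_id']);` on the trailing context lines still runs with no such flag, so if it reaches item_store() or item_store_update() those calls now deliver under the default `$deliver = true`. Either confirm it never stores or updates items, or thread the flag through it the way import_items() now does. import_items_post() begins and ends outside the hunk.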
@@ -446,7 +446,7 @@ function item_post(&$a) {
 
 $execflag = false;
 
- if($mimetype === 'application/x-php') {
+ if($mimetype !== 'text/bbcode') {
 $z = q("select account_id, account_roles, channel_pageflags from account left join channel on channel_account_id = account_id where channel_id = %d limit 1",
 intval($profile_uid)
 );
diff --git a/version.inc b/version.inc
index e854f1c97..4c4d3ae66 100644
--- a/version.inc
+++ b/version.inc
@@ -1 +1 @@
-2016-01-15.1279H
+2016-01-16.1280H
-- 
cgit v1.2.3

From da9a8d54de70d290668da24a3ec930dd9230aab1 Mon Sep 17 00:00:00 2001
From: redmatrix
Date: Sun, 17 Jan 2016 00:17:23 -0800
Subject: minversion issue

---
 include/plugin.php | 4 ++--
 version.inc | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/include/plugin.php b/include/plugin.php
index 2bc363556..a47558b63 100755
--- a/include/plugin.php
+++ b/include/plugin.php
@@ -365,7 +365,7 @@ function check_plugin_versions($info) {
 return true;
 
 if(array_key_exists('minversion',$info)) {
- if(version_compare(trim($info['minversion']),STD_VERSION, '>=')) {
+ if(! version_compare(STD_VERSION,trim($info['minversion']), '>=')) {
 logger('minversion limit: ' . $info['name'],LOGGER_NORMAL,LOG_WARNING);
 return false;
 }
@@ -377,7 +377,7 @@ function check_plugin_versions($info) {
 }
 }
 if(array_key_exists('minphpversion',$info)) {
- if(version_compare(trim($info['minphpversion']),PHP_VERSION, '>=')) {
+ if(! version_compare(PHP_VERSION,trim($info['minphpversion']), '>=')) {
 logger('minphpversion limit: ' . $info['name'],LOGGER_NORMAL,LOG_WARNING);
 return false;
 }
diff --git a/version.inc b/version.inc
index 4c4d3ae66..84bd44ea2 100644
--- a/version.inc
+++ b/version.inc
@@ -1 +1 @@
-2016-01-16.1280H
+2016-01-17.1281H
-- 
cgit v1.2.3

From 9b3b2efe9aa374565c0c67bbc67c36f9c99d3add Mon Sep 17 00:00:00 2001
From: redmatrix
Date: Sun, 17 Jan 2016 01:05:32 -0800
Subject: call build_sync_packet() on pdledit updates

---
 mod/pdledit.php | 1 +
 1 file changed, 1 insertion(+)
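Review bot: The intent behind `if($mimetype !== 'text/bbcode') {` is no longer evident from the comparison alone; the old `=== 'application/x-php'` test read as "only PHP content needs page-execution rights", whereas the new form treats every non-bbcode type as potentially executable, which is the stricter and more defensible direction if `$mimetype` originates from the request. A comment on the line would preserve that reading, e.g. `// anything other than bbcode may carry executable content: require page-execution rights on the account/channel before $execflag can be set`. item_post() continues outside the hunk, so where `$mimetype` is assigned and whether it is normalised first cannot be checked here.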
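Review bot: `if(! version_compare(STD_VERSION,trim($info['minversion']), '>=')) {` reads as a double negative; version_compare() accepts `'<'` directly, so `if(version_compare(STD_VERSION,trim($info['minversion']), '<')) {` states the check as "installed version below the plugin's minimum" without the leading `!`. The same rewrite applies to the minphpversion line in the `@@ -377` hunk, comparing PHP_VERSION against `trim($info['minphpversion'])`. Both hunks otherwise correct the argument order of the original comparison, which is the point of the commit.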
diff --git a/mod/pdledit.php b/mod/pdledit.php
index 93b8d52e6..f2a25566a 100644
--- a/mod/pdledit.php
+++ b/mod/pdledit.php
@@ -10,6 +10,7 @@ function pdledit_post(&$a) {
 goaway(z_root() . '/pdledit/' . $_REQUEST['module']);
 }
 set_pconfig(local_channel(),'system','mod_' . $_REQUEST['module'] . '.pdl',escape_tags($_REQUEST['content']));
+ build_sync_packet();
 info( t('Layout updated.') . EOL);
 goaway(z_root() . '/pdledit/' . $_REQUEST['module']);
 }
-- 
cgit v1.2.3
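Review bot: `build_sync_packet();` now propagates the pconfig entry written on the line above to the channel's clones, and the key of that entry, `'mod_' . $_REQUEST['module'] . '.pdl'`, is built from a request value that the visible lines do not validate. Unless the lines above the hunk already check `$_REQUEST['module']` against the set of known module names, a validation step before set_pconfig() would keep arbitrary keys out of both the local pconfig table and the sync packet. pdledit_post() begins outside the hunk, so an earlier check may exist.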