From cd518625bf561f1ed42db0b78030b74c32435136 Mon Sep 17 00:00:00 2001 From: redmatrix Date: Sun, 1 May 2016 19:19:17 -0700 Subject: some much needed work on oembed security --- Zotlabs/Module/Admin.php | 29 +++++--- Zotlabs/Module/Oep.php | 2 +- include/identity.php | 62 ++++++++++++++++ include/oembed.php | 177 ++++++++++++++++++++++++++++++-------------- include/text.php | 31 +++++++- version.inc | 2 +- view/tpl/admin_security.tpl | 12 +++ view/tpl/zcard_embed.tpl | 8 ++ 8 files changed, 255 insertions(+), 68 deletions(-) create mode 100644 view/tpl/zcard_embed.tpl diff --git a/Zotlabs/Module/Admin.php b/Zotlabs/Module/Admin.php index 1d37b41bc..b22931b1a 100644 --- a/Zotlabs/Module/Admin.php +++ b/Zotlabs/Module/Admin.php @@ -568,25 +568,25 @@ class Admin extends \Zotlabs\Web\Controller { $block_public = ((x($_POST,'block_public')) ? True : False); set_config('system','block_public',$block_public); - $ws = trim_array_elems(explode("\n",$_POST['whitelisted_sites'])); + $ws = $this->trim_array_elems(explode("\n",$_POST['whitelisted_sites'])); set_config('system','whitelisted_sites',$ws); - $bs = trim_array_elems(explode("\n",$_POST['blacklisted_sites'])); + $bs = $this->trim_array_elems(explode("\n",$_POST['blacklisted_sites'])); set_config('system','blacklisted_sites',$bs); - $wc = trim_array_elems(explode("\n",$_POST['whitelisted_channels'])); + $wc = $this->trim_array_elems(explode("\n",$_POST['whitelisted_channels'])); set_config('system','whitelisted_channels',$wc); - $bc = trim_array_elems(explode("\n",$_POST['blacklisted_channels'])); + $bc = $this->trim_array_elems(explode("\n",$_POST['blacklisted_channels'])); set_config('system','blacklisted_channels',$bc); $embed_coop = ((x($_POST,'embed_coop')) ? True : False); set_config('system','embed_coop',$embed_coop); - $we = trim_array_elems(explode("\n",$_POST['embed_allow'])); + $we = $this->trim_array_elems(explode("\n",$_POST['embed_allow'])); set_config('system','embed_allow',$we); - $be = trim_array_elems(explode("\n",$_POST['embed_deny'])); + $be = $this->trim_array_elems(explode("\n",$_POST['embed_deny'])); set_config('system','embed_deny',$be); goaway(z_root() . '/admin/security'); @@ -708,9 +708,13 @@ class Admin extends \Zotlabs\Web\Controller { $embed_coop = intval(get_config('system','embed_coop')); - // wait to implement this until we have a co-op in place. - // if((! $whiteembeds) && (! $blackembeds) && (! $embed_coop)) - // $whiteembeds_str = "youtube.com\nyoutu.be\ntwitter.com\nvimeo.com\nsoundcloud.com\nwikipedia.com"; + if((! $whiteembeds) && (! $blackembeds)) { + $embedhelp1 = t("By default, unfiltered HTML is allowed in embedded media. This is inherently insecure."); + } + + $embedhelp2 = t("The recommended setting is to only allow unfiltered HTML from the following sites:"); + $embedhelp3 = t("youtube.com
youtu.be
twitter.com
vimeo.com
soundcloud.com
wikipedia.com
"); + $embedhelp4 = t("All other embedded content will be filtered, unless embedded content from that site is explicitly blocked."); $t = get_markup_template('admin_security.tpl'); return replace_macros($t, array( @@ -722,10 +726,15 @@ class Admin extends \Zotlabs\Web\Controller { '$blacklisted_sites' => array('blacklisted_sites', t('Block communications from these sites'), $blacksites_str, ''), '$whitelisted_channels' => array('whitelisted_channels', t('Allow communications only from these channels'), $whitechannels_str, t('One channel (hash) per line. Leave empty to allow from any channel by default')), '$blacklisted_channels' => array('blacklisted_channels', t('Block communications from these channels'), $blackchannels_str, ''), - '$embed_allow' => array('embed_allow', t('Allow embedded HTML content only from these domains'), $whiteembeds_str, t('One site per line. Leave empty to allow from any site by default')), + '$embed_allow' => array('embed_allow', t('Allow unfiltered embedded HTML content only from these domains'), $whiteembeds_str, t('One site per line. Leave empty to allow from any site by default')), '$embed_deny' => array('embed_deny', t('Block embedded HTML from these domains'), $blackembeds_str, ''), // '$embed_coop' => array('embed_coop', t('Cooperative embed security'), $embed_coop, t('Enable to share embed security with other compatible sites/hubs')), + '$embedhelp1' => $embedhelp1, + '$embedhelp2' => $embedhelp2, + '$embedhelp3' => $embedhelp3, + '$embedhelp4' => $embedhelp4, + '$submit' => t('Submit') )); } diff --git a/Zotlabs/Module/Oep.php b/Zotlabs/Module/Oep.php index f36a452e8..638ea7e2d 100644 --- a/Zotlabs/Module/Oep.php +++ b/Zotlabs/Module/Oep.php @@ -220,7 +220,7 @@ class Oep extends \Zotlabs\Web\Controller { $ret['width'] = intval($width); $ret['height'] = intval($height); - $ret['html'] = get_zcard($c,get_observer_hash(),array('width' => $width, 'height' => $height)); + $ret['html'] = get_zcard_embed($c,get_observer_hash(),array('width' => $width, 'height' => $height)); return $ret; diff --git a/include/identity.php b/include/identity.php index 1c899048a..f50c497cd 100644 --- a/include/identity.php +++ b/include/identity.php @@ -1878,3 +1878,65 @@ function get_zcard($channel,$observer_hash = '',$args = array()) { return $o; } + + +function get_zcard_embed($channel,$observer_hash = '',$args = array()) { + + logger('get_zcard_embed'); + + $maxwidth = (($args['width']) ? intval($args['width']) : 0); + $maxheight = (($args['height']) ? intval($args['height']) : 0); + + + if(($maxwidth > 1200) || ($maxwidth < 1)) + $maxwidth = 1200; + + if($maxwidth <= 425) { + $width = 425; + $size = 'hz_small'; + $cover_size = PHOTO_RES_COVER_425; + $pphoto = array('type' => $channel['xchan_photo_mimetype'], 'width' => 80 , 'height' => 80, 'href' => $channel['xchan_photo_m']); + } + elseif($maxwidth <= 900) { + $width = 900; + $size = 'hz_medium'; + $cover_size = PHOTO_RES_COVER_850; + $pphoto = array('type' => $channel['xchan_photo_mimetype'], 'width' => 160 , 'height' => 160, 'href' => $channel['xchan_photo_l']); + } + elseif($maxwidth <= 1200) { + $width = 1200; + $size = 'hz_large'; + $cover_size = PHOTO_RES_COVER_1200; + $pphoto = array('type' => $channel['xchan_photo_mimetype'], 'width' => 300 , 'height' => 300, 'href' => $channel['xchan_photo_l']); + } + + $channel['channel_addr'] = $channel['channel_address'] . '@' . App::get_hostname(); + $zcard = array('chan' => $channel); + + $r = q("select height, width, resource_id, scale, type from photo where uid = %d and scale = %d and photo_usage = %d", + intval($channel['channel_id']), + intval($cover_size), + intval(PHOTO_COVER) + ); + + if($r) { + $cover = $r[0]; + $cover['href'] = z_root() . '/photo/' . $r[0]['resource_id'] . '-' . $r[0]['scale']; + } + else { + $cover = $pphoto; + } + + $o .= replace_macros(get_markup_template('zcard_embed.tpl'),array( + '$maxwidth' => $maxwidth, + '$scale' => $scale, + '$translate' => $translate, + '$size' => $size, + '$cover' => $cover, + '$pphoto' => $pphoto, + '$zcard' => $zcard + )); + + return $o; + +} diff --git a/include/oembed.php b/include/oembed.php index 3994af0fb..356b9f961 100755 --- a/include/oembed.php +++ b/include/oembed.php @@ -3,67 +3,117 @@ function oembed_replacecb($matches){ $embedurl=$matches[1]; + $action = oembed_action($embedurl); + if($action === 'block') { + return '' . $embedurl . ''; + } + + $j = oembed_fetch_url($embedurl); + $s = oembed_format_object($j); + return $s; +} + + +function oembed_action($embedurl) { + + $host = ''; + + $action = 'allow'; + + // The default action is 'allow'. This is insecure. We might want to + // change this to 'filter' except it will be a support burden because + // then youtube videos won't work out of the box and will need to be + // explicitly enabled. + + $embedurl = str_replace('&','&', $embedurl); + + logger('oembed_action: ' . $embedurl); + + $p = parse_url($embedurl); + + if($p) + $host = $p['host']; + + // These media files should now be caught in bbcode.php + // left here as a fallback in case this is called from another source + + $noexts = array("mp3","mp4","ogg","ogv","oga","ogm","webm","opus"); + $ext = pathinfo(strtolower($embedurl),PATHINFO_EXTENSION); + // site white/black list if(($x = get_config('system','embed_deny'))) { - $l = explode("\n",$x); - if($l) { - foreach($l as $ll) { - if(trim($ll) && strpos($embedurl,trim($ll)) !== false) - return '' . $embedurl . ''; + if(($x) && (! is_array($x))) + $x = explode("\n",$x); + if($x) { + foreach($x as $ll) { + $t = trim($ll); + + // don't allow somebody to provide a url like https://foobar.com/something/youtube + // to bypass a block or allow of youtube + + if($t && (strpos($embedurl,$t) !== false || strpos($t,$host) !== false)) { + $action = 'block'; + break; + } } } } + + $found = false; + if(($x = get_config('system','embed_allow'))) { - $found = false; - $l = explode("\n",$x); - if($l) { - foreach($l as $ll) { - if(trim($ll) && strpos($embedurl,trim($ll)) !== false) { + if(($x) && (! is_array($x))) + $x = explode("\n",$x); + if($x) { + foreach($x as $ll) { + $t = trim($ll); + + // don't allow somebody to provide a url like https://foobar.com/something/youtube + // to bypass a block or allow of youtube + + if($t && (strpos($embedurl,$t) !== false || strpos($t,$host) !== false)) { $found = true; + $action = 'allow'; break; } } } - if(! $found) { - return '' . $embedurl . ''; + if((! $found) && ($action !== 'block')) { + $action = 'filter'; } } - // implements a personal embed white/black list for logged in members + // allow individual members to block something that wasn't blocked already. + // They cannot over-ride the site to allow or change the filtering on an + // embed that is not allowed by the site. + if(local_channel()) { if(($x = get_pconfig(local_channel(),'system','embed_deny'))) { - $l = explode("\n",$x); - if($l) { - foreach($l as $ll) { - if(trim($ll) && strpos($embedurl,trim($ll)) !== false) - return '' . $embedurl . ''; - } - } - } - if(($x = get_pconfig(local_channel(),'system','embed_allow'))) { - $found = false; - $l = explode("\n",$x); - if($l) { - foreach($l as $ll) { - if(trim($ll) && strpos($embedurl,trim($ll)) !== false) { - $found = true; + if(($x) && (! is_array($x))) + $x = explode("\n",$x); + if($x) { + foreach($x as $ll) { + $t = trim($ll); + + // don't allow somebody to provide a url like https://foobar.com/something/youtube + // to bypass a block or allow of youtube + + if($t && (strpos($embedurl,$t) !== false || strpos($t,$host) !== false)) { + $action = 'block'; break; } } } - if(! $found) { - return '' . $embedurl . ''; - } } } - $j = oembed_fetch_url($embedurl); - $s = oembed_format_object($j); - return $s; -} + logger('action: ' . $action . ' url: ' . $embedurl, LOGGER_DEBUG,LOG_DEBUG); + return $action; + +} // if the url is embeddable with oembed, return the bbcode link. @@ -79,42 +129,48 @@ function oembed_process($url) { function oembed_fetch_url($embedurl){ - $a = get_app(); + // These media files should now be caught in bbcode.php + // left here as a fallback in case this is called from another source + + $noexts = array("mp3","mp4","ogg","ogv","oga","ogm","webm","opus"); + $ext = pathinfo(strtolower($embedurl),PATHINFO_EXTENSION); + + $action = oembed_action($embedurl); $embedurl = str_replace('&','&', $embedurl); -// logger('fetch: ' . $embedurl); + $txt = null; - $txt = Cache::get(App::$videowidth . $embedurl); + if($action !== 'block') { + $txt = Cache::get(App::$videowidth . $embedurl); - if(strstr($txt,'youtu') && strstr(z_root(),'https:')) { - $txt = str_replace('http:','https:',$txt); + if(strstr($txt,'youtu') && strstr(z_root(),'https:')) { + $txt = str_replace('http:','https:',$txt); + } } + + if(is_null($txt)) { - // These media files should now be caught in bbcode.php - // left here as a fallback in case this is called from another source - - $noexts = array("mp3","mp4","ogg","ogv","oga","ogm","webm","opus"); - $ext = pathinfo(strtolower($embedurl),PATHINFO_EXTENSION); - - - if(is_null($txt)){ $txt = ""; - - if (in_array($ext, $noexts)) { + $furl = $embedurl; + $zrl = false; + + if(local_channel()) { require_once('include/hubloc.php'); - $zrl = is_matrix_url($embedurl); + $zrl = is_matrix_url($furl); if($zrl) - $embedurl = zid($embedurl); + $furl = zid($furl); } - else { + + + if (! in_array($ext, $noexts) && $action !== 'block') { // try oembed autodiscovery $redirects = 0; - $result = z_fetch_url($embedurl, false, $redirects, array('timeout' => 15, 'accept_content' => "text/*", 'novalidate' => true )); + $result = z_fetch_url($furl, false, $redirects, array('timeout' => 15, 'accept_content' => "text/*", 'novalidate' => true )); if($result['success']) $html_text = $result['body']; - if($html_text){ + if($html_text) { $dom = @DOMDocument::loadHTML($html_text); if ($dom){ $xpath = new DOMXPath($dom); @@ -149,6 +205,7 @@ function oembed_fetch_url($embedurl){ } $txt=trim($txt); + if ($txt[0]!="{") $txt='{"type":"error"}'; //save in cache @@ -160,6 +217,16 @@ function oembed_fetch_url($embedurl){ $j = json_decode($txt); + + if($j->html && $action === 'filter') { + $orig = $j->html; + $allow_position = (($zrl) ? true : false); + $j->html = purify_html($j->html,$allow_position); + if($j->html != $orig) { + logger('oembed html was purified. original: ' . $orig . ' purified: ' . $j->html, LOGGER_DEBUG, LOG_INFO); + } + } + $j->embedurl = $embedurl; // logger('fetch return: ' . print_r($j,true)); diff --git a/include/text.php b/include/text.php index c61c5fbd4..cf2f777aa 100644 --- a/include/text.php +++ b/include/text.php @@ -122,7 +122,7 @@ function z_input_filter($channel_id,$s,$type = 'text/bbcode') { -function purify_html($s) { +function purify_html($s, $allow_position) { require_once('library/HTMLPurifier.auto.php'); require_once('include/html2bbcode.php'); @@ -202,6 +202,35 @@ function purify_html($s) { $def->addElement('header', 'Block', 'Flow', 'Common'); $def->addElement('footer', 'Block', 'Flow', 'Common'); + + if($allow_position) { + $cssDefinition = $config->getCSSDefinition(); + + $cssDefinition->info['position'] = new HTMLPurifier_AttrDef_Enum(array('absolute', 'fixed', 'relative', 'static', 'inherit'), false); + + $cssDefinition->info['left'] = new HTMLPurifier_AttrDef_CSS_Composite(array( + new HTMLPurifier_AttrDef_CSS_Length(), + new HTMLPurifier_AttrDef_CSS_Percentage() + )); + + $cssDefinition->info['right'] = new HTMLPurifier_AttrDef_CSS_Composite(array( + new HTMLPurifier_AttrDef_CSS_Length(), + new HTMLPurifier_AttrDef_CSS_Percentage() + )); + + $cssDefinition->info['top'] = new HTMLPurifier_AttrDef_CSS_Composite(array( + new HTMLPurifier_AttrDef_CSS_Length(), + new HTMLPurifier_AttrDef_CSS_Percentage() + )); + + $cssDefinition->info['bottom'] = new HTMLPurifier_AttrDef_CSS_Composite(array( + new HTMLPurifier_AttrDef_CSS_Length(), + new HTMLPurifier_AttrDef_CSS_Percentage() + )); + + } + + $purifier = new HTMLPurifier($config); return $purifier->purify($s); diff --git a/version.inc b/version.inc index 8c803549a..aec5959ca 100644 --- a/version.inc +++ b/version.inc @@ -1 +1 @@ -2016-04-29.1381H +2016-05-01.1383H diff --git a/view/tpl/admin_security.tpl b/view/tpl/admin_security.tpl index 3823d8235..39f389e54 100755 --- a/view/tpl/admin_security.tpl +++ b/view/tpl/admin_security.tpl @@ -15,6 +15,18 @@ {{include file="field_textarea.tpl" field=$whitelisted_channels}} {{include file="field_textarea.tpl" field=$blacklisted_channels}} + {{if $embedhelp1}} +
{{$embedhelp1}}
+ {{/if}} + +
+
{{$embedhelp2}}
+
+
{{$embedhelp3}}
+
+
{{$embedhelp4}}
+
+ {{include file="field_textarea.tpl" field=$embed_allow}} {{include file="field_textarea.tpl" field=$embed_deny}} diff --git a/view/tpl/zcard_embed.tpl b/view/tpl/zcard_embed.tpl new file mode 100644 index 000000000..7981e3b0b --- /dev/null +++ b/view/tpl/zcard_embed.tpl @@ -0,0 +1,8 @@ +
+
{{$zcard.chan.xchan_name}} +
{{$zcard.chan.xchan_name}}
+
{{$zcard.chan.channel_addr}}
+
+
{{$zcard.chan.xchan_name}}
+
+ -- cgit v1.2.3 From f284558007583c7b882071fa995f994661bb97cc Mon Sep 17 00:00:00 2001 From: redmatrix Date: Sun, 1 May 2016 19:29:30 -0700 Subject: use only the std_version --- Zotlabs/Module/Admin.php | 2 +- Zotlabs/Project/System.php | 23 +++++++++-------------- boot.php | 1 - include/api.php | 2 +- include/identity.php | 2 +- include/zot.php | 2 +- version.inc | 1 - 7 files changed, 13 insertions(+), 20 deletions(-) delete mode 100644 version.inc diff --git a/Zotlabs/Module/Admin.php b/Zotlabs/Module/Admin.php index b22931b1a..5eaede6a6 100644 --- a/Zotlabs/Module/Admin.php +++ b/Zotlabs/Module/Admin.php @@ -221,7 +221,7 @@ class Admin extends \Zotlabs\Web\Controller { '$pending' => array( t('Pending registrations'), $pending), '$channels' => array( t('Registered channels'), $channels), '$plugins' => array( t('Active plugins'), $plugins ), - '$version' => array( t('Version'), RED_VERSION), + '$version' => array( t('Version'), STD_VERSION), '$build' => get_config('system', 'db_version') )); } diff --git a/Zotlabs/Project/System.php b/Zotlabs/Project/System.php index a67742db5..f61313da0 100644 --- a/Zotlabs/Project/System.php +++ b/Zotlabs/Project/System.php @@ -4,56 +4,51 @@ namespace Zotlabs\Project; class System { - function get_platform_name() { + static public function get_platform_name() { if(is_array(\App::$config) && is_array(\App::$config['system']) && \App::$config['system']['platform_name']) return \App::$config['system']['platform_name']; return PLATFORM_NAME; } - function get_site_name() { + static public function get_site_name() { if(is_array(\App::$config) && is_array(\App::$config['system']) && \App::$config['system']['sitename']) return \App::$config['system']['sitename']; return ''; } - function get_project_version() { + static public function get_project_version() { if(is_array(\App::$config) && is_array(\App::$config['system']) && \App::$config['system']['hide_version']) return ''; - return RED_VERSION; + return self::get_std_version(); } - function get_update_version() { + static public function get_update_version() { if(is_array(\App::$config) && is_array(\App::$config['system']) && \App::$config['system']['hide_version']) return ''; return DB_UPDATE_VERSION; } - function get_notify_icon() { + static public function get_notify_icon() { if(is_array(\App::$config) && is_array(\App::$config['system']) && \App::$config['system']['email_notify_icon_url']) return \App::$config['system']['email_notify_icon_url']; return z_root() . '/images/hz-white-32.png'; } - function get_site_icon() { + static public function get_site_icon() { if(is_array(\App::$config) && is_array(\App::$config['system']) && \App::$config['system']['site_icon_url']) return \App::$config['system']['site_icon_url']; return z_root() . '/images/hz-32.png'; } - function get_server_role() { + static public function get_server_role() { if(UNO) return 'basic'; return 'advanced'; } - // return the standardised version. Since we can't easily compare - // before the STD_VERSION definition was applied, we have to treat - // all prior release versions the same. You can dig through them - // with other means (such as RED_VERSION) if necessary. - - function get_std_version() { + static public function get_std_version() { if(defined('STD_VERSION')) return STD_VERSION; return '0.0.0'; diff --git a/boot.php b/boot.php index 2a8bf0d17..bb78db44f 100755 --- a/boot.php +++ b/boot.php @@ -46,7 +46,6 @@ require_once('include/account.php'); define ( 'PLATFORM_NAME', 'hubzilla' ); -define ( 'RED_VERSION', trim(file_get_contents('version.inc'))); define ( 'STD_VERSION', '1.4.4' ); define ( 'ZOT_REVISION', 1 ); diff --git a/include/api.php b/include/api.php index e64c86695..3b2c71923 100644 --- a/include/api.php +++ b/include/api.php @@ -2108,7 +2108,7 @@ require_once('include/api_auth.php'); 'shorturllength' => '30', 'hubzilla' => array( 'PLATFORM_NAME' => Zotlabs\Project\System::get_platform_name(), - 'RED_VERSION' => Zotlabs\Project\System::get_project_version(), + 'STD_VERSION' => Zotlabs\Project\System::get_project_version(), 'ZOT_REVISION' => ZOT_REVISION, 'DB_UPDATE_VERSION' => Zotlabs\Project\System::get_update_version() ) diff --git a/include/identity.php b/include/identity.php index f50c497cd..c60c846c0 100644 --- a/include/identity.php +++ b/include/identity.php @@ -491,7 +491,7 @@ function identity_basic_export($channel_id, $items = false) { // use constants here as otherwise we will have no idea if we can import from a site // with a non-standard platform and version. - $ret['compatibility'] = array('project' => PLATFORM_NAME, 'version' => RED_VERSION, 'database' => DB_UPDATE_VERSION, 'server_role' => Zotlabs\Project\System::get_server_role()); + $ret['compatibility'] = array('project' => PLATFORM_NAME, 'version' => STD_VERSION, 'database' => DB_UPDATE_VERSION, 'server_role' => Zotlabs\Project\System::get_server_role()); $r = q("select * from channel where channel_id = %d limit 1", intval($channel_id) diff --git a/include/zot.php b/include/zot.php index 1ca1b862b..157354afa 100644 --- a/include/zot.php +++ b/include/zot.php @@ -3914,7 +3914,7 @@ function zotinfo($arr) { $ret['site']['channels'] = channel_total(); - $ret['site']['version'] = Zotlabs\Project\System::get_platform_name() . ' ' . RED_VERSION . '[' . DB_UPDATE_VERSION . ']'; + $ret['site']['version'] = Zotlabs\Project\System::get_platform_name() . ' ' . STD_VERSION . '[' . DB_UPDATE_VERSION . ']'; $ret['site']['admin'] = get_config('system','admin_email'); diff --git a/version.inc b/version.inc deleted file mode 100644 index aec5959ca..000000000 --- a/version.inc +++ /dev/null @@ -1 +0,0 @@ -2016-05-01.1383H -- cgit v1.2.3 From 5e458491f1e0fce5ec9e4855dac13340af627ded Mon Sep 17 00:00:00 2001 From: redmatrix Date: Sun, 1 May 2016 20:43:57 -0700 Subject: sort addons based on the internal display name instead of the filename --- Zotlabs/Module/Admin.php | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/Zotlabs/Module/Admin.php b/Zotlabs/Module/Admin.php index 5eaede6a6..6dad11ab8 100644 --- a/Zotlabs/Module/Admin.php +++ b/Zotlabs/Module/Admin.php @@ -1336,6 +1336,8 @@ class Admin extends \Zotlabs\Web\Controller { } } + usort($plugins,'self::plugin_sort'); + $t = get_markup_template('admin_plugins.tpl'); return replace_macros($t, array( '$title' => t('Administration'), @@ -1349,6 +1351,11 @@ class Admin extends \Zotlabs\Web\Controller { )); } + static public function plugin_sort($a,$b) { + return(strcmp(strtolower($a[2]['name']),strtolower($b[2]['name']))); + } + + /** * @param array $themes * @param string $th -- cgit v1.2.3 From bd2f11ed8b0be4fb611c33e85b568048f79b7090 Mon Sep 17 00:00:00 2001 From: redmatrix Date: Sun, 1 May 2016 21:00:02 -0700 Subject: db schema change to add tags to content sources --- boot.php | 2 +- install/schema_mysql.sql | 1 + install/schema_postgres.sql | 3 ++- install/update.php | 11 ++++++++++- 4 files changed, 14 insertions(+), 3 deletions(-) diff --git a/boot.php b/boot.php index bb78db44f..95f41dfda 100755 --- a/boot.php +++ b/boot.php @@ -49,7 +49,7 @@ define ( 'PLATFORM_NAME', 'hubzilla' ); define ( 'STD_VERSION', '1.4.4' ); define ( 'ZOT_REVISION', 1 ); -define ( 'DB_UPDATE_VERSION', 1166 ); +define ( 'DB_UPDATE_VERSION', 1167 ); /** diff --git a/install/schema_mysql.sql b/install/schema_mysql.sql index c36bfaa57..2305d4a0b 100644 --- a/install/schema_mysql.sql +++ b/install/schema_mysql.sql @@ -1181,6 +1181,7 @@ CREATE TABLE IF NOT EXISTS `source` ( `src_channel_xchan` char(255) NOT NULL DEFAULT '', `src_xchan` char(255) NOT NULL DEFAULT '', `src_patt` mediumtext NOT NULL, + `src_tag` mediumtext NOT NULL, PRIMARY KEY (`src_id`), KEY `src_channel_id` (`src_channel_id`), KEY `src_channel_xchan` (`src_channel_xchan`), diff --git a/install/schema_postgres.sql b/install/schema_postgres.sql index d4bb54b1e..2c0847cbf 100644 --- a/install/schema_postgres.sql +++ b/install/schema_postgres.sql @@ -1166,7 +1166,8 @@ CREATE TABLE "source" ( "src_channel_id" bigint NOT NULL DEFAULT '0', "src_channel_xchan" text NOT NULL DEFAULT '', "src_xchan" text NOT NULL DEFAULT '', - "src_patt" text NOT NULL, + "src_patt" text NOT NULL DEFAULT '', + "src_tag" text NOT NULL DEFAULT '', PRIMARY KEY ("src_id") ); create index "src_channel_id" on "source" ("src_channel_id"); diff --git a/install/update.php b/install/update.php index 2dc4a6db3..b8e20786c 100644 --- a/install/update.php +++ b/install/update.php @@ -1,6 +1,6 @@ Date: Sun, 1 May 2016 22:45:38 -0700 Subject: a couple of bugfixes from earlier checkins and implementation of source tags --- Zotlabs/Module/Sources.php | 19 +++++++++++++------ include/items.php | 34 ++++++++++++++++++++++++++++++++++ include/text.php | 2 +- view/tpl/sources_edit.tpl | 1 + view/tpl/sources_new.tpl | 1 + 5 files changed, 50 insertions(+), 7 deletions(-) diff --git a/Zotlabs/Module/Sources.php b/Zotlabs/Module/Sources.php index cca9e5ebf..ef32991ee 100644 --- a/Zotlabs/Module/Sources.php +++ b/Zotlabs/Module/Sources.php @@ -7,7 +7,7 @@ class Sources extends \Zotlabs\Web\Controller { function post() { if(! local_channel()) return; - + if(! feature_enabled(local_channel(),'channel_sources')) return ''; @@ -17,6 +17,7 @@ class Sources extends \Zotlabs\Web\Controller { $words = $_REQUEST['words']; $frequency = $_REQUEST['frequency']; $name = $_REQUEST['name']; + $tags = $_REQUEST['tags']; $channel = \App::get_channel(); @@ -36,14 +37,15 @@ class Sources extends \Zotlabs\Web\Controller { notice ( t('Failed to create source. No channel selected.') . EOL); return; } - + if(! $source) { - $r = q("insert into source ( src_channel_id, src_channel_xchan, src_xchan, src_patt ) - values ( %d, '%s', '%s', '%s' ) ", + $r = q("insert into source ( src_channel_id, src_channel_xchan, src_xchan, src_patt, src_tag ) + values ( %d, '%s', '%s', '%s', '%s' ) ", intval(local_channel()), dbesc($channel['channel_hash']), dbesc($xchan), - dbesc($words) + dbesc($words), + dbesc($tags) ); if($r) { info( t('Source created.') . EOL); @@ -51,9 +53,10 @@ class Sources extends \Zotlabs\Web\Controller { goaway(z_root() . '/sources'); } else { - $r = q("update source set src_xchan = '%s', src_patt = '%s' where src_channel_id = %d and src_id = %d", + $r = q("update source set src_xchan = '%s', src_patt = '%s', src_tag = '%s' where src_channel_id = %d and src_id = %d", dbesc($xchan), dbesc($words), + dbesc($tags), intval(local_channel()), intval($source) ); @@ -62,6 +65,7 @@ class Sources extends \Zotlabs\Web\Controller { } } + } @@ -105,6 +109,8 @@ class Sources extends \Zotlabs\Web\Controller { '$desc' => t('Import all or selected content from the following channel into this channel and distribute it according to your channel settings.'), '$words' => array( 'words', t('Only import content with these words (one per line)'),'',t('Leave blank to import all public content')), '$name' => array( 'name', t('Channel Name'), '', ''), + '$tags' => array('tags', t('Add the following tags to posts imported from this source (comma separated)','','')), + '$submit' => t('Submit') )); return $o; @@ -138,6 +144,7 @@ class Sources extends \Zotlabs\Web\Controller { '$words' => array( 'words', t('Only import content with these words (one per line)'),$r[0]['src_patt'],t('Leave blank to import all public content')), '$xchan' => $r[0]['src_xchan'], '$abook' => $x[0]['abook_id'], + '$tags' => array('tags', t('Add the following tags to posts imported from this source (comma separated)'),$r[0]['src_tag'],''), '$name' => array( 'name', t('Channel Name'), $r[0]['xchan_name'], ''), '$submit' => t('Submit') )); diff --git a/include/items.php b/include/items.php index 2720dd841..3649ef8c9 100755 --- a/include/items.php +++ b/include/items.php @@ -3400,6 +3400,37 @@ function tgroup_check($uid,$item) { */ function start_delivery_chain($channel, $item, $item_id, $parent) { + $sourced = check_item_source($channel['channel_id'],$item); + + if($sourced) { + $r = q("select * from source where src_channel_id = %d and ( src_xchan = '%s' or src_xchan = '*' ) limit 1", + intval($channel['channel_id']), + dbesc(($item['source_xchan']) ? $item['source_xchan'] : $item['owner_xchan']) + ); + if($r) { + $t = trim($r[0]['src_tag']); + if($t) { + $tags = explode(',',$t); + if($tags) { + foreach($tags as $tt) { + $tt = trim($tt); + if($tt) { + q("insert into term (uid,oid,otype,type,term,url) + values(%d,%d,%d,%d,'%s','%s') ", + intval($channel['channel_id']), + intval($item_id), + intval(TERM_OBJ_POST), + intval(TERM_UNKNOWN), + dbesc($tt), + dbesc(z_root() . '/search?f=&tag=' . urlencode($tt)) + ); + } + } + } + } + } + } + // Change this copy of the post to a forum head message and deliver to all the tgroup members // also reset all the privacy bits to the forum default permissions @@ -3459,6 +3490,9 @@ function start_delivery_chain($channel, $item, $item_id, $parent) { intval($item_id) ); + + + if($r) proc_run('php','include/notifier.php','tgroup',$item_id); else { diff --git a/include/text.php b/include/text.php index cf2f777aa..66a49d4b5 100644 --- a/include/text.php +++ b/include/text.php @@ -122,7 +122,7 @@ function z_input_filter($channel_id,$s,$type = 'text/bbcode') { -function purify_html($s, $allow_position) { +function purify_html($s, $allow_position = false) { require_once('library/HTMLPurifier.auto.php'); require_once('include/html2bbcode.php'); diff --git a/view/tpl/sources_edit.tpl b/view/tpl/sources_edit.tpl index a5b384ca3..61f6e8cb0 100644 --- a/view/tpl/sources_edit.tpl +++ b/view/tpl/sources_edit.tpl @@ -7,6 +7,7 @@ {{include file="field_input.tpl" field=$name}} +{{include file="field_input.tpl" field=$tags}} {{include file="field_textarea.tpl" field=$words}}
diff --git a/view/tpl/sources_new.tpl b/view/tpl/sources_new.tpl index 3c8a54373..bbc22df84 100644 --- a/view/tpl/sources_new.tpl +++ b/view/tpl/sources_new.tpl @@ -6,6 +6,7 @@
{{include file="field_input.tpl" field=$name}} +{{include file="field_input.tpl" field=$tags}} {{include file="field_textarea.tpl" field=$words}}
-- cgit v1.2.3 From 559ed3f0a8cbe90b6c20cc4ada649bc063f41c25 Mon Sep 17 00:00:00 2001 From: redmatrix Date: Mon, 2 May 2016 01:18:18 -0700 Subject: sort out the rest of the source categories --- Zotlabs/Module/Sources.php | 4 ++-- include/items.php | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/Zotlabs/Module/Sources.php b/Zotlabs/Module/Sources.php index ef32991ee..a180d9b6e 100644 --- a/Zotlabs/Module/Sources.php +++ b/Zotlabs/Module/Sources.php @@ -109,7 +109,7 @@ class Sources extends \Zotlabs\Web\Controller { '$desc' => t('Import all or selected content from the following channel into this channel and distribute it according to your channel settings.'), '$words' => array( 'words', t('Only import content with these words (one per line)'),'',t('Leave blank to import all public content')), '$name' => array( 'name', t('Channel Name'), '', ''), - '$tags' => array('tags', t('Add the following tags to posts imported from this source (comma separated)','','')), + '$tags' => array('tags', t('Add the following categories to posts imported from this source (comma separated)'),'',t('Optional')), '$submit' => t('Submit') )); @@ -144,7 +144,7 @@ class Sources extends \Zotlabs\Web\Controller { '$words' => array( 'words', t('Only import content with these words (one per line)'),$r[0]['src_patt'],t('Leave blank to import all public content')), '$xchan' => $r[0]['src_xchan'], '$abook' => $x[0]['abook_id'], - '$tags' => array('tags', t('Add the following tags to posts imported from this source (comma separated)'),$r[0]['src_tag'],''), + '$tags' => array('tags', t('Add the following categories to posts imported from this source (comma separated)'),$r[0]['src_tag'],t('Optional')), '$name' => array( 'name', t('Channel Name'), $r[0]['xchan_name'], ''), '$submit' => t('Submit') )); diff --git a/include/items.php b/include/items.php index 3649ef8c9..b3c9403e0 100755 --- a/include/items.php +++ b/include/items.php @@ -3420,9 +3420,9 @@ function start_delivery_chain($channel, $item, $item_id, $parent) { intval($channel['channel_id']), intval($item_id), intval(TERM_OBJ_POST), - intval(TERM_UNKNOWN), + intval(TERM_CATEGORY), dbesc($tt), - dbesc(z_root() . '/search?f=&tag=' . urlencode($tt)) + dbesc(z_root() . '/channel/' . $channel['channel_address'] . '?f=&cat=' . urlencode($tt)) ); } } -- cgit v1.2.3 From 78e42a75f10fc7e44e910983fc4a3f977eec2261 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20Jim=C3=A9nez=20Friaza?= Date: Mon, 2 May 2016 14:00:13 +0200 Subject: Contextual help in Spanish --- doc/context/es/admin/logs/help.html | 36 +++++++++++++ doc/context/es/admin/queue/help.html | 17 ++++++ doc/context/es/admin/security/help.html | 17 ++++++ doc/context/es/channel/help.html | 35 +++++++++++++ doc/context/es/chat/help.html | 30 +++++++++++ doc/context/es/cloud/help.html | 30 +++++++++++ doc/context/es/connections/help.html | 8 +++ doc/context/es/connections/ifpending/help.html | 31 +++++++++++ doc/context/es/events/help.html | 23 +++++++++ doc/context/es/mail/help.html | 38 ++++++++++++++ doc/context/es/network/help.html | 71 ++++++++++++++++++++++++++ doc/context/es/photos/help.html | 27 ++++++++++ doc/context/es/profile/help.html | 32 ++++++++++++ 13 files changed, 395 insertions(+) create mode 100644 doc/context/es/admin/logs/help.html create mode 100644 doc/context/es/admin/queue/help.html create mode 100644 doc/context/es/admin/security/help.html create mode 100644 doc/context/es/channel/help.html create mode 100644 doc/context/es/chat/help.html create mode 100644 doc/context/es/cloud/help.html create mode 100644 doc/context/es/connections/help.html create mode 100644 doc/context/es/connections/ifpending/help.html create mode 100644 doc/context/es/events/help.html create mode 100644 doc/context/es/mail/help.html create mode 100644 doc/context/es/network/help.html create mode 100644 doc/context/es/photos/help.html create mode 100644 doc/context/es/profile/help.html diff --git a/doc/context/es/admin/logs/help.html b/doc/context/es/admin/logs/help.html new file mode 100644 index 000000000..2324492bf --- /dev/null +++ b/doc/context/es/admin/logs/help.html @@ -0,0 +1,36 @@ + + + + + +
+
General
+
Esta página le + permite ajustar los parámetros de los informes del + sistema (logs) y para ver uno existente.
+
Ajustes de los informes (logs)
+
Cuando se habilita la + opción de depuración, el sistema de + información comenzará a añadir + los informes (logs) en el archivo especificado en + el cuadro "Fichero de informes" + (la ruta es relativa al + directorio raíz del servidor, por + ejemplo, /var /www). Tenga en cuenta que este archivo tiene que ser modificable por el servidor web.
+
Nivel de depuración
+
La opción de nivel + de depuración le permite establecer la + cantidad de información que se anexa al + fichero de informes (logs). Advertencia: + El aumento de este nivel puede + aumentar rápidamente el tamaño de este + fichero hasta en más de 100 MB, + especialmente en los hubs con + más que unos pocos miembros.
+
+ + diff --git a/doc/context/es/admin/queue/help.html b/doc/context/es/admin/queue/help.html new file mode 100644 index 000000000..a4085c5c6 --- /dev/null +++ b/doc/context/es/admin/queue/help.html @@ -0,0 +1,17 @@ + + + + + +
+
General
+
Las estadísticas + de la cola muestran cuántos mensajes + están en la cola para su entrega a + otros hubs. La prioridad + está relacionada con la cantidad de veces + que la entrega se ha intentado, sin + éxito.
+
+ + diff --git a/doc/context/es/admin/security/help.html b/doc/context/es/admin/security/help.html new file mode 100644 index 000000000..8817636ed --- /dev/null +++ b/doc/context/es/admin/security/help.html @@ -0,0 +1,17 @@ + + + + + +
+
General
+
Esta página contiene + varios ajustes para el administrador relacionados con la seguridad. + Para guardar los cambios que realice en estos ajustes, debe + pulsar el botón Enviar.
+
+ + diff --git a/doc/context/es/channel/help.html b/doc/context/es/channel/help.html new file mode 100644 index 000000000..3d925241d --- /dev/null +++ b/doc/context/es/channel/help.html @@ -0,0 +1,35 @@ + + + + + +
+
General
+
Esta es + la página principal de un canal. + Es similar al "muro" del perfil + de una persona en un contexto de red + social. Las entradas creadas + por el canal se muestran + de acuerdo con los permisos de visualización del observador.
+
Crear una entrada
+
Si tiene permiso + para crear entradas en la página del + canal, a continuación, podrá + ver el editor de entradas en la parte + superior.
+
Pestañas de los + contenidos del canal
+
Las pestañas + de los contenidos del canal son + enlaces a otros contenidos publicados por el + canal. La pestaña "Mi + perfil" enlaza con el perfil del canal. La pestaña "Fotos" + enlaza con las galerías de fotos. La pestaña "Ficheros" + enlaza con los ficheros de cualquier tipo compartidos por el canal.
+
+ + diff --git a/doc/context/es/chat/help.html b/doc/context/es/chat/help.html new file mode 100644 index 000000000..805f7b87a --- /dev/null +++ b/doc/context/es/chat/help.html @@ -0,0 +1,30 @@ + + + + + +
+
General
+
Creación y uso de + salas de chat para comunicarse en tiempo real, + utilizando el sistema de permisos + Hubzilla estándar para el control de + acceso a la sala de chat.
+
Create una nueva sala de chat
+
Utilice el + botón "Crear" para crear + una nueva sala de chat. Introduzca un nombre y cuánto tiempo + se deben conservar los mensajes.
+
Chatear
+
Introduzca su mensaje + en el cuadro de mensaje y pulse "Enviar". + Se puede establecer un estado seleccionando + el botón de menú sala de chat junto + al botón Enviar. Si hay otras personas + "en la sala", serán visibles en + el panel lateral, en "Miembros del chat".
+
+ + diff --git a/doc/context/es/cloud/help.html b/doc/context/es/cloud/help.html new file mode 100644 index 000000000..474918e81 --- /dev/null +++ b/doc/context/es/cloud/help.html @@ -0,0 +1,30 @@ + + + + + +
+
General
+
Esta página muestra + los ficheros en la "nube" de un canal. + Los archivos visibles para el + observador dependen de los permisos de + archivo individuales establecidas por + el propietario del canal. Si tiene + permiso para crear o cargar + ficheros, verá botones de control + por encima de la lista de ficheros.
+
Pestañas de los contenidos + del canal
+
+
Las pestañas + de los contenidos del canal son + enlaces a otros contenidos publicados por el + canal. La pestaña "Mi + perfil" enlaza con el perfil del canal. La pestaña "Fotos" + enlaza con las galerías de fotos. La pestaña "Ficheros" enlaza con los + ficheros de cualquier tipo compartidos por el canal.
+
+ + diff --git a/doc/context/es/connections/help.html b/doc/context/es/connections/help.html new file mode 100644 index 000000000..0f95fde63 --- /dev/null +++ b/doc/context/es/connections/help.html @@ -0,0 +1,8 @@ +
+
General
+
This page displays a list of all this channel's connections. The list can be sorted and filtered using the menu button beside the search button.
+
Connection Details
+
Each list entry shows the details of a specific connection. A translucent avatar image indicates an archived connection.
+
Connection Status
+
A connection can be in different states:
  • Archived
  • Ignored
  • Blocked
  • Hidden
+
\ No newline at end of file diff --git a/doc/context/es/connections/ifpending/help.html b/doc/context/es/connections/ifpending/help.html new file mode 100644 index 000000000..5fb0f3a0a --- /dev/null +++ b/doc/context/es/connections/ifpending/help.html @@ -0,0 +1,31 @@ + + + + + +
+
General
+
Esta página muestra + una lista de todas las conexiones + de este canal. La + lista se puede ordenar y filtrar usando + el botón de menú al lado del botón de búsqueda.
+
Detalles de la conexión
+
Cada entrada + de la lista muestra los detalles de una + conexión específica. Una + imagen de avatar translúcida indica + una conexión archivada.
+
Estado de la conexión
+
Una conexión puede estar en diferentes estados: +
    +
  • Archivada
    • +
  • Ignorada
    • +
  • Bloqueada
    • +
  • Oculta
    • +
+
+
+ + diff --git a/doc/context/es/events/help.html b/doc/context/es/events/help.html new file mode 100644 index 000000000..681f72e89 --- /dev/null +++ b/doc/context/es/events/help.html @@ -0,0 +1,23 @@ + + + + + +
+
General
+
Esta página muestra + un calendario de eventos tanto de su + propiedad como compartido con usted desde otros canales.
+
Vistas del calendario
+
El calendario se + puede mostrar en modo mensual, semanal o + diario usando las opciones del panel + lateral.
+
Exportar/Importar
+
Exportar o importar eventos del calendario usando el formato estándar + de los ficheros de iCalendar (.ics).
+
+ + diff --git a/doc/context/es/mail/help.html b/doc/context/es/mail/help.html new file mode 100644 index 000000000..e51f7225c --- /dev/null +++ b/doc/context/es/mail/help.html @@ -0,0 +1,38 @@ + + + + + +
+
General
+
Los mensajes que + aparecen en el correo privado son + visibles sólo para usted y un único + destinatario.
+
Vista combinada
+
Las conversaciones + completas se pueden ver en un hilo + continuo seleccionando "Vista combinada". + Las conversaciones disponibles se muestran + debajo del menú en el panel + lateral.
+
Bandeja de entrada/Bandeja de salida
+
Los mensajes individuales enviados son visibles seleccionando la Bandeja de salida y los mensajes + recibidos se pueden ver usando el filtro de la Bandeja + de entrada.
+
+
Mensaje nuevo
+
Los mensajes + individuales tienen informes de entrega + que se pueden ver usando el menú + desplegable. Los mensajes también se + pueden revocar desde el mismo menú, lo + que puede evitar que el destinatario vea + el mensaje, si aún no lo ha leído.
+
+ + diff --git a/doc/context/es/network/help.html b/doc/context/es/network/help.html new file mode 100644 index 000000000..00b25428c --- /dev/null +++ b/doc/context/es/network/help.html @@ -0,0 +1,71 @@ + + + + + +
+
General
+
La página + de Mi red muestra un flujo de + entradas y conversaciones, normalmente + ordenadas según la actualización más reciente. + Esta página es altamente + personalizable.
+
Crear una entrada
+
+
En la parte superior + de la página hay un cuadro de texto + que dice "Compartir". + Al hacer clic en esta casilla se + abre un nuevo editor de entradas. + El editor de entradas es + personalizable, pero el editor + básico proporciona campos para el + cuerpo de la publicación y un título + opcional. Los botones que hay debajo de la + zona de texto, a la izquierda, proporcionan + accesos directos para el Formato + de texto y para  insertar enlaces, + imágenes y otros datos en la + entrada. Los botones a la + derecha proporcionan una vista + previa del mensaje, + los ajustes de permisos de la entrada, + y un botón Enviar + para publicarla.
+
Grupos de canales
+
+
Los grupos + de canales que ha creado se muestran en + el panel lateral. Seleccionándolos, + se filtran las entradas + creadas por los canales incluidos en + el grupo elegido.
+
Permisos + de una entrada
+
+
La lista de + control de acceso (ACL) es lo + que se utiliza para establecer quién + puede ver su nueva entrada. Al + pulsar el botón ACL, al lado del + botón Enviar, se mostrará un cuadro + de diálogo en el que puede seleccionar + qué canales y / o grupos + de canales pueden ver el mensaje. + También puede seleccionar a quién se le niega + el acceso explícitamente. Por ejemplo, + digamos que usted está planeando una + fiesta sorpresa para un amigo. Puede + enviar un mensaje de invitación a + todos los miembros de su grupo de Amigos, + excepto el amigo al que quiere sorprender. En este caso, "se + mostrará"  al grupo de amigos, pero + "no se mostrará" a esa + única persona.
+
+ + diff --git a/doc/context/es/photos/help.html b/doc/context/es/photos/help.html new file mode 100644 index 000000000..44d0bed15 --- /dev/null +++ b/doc/context/es/photos/help.html @@ -0,0 +1,27 @@ + + + + + +
+
General
+
Esta página muestra + los álbumes de fotos de un canal. + Las imágenes visibles para + el observador dependen de los + permisos individuales de cada imagen.
+
Pestañas de los + contenidos del canal
+
+
Las pestañas + de los contenidos del canal son + enlaces a otros contenidos publicados por el + canal. La pestaña "Mi + perfil" enlaza con el perfil del canal. La pestaña "Fotos" + enlaza con las galerías de fotos. La pestaña "Ficheros" + enlaza con los ficheros de cualquier tipo compartidos por el canal.
+
+ + diff --git a/doc/context/es/profile/help.html b/doc/context/es/profile/help.html new file mode 100644 index 000000000..314552f9b --- /dev/null +++ b/doc/context/es/profile/help.html @@ -0,0 +1,32 @@ + + + + + +
+
General
+
Esta es + la página de perfil de un canal. + Por lo general muestra la información + que describe el canal. Si el canal + representa a una persona en una red social, + por ejemplo, el perfil podría + proporcionar información de contacto y otros + datos personales. Los + canales pueden tener varios perfiles, + en cuyo caso el perfil que se muestra depende del observador.
+
Pestañas de los + contenidos del canal
+
+
Las pestañas + de los contenidos del canal son + enlaces a otros contenidos publicados por el + canal. La pestaña "Mi + perfil" enlaza con el perfil del canal. La pestaña "Fotos" + enlaza con las galerías de fotos. La pestaña "Ficheros" + enlaza con los ficheros de cualquier tipo compartidos por el canal.
+
+ + -- cgit v1.2.3 From 2b7b26f4c0d6527f9cfe6b852e7b210c0406d9d2 Mon Sep 17 00:00:00 2001 From: redmatrix Date: Mon, 2 May 2016 13:31:14 -0700 Subject: a bit more oembed security - and document the shortcomings of this approach --- include/oembed.php | 36 ++++++++++++++++++++---------------- 1 file changed, 20 insertions(+), 16 deletions(-) diff --git a/include/oembed.php b/include/oembed.php index 356b9f961..af5e51a6f 100755 --- a/include/oembed.php +++ b/include/oembed.php @@ -49,11 +49,7 @@ function oembed_action($embedurl) { if($x) { foreach($x as $ll) { $t = trim($ll); - - // don't allow somebody to provide a url like https://foobar.com/something/youtube - // to bypass a block or allow of youtube - - if($t && (strpos($embedurl,$t) !== false || strpos($t,$host) !== false)) { + if(($t) && (strpos($embedurl,$t) !== false)) { $action = 'block'; break; } @@ -69,14 +65,26 @@ function oembed_action($embedurl) { if($x) { foreach($x as $ll) { $t = trim($ll); + $has_slash = ((strpos($t,'/') !== false) ? true : false); // don't allow somebody to provide a url like https://foobar.com/something/youtube - // to bypass a block or allow of youtube - - if($t && (strpos($embedurl,$t) !== false || strpos($t,$host) !== false)) { - $found = true; - $action = 'allow'; - break; + // to bypass an allow of youtube. Note they could still get through this + // with something like https://youtube.com.foobar.com/something so this is tagged with + // @FIXME, otherwise to fully secure a site will require every possible variation + // of every allowed service base URL. http vs. https, www. vs nothing, + // youtube.[com|org|whatever], youtu.be, and this is just for one service. + + if($t) { + if(strpos($t,$host) !== false) { + $found = true; + $action = 'allow'; + break; + } + elseif(($has_slash) && (strpos($embedurl,$t) !== false)) { + $found = true; + $action = 'allow'; + break; + } } } } @@ -96,11 +104,7 @@ function oembed_action($embedurl) { if($x) { foreach($x as $ll) { $t = trim($ll); - - // don't allow somebody to provide a url like https://foobar.com/something/youtube - // to bypass a block or allow of youtube - - if($t && (strpos($embedurl,$t) !== false || strpos($t,$host) !== false)) { + if(($t) && (strpos($embedurl,$t) !== false)) { $action = 'block'; break; } -- cgit v1.2.3 From b371c028ad31180b4c73f92b45c4ca8f5fff259e Mon Sep 17 00:00:00 2001 From: redmatrix Date: Mon, 2 May 2016 22:28:27 -0700 Subject: more security stuff --- Zotlabs/Module/Admin.php | 21 +++++++----- include/bbcode.php | 2 +- include/oembed.php | 84 +++++++++++++++++++-------------------------- view/tpl/admin_security.tpl | 16 ++------- 4 files changed, 52 insertions(+), 71 deletions(-) diff --git a/Zotlabs/Module/Admin.php b/Zotlabs/Module/Admin.php index 6dad11ab8..e1eaa6e0e 100644 --- a/Zotlabs/Module/Admin.php +++ b/Zotlabs/Module/Admin.php @@ -580,8 +580,8 @@ class Admin extends \Zotlabs\Web\Controller { $bc = $this->trim_array_elems(explode("\n",$_POST['blacklisted_channels'])); set_config('system','blacklisted_channels',$bc); - $embed_coop = ((x($_POST,'embed_coop')) ? True : False); - set_config('system','embed_coop',$embed_coop); + $embed_sslonly = ((x($_POST,'embed_sslonly')) ? True : False); + set_config('system','embed_sslonly',$embed_sslonly); $we = $this->trim_array_elems(explode("\n",$_POST['embed_allow'])); set_config('system','embed_allow',$we); @@ -589,6 +589,12 @@ class Admin extends \Zotlabs\Web\Controller { $be = $this->trim_array_elems(explode("\n",$_POST['embed_deny'])); set_config('system','embed_deny',$be); + $ts = ((x($_POST,'transport_security')) ? True : False); + set_config('system','transport_security_header',$ts); + + $cs = ((x($_POST,'content_security')) ? True : False); + set_config('system','content_security_policy',$cs); + goaway(z_root() . '/admin/security'); } @@ -713,7 +719,7 @@ class Admin extends \Zotlabs\Web\Controller { } $embedhelp2 = t("The recommended setting is to only allow unfiltered HTML from the following sites:"); - $embedhelp3 = t("youtube.com
youtu.be
twitter.com
vimeo.com
soundcloud.com
wikipedia.com
"); + $embedhelp3 = t("https://youtube.com/
https://www.youtube.com/
https://youtu.be/
https://vimeo.com/
https://soundcloud.com/
"); $embedhelp4 = t("All other embedded content will be filtered, unless embedded content from that site is explicitly blocked."); $t = get_markup_template('admin_security.tpl'); @@ -722,18 +728,17 @@ class Admin extends \Zotlabs\Web\Controller { '$page' => t('Security'), '$form_security_token' => get_form_security_token('admin_security'), '$block_public' => array('block_public', t("Block public"), get_config('system','block_public'), t("Check to block public access to all otherwise public personal pages on this site unless you are currently authenticated.")), + '$transport_security' => array('transport_security', t('Set "Transport Security" HTTP header'),intval(get_config('system','transport_security_header')),''), + '$content_security' => array('content_security', t('Set "Content Security Policy" HTTP header'),intval(get_config('system','content_security_policy')),''), '$whitelisted_sites' => array('whitelisted_sites', t('Allow communications only from these sites'), $whitesites_str, t('One site per line. Leave empty to allow communication from anywhere by default')), '$blacklisted_sites' => array('blacklisted_sites', t('Block communications from these sites'), $blacksites_str, ''), '$whitelisted_channels' => array('whitelisted_channels', t('Allow communications only from these channels'), $whitechannels_str, t('One channel (hash) per line. Leave empty to allow from any channel by default')), '$blacklisted_channels' => array('blacklisted_channels', t('Block communications from these channels'), $blackchannels_str, ''), - '$embed_allow' => array('embed_allow', t('Allow unfiltered embedded HTML content only from these domains'), $whiteembeds_str, t('One site per line. Leave empty to allow from any site by default')), + '$embed_sslonly' => array('embed_sslonly',t('Only allow embeds from secure (SSL) websites and links.'), intval(get_config('system','embed_sslonly')),''), + '$embed_allow' => array('embed_allow', t('Allow unfiltered embedded HTML content only from these domains'), $whiteembeds_str, t('One site per line. By default embedded content is filtered.')), '$embed_deny' => array('embed_deny', t('Block embedded HTML from these domains'), $blackembeds_str, ''), // '$embed_coop' => array('embed_coop', t('Cooperative embed security'), $embed_coop, t('Enable to share embed security with other compatible sites/hubs')), - '$embedhelp1' => $embedhelp1, - '$embedhelp2' => $embedhelp2, - '$embedhelp3' => $embedhelp3, - '$embedhelp4' => $embedhelp4, '$submit' => t('Submit') )); diff --git a/include/bbcode.php b/include/bbcode.php index 5bd5301cc..7a7ea8ce6 100644 --- a/include/bbcode.php +++ b/include/bbcode.php @@ -629,7 +629,7 @@ function bbcode($Text, $preserve_nl = false, $tryoembed = true, $cache = false) } if($tryoembed) { if (strpos($Text,'[/url]') !== false) { - $Text = preg_replace_callback("/\[url\]([$URLSearchString]*)\[\/url\]/ism", 'tryoembed', $Text); + $Text = preg_replace_callback("/[^\^]\[url\]([$URLSearchString]*)\[\/url\]/ism", 'tryoembed', $Text); } } if (strpos($Text,'[/url]') !== false) { diff --git a/include/oembed.php b/include/oembed.php index af5e51a6f..1e5c51172 100755 --- a/include/oembed.php +++ b/include/oembed.php @@ -1,14 +1,16 @@ ' . $embedurl . ''; + $result = oembed_action($embedurl); + if($result['action'] === 'block') { + return '' . $result['url'] . ''; } - $j = oembed_fetch_url($embedurl); + $j = oembed_fetch_url($result['url']); $s = oembed_format_object($j); return $s; } @@ -17,22 +19,11 @@ function oembed_replacecb($matches){ function oembed_action($embedurl) { $host = ''; + $action = 'filter'; - $action = 'allow'; - - // The default action is 'allow'. This is insecure. We might want to - // change this to 'filter' except it will be a support burden because - // then youtube videos won't work out of the box and will need to be - // explicitly enabled. - - $embedurl = str_replace('&','&', $embedurl); + $embedurl = trim(str_replace('&','&', $embedurl)); - logger('oembed_action: ' . $embedurl); - - $p = parse_url($embedurl); - - if($p) - $host = $p['host']; + logger('oembed_action: ' . $embedurl, LOGGER_DEBUG, LOG_INFO); // These media files should now be caught in bbcode.php // left here as a fallback in case this is called from another source @@ -40,6 +31,11 @@ function oembed_action($embedurl) { $noexts = array("mp3","mp4","ogg","ogv","oga","ogm","webm","opus"); $ext = pathinfo(strtolower($embedurl),PATHINFO_EXTENSION); + if(strpos($embedurl,'http://') === 0) { + if(intval(get_config('system','embed_sslonly'))) { + $action = 'block'; + } + } // site white/black list @@ -65,26 +61,10 @@ function oembed_action($embedurl) { if($x) { foreach($x as $ll) { $t = trim($ll); - $has_slash = ((strpos($t,'/') !== false) ? true : false); - - // don't allow somebody to provide a url like https://foobar.com/something/youtube - // to bypass an allow of youtube. Note they could still get through this - // with something like https://youtube.com.foobar.com/something so this is tagged with - // @FIXME, otherwise to fully secure a site will require every possible variation - // of every allowed service base URL. http vs. https, www. vs nothing, - // youtube.[com|org|whatever], youtu.be, and this is just for one service. - - if($t) { - if(strpos($t,$host) !== false) { - $found = true; - $action = 'allow'; - break; - } - elseif(($has_slash) && (strpos($embedurl,$t) !== false)) { - $found = true; - $action = 'allow'; - break; - } + if(($t) && (strpos($embedurl,$t) !== false) && ($action !== 'block')) { + $found = true; + $action = 'allow'; + break; } } } @@ -95,7 +75,7 @@ function oembed_action($embedurl) { // allow individual members to block something that wasn't blocked already. // They cannot over-ride the site to allow or change the filtering on an - // embed that is not allowed by the site. + // embed that is not allowed by the site admin. if(local_channel()) { if(($x = get_pconfig(local_channel(),'system','embed_deny'))) { @@ -113,9 +93,12 @@ function oembed_action($embedurl) { } } - logger('action: ' . $action . ' url: ' . $embedurl, LOGGER_DEBUG,LOG_DEBUG); + $arr = array('url' => $embedurl, 'action' => $action); + call_hooks('oembed_action',$arr); + + logger('action: ' . $arr['action'] . ' url: ' . $arr['url'], LOGGER_DEBUG,LOG_DEBUG); - return $action; + return $arr; } @@ -139,9 +122,10 @@ function oembed_fetch_url($embedurl){ $noexts = array("mp3","mp4","ogg","ogv","oga","ogm","webm","opus"); $ext = pathinfo(strtolower($embedurl),PATHINFO_EXTENSION); - $action = oembed_action($embedurl); + $result = oembed_action($embedurl); - $embedurl = str_replace('&','&', $embedurl); + $embedurl = $result['url']; + $action = $result['action']; $txt = null; @@ -222,12 +206,14 @@ function oembed_fetch_url($embedurl){ $j = json_decode($txt); - if($j->html && $action === 'filter') { - $orig = $j->html; - $allow_position = (($zrl) ? true : false); - $j->html = purify_html($j->html,$allow_position); - if($j->html != $orig) { - logger('oembed html was purified. original: ' . $orig . ' purified: ' . $j->html, LOGGER_DEBUG, LOG_INFO); + if($action === 'filter') { + if($j->html) { + $orig = $j->html; + $allow_position = (($zrl) ? true : false); + $j->html = purify_html($j->html,$allow_position); + if($j->html != $orig) { + logger('oembed html was purified. original: ' . $orig . ' purified: ' . $j->html, LOGGER_DEBUG, LOG_INFO); + } } } diff --git a/view/tpl/admin_security.tpl b/view/tpl/admin_security.tpl index 39f389e54..721b5f38f 100755 --- a/view/tpl/admin_security.tpl +++ b/view/tpl/admin_security.tpl @@ -7,7 +7,9 @@ {{include file="field_checkbox.tpl" field=$block_public}} - + {{include file="field_checkbox.tpl" field=$transport_security}} + {{include file="field_checkbox.tpl" field=$content_security}} + {{include file="field_checkbox.tpl" field=$embed_sslonly}} {{include file="field_textarea.tpl" field=$whitelisted_sites}} {{include file="field_textarea.tpl" field=$blacklisted_sites}} @@ -15,18 +17,6 @@ {{include file="field_textarea.tpl" field=$whitelisted_channels}} {{include file="field_textarea.tpl" field=$blacklisted_channels}} - {{if $embedhelp1}} -
{{$embedhelp1}}
- {{/if}} - -
-
{{$embedhelp2}}
-
-
{{$embedhelp3}}
-
-
{{$embedhelp4}}
-
- {{include file="field_textarea.tpl" field=$embed_allow}} {{include file="field_textarea.tpl" field=$embed_deny}} -- cgit v1.2.3 From dccdeedb75874ac8a244770cc3be0bf9ee71a0cd Mon Sep 17 00:00:00 2001 From: redmatrix Date: Mon, 2 May 2016 22:30:57 -0700 Subject: add the new hook --- doc/hooklist.bb | 3 +++ 1 file changed, 3 insertions(+) diff --git a/doc/hooklist.bb b/doc/hooklist.bb index 994d0dbb2..9331873b4 100644 --- a/doc/hooklist.bb +++ b/doc/hooklist.bb @@ -356,6 +356,9 @@ Hooks allow plugins/addons to "hook into" the code at many points and alter the [zrl=[baseurl]/help/hook/obj_verbs]obj_verbs[/zrl] Called when creating the list of verbs available for profile "things". +[zrl=[baseurl]/help/hook/oembed_action]oembed_action[/zrl] + Called when deciding if an oembed url is to be filter, blocked, or approved + [zrl=[baseurl]/help/hook/oembed_probe]oembed_probe[/zrl] Called when performing an oembed content lookup -- cgit v1.2.3