From 6466774b6e6ed72ea1cc57cbc76e451205934aca Mon Sep 17 00:00:00 2001
From: redmatrix
Date: Wed, 20 May 2015 18:46:23 -0700
Subject: PRIVACY: possible privacy leakage under a defined set of circumstances
---
 include/items.php | 13 ++++++++-----
 include/security.php | 10 +++++-----
 include/text.php | 10 ----------
 mod/channel.php | 2 +-
 mod/editpost.php | 1 +
 mod/item.php | 17 +++++++++++++----
 version.inc | 2 +-
 view/tpl/jot.tpl | 3 +++
 8 files changed, 32 insertions(+), 26 deletions(-)
diff --git a/include/items.php b/include/items.php
index 1db3fab2b..245259e38 100755
--- a/include/items.php
+++ b/include/items.php
@@ -2527,6 +2527,7 @@ function item_store_update($arr,$allow_exec = false) {
 $arr['title'] = ((array_key_exists('title',$arr) && strlen($arr['title'])) ? trim($arr['title']) : '');
 $arr['body'] = ((array_key_exists('body',$arr) && strlen($arr['body'])) ? trim($arr['body']) : '');
+ $arr['attach'] = ((x($arr,'attach')) ? notags(trim($arr['attach'])) : $orig[0]['attach']);
 $arr['app'] = ((x($arr,'app')) ? notags(trim($arr['app'])) : $orig[0]['app']);
 // $arr['item_restrict'] = ((x($arr,'item_restrict')) ? intval($arr['item_restrict']) : $orig[0]['item_restrict'] );
@@ -4372,12 +4373,14 @@ function fetch_post_tags($items,$link = false) {
-function zot_feed($uid,$observer_xchan,$arr) {
+function zot_feed($uid,$observer_hash,$arr) {
 $result = array();
 $mindate = null;
 $message_id = null;
+ require_once('include/security.php');
+
 if(array_key_exists('mindate',$arr)) {
 $mindate = datetime_convert('UTC','UTC',$arr['mindate']);
 }
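Review bot: The new `attach` line falls back to `$orig[0]['attach']` whenever `x($arr,'attach')` is false, so an update that deliberately sends an empty `attach` to remove attachments would keep the original's; `app` on the next line already behaves this way, whereas `title` and `body` two lines up distinguish a missing key from an empty value with `array_key_exists`. If `x()` tests for a non-empty value (it is not defined on this page), `array_key_exists('attach',$arr) ? notags(trim($arr['attach'])) : $orig[0]['attach']` would make clearing possible; otherwise a short comment stating that an empty `attach` intentionally preserves the stored one would make the behaviour explicit. item_store_update begins and ends outside the hunk.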
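Review bot: The `require_once('include/security.php')` hoisted to the top of zot_feed makes the identical `require_once` that remains inside the `if(! is_sys_channel($uid))` block (a context line of the next hunk, @@ -4395) redundant; the commit removes the copy in the `is_sys_channel` branch but leaves that one, so it could go as well. The `$observer_xchan` to `$observer_hash` rename matches the `items_fetch` parameter of the same name and the value `item_permissions_sql` now expects. zot_feed continues past this hunk.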
@@ -4395,14 +4398,14 @@ function zot_feed($uid,$observer_xchan,$arr) {
 if($message_id) logger('message_id: ' . $message_id,LOGGER_DEBUG);
- if(! perm_is_allowed($uid,$observer_xchan,'view_stream')) {
+ if(! perm_is_allowed($uid,$observer_hash,'view_stream')) {
 logger('zot_feed: permission denied.');
 return $result;
 }
 if(! is_sys_channel($uid)) {
 require_once('include/security.php');
- $sql_extra = item_permissions_sql($uid);
+ $sql_extra = item_permissions_sql($uid,$observer_hash);
 }
 $limit = " LIMIT 100 ";
@@ -4416,6 +4419,7 @@ function zot_feed($uid,$observer_xchan,$arr) {
 $limit = '';
 }
+ $items = array();
 /** @FIXME fix this part for PostgreSQL */
@@ -4425,7 +4429,6 @@ function zot_feed($uid,$observer_xchan,$arr) {
 }
 if(is_sys_channel($uid)) {
- require_once('include/security.php');
 $r = q("SELECT parent, created, postopts from item WHERE uid != %d AND item_private = 0 AND item_restrict = 0 AND uid in (" . stream_perms_api_uids(PERMS_PUBLIC,10,1) . ")
@@ -4633,7 +4636,7 @@ function items_fetch($arr,$channel = null,$observer_hash = null,$client_mode = C
 //$start = dba_timer();
 require_once('include/security.php');
- $sql_extra .= item_permissions_sql($channel['channel_id']);
+ $sql_extra .= item_permissions_sql($channel['channel_id'],$observer_hash);
 if ($arr['pages']) $item_restrict = " AND (item_restrict & " . ITEM_WEBPAGE . ") ";
diff --git a/include/security.php b/include/security.php
index c3b0e9763..91683cc98 100644
--- a/include/security.php
+++ b/include/security.php
@@ -148,7 +148,7 @@ function change_channel($change_channel) {
 *
 * @return string additional SQL where statement
 */
-function permissions_sql($owner_id, $remote_verified = false, $groups = null) {
+function permissions_sql($owner_id, $remote_observer = null) {
 $local_channel = local_channel();
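Review bot: `item_permissions_sql($channel['channel_id'],$observer_hash)` only tightens filtering for callers that actually pass `$observer_hash`; the hunk header shows it defaults to `null` in items_fetch's signature, and with `null` the new `item_permissions_sql` (include/security.php in this commit) falls back to `get_observer_hash()`, i.e. the session's identity. Any existing caller that runs items_fetch on behalf of a remote identity without forwarding the verified hash would still be filtered as whoever is logged in; those callers are outside this page, so auditing them seems worthwhile. A one-line comment at the call such as `// $observer_hash must be the verified remote identity; null means the current session observer` would document the contract. items_fetch begins and ends outside the hunk.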
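Review bot: Replacing `permissions_sql($owner_id, $remote_verified = false, $groups = null)` with `permissions_sql($owner_id, $remote_observer = null)` changes the meaning of the second positional argument from a boolean to an observer hash, and no caller of `permissions_sql()` is updated in this commit (only the `item_permissions_sql()` call in mod/channel.php is). If any call site still passes the old `$remote_verified` flag positionally, a `true` would reach `init_groups_visitor()` as the observer (see the @@ -181 hunk) and a passed `$groups` would be silently ignored; the same applies to `item_permissions_sql()` at @@ -217. Checking both sets of call sites before merging, and adding `@param string|null $remote_observer xchan hash of a verified remote observer; null = current session observer` to the docblock above each function, would make the new contract hard to misuse. Both function bodies continue outside their hunks.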
@@ -181,7 +181,7 @@ function permissions_sql($owner_id, $remote_verified = false, $groups = null) {
 */
 else {
- $observer = get_observer_hash();
+ $observer = (($remote_observer) ? $remote_observer : get_observer_hash());
 if($observer) {
 $groups = init_groups_visitor($observer);
@@ -217,7 +217,7 @@ function permissions_sql($owner_id, $remote_verified = false, $groups = null) {
 *
 * @return string additional SQL where statement
 */
-function item_permissions_sql($owner_id, $remote_verified = false, $groups = null) {
+function item_permissions_sql($owner_id, $remote_observer = null) {
 $local_channel = local_channel();
@@ -227,7 +227,7 @@ function item_permissions_sql($owner_id, $remote_verified = false, $groups = nul
 * default permissions - anonymous user
 */
- $sql = " AND item_private=0 ";
+ $sql = " AND item_private = 0 ";
 /**
 * Profile owner - everything is visible
@@ -246,7 +246,7 @@ function item_permissions_sql($owner_id, $remote_verified = false, $groups = nul
 */
 else {
- $observer = get_observer_hash();
+ $observer = (($remote_observer) ? $remote_observer : get_observer_hash());
 if($observer) {
 $groups = init_groups_visitor($observer);
diff --git a/include/text.php b/include/text.php
index 6ed06e92a..d483424ec 100644
--- a/include/text.php
+++ b/include/text.php
@@ -1379,12 +1379,8 @@ function generate_named_map($location) {
 function prepare_body(&$item,$attach = false) {
- if(get_config('system','item_cache') && $item['html'])
- return $item['html'];
-
 call_hooks('prepare_body_init', $item);
-
 unobscure($item);
 $s = prepare_text($item['body'],$item['mimetype']);
@@ -1452,12 +1448,6 @@ function prepare_body(&$item,$attach = false) {
 $prep_arr = array('item' => $item, 'html' => $s);
 call_hooks('prepare_body_final', $prep_arr);
- if(get_config('system','item_cache'))
- q("update item set html = '%s' where id = %d",
- dbesc($prep_arr['html']),
- intval($item['id'])
- );
-
 return $prep_arr['html'];
 }
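Review bot: `$observer = (($remote_observer) ? $remote_observer : get_observer_hash());` tests truthiness, so a caller that passes an empty string to mean "anonymous remote" is silently upgraded to the session observer, and `null` (the default) cannot be told apart from an explicit anonymous request; the same expression is added at @@ -246 in item_permissions_sql. Testing for absence instead, `$observer = (($remote_observer !== null) ? $remote_observer : get_observer_hash());`, keeps the default for callers that pass nothing while letting an explicit empty value fall through to the anonymous branch that `if($observer)` already provides. Because this SQL is what keeps private items out of feeds, a comment above the line saying that the session fallback is only meant for interactive requests would help the next reader. Both enclosing functions extend beyond their hunks.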
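Review bot: Dropping the `item_cache` read in prepare_body stops serving one stored `html` rendering to every observer, but rows already populated by the write removed at @@ -1452 keep their `html` column, and nothing in this commit clears it or retires the `system.item_cache` setting. If anything else still reads `$item['html']` (not visible on this page), a one-off `update item set html = ''` in the upgrade path, or at least a line in the commit message, would close that out. With the early return gone, `unobscure($item)` now runs on every call, which is what makes the output per-observer again. prepare_body's body continues between the two hunks.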
diff --git a/mod/channel.php b/mod/channel.php
index 022def2a8..b06602994 100644
--- a/mod/channel.php
+++ b/mod/channel.php
@@ -146,7 +146,7 @@ function channel_content(&$a, $update = 0, $load = false) {
 */
- $sql_extra = item_permissions_sql($a->profile['profile_uid'],$remote_contact,$groups);
+ $sql_extra = item_permissions_sql($a->profile['profile_uid']);
 if(get_pconfig($a->profile['profile_uid'],'system','channel_list_mode') && (! $mid)) $page_mode = 'list';
diff --git a/mod/editpost.php b/mod/editpost.php
index 58ebe31cb..81bb91b2a 100644
--- a/mod/editpost.php
+++ b/mod/editpost.php
@@ -132,6 +132,7 @@ function editpost_content(&$a) {
 '$ptyp' => $itm[0]['type'],
 '$content' => undo_post_tagging($itm[0]['body']),
 '$post_id' => $post_id,
+ '$parent' => (($itm[0]['parent'] != $itm[0]['id']) ? $itm[0]['parent'] : ''),
 '$baseurl' => $a->get_baseurl(),
 '$defloc' => $channel['channel_location'],
 '$visitor' => false,
diff --git a/mod/item.php b/mod/item.php
index a732a9f81..cbbaa9e27 100644
--- a/mod/item.php
+++ b/mod/item.php
@@ -452,8 +452,6 @@ function item_post(&$a) {
 }
 }
- $post_type = notags(trim($_REQUEST['type']));
-
 $mimetype = notags(trim($_REQUEST['mimetype']));
 if(! $mimetype) $mimetype = 'text/bbcode';
@@ -659,8 +657,19 @@ function item_post(&$a) {
 $item_unseen = 1;
- if($post_type === 'wall' || $post_type === 'wall-comment')
- $item_flags = $item_flags | ITEM_WALL;
+
+ // determine if this is a wall post
+
+ if($parent) {
+ if($parent_item['item_flags'] & ITEM_WALL) {
+ $item_flags = $item_flags | ITEM_WALL;
+ }
+ }
+ else {
+ if(! $webpage) {
+ $item_flags = $item_flags | ITEM_WALL;
+ }
+ }
 if($origin) $item_flags = $item_flags | ITEM_ORIGIN;
diff --git a/version.inc b/version.inc
index acb250bd9..f2e8ff81c 100644
--- a/version.inc
+++ b/version.inc
@@ -1 +1 @@
-2015-05-19.1037
+2015-05-20.1038
diff --git a/view/tpl/jot.tpl b/view/tpl/jot.tpl
index 2fcd4d59b..100dd15b9 100755
--- a/view/tpl/jot.tpl
+++ b/view/tpl/jot.tpl
@@ -1,5 +1,8 @@
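Review bot: With `$remote_contact` and `$groups` no longer passed to `item_permissions_sql()`, the values computed for them earlier in channel_content (outside the hunk) may now be dead locals; if nothing else in the function uses them they can be removed together with whatever lookup produced them. The call now relies on `get_observer_hash()` inside `item_permissions_sql()`, which fits the interactive context of this module. channel_content continues on both sides of the hunk.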
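Review bot: `'$parent' => (($itm[0]['parent'] != $itm[0]['id']) ? $itm[0]['parent'] : '')` uses a loose `!=` between two values taken straight from the database row; comparing them as integers, `((intval($itm[0]['parent']) !== intval($itm[0]['id'])) ? intval($itm[0]['parent']) : '')`, removes any dependence on how the driver returns the columns and guarantees the template receives a number or an empty string. A short comment explaining why the editor needs the parent id (presumably so item_post, changed in this commit, can classify the edited post from its parent rather than from request data) would help readers. editpost_content's surrounding code is outside the hunk.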
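Review bot: The new wall-post logic dereferences `$parent_item['item_flags']` whenever `$parent` is truthy, but `$parent_item` is assigned outside the hunk; if item_post can reach this point with `$parent` set and the parent lookup having failed, the expression raises a notice and the post silently loses ITEM_WALL, so it is worth confirming that path aborts earlier. Deriving the flag from the stored parent instead of the request-supplied `type` is the right direction; the @@ -452 hunk also drops `$post_type`, so check that no other reference to it survives in item_post. The four-level nesting reads more simply as `if(($parent) ? ($parent_item['item_flags'] & ITEM_WALL) : (! $webpage))` followed by `$item_flags = $item_flags | ITEM_WALL;`, which keeps the same truth table. item_post extends beyond both hunks.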
+ {{if $parent}} + + {{/if}} -- cgit v1.2.3