From beb3301d43c0d532bd6984ee745074479babdabb Mon Sep 17 00:00:00 2001 From: friendica Date: Tue, 22 Jan 2013 02:56:32 -0800 Subject: security fixes related to directory access and sites that are off the grid --- include/zot.php | 15 ++++++++++++++- mod/directory.php | 4 ++++ mod/dirsearch.php | 10 +++------- mod/search.php | 5 +++++ mod/zfinger.php | 3 +-- 5 files changed, 27 insertions(+), 10 deletions(-) diff --git a/include/zot.php b/include/zot.php index 2623d68c4..f35c6f93e 100644 --- a/include/zot.php +++ b/include/zot.php @@ -536,11 +536,24 @@ function import_xchan($arr) { if($r[0]['xchan_photo_date'] != $arr['photo_updated']) $import_photos = true; + // if we import an entry from a site that's not ours and either or both of us is off the grid - hide the entry. + // TODO: check if we're the same directory realm, which would mean we are allowed to see it + + $dirmode = get_config('system','directory_mode'); + + if((($arr['site']['directory_mode'] === 'standalone') || ($dirmode & DIRECTORY_MODE_STANDALONE)) +&& ($arr['site']['url'] != z_root())) + $arr['searchable'] = false; + + + + // Be careful - XCHAN_FLAGS_HIDDEN should evaluate to 1 if(($r[0]['xchan_flags'] & XCHAN_FLAGS_HIDDEN) != $arr['searchable']) $new_flags = $r[0]['xchan_flags'] ^ XCHAN_FLAGS_HIDDEN; else $new_flags = $r[0]['xchan_flags']; - + + if(($r[0]['xchan_name_date'] != $arr['name_updated']) || ($r[0]['xchan_connurl'] != $arr['connections_url']) || ($r[0]['xchan_flags'] != $new_flags)) { $r = q("update xchan set xchan_name = '%s', xchan_name_date = '%s', xchan_connurl = '%s', xchan_flags = %d where xchan_hash = '%s' limit 1", dbesc($arr['name']), diff --git a/mod/directory.php b/mod/directory.php index d9182d1bd..f2d9e1e02 100644 --- a/mod/directory.php +++ b/mod/directory.php 
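Review bot: `$dirmode` is read straight from `get_config()` and tested with a bitwise `&`, whereas `mod/dirsearch.php` and `mod/zfinger.php` in this same patch `intval()` it and compare with `==`; if the `DIRECTORY_MODE_*` values are enumerated modes rather than independent bit flags, `$dirmode & DIRECTORY_MODE_STANDALONE` can also be true for other modes. Suggest `$dirmode = intval(get_config('system','directory_mode'));` and `($dirmode == DIRECTORY_MODE_STANDALONE)` for consistency with the other files. The new condition also dereferences `$arr['site']['directory_mode']` and `$arr['site']['url']` without checking that the incoming record carries a `site` block at all; whether a record with no site information should be hidden is a policy choice, but it should be made explicitly, e.g. with `if(! isset($arr['site']['url']))` ahead of the test, rather than falling out of a null comparison. Finally, the flag toggle on the context lines below fires only when `(xchan_flags & XCHAN_FLAGS_HIDDEN)` differs from `$arr['searchable']`, so as far as these lines show a record that is currently not hidden and now arrives with `searchable` forced to false is left untouched — worth confirming that the new assignment really results in the entry being hidden, and that the insert path (outside this hunk) honours it too. import_xchan continues outside the hunk.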
@@ -56,6 +56,8 @@ function directory_content(&$a) { $query = $url . '?f=' ; if($search) $query .= '&name=' . urlencode($search); + if(strpos($search,'@')) + $query .= '&address=' . urlencode($search); if($a->pager['page'] != 1) $query .= '&p=' . $a->pager['page']; @@ -63,6 +65,8 @@ function directory_content(&$a) { logger('mod_directory: query: ' . $query); $x = z_fetch_url($query); + logger('directory: return from upstream: ' . print_r($x,true)); + if($x['success']) { $t = 0; $j = json_decode($x['body'],true); diff --git a/mod/dirsearch.php b/mod/dirsearch.php index 57132519c..1dbe60499 100644 --- a/mod/dirsearch.php +++ b/mod/dirsearch.php @@ -14,16 +14,12 @@ function dirsearch_content(&$a) { // If you've got a public directory server, you probably shouldn't block public access - if((get_config('system','block_public')) && (! local_user()) && (! remote_user())) { - $ret['message'] = t('Public access denied.'); - return; - } $dirmode = intval(get_config('system','directory_mode')); if($dirmode == DIRECTORY_MODE_NORMAL) { $ret['message'] = t('This site is not a directory server'); - return; + json_return_and_die($ret); } $name = ((x($_REQUEST,'name')) ? $_REQUEST['name'] : ''); @@ -75,7 +71,7 @@ function dirsearch_content(&$a) { // By default we return one page (default 80 items maximum) and do not count total entries $logic = ((strlen($sql_extra)) ? 0 : 1); - +dbg(1); if($limit) $qlimit = " LIMIT $limit "; else { @@ -95,7 +91,7 @@ function dirsearch_content(&$a) { $r = q("SELECT xchan.*, xprof.* from xchan left join xprof on xchan_hash = xprof_hash where $logic $sql_extra and not ( xchan_flags & %d ) $order $qlimit ", intval(XCHAN_FLAGS_HIDDEN) ); - +dbg(0); $ret['page'] = $page + 1; $ret['records'] = count($r); diff --git a/mod/search.php b/mod/search.php index a9f2df069..7a0f4205d 100644 --- a/mod/search.php +++ b/mod/search.php 
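Review bot: `if(strpos($search,'@'))` treats a leading `@` as "not found", because `strpos()` returns `0` for a match at position zero and `0` is falsy; `mod/search.php` in this same patch uses `strpos($search,'@') !== false`, so the two files disagree on an input like `@nick@host`. Use `if(strpos($search,'@') !== false)` here as well. Note also that both `&name=` and `&address=` are now sent for such a search; if the upstream treats them as alternatives rather than as a combined filter, the `name` parameter may want to be skipped in that case.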
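Review bot: `logger('directory: return from upstream: ' . print_r($x,true));` writes the complete upstream response, including the body that is then `json_decode`d into directory records, to the log on every directory page view, at the default log level. That is a lot of volume and it puts other people's profile data into this site's log; if it is needed as a debugging aid, gate it behind a debug level, e.g. `logger('directory: return from upstream: ' . print_r($x,true), LOGGER_DATA);`, or log only `$x['success']` and the record count.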
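Review bot: With the `block_public` denial removed, nothing left in this part of `dirsearch_content()` checks who is asking — the only remaining gate is `$dirmode == DIRECTORY_MODE_NORMAL`, so as far as the hunk shows a site running in `DIRECTORY_MODE_STANDALONE` now answers anonymous directory queries even when `system.block_public` is set. That sits oddly with the `include/zot.php` hunk of this patch, which goes to some length to keep standalone sites' entries off the grid; the comment above the removed block argues the case for a public directory server, not a standalone one. Consider keeping the denial for the standalone case after `$dirmode` is computed, e.g. `if(($dirmode == DIRECTORY_MODE_STANDALONE) && (get_config('system','block_public')) && (! local_user()) && (! remote_user())) { $ret['message'] = t('Public access denied.'); json_return_and_die($ret); }`, which also returns the error as JSON like the not-a-directory path now does. dirsearch_content continues outside the hunk.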
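Review bot: `dbg(1);` and `dbg(0);` (this hunk and the one at `@@ -95,7 +91,7 @@`) look like debugging aids left in: they replace blank lines, sit at column 0, and bracket the search query so that whatever `dbg()` switches on is active for every incoming directory search. Unless that is intended in production, drop both lines before merging; if it is intended, a one-line comment saying what `dbg(1)` enables here would help the next reader.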
@@ -117,6 +117,11 @@ function search_content(&$a) { goaway(z_root() . '/directory' . '?f=1&search=' . $search); } + // look for a naked webbie + if(strpos($search,'@') !== false) { + goaway(z_root() . '/directory' . '?f=1&search=' . $search); + } + if(! $search) return $o; diff --git a/mod/zfinger.php b/mod/zfinger.php index 2fb169ef1..b7a89b12b 100644 --- a/mod/zfinger.php +++ b/mod/zfinger.php @@ -75,7 +75,6 @@ function zfinger_init(&$a) { if($e['xchan_flags'] & XCHAN_FLAGS_HIDDEN) $searchable = false; - // This is for birthdays and keywords, but must check access permissions $p = q("select * from profile where uid = %d and is_default = 1", intval($e['channel_id']) @@ -181,7 +180,7 @@ function zfinger_init(&$a) { elseif($dirmode == DIRECTORY_MODE_STANDALONE) $ret['site']['directory_mode'] = 'standalone'; if($dirmode != DIRECTORY_MODE_NORMAL) - $ret['site']['directory_url'] = z_root() . '/dir'; + $ret['site']['directory_url'] = z_root() . '/dirsearch'; json_return_and_die($ret); -- cgit v1.2.3
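Review bot: `$search` is concatenated into the redirect target without `urlencode()`, so a value containing `&`, `#`, `+` or a space breaks the `search=` parameter of the resulting `/directory` URL, while `mod/directory.php` in this same patch does urlencode the same value when it builds its own query. Use `goaway(z_root() . '/directory' . '?f=1&search=' . urlencode($search));`; the context line just above has the same pattern and could be fixed alongside. The new block also redirects to exactly the same URL as that preceding branch, so if the earlier condition (outside the hunk) already matches some `@` inputs the two could presumably be merged into one test. search_content continues outside the hunk.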