From 1ff982983ef29aa394fc0f4acd5c19ac4d2d9c3e Mon Sep 17 00:00:00 2001 From: Mario Date: Wed, 9 Nov 2022 11:33:10 +0000 Subject: items_fetch(): check if set and if there is a value --- include/items.php | 40 +++++++++++++++++++--------------------- 1 file changed, 19 insertions(+), 21 deletions(-) diff --git a/include/items.php b/include/items.php index 46140b699..96e3980f1 100644 --- a/include/items.php +++ b/include/items.php @@ -4336,7 +4336,6 @@ function zot_feed($uid, $observer_hash, $arr) { } function items_fetch($arr,$channel = null,$observer_hash = null,$client_mode = CLIENT_MODE_NORMAL,$module = 'network') { - $result = ['success' => false]; $sql_extra = ''; $sql_nets = ''; @@ -4354,7 +4353,7 @@ function items_fetch($arr,$channel = null,$observer_hash = null,$client_mode = C ); } - if(isset($arr['uid'])) { + if(isset($arr['uid']) && $arr['uid']) { $uid = $arr['uid']; } 
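Review bot: The guard `isset($arr['uid']) && $arr['uid']` in the second hunk is the long form of `!empty($arr['uid'])`, and the same pair is repeated for every option key in the later items_fetch() hunks (`top`, `star`, `wall`, `item_id`, `mid`, `since_id`, `cat`, `gid`, `cid`, `datequery`, `datequery2`, `search`, `file`, `conv`, `pages`, `compat`, `nouveau`). Writing `if (!empty($arr['uid'])) {` keeps the conditions short and makes the rule visible. That rule treats `0` and the string `'0'` as absent, so for example a `search` value of `'0'` no longer adds a filter. If that is intended, a comment above the first guard would record it, e.g. `// option keys are honoured only when set and truthy`. The function body starts and ends outside these hunks.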
@@ -4364,30 +4363,30 @@ function items_fetch($arr,$channel = null,$observer_hash = null,$client_mode = C $item_uids = " item.uid = " . intval($uid) . " "; } - if(isset($arr['top'])) + if(isset($arr['top']) && $arr['top']) $sql_options .= " and item_thread_top = 1 "; - if(isset($arr['star'])) + if(isset($arr['star']) && $arr['star']) $sql_options .= " and item_starred = 1 "; - if(isset($arr['wall'])) + if(isset($arr['wall']) && $arr['wall']) $sql_options .= " and item_wall = 1 "; - if(isset($arr['item_id'])) + if(isset($arr['item_id']) && $arr['item_id']) $sql_options .= " and parent = " . intval($arr['item_id']) . " "; - if(isset($arr['mid'])) + if(isset($arr['mid']) && $arr['mid']) $sql_options .= " and parent_mid = '" . dbesc($arr['mid']) . "' "; $sql_extra = " AND item.parent IN ( SELECT parent FROM item WHERE $item_uids and item_thread_top = 1 $sql_options $item_normal ) "; - if(isset($arr['since_id'])) + if(isset($arr['since_id']) && $arr['since_id']) $sql_extra .= " and item.id > " . intval($arr['since_id']) . " "; - if(isset($arr['cat'])) + if(isset($arr['cat']) && $arr['cat']) $sql_extra .= protect_sprintf(term_query('item', $arr['cat'], TERM_CATEGORY)); - if(isset($arr['gid']) && $uid) { + if((isset($arr['gid']) && $arr['gid']) && $uid) { $r = q("SELECT * FROM pgrp WHERE id = %d AND uid = %d LIMIT 1", intval($arr['group']), intval($uid) @@ -4418,7 +4417,7 @@ function items_fetch($arr,$channel = null,$observer_hash = null,$client_mode = C $x = AccessList::by_hash($uid, $r[0]['hash']); $result['headline'] = sprintf( t('Privacy group: %s'),$x['gname']); } - elseif(isset($arr['cid']) && $uid) { + elseif((isset($arr['cid']) && $arr['cid']) && $uid) { $r = q("SELECT abook.*, xchan.* from abook left join xchan on abook_xchan = xchan_hash where abook_id = %d and abook_channel = %d and abook_blocked = 0 limit 1", intval($arr['cid']), 
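Review bot: In the privacy-group branch of the first hunk the new guard tests `$arr['gid']`, but the lookup directly below still binds `intval($arr['group'])`, a different key. Unless callers always pass both keys, the query runs with id 0 and PHP reports an undefined array key, so the group is never found. The bound value should match the guard: `intval($arr['gid']),`. The commit fixes the same kind of mismatch for `file`/`files` in a later hunk but leaves this one. The handling of a failed group lookup is outside the hunk.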
@@ -4437,14 +4436,14 @@ function items_fetch($arr,$channel = null,$observer_hash = null,$client_mode = C $sql_extra = " AND author_xchan = '" . $channel['channel_hash'] . "' and item_private = 0 $item_normal "; } - if (isset($arr['datequery'])) { + if (isset($arr['datequery']) && $arr['datequery']) { $sql_extra3 .= protect_sprintf(sprintf(" AND item.created <= '%s' ", dbesc(datetime_convert('UTC','UTC',$arr['datequery'])))); } - if (isset($arr['datequery2'])) { + if (isset($arr['datequery2']) && $arr['datequery2']) { $sql_extra3 .= protect_sprintf(sprintf(" AND item.created >= '%s' ", dbesc(datetime_convert('UTC','UTC',$arr['datequery2'])))); } - if(isset($arr['search'])) { + if(isset($arr['search']) && $arr['search']) { if(strpos($arr['search'],'#') === 0) $sql_extra .= term_query('item',substr($arr['search'],1),TERM_HASHTAG,TERM_COMMUNITYTAG); else @@ -4453,11 +4452,11 @@ function items_fetch($arr,$channel = null,$observer_hash = null,$client_mode = C ); } - if(isset($arr['file'])) { - $sql_extra .= term_query('item',$arr['files'],TERM_FILE); + if(isset($arr['file']) && $arr['file']) { + $sql_extra .= term_query('item',$arr['file'],TERM_FILE); } - if(isset($arr['conv']) && $channel) { + if((isset($arr['conv']) && $arr['conv']) && $channel) { $sql_extra .= sprintf(" AND parent IN (SELECT distinct parent from item where ( author_xchan like '%s' or item_mentionsme = 1 )) ", dbesc(protect_sprintf($uidhash)) ); 
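Review bot: The `file` branch in the second hunk appends `term_query('item',$arr['file'],TERM_FILE)` to `$sql_extra` unwrapped, and so does the hashtag branch of `search` in the first hunk, while the `cat` branch earlier in items_fetch() wraps the same helper in `protect_sprintf()`. One of the two forms is presumably wrong for the query call that finally consumes `$sql_extra`: if that call formats its SQL sprintf-style, a `%` in a caller-supplied file or tag name would be read as a format specifier. `term_query()` and the consuming call are outside the hunks, so this needs confirming. If wrapping is right, the line becomes `$sql_extra .= protect_sprintf(term_query('item',$arr['file'],TERM_FILE));`.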
@@ -4507,15 +4506,16 @@ function items_fetch($arr,$channel = null,$observer_hash = null,$client_mode = C require_once('include/security.php'); $sql_extra .= item_permissions_sql($channel['channel_id'],$observer_hash); - if(isset($arr['pages'])) + if(isset($arr['pages']) && $arr['pages']) { $item_restrict = " AND item_type = " . ITEM_TYPE_WEBPAGE . " "; + } else $item_restrict = " AND item_type = 0 "; if(isset($arr['item_type']) && $arr['item_type'] === '*') $item_restrict = ''; - if (((isset($arr['compat'])) || (isset($arr['nouveau']) && ($client_mode & CLIENT_MODE_LOAD))) && $channel) { + if (((isset($arr['compat']) && $arr['compat']) || ((isset($arr['nouveau']) && $arr['nouveau']) && ($client_mode & CLIENT_MODE_LOAD))) && $channel) { // "New Item View" - show all items unthreaded in reverse created date order @@ -4552,9 +4552,7 @@ function items_fetch($arr,$channel = null,$observer_hash = null,$client_mode = C $ordering = "commented"; if(($client_mode & CLIENT_MODE_LOAD) || ($client_mode == CLIENT_MODE_NORMAL)) { - // Fetch a page full of parent items for this page - $r = dbq("SELECT distinct item.id AS item_id, item.$ordering FROM item left join abook on item.author_xchan = abook.abook_xchan WHERE $item_uids $item_restrict -- cgit v1.2.3 From ad9fb411f69a5863deaec22c78c3f79e8adfc987 Mon Sep 17 00:00:00 2001 From: Mario Date: Wed, 9 Nov 2022 11:52:55 +0000 Subject: address issue #1705 --- Zotlabs/Module/Cdav.php | 34 +++++++++++++++++----------------- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/Zotlabs/Module/Cdav.php b/Zotlabs/Module/Cdav.php index e68b2e5b4..8e77515ce 100644 --- a/Zotlabs/Module/Cdav.php +++ b/Zotlabs/Module/Cdav.php 
@@ -332,9 +332,9 @@ class Cdav extends Controller { } while ($duplicate == true); $properties = [ - '{DAV:}displayname' => $_REQUEST['{DAV:}displayname'], - '{http://apple.com/ns/ical/}calendar-color' => $_REQUEST['color'], - '{urn:ietf:params:xml:ns:caldav}calendar-description' => $channel['channel_name'] + '{DAV:}displayname' => escape_tags($_REQUEST['{DAV:}displayname']), + '{http://apple.com/ns/ical/}calendar-color' => escape_tags($_REQUEST['color']), + '{urn:ietf:params:xml:ns:caldav}calendar-description' => escape_tags($channel['channel_name']) ]; $id = $caldavBackend->createCalendar($principalUri, $calendarUri, $properties); @@ -366,7 +366,7 @@ class Cdav extends Controller { $allday = $_REQUEST['allday']; - $title = $_REQUEST['title']; + $title = escape_tags($_REQUEST['title']); $start = datetime_convert('UTC', 'UTC', $_REQUEST['dtstart']); $dtstart = new \DateTime($start); @@ -374,8 +374,8 @@ class Cdav extends Controller { $end = datetime_convert('UTC', 'UTC', $_REQUEST['dtend']); $dtend = new \DateTime($end); } - $description = $_REQUEST['description']; - $location = $_REQUEST['location']; + $description = escape_tags($_REQUEST['description']); + $location = escape_tags($_REQUEST['location']); do { $duplicate = false; @@ -441,8 +441,8 @@ class Cdav extends Controller { $cdavdata = $this->get_cdav_data($id[0], 'calendarinstances'); $mutations = [ - '{DAV:}displayname' => $_REQUEST['{DAV:}displayname'], - '{http://apple.com/ns/ical/}calendar-color' => $_REQUEST['color'] + '{DAV:}displayname' => escape_tags($_REQUEST['{DAV:}displayname']), + '{http://apple.com/ns/ical/}calendar-color' => escape_tags($_REQUEST['color']) ]; $patch = new \Sabre\DAV\PropPatch($mutations); 
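Review bot: The values in `$properties` are now passed through `escape_tags()` before `createCalendar()` stores them, so the escaped form is what gets persisted; the event fields and `$mutations` in the later Cdav.php hunks follow the same pattern. Escaping at this one entry point does not cover values that reach the CalDAV backend by another route, and non-browser clients reading the properties would see any entities literally, so the templates that print these fields still need to encode on output. For `color`, tag escaping does not establish that the value is a colour at all; a format check is tighter, for example `preg_match('/^#[0-9a-fA-F]{3,8}$/', $_REQUEST['color'])` if the picker submits hex colours. `escape_tags()` is defined outside the diff, so its exact escaping rules are assumed from its name.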
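Review bot: `$allday = $_REQUEST['allday'];` at the top of the create-event hunk is still taken raw, while the edit-event path later in this commit changes the same assignment to `intval($_REQUEST['allday'])`. Both paths should normalise the flag the same way, and a missing key should not raise a warning: `$allday = intval($_REQUEST['allday'] ?? 0);`. How `$allday` is used afterwards is outside the hunk.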
@@ -471,18 +471,18 @@ class Cdav extends Controller { $timezone = ((x($_POST,'timezone_select')) ? escape_tags(trim($_POST['timezone_select'])) : ''); $tz = (($timezone) ? $timezone : date_default_timezone_get()); - $allday = $_REQUEST['allday']; + $allday = intval($_REQUEST['allday']); - $uri = $_REQUEST['uri']; - $title = $_REQUEST['title']; + $uri = escape_tags($_REQUEST['uri']); + $title = escape_tags($_REQUEST['title']); $start = datetime_convert('UTC', 'UTC', $_REQUEST['dtstart']); $dtstart = new \DateTime($start); if($_REQUEST['dtend']) { $end = datetime_convert('UTC', 'UTC', $_REQUEST['dtend']); $dtend = new \DateTime($end); } - $description = $_REQUEST['description']; - $location = $_REQUEST['location']; + $description = escape_tags($_REQUEST['description']); + $location = escape_tags($_REQUEST['location']); $object = $caldavBackend->getCalendarObject($id, $uri); @@ -654,7 +654,7 @@ class Cdav extends Controller { $duplicate = true; } while ($duplicate == true); - $properties = ['{DAV:}displayname' => $_REQUEST['{DAV:}displayname']]; + $properties = ['{DAV:}displayname' => escape_tags($_REQUEST['{DAV:}displayname'])]; $carddavBackend->createAddressBook($principalUri, $addressbookUri, $properties); @@ -668,9 +668,9 @@ class Cdav extends Controller { } //edit addressbook - if($_REQUEST['{DAV:}displayname'] && $_REQUEST['edit'] && intval($_REQUEST['id'])) { + if($_REQUEST['{DAV:}displayname'] && $_REQUEST['edit'] && $_REQUEST['id']) { - $id = $_REQUEST['id']; + $id = intval($_REQUEST['id']); if(! cdav_perms($id,$addressbooks)) return; @@ -678,7 +678,7 @@ class Cdav extends Controller { $cdavdata = $this->get_cdav_data($id, 'addressbooks'); $mutations = [ - '{DAV:}displayname' => $_REQUEST['{DAV:}displayname'] + '{DAV:}displayname' => escape_tags($_REQUEST['{DAV:}displayname']) ]; $patch = new \Sabre\DAV\PropPatch($mutations); -- cgit v1.2.3 From e9b786d5e8fbf288db5e14dc8f2804e9d7b4f94a Mon Sep 17 00:00:00 2001 
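Review bot: `$uri` is used as a lookup key in `getCalendarObject($id, $uri)` at the end of the first hunk, so passing it through `escape_tags()` changes the key rather than protecting any output. If `escape_tags()` entity-encodes `&`, `<` or `>` (its definition is outside the diff), an object URI containing one of those characters, as an external CalDAV client might create, would no longer match. Keep the raw value for the lookup, `$uri = $_REQUEST['uri'];`, and escape only where the URI is printed. That assumes the backend binds the URI as a query parameter, which is not visible here.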
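Review bot: The edit-addressbook condition in the third hunk now accepts any truthy `$_REQUEST['id']`, so a non-numeric value enters the block and becomes `$id = 0` before `cdav_perms($id,$addressbooks)` runs. The previous `intval()` inside the condition rejected that case up front. Casting once and testing the result keeps both properties: `$id = intval($_REQUEST['id'] ?? 0);` placed before the `if`, then `if($_REQUEST['{DAV:}displayname'] && $_REQUEST['edit'] && $id) {`. Whether `cdav_perms()` rejects id 0 is outside the diff.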
From: Mario Date: Wed, 9 Nov 2022 13:05:48 +0000 Subject: =?UTF-8?q?=C3=83wrong=20array=20key?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- Zotlabs/Lib/Libsync.php | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/Zotlabs/Lib/Libsync.php b/Zotlabs/Lib/Libsync.php index 9851ce52a..09b81dc83 100644 --- a/Zotlabs/Lib/Libsync.php +++ b/Zotlabs/Lib/Libsync.php @@ -184,6 +184,8 @@ class Libsync { require_once('include/import.php'); +hz_syslog(print_r($arr, true)); + $result = []; $keychange = ((array_key_exists('keychange', $arr)) ? true : false); @@ -192,7 +194,10 @@ class Libsync { dbesc($sender) ); - $DR = new DReport(z_root(), $sender, $d, 'sync'); + $mid = 'sync'; + + + $DR = new DReport(z_root(), $sender, $d, $mid); if (!$r) { $DR->update('recipient not found'); @@ -202,7 +207,6 @@ class Libsync { $channel = $r[0]; - $mid = 'sync'; $DR->set_name($channel['channel_name'] . ' <' . channel_reddress($channel) . '>'); @@ -297,7 +301,7 @@ class Libsync { if (array_key_exists('item', $arr) && $arr['item']) { sync_items($channel, $arr['item'], ((array_key_exists('relocate', $arr)) ? $arr['relocate'] : null)); - $mid = $arr['item']['mid'] . '#sync'; + $mid = $arr['item'][0]['message_id'] . '#sync'; } // deprecated, maintaining for a few months for upward compatibility @@ -750,7 +754,6 @@ class Libsync { $result[] = $DR->get(); } - return $result; } -- cgit v1.2.3 From a1a287bac79f1e4f5b60e0ee293b5281c8049774 Mon Sep 17 00:00:00 2001 From: Mario Date: Thu, 10 Nov 2022 10:34:05 +0000 Subject: fix typo in variable name --- Zotlabs/Module/Activity.php | 2 +- Zotlabs/Module/Oep.php | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/Zotlabs/Module/Activity.php b/Zotlabs/Module/Activity.php index 2fbc35274..4ddfe602d 100644 --- a/Zotlabs/Module/Activity.php +++ b/Zotlabs/Module/Activity.php 
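Review bot: The added `hz_syslog(print_r($arr, true));` in the first Libsync.php hunk writes the complete incoming sync packet to the log on every call, and it sits at column 0 like a leftover debugging line. `$arr` appears to be the packet received from `$sender`; the same hunk checks it for a `keychange` entry and a later hunk reads `item` from it, so the dump can copy channel and item data into log files, which often have wider read access and longer retention than the database. Remove the line before release, or gate it behind a verbose log level and log only the packet's shape, e.g. `logger('sync packet keys: ' . implode(',', array_keys($arr)), LOGGER_DEBUG);`.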
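Review bot: `$arr['item'][0]['message_id']` in the fourth hunk is read after a guard that only establishes that `$arr['item']` exists and is truthy. A packet whose `item` is not a list, or whose first entry lacks `message_id`, raises a warning and leaves `$mid` as the bare `#sync`. Checking the exact path keeps the default in that case: `if (isset($arr['item'][0]['message_id'])) { $mid = $arr['item'][0]['message_id'] . '#sync'; }`. Note also that `$DR` was already constructed with `$mid` in the second hunk, so this assignment only matters if `$mid` is used again further down, which is outside the hunk.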
@@ -182,7 +182,7 @@ class Activity extends Controller { return; } - $ob_authorise = false; + $ob_authorize = false; $item_uid = 0; $bear = ZlibActivity::token_from_request(); diff --git a/Zotlabs/Module/Oep.php b/Zotlabs/Module/Oep.php index d3ef05e16..bf17e6436 100644 --- a/Zotlabs/Module/Oep.php +++ b/Zotlabs/Module/Oep.php @@ -343,6 +343,7 @@ class Oep extends \Zotlabs\Web\Controller { if(! ($chn && $res)) return; + $c = q("select * from channel where channel_address = '%s' limit 1", dbesc($chn) ); -- cgit v1.2.3 From 63dc8d7fc4092d7bb527a46149d211c9d135a7f0 Mon Sep 17 00:00:00 2001 From: Mario Date: Thu, 10 Nov 2022 10:37:41 +0000 Subject: fix undefined variable --- Zotlabs/Web/WebServer.php | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Zotlabs/Web/WebServer.php b/Zotlabs/Web/WebServer.php index 9fa5a7797..f43ae10a4 100644 --- a/Zotlabs/Web/WebServer.php +++ b/Zotlabs/Web/WebServer.php @@ -50,7 +50,8 @@ class WebServer { else unset($_SESSION['language']); } - if((x($_SESSION, 'language')) && ($_SESSION['language'] !== $lang)) { + + if ((x($_SESSION, 'language')) && ($_SESSION['language'] !== \App::$language)) { \App::$language = $_SESSION['language']; load_translation_table(\App::$language); } -- cgit v1.2.3 From 30ddee65a4b4cc52a5cfb6cef77ac43b9ad7f299 Mon Sep 17 00:00:00 2001 From: Mario Date: Thu, 10 Nov 2022 10:48:24 +0000 Subject: fix wrong array key and undefined array key --- include/feedutils.php | 4 ++-- include/items.php | 3 ++- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/include/feedutils.php b/include/feedutils.php index 814e9c163..eea908fe8 100644 --- a/include/feedutils.php +++ b/include/feedutils.php @@ -1904,7 +1904,7 @@ function atom_entry($item, $type, $author, $owner, $comment = false, $cid = 0, $ if(! $item['parent']) return; - if($item['deleted']) + if($item['item_deleted']) return '' . "\r\n"; create_export_photo_body($item); 
@@ -2024,7 +2024,7 @@ function atom_entry($item, $type, $author, $owner, $comment = false, $cid = 0, $ } } - if($item['term']) { + if (isset($item['term']) && $item['term']) { foreach($item['term'] as $term) { $scheme = ''; $label = ''; diff --git a/include/items.php b/include/items.php index 96e3980f1..4e4869aa8 100644 --- a/include/items.php +++ b/include/items.php @@ -4608,9 +4608,10 @@ function items_fetch($arr,$channel = null,$observer_hash = null,$client_mode = C $items = array(); } - if($parents_str && $arr['mark_seen']) + if ($parents_str && (isset($arr['mark_seen']) && $arr['mark_seen'])) { $update_unseen = ' AND parent IN ( ' . dbesc($parents_str) . ' )'; /** @FIXME finish mark unseen sql */ + } } return $items; -- cgit v1.2.3 From 9eb332f03265821b8f9f2965e9977aef69e0413f Mon Sep 17 00:00:00 2001 From: Mario Date: Thu, 10 Nov 2022 17:57:26 +0000 Subject: allow to look for pubstream items if we do not own one but make sure the permissons are checked correctly --- Zotlabs/Module/Display.php | 21 +++++++++------------ 1 file changed, 9 insertions(+), 12 deletions(-) diff --git a/Zotlabs/Module/Display.php b/Zotlabs/Module/Display.php index 0aac96f4a..1a1c09d7c 100644 --- a/Zotlabs/Module/Display.php +++ b/Zotlabs/Module/Display.php 
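Review bot: In the `mark_seen` branch of the items.php hunk, `$parents_str` is placed inside `IN ( … )` without quotes, and `dbesc()` only escapes characters that matter inside a quoted string, so it gives no protection in that position. The clause is safe only if `$parents_str` is built purely from integer ids, and its construction is outside the hunk. Since the branch is being touched and already carries a `@FIXME`, a comment stating the invariant would help, e.g. `// $parents_str must be a comma-separated list of integer ids; dbesc() does not protect an unquoted list`. `$update_unseen` is not used anywhere within the hunk.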
@@ -213,27 +213,27 @@ class Display extends \Zotlabs\Web\Controller { $observer_hash = get_observer_hash(); $item_normal = item_normal(); $item_normal_update = item_normal_update(); - - $sql_extra = ((local_channel()) ? EMPTY_STR : item_permissions_sql(0, $observer_hash)); + $sql_extra = ''; + $r = []; if($noscript_content || $load) { - require_once('include/channel.php'); $sys = get_sys_channel(); // in case somebody turned off public access to sys channel content using permissions // make that content unsearchable by ensuring the owner uid can't match $sys_id = perm_is_allowed($sys['channel_id'], $observer_hash, 'view_stream') ? $sys['channel_id'] : 0; - $r = null; - if(local_channel()) { $r = q("SELECT item.id AS item_id FROM item WHERE uid = %d AND mid = '%s' $item_normal LIMIT 1", intval(local_channel()), dbesc($target_item['parent_mid']) ); + } - if($r === null) { + if(!$r) { + $sql_extra = item_permissions_sql(0, $observer_hash); + $r = q("SELECT item.id AS item_id FROM item WHERE ((mid = '%s' AND (((( item.allow_cid = '' AND item.allow_gid = '' AND item.deny_cid = '' @@ -257,7 +257,6 @@ class Display extends \Zotlabs\Web\Controller { // make that content unsearchable by ensuring the owner uid can't match $sys_id = perm_is_allowed($sys['channel_id'], $observer_hash, 'view_stream') ? $sys['channel_id'] : 0; - $r = null; if(local_channel()) { $r = q("SELECT item.parent AS item_id from item WHERE uid = %d @@ -270,7 +269,9 @@ class Display extends \Zotlabs\Web\Controller { ); } - if($r === null) { + if(!$r) { + $sql_extra = item_permissions_sql(0, $observer_hash); + $r = q("SELECT item.id as item_id from item WHERE ((parent_mid = '%s' AND (((( item.allow_cid = '' AND item.allow_gid = '' AND item.deny_cid = '' @@ -287,10 +288,6 @@ class Display extends \Zotlabs\Web\Controller { } } - else { - $r = []; - } - if($r) { $parents_str = ids_to_querystr($r,'item_id'); if($parents_str) { -- cgit v1.2.3 
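Review bot: `$sql_extra` now starts as `''` and receives `item_permissions_sql(0, $observer_hash)` only inside the two `if(!$r)` fallbacks. Any query after these hunks that interpolates `$sql_extra` therefore runs without a permission clause whenever the lookup under `local_channel()` matched. That appears to be the intent, since the viewer owns that copy, but it is an access-control invariant that a later edit can break silently. A comment at the initialisation would record it: `// stays empty only when the item was found under the viewer's own uid; every other path must set item_permissions_sql()`. The queries that consume `$sql_extra` and `$r` are outside the hunks.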
From 6da65c7ddcc37481c039b5927edcd2bf0df33c58 Mon Sep 17 00:00:00 2001 From: Mario Date: Sun, 13 Nov 2022 17:13:33 +0000 Subject: cast the type to update if it is an edit --- Zotlabs/Lib/Activity.php | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/Zotlabs/Lib/Activity.php b/Zotlabs/Lib/Activity.php index 963a8ff75..9dbb15c28 100644 --- a/Zotlabs/Lib/Activity.php +++ b/Zotlabs/Lib/Activity.php @@ -545,6 +545,7 @@ class Activity { call_hooks('encode_item', $hookinfo); + return $hookinfo['encoded']; } @@ -821,8 +822,12 @@ class Activity { } $ret['published'] = ((isset($i['created'])) ? datetime_convert('UTC', 'UTC', $i['created'], ATOM_TIME) : datetime_convert()); - if (isset($i['created'], $i['edited']) && $i['created'] !== $i['edited']) + if (isset($i['created'], $i['edited']) && $i['created'] !== $i['edited']) { $ret['updated'] = datetime_convert('UTC', 'UTC', $i['edited'], ATOM_TIME); + if ($ret['type'] === 'Create') { + $ret['type'] = 'Update'; + } + } if (isset($i['app']) && $i['app']) { $ret['generator'] = ['type' => 'Application', 'name' => $i['app']]; -- cgit v1.2.3 From 6e124a4d724475f3e20d534b33ad7f245b76d6ff Mon Sep 17 00:00:00 2001 From: Mario Date: Sun, 13 Nov 2022 19:40:03 +0000 Subject: changelog --- CHANGELOG | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/CHANGELOG b/CHANGELOG index 1731eceb8..f3eb1d375 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -1,3 +1,11 @@ +Hubzilla 7.8.5 (2022-11-13) + - Fix outbound edit activity not of type update + - Fix mod display not falling through to fetch public item + - Fix more PHP warnings + - Fix regression in items_fetch() which resulted in empty feed + - Pubcrawl: cleanup and slightly restructre mod inbox + + Hubzilla 7.8.4 (2022-11-09) - Fix new uuid created when editing a post -- cgit v1.2.3 From 04516b787ac1230d7da4bd7445f7a8bc76bd65a1 Mon Sep 17 00:00:00 2001 
From: Mario Date: Sun, 13 Nov 2022 19:42:07 +0000 Subject: update changelog --- CHANGELOG | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG b/CHANGELOG index f3eb1d375..548f98c78 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -2,7 +2,7 @@ Hubzilla 7.8.5 (2022-11-13) - Fix outbound edit activity not of type update - Fix mod display not falling through to fetch public item - Fix more PHP warnings - - Fix regression in items_fetch() which resulted in empty feed + - Fix regression in items_fetch() which resulted in empty atom feed - Pubcrawl: cleanup and slightly restructre mod inbox -- cgit v1.2.3