From deedac6ae542a1ff8d599076b7e0ef344d30e1a8 Mon Sep 17 00:00:00 2001
From: friendica <info@friendica.com>
Date: Thu, 16 May 2013 20:21:12 -0700
Subject: workarounds for people that re-install and end up polluting
 everybody's databases with stale entries

---
 include/notifier.php |  4 ++--
 mod/item.php         |  2 ++
 mod/post.php         | 29 ++++++++++++++++++++++++-----
 3 files changed, 28 insertions(+), 7 deletions(-)

diff --git a/include/notifier.php b/include/notifier.php
index 60cae2dc0..c805ef4cd 100644
--- a/include/notifier.php
+++ b/include/notifier.php
@@ -321,8 +321,8 @@ function notifier_run($argv, $argc){
 
 	$sql_extra = (($private) ? "" : " or hubloc_url = '" . z_root() . "' ");
 
-	$r = q("select distinct(hubloc_callback),hubloc_host,hubloc_sitekey from hubloc 
-		where hubloc_hash in (" . implode(',',$recipients) . ") $sql_extra group by hubloc_callback");
+	$r = q("select distinct hubloc_sitekey, hubloc_callback, hubloc_host from hubloc 
+		where hubloc_hash in (" . implode(',',$recipients) . ") $sql_extra group by hubloc_sitekey");
 	if(! $r) {
 		logger('notifier: no hubs');
 		return;
diff --git a/mod/item.php b/mod/item.php
index a8d1bdf31..6678930ec 100644
--- a/mod/item.php
+++ b/mod/item.php
@@ -545,6 +545,8 @@ function item_post(&$a) {
 		echo json_encode(array('preview' => $o));
 		killme();
 	}
+	if($orig_post)
+		$datarray['edit'] = true;
 
 	call_hooks('post_local',$datarray);
 
diff --git a/mod/post.php b/mod/post.php
index 20100c032..286eb743d 100644
--- a/mod/post.php
+++ b/mod/post.php
@@ -200,17 +200,36 @@ function post_post(&$a) {
 			logger('mod_zot: pickup: ' . $ret['message']);
 			json_return_and_die($ret);
 		}
-		// verify the url_sig
-		$sitekey = $r[0]['hubloc_sitekey'];
-//		logger('sitekey: ' . $sitekey);
 
-		if(! rsa_verify($data['callback'],base64url_decode($data['callback_sig']),$sitekey)) {
+		foreach ($r as $hubsite) {
+
+			// verify the url_sig
+			// If the server was re-installed at some point, there could be multiple hubs with the same url and callback.
+			// Only one will have a valid key.
+
+			$forgery = true;
+			$secret_fail = true;
+
+			$sitekey = $hubsite['hubloc_sitekey'];
+
+			//		logger('sitekey: ' . $sitekey);
+
+			if(rsa_verify($data['callback'],base64url_decode($data['callback_sig']),$sitekey)) {
+				$forgery = false;
+			}
+			if(rsa_verify($data['secret'],base64url_decode($data['secret_sig']),$sitekey)) {
+				$secret_fail = false;
+			}
+			if((! $forgery) && (! $secret_fail))
+				break;
+		}
+		if($forgery) {
 			$ret['message'] = 'possible site forgery';
 			logger('mod_zot: pickup: ' . $ret['message']);
 			json_return_and_die($ret);
 		}
 
-		if(! rsa_verify($data['secret'],base64url_decode($data['secret_sig']),$sitekey)) {
+		if($secret_fail) {
 			$ret['message'] = 'secret validation failed';
 			logger('mod_zot: pickup: ' . $ret['message']);
 			json_return_and_die($ret);
-- 
cgit v1.2.3