From ebd52368bb134e57a54d853732b5b4970a8ce02b Mon Sep 17 00:00:00 2001 From: friendica Date: Sun, 16 Feb 2014 14:13:26 -0800 Subject: strip hard-wired zids from posted links as they will have the wrong identity when somebody tries to view the link --- include/items.php | 11 ++++++++++- include/text.php | 5 +++++ index.php | 2 +- mod/cloud.php | 4 ++-- mod/item.php | 8 +------- version.inc | 2 +- 6 files changed, 20 insertions(+), 12 deletions(-) diff --git a/include/items.php b/include/items.php index 3c10b8f5c..9bcdd7d0b 100755 --- a/include/items.php +++ b/include/items.php @@ -145,7 +145,9 @@ function can_comment_on_post($observer_xchan,$item) { * @function red_zrl_callback * preg_match function when fixing 'naked' links in mod item.php * Check if we've got a hubloc for the site and use a zrl if we do, a url if we don't. - * + * Remove any existing zid= param which may have been pasted by mistake - and will have + * the author's credentials. zid's are dynamic and can't really be passed around like + * that. */ @@ -159,6 +161,13 @@ function red_zrl_callback($matches) { if($r) $zrl = true; } + + $t = strip_zids($matches[2]); + if($t !== $matches[2]) { + $zrl = true; + $matches[2] = $t; + } + if($matches[1] === '#^') $matches[1] = ''; if($zrl) diff --git a/include/text.php b/include/text.php index 2b334068f..2f5accf6e 100755 --- a/include/text.php +++ b/include/text.php @@ -621,6 +621,11 @@ function get_tags($s) { } +function strip_zids($s) { + return preg_replace('/[\?&]zid=(.*?)(&|$)/ism','$2',$s); +} + + // quick and dirty quoted_printable encoding diff --git a/index.php b/index.php index 736918661..24d54d829 100755 --- a/index.php +++ b/index.php 
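Review bot: Setting `$zrl = true` solely because a zid= parameter was found makes the hubloc lookup just above it redundant for any pasted zrl, and nothing in the hunk records why that is acceptable; a one-line why-comment such as `// a zid= parameter presumably came from a red site, so link it as a zrl even without a hubloc` would make the intent explicit. Separately, preg_replace returns null on a PCRE error, and `$t !== $matches[2]` would then replace the link target with null; guarding with `if($t !== null && $t !== $matches[2])` keeps the original URL in that case. red_zrl_callback begins and ends outside this hunk.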
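Review bot: strip_zids drops the leading `?` when zid is the first of several parameters, because the replacement `$2` re-emits the trailing `&`: `https://example.com/?zid=abc&page=2` becomes `https://example.com/&page=2`, and a full URL is exactly what the red_zrl_callback caller in include/items.php passes in. Removing the parameter with its trailing separator when another follows, and with its leading separator when it is last, keeps the result well formed: `$s = preg_replace('/(?<=[\?&])zid=[^&]*&/i', '', $s);` followed by `return preg_replace('/[\?&]zid=[^&]*$/i', '', $s);`. That also retires the unused `(.*?)` capture and the `m` modifier, which lets `$` match at embedded line ends. A short docblock stating that a zid is a per-viewer identity parameter that must never be persisted in a link, and that the function accepts either a full URL or a bare query string, would help the $_SERVER callers in mod/cloud.php.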
@@ -92,7 +92,7 @@ if((x($_SESSION,'language')) && ($_SESSION['language'] !== $lang)) { } if((x($_GET,'zid')) && (! $a->install)) { - $a->query_string = preg_replace('/[\?&]zid=(.*?)([\?&]|$)/is','',$a->query_string); + $a->query_string = strip_zids($a->query_string); if(! local_user()) { $_SESSION['my_address'] = $_GET['zid']; zid_init($a); diff --git a/mod/cloud.php b/mod/cloud.php index 18b61f941..3606325bd 100644 --- a/mod/cloud.php +++ b/mod/cloud.php @@ -73,11 +73,11 @@ function cloud_init(&$a) { $_SERVER['QUERY_STRING'] = str_replace(array('?f=','&f='),array('',''),$_SERVER['QUERY_STRING']); - $_SERVER['QUERY_STRING'] = preg_replace('/[\?&]zid=(.*?)([\?&]|$)/ism','',$_SERVER['QUERY_STRING']); + $_SERVER['QUERY_STRING'] = strip_zids($_SERVER['QUERY_STRING']); $_SERVER['QUERY_STRING'] = preg_replace('/[\?&]davguest=(.*?)([\?&]|$)/ism','',$_SERVER['QUERY_STRING']); $_SERVER['REQUEST_URI'] = str_replace(array('?f=','&f='),array('',''),$_SERVER['REQUEST_URI']); - $_SERVER['REQUEST_URI'] = preg_replace('/[\?&]zid=(.*?)([\?&]|$)/ism','',$_SERVER['REQUEST_URI']); + $_SERVER['REQUEST_URI'] = strip_zids($_SERVER['REQUEST_URI']); $_SERVER['REQUEST_URI'] = preg_replace('/[\?&]davguest=(.*?)([\?&]|$)/ism','',$_SERVER['REQUEST_URI']); $rootDirectory = new RedDirectory('/',$auth); diff --git a/mod/item.php b/mod/item.php index 48f85f692..1c32a637a 100644 --- a/mod/item.php +++ b/mod/item.php 
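Review bot: The davguest stripping on the line directly below each replaced call keeps the regex shape this hunk retires for zid, `'/[\?&]davguest=(.*?)([\?&]|$)/ism'` with an empty replacement, which removes both delimiters so that `q=cloud/x&davguest=1&foo=2` collapses to `q=cloud/xfoo=2`. Since the new helper exists for exactly this purpose, a parameter-name variant such as `strip_query_param($s, 'davguest')`, with strip_zids delegating to it, would keep the two parameters from diverging again. cloud_init continues outside the hunk.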
@@ -423,19 +423,13 @@ function item_post(&$a) { /** * fix naked links by passing through a callback to see if this is a red site * (already known to us) which will get a zrl, otherwise link with url, add bookmark tag to both. - * First wrap any url which is part of link anchor text already in quotes so we don't double link it. - * e.g. [url=http://foobar.com]something with http://elsewhere.com in it[/url] - * becomes [url=http://foobar.com]something with "http://elsewhere.com" in it[/url] - * otherwise http://elsewhere.com becomes #^[url=http://elsewhere.com]http://elsewhere.com[/url] + * First protect any url inside certain bbcode tags so we don't double link it. */ $body = preg_replace_callback('/\[code(.*?)\[\/(code)\]/ism','red_escape_codeblock',$body); $body = preg_replace_callback('/\[url(.*?)\[\/(url)\]/ism','red_escape_codeblock',$body); $body = preg_replace_callback('/\[zrl(.*?)\[\/(zrl)\]/ism','red_escape_codeblock',$body); -// no longer needed -// $body = preg_replace_callback('/\[([uz])rl(.*?)\](.*?)(https?\:\/\/[a-zA-Z0-9\:\/\-\?\&\;\.\=\@\_\~\#\%\$\!\+\,]+)(.*?)\[\/([uz])rl\]/ism','red_escape_zrl_callback',$body); - $body = preg_replace_callback("/([^\]\='".'"'."]|^|\#\^)(https?\:\/\/[a-zA-Z0-9\:\/\-\?\&\;\.\=\@\_\~\#\%\$\!\+\,]+)/ism", 'red_zrl_callback', $body); $body = preg_replace_callback('/\[\$b64zrl(.*?)\[\/(zrl)\]/ism','red_unescape_codeblock',$body); diff --git a/version.inc b/version.inc index b73d1c3e6..cc21a24b6 100644 --- a/version.inc +++ b/version.inc @@ -1 +1 @@ -2014-02-14.588 +2014-02-16.590 -- cgit v1.2.3