From cd518625bf561f1ed42db0b78030b74c32435136 Mon Sep 17 00:00:00 2001 From: redmatrix Date: Sun, 1 May 2016 19:19:17 -0700 Subject: some much needed work on oembed security --- Zotlabs/Module/Admin.php | 29 +++++++++++++++++++---------- Zotlabs/Module/Oep.php | 2 +- 2 files changed, 20 insertions(+), 11 deletions(-) (limited to 'Zotlabs/Module') diff --git a/Zotlabs/Module/Admin.php b/Zotlabs/Module/Admin.php index 1d37b41bc..b22931b1a 100644 --- a/Zotlabs/Module/Admin.php +++ b/Zotlabs/Module/Admin.php @@ -568,25 +568,25 @@ class Admin extends \Zotlabs\Web\Controller { $block_public = ((x($_POST,'block_public')) ? True : False); set_config('system','block_public',$block_public); - $ws = trim_array_elems(explode("\n",$_POST['whitelisted_sites'])); + $ws = $this->trim_array_elems(explode("\n",$_POST['whitelisted_sites'])); set_config('system','whitelisted_sites',$ws); - $bs = trim_array_elems(explode("\n",$_POST['blacklisted_sites'])); + $bs = $this->trim_array_elems(explode("\n",$_POST['blacklisted_sites'])); set_config('system','blacklisted_sites',$bs); - $wc = trim_array_elems(explode("\n",$_POST['whitelisted_channels'])); + $wc = $this->trim_array_elems(explode("\n",$_POST['whitelisted_channels'])); set_config('system','whitelisted_channels',$wc); - $bc = trim_array_elems(explode("\n",$_POST['blacklisted_channels'])); + $bc = $this->trim_array_elems(explode("\n",$_POST['blacklisted_channels'])); set_config('system','blacklisted_channels',$bc); $embed_coop = ((x($_POST,'embed_coop')) ? True : False); set_config('system','embed_coop',$embed_coop); - $we = trim_array_elems(explode("\n",$_POST['embed_allow'])); + $we = $this->trim_array_elems(explode("\n",$_POST['embed_allow'])); set_config('system','embed_allow',$we); - $be = trim_array_elems(explode("\n",$_POST['embed_deny'])); + $be = $this->trim_array_elems(explode("\n",$_POST['embed_deny'])); set_config('system','embed_deny',$be); goaway(z_root() . '/admin/security'); @@ -708,9 +708,13 @@ class Admin extends \Zotlabs\Web\Controller { $embed_coop = intval(get_config('system','embed_coop')); - // wait to implement this until we have a co-op in place. - // if((! $whiteembeds) && (! $blackembeds) && (! $embed_coop)) - // $whiteembeds_str = "youtube.com\nyoutu.be\ntwitter.com\nvimeo.com\nsoundcloud.com\nwikipedia.com"; + if((! $whiteembeds) && (! $blackembeds)) { + $embedhelp1 = t("By default, unfiltered HTML is allowed in embedded media. This is inherently insecure."); + } + + $embedhelp2 = t("The recommended setting is to only allow unfiltered HTML from the following sites:"); + $embedhelp3 = t("youtube.com
youtu.be
twitter.com
vimeo.com
soundcloud.com
wikipedia.com
"); + $embedhelp4 = t("All other embedded content will be filtered, unless embedded content from that site is explicitly blocked."); $t = get_markup_template('admin_security.tpl'); return replace_macros($t, array( @@ -722,10 +726,15 @@ class Admin extends \Zotlabs\Web\Controller { '$blacklisted_sites' => array('blacklisted_sites', t('Block communications from these sites'), $blacksites_str, ''), '$whitelisted_channels' => array('whitelisted_channels', t('Allow communications only from these channels'), $whitechannels_str, t('One channel (hash) per line. Leave empty to allow from any channel by default')), '$blacklisted_channels' => array('blacklisted_channels', t('Block communications from these channels'), $blackchannels_str, ''), - '$embed_allow' => array('embed_allow', t('Allow embedded HTML content only from these domains'), $whiteembeds_str, t('One site per line. Leave empty to allow from any site by default')), + '$embed_allow' => array('embed_allow', t('Allow unfiltered embedded HTML content only from these domains'), $whiteembeds_str, t('One site per line. Leave empty to allow from any site by default')), '$embed_deny' => array('embed_deny', t('Block embedded HTML from these domains'), $blackembeds_str, ''), // '$embed_coop' => array('embed_coop', t('Cooperative embed security'), $embed_coop, t('Enable to share embed security with other compatible sites/hubs')), + '$embedhelp1' => $embedhelp1, + '$embedhelp2' => $embedhelp2, + '$embedhelp3' => $embedhelp3, + '$embedhelp4' => $embedhelp4, + '$submit' => t('Submit') )); } diff --git a/Zotlabs/Module/Oep.php b/Zotlabs/Module/Oep.php index f36a452e8..638ea7e2d 100644 --- a/Zotlabs/Module/Oep.php +++ b/Zotlabs/Module/Oep.php @@ -220,7 +220,7 @@ class Oep extends \Zotlabs\Web\Controller { $ret['width'] = intval($width); $ret['height'] = intval($height); - $ret['html'] = get_zcard($c,get_observer_hash(),array('width' => $width, 'height' => $height)); + $ret['html'] = get_zcard_embed($c,get_observer_hash(),array('width' => $width, 'height' => $height)); return $ret; -- cgit v1.2.3 From f284558007583c7b882071fa995f994661bb97cc Mon Sep 17 00:00:00 2001 From: redmatrix Date: Sun, 1 May 2016 19:29:30 -0700 Subject: use only the std_version --- Zotlabs/Module/Admin.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'Zotlabs/Module') diff --git a/Zotlabs/Module/Admin.php b/Zotlabs/Module/Admin.php index b22931b1a..5eaede6a6 100644 --- a/Zotlabs/Module/Admin.php +++ b/Zotlabs/Module/Admin.php @@ -221,7 +221,7 @@ class Admin extends \Zotlabs\Web\Controller { '$pending' => array( t('Pending registrations'), $pending), '$channels' => array( t('Registered channels'), $channels), '$plugins' => array( t('Active plugins'), $plugins ), - '$version' => array( t('Version'), RED_VERSION), + '$version' => array( t('Version'), STD_VERSION), '$build' => get_config('system', 'db_version') )); } -- cgit v1.2.3 From 5e458491f1e0fce5ec9e4855dac13340af627ded Mon Sep 17 00:00:00 2001 From: redmatrix Date: Sun, 1 May 2016 20:43:57 -0700 Subject: sort addons based on the internal display name instead of the filename --- Zotlabs/Module/Admin.php | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'Zotlabs/Module') diff --git a/Zotlabs/Module/Admin.php b/Zotlabs/Module/Admin.php index 5eaede6a6..6dad11ab8 100644 --- a/Zotlabs/Module/Admin.php +++ b/Zotlabs/Module/Admin.php @@ -1336,6 +1336,8 @@ class Admin extends \Zotlabs\Web\Controller { } } + usort($plugins,'self::plugin_sort'); + $t = get_markup_template('admin_plugins.tpl'); return replace_macros($t, array( '$title' => t('Administration'), @@ -1349,6 +1351,11 @@ class Admin extends \Zotlabs\Web\Controller { )); } + static public function plugin_sort($a,$b) { + return(strcmp(strtolower($a[2]['name']),strtolower($b[2]['name']))); + } + + /** * @param array $themes * @param string $th -- cgit v1.2.3 From a10fe5f13e67faa33a72caa33c49c36113213ffe Mon Sep 17 00:00:00 2001 From: redmatrix Date: Sun, 1 May 2016 22:45:38 -0700 Subject: a couple of bugfixes from earlier checkins and implementation of source tags --- Zotlabs/Module/Sources.php | 19 +++++++++++++------ 1 file changed, 13 insertions(+), 6 deletions(-) (limited to 'Zotlabs/Module') diff --git a/Zotlabs/Module/Sources.php b/Zotlabs/Module/Sources.php index cca9e5ebf..ef32991ee 100644 --- a/Zotlabs/Module/Sources.php +++ b/Zotlabs/Module/Sources.php @@ -7,7 +7,7 @@ class Sources extends \Zotlabs\Web\Controller { function post() { if(! local_channel()) return; - + if(! feature_enabled(local_channel(),'channel_sources')) return ''; @@ -17,6 +17,7 @@ class Sources extends \Zotlabs\Web\Controller { $words = $_REQUEST['words']; $frequency = $_REQUEST['frequency']; $name = $_REQUEST['name']; + $tags = $_REQUEST['tags']; $channel = \App::get_channel(); @@ -36,14 +37,15 @@ class Sources extends \Zotlabs\Web\Controller { notice ( t('Failed to create source. No channel selected.') . EOL); return; } - + if(! $source) { - $r = q("insert into source ( src_channel_id, src_channel_xchan, src_xchan, src_patt ) - values ( %d, '%s', '%s', '%s' ) ", + $r = q("insert into source ( src_channel_id, src_channel_xchan, src_xchan, src_patt, src_tag ) + values ( %d, '%s', '%s', '%s', '%s' ) ", intval(local_channel()), dbesc($channel['channel_hash']), dbesc($xchan), - dbesc($words) + dbesc($words), + dbesc($tags) ); if($r) { info( t('Source created.') . EOL); @@ -51,9 +53,10 @@ class Sources extends \Zotlabs\Web\Controller { goaway(z_root() . '/sources'); } else { - $r = q("update source set src_xchan = '%s', src_patt = '%s' where src_channel_id = %d and src_id = %d", + $r = q("update source set src_xchan = '%s', src_patt = '%s', src_tag = '%s' where src_channel_id = %d and src_id = %d", dbesc($xchan), dbesc($words), + dbesc($tags), intval(local_channel()), intval($source) ); @@ -62,6 +65,7 @@ class Sources extends \Zotlabs\Web\Controller { } } + } @@ -105,6 +109,8 @@ class Sources extends \Zotlabs\Web\Controller { '$desc' => t('Import all or selected content from the following channel into this channel and distribute it according to your channel settings.'), '$words' => array( 'words', t('Only import content with these words (one per line)'),'',t('Leave blank to import all public content')), '$name' => array( 'name', t('Channel Name'), '', ''), + '$tags' => array('tags', t('Add the following tags to posts imported from this source (comma separated)','','')), + '$submit' => t('Submit') )); return $o; @@ -138,6 +144,7 @@ class Sources extends \Zotlabs\Web\Controller { '$words' => array( 'words', t('Only import content with these words (one per line)'),$r[0]['src_patt'],t('Leave blank to import all public content')), '$xchan' => $r[0]['src_xchan'], '$abook' => $x[0]['abook_id'], + '$tags' => array('tags', t('Add the following tags to posts imported from this source (comma separated)'),$r[0]['src_tag'],''), '$name' => array( 'name', t('Channel Name'), $r[0]['xchan_name'], ''), '$submit' => t('Submit') )); -- cgit v1.2.3 From 559ed3f0a8cbe90b6c20cc4ada649bc063f41c25 Mon Sep 17 00:00:00 2001 From: redmatrix Date: Mon, 2 May 2016 01:18:18 -0700 Subject: sort out the rest of the source categories --- Zotlabs/Module/Sources.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'Zotlabs/Module') diff --git a/Zotlabs/Module/Sources.php b/Zotlabs/Module/Sources.php index ef32991ee..a180d9b6e 100644 --- a/Zotlabs/Module/Sources.php +++ b/Zotlabs/Module/Sources.php @@ -109,7 +109,7 @@ class Sources extends \Zotlabs\Web\Controller { '$desc' => t('Import all or selected content from the following channel into this channel and distribute it according to your channel settings.'), '$words' => array( 'words', t('Only import content with these words (one per line)'),'',t('Leave blank to import all public content')), '$name' => array( 'name', t('Channel Name'), '', ''), - '$tags' => array('tags', t('Add the following tags to posts imported from this source (comma separated)','','')), + '$tags' => array('tags', t('Add the following categories to posts imported from this source (comma separated)'),'',t('Optional')), '$submit' => t('Submit') )); @@ -144,7 +144,7 @@ class Sources extends \Zotlabs\Web\Controller { '$words' => array( 'words', t('Only import content with these words (one per line)'),$r[0]['src_patt'],t('Leave blank to import all public content')), '$xchan' => $r[0]['src_xchan'], '$abook' => $x[0]['abook_id'], - '$tags' => array('tags', t('Add the following tags to posts imported from this source (comma separated)'),$r[0]['src_tag'],''), + '$tags' => array('tags', t('Add the following categories to posts imported from this source (comma separated)'),$r[0]['src_tag'],t('Optional')), '$name' => array( 'name', t('Channel Name'), $r[0]['xchan_name'], ''), '$submit' => t('Submit') )); -- cgit v1.2.3 From b371c028ad31180b4c73f92b45c4ca8f5fff259e Mon Sep 17 00:00:00 2001 From: redmatrix Date: Mon, 2 May 2016 22:28:27 -0700 Subject: more security stuff --- Zotlabs/Module/Admin.php | 21 +++++++++++++-------- 1 file changed, 13 insertions(+), 8 deletions(-) (limited to 'Zotlabs/Module') diff --git a/Zotlabs/Module/Admin.php b/Zotlabs/Module/Admin.php index 6dad11ab8..e1eaa6e0e 100644 --- a/Zotlabs/Module/Admin.php +++ b/Zotlabs/Module/Admin.php @@ -580,8 +580,8 @@ class Admin extends \Zotlabs\Web\Controller { $bc = $this->trim_array_elems(explode("\n",$_POST['blacklisted_channels'])); set_config('system','blacklisted_channels',$bc); - $embed_coop = ((x($_POST,'embed_coop')) ? True : False); - set_config('system','embed_coop',$embed_coop); + $embed_sslonly = ((x($_POST,'embed_sslonly')) ? True : False); + set_config('system','embed_sslonly',$embed_sslonly); $we = $this->trim_array_elems(explode("\n",$_POST['embed_allow'])); set_config('system','embed_allow',$we); @@ -589,6 +589,12 @@ class Admin extends \Zotlabs\Web\Controller { $be = $this->trim_array_elems(explode("\n",$_POST['embed_deny'])); set_config('system','embed_deny',$be); + $ts = ((x($_POST,'transport_security')) ? True : False); + set_config('system','transport_security_header',$ts); + + $cs = ((x($_POST,'content_security')) ? True : False); + set_config('system','content_security_policy',$cs); + goaway(z_root() . '/admin/security'); } @@ -713,7 +719,7 @@ class Admin extends \Zotlabs\Web\Controller { } $embedhelp2 = t("The recommended setting is to only allow unfiltered HTML from the following sites:"); - $embedhelp3 = t("youtube.com
youtu.be
twitter.com
vimeo.com
soundcloud.com
wikipedia.com
"); + $embedhelp3 = t("https://youtube.com/
https://www.youtube.com/
https://youtu.be/
https://vimeo.com/
https://soundcloud.com/
"); $embedhelp4 = t("All other embedded content will be filtered, unless embedded content from that site is explicitly blocked."); $t = get_markup_template('admin_security.tpl'); @@ -722,18 +728,17 @@ class Admin extends \Zotlabs\Web\Controller { '$page' => t('Security'), '$form_security_token' => get_form_security_token('admin_security'), '$block_public' => array('block_public', t("Block public"), get_config('system','block_public'), t("Check to block public access to all otherwise public personal pages on this site unless you are currently authenticated.")), + '$transport_security' => array('transport_security', t('Set "Transport Security" HTTP header'),intval(get_config('system','transport_security_header')),''), + '$content_security' => array('content_security', t('Set "Content Security Policy" HTTP header'),intval(get_config('system','content_security_policy')),''), '$whitelisted_sites' => array('whitelisted_sites', t('Allow communications only from these sites'), $whitesites_str, t('One site per line. Leave empty to allow communication from anywhere by default')), '$blacklisted_sites' => array('blacklisted_sites', t('Block communications from these sites'), $blacksites_str, ''), '$whitelisted_channels' => array('whitelisted_channels', t('Allow communications only from these channels'), $whitechannels_str, t('One channel (hash) per line. Leave empty to allow from any channel by default')), '$blacklisted_channels' => array('blacklisted_channels', t('Block communications from these channels'), $blackchannels_str, ''), - '$embed_allow' => array('embed_allow', t('Allow unfiltered embedded HTML content only from these domains'), $whiteembeds_str, t('One site per line. Leave empty to allow from any site by default')), + '$embed_sslonly' => array('embed_sslonly',t('Only allow embeds from secure (SSL) websites and links.'), intval(get_config('system','embed_sslonly')),''), + '$embed_allow' => array('embed_allow', t('Allow unfiltered embedded HTML content only from these domains'), $whiteembeds_str, t('One site per line. By default embedded content is filtered.')), '$embed_deny' => array('embed_deny', t('Block embedded HTML from these domains'), $blackembeds_str, ''), // '$embed_coop' => array('embed_coop', t('Cooperative embed security'), $embed_coop, t('Enable to share embed security with other compatible sites/hubs')), - '$embedhelp1' => $embedhelp1, - '$embedhelp2' => $embedhelp2, - '$embedhelp3' => $embedhelp3, - '$embedhelp4' => $embedhelp4, '$submit' => t('Submit') )); -- cgit v1.2.3