From 6466774b6e6ed72ea1cc57cbc76e451205934aca Mon Sep 17 00:00:00 2001
From: redmatrix
Date: Wed, 20 May 2015 18:46:23 -0700
Subject: PRIVACY: possible privacy leakage under a defined set of circumstances

---
 include/items.php | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

(limited to 'include/items.php')

diff --git a/include/items.php b/include/items.php
index 1db3fab2b..245259e38 100755
--- a/include/items.php
+++ b/include/items.php
@@ -2527,6 +2527,7 @@ function item_store_update($arr,$allow_exec = false) {
 $arr['title'] = ((array_key_exists('title',$arr) && strlen($arr['title'])) ? trim($arr['title']) : '');
 $arr['body'] = ((array_key_exists('body',$arr) && strlen($arr['body'])) ? trim($arr['body']) : '');
+ $arr['attach'] = ((x($arr,'attach')) ? notags(trim($arr['attach'])) : $orig[0]['attach']);
 $arr['app'] = ((x($arr,'app')) ? notags(trim($arr['app'])) : $orig[0]['app']);
 // $arr['item_restrict'] = ((x($arr,'item_restrict')) ? intval($arr['item_restrict']) : $orig[0]['item_restrict'] );
@@ -4372,12 +4373,14 @@ function fetch_post_tags($items,$link = false) {
-function zot_feed($uid,$observer_xchan,$arr) {
+function zot_feed($uid,$observer_hash,$arr) {
 $result = array();
 $mindate = null;
 $message_id = null;
+ require_once('include/security.php');
+
 if(array_key_exists('mindate',$arr)) {
 $mindate = datetime_convert('UTC','UTC',$arr['mindate']);
 }
@@ -4395,14 +4398,14 @@ function zot_feed($uid,$observer_xchan,$arr) {
 if($message_id) logger('message_id: ' . $message_id,LOGGER_DEBUG);
- if(! perm_is_allowed($uid,$observer_xchan,'view_stream')) {
+ if(! perm_is_allowed($uid,$observer_hash,'view_stream')) {
 logger('zot_feed: permission denied.');
 return $result;
 }
 if(! is_sys_channel($uid)) {
 require_once('include/security.php');
- $sql_extra = item_permissions_sql($uid);
+ $sql_extra = item_permissions_sql($uid,$observer_hash);
 }
 $limit = " LIMIT 100 ";
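Review bot: zot_feed still has no docblock after the rename, and the new `$observer_hash` name carries the whole security contract of this commit: it is the identity that `perm_is_allowed` and, in the next hunk, `item_permissions_sql` filter by, so a caller passing the local session's observer instead of the remote requester would reintroduce the leak being fixed. I would add above the signature: `/** Build the Zot feed of channel $uid as seen by the remote requester $observer_hash (an xchan hash); $arr carries the 'mindate' cursor. Permission filtering is done against $observer_hash, not the current session. */` — the `mindate` key is visible here, the `message_id` source is not, so I have left it out. The function body runs past the end of this hunk.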
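Review bot: The `require_once('include/security.php');` inside the `if(! is_sys_channel($uid))` branch is now redundant, since this commit requires the same file unconditionally at the top of zot_feed (the copy in the sys-channel branch was removed, this one was left); drop it so the include lives in one place. The denial path `logger('zot_feed: permission denied.');` records neither the channel nor the requester, which is exactly what you need when investigating probes against a private stream after a privacy fix; `logger('zot_feed: permission denied for observer ' . $observer_hash . ' on channel ' . $uid);` logs no secret and makes the event attributable. With `$observer_hash` now passed into `item_permissions_sql`, it is worth confirming what that helper does when the hash is empty (an anonymous fetch) — whether it falls back to public-only items or to the session observer decides whether the fix is complete; the helper is not in this diff. The function continues outside the hunk.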
@@ -4416,6 +4419,7 @@ function zot_feed($uid,$observer_xchan,$arr) {
 $limit = '';
 }
+ $items = array();
 /** @FIXME fix this part for PostgreSQL */
@@ -4425,7 +4429,6 @@ function zot_feed($uid,$observer_xchan,$arr) {
 }
 if(is_sys_channel($uid)) {
- require_once('include/security.php');
 $r = q("SELECT parent, created, postopts from item WHERE uid != %d AND item_private = 0 AND item_restrict = 0 AND uid in (" . stream_perms_api_uids(PERMS_PUBLIC,10,1) . ")
@@ -4633,7 +4636,7 @@ function items_fetch($arr,$channel = null,$observer_hash = null,$client_mode = C
 //$start = dba_timer();
 require_once('include/security.php');
- $sql_extra .= item_permissions_sql($channel['channel_id']);
+ $sql_extra .= item_permissions_sql($channel['channel_id'],$observer_hash);
 if ($arr['pages']) $item_restrict = " AND (item_restrict & " . ITEM_WEBPAGE . ") ";
-- cgit v1.2.3
From 0826c5fd96dfc371620eb0ca6d0781d9539b3b0c Mon Sep 17 00:00:00 2001
From: redmatrix
Date: Wed, 20 May 2015 19:18:32 -0700
Subject: don't allow item_id to update without a valid post id

---
 include/items.php | 5 +++++
 1 file changed, 5 insertions(+)

(limited to 'include/items.php')

diff --git a/include/items.php b/include/items.php
index 245259e38..d0b647a92 100755
--- a/include/items.php
+++ b/include/items.php
@@ -4142,6 +4142,8 @@ function delete_item_lowlevel($item, $stage = DROPITEM_NORMAL, $force = false) {
 $linked_item = (($item['resource_id']) ? true : false);
+ logger('item: ' . $item . ' stage: ' . $stage . ' force: ' . $force, LOGGER_DATA);
+
 switch($stage) {
 case DROPITEM_PHASE2:
 $r = q("UPDATE item SET item_restrict = ( item_restrict | %d ), body = '', title = '',
@@ -4742,6 +4744,9 @@ function update_remote_id($channel,$post_id,$webpage,$pagetitle,$namespace,$remo
 $page_type = '';
+ if(! $post_id)
+ return;
+
 if($webpage & ITEM_WEBPAGE) $page_type = 'WEBPAGE';
 elseif($webpage & ITEM_BUILDBLOCK)
-- cgit v1.2.3
From 62df06b3d6b2e56d271b69bebf8427caa715dd16 Mon Sep 17 00:00:00 2001
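Review bot: `$observer_hash` defaults to `null` in the items_fetch signature shown in the hunk header, so every existing caller that omits it now feeds null into `item_permissions_sql($channel['channel_id'],$observer_hash)`. Whether null means "anonymous, public items only" or "fall back to the session observer" is decided inside item_permissions_sql, which is not in this diff; if it is the latter, callers that serve remote requests with the argument omitted still have the leak this commit is titled for. I would audit the call sites and pin the intent with a comment on the new line: `// $observer_hash may be null when omitted by the caller; item_permissions_sql must treat that as anonymous, never as the logged-in observer`. `$channel` also defaults to null in the same header, so `$channel['channel_id']` can be null here, but that predates this change. items_fetch starts before and ends after this hunk.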
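Review bot: `$item` is an array here — the line directly above reads `$item['resource_id']` — so `'item: ' . $item` concatenates to the literal string `Array` and raises an "Array to string conversion" notice on every delete, making the new log line useless. Log an identifier instead: `logger('item: ' . $item['id'] . ' stage: ' . $stage . ' force: ' . intval($force), LOGGER_DATA);` (this assumes the array carries the item's `id` — confirm against the callers; `intval($force)` also makes `false` visible as `0` rather than an empty string). Do not reach for `print_r($item, true)` as the fix: at LOGGER_DATA it would write the full body and title of deleted posts, including private ones, into the log, which is the opposite of what the previous PRIVACY commit is after. delete_item_lowlevel continues past the hunk.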
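Review bot: The new guard `if(! $post_id) return;` exits silently, so a caller that reaches update_remote_id without a post id — the failure the commit title describes — leaves no trace to debug later; add `logger('update_remote_id: called without post_id', LOGGER_DEBUG);` before the return. The check is truthiness-based, so a `$post_id` of `'0'` or `0` is rejected along with null and the empty string; that is presumably fine for a row id but deserves a one-line comment saying so. The parameter list is truncated in the hunk header and the body runs past the hunk, so I cannot see what the function otherwise returns.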
From: redmatrix
Date: Wed, 20 May 2015 20:20:35 -0700
Subject: cloning abook entries was broken in several ways if the target xchan wasn't available on the clone site. This should make it less broken.

---
 include/items.php | 8 ++++++++
 1 file changed, 8 insertions(+)

(limited to 'include/items.php')

diff --git a/include/items.php b/include/items.php
index d0b647a92..3936f1a6f 100755
--- a/include/items.php
+++ b/include/items.php
@@ -971,6 +971,14 @@ function import_author_diaspora($x) {
 if(! $x['address']) return false;
+ $r = q("select * from xchan where xchan_addr = '%s' limit 1",
+ dbesc($x['address'])
+ );
+ if($r) {
+ logger('in_cache: ' . $x['address'], LOGGER_DATA);
+ return $r[0]['chan_hash'];
+ }
+
 if(discover_by_webbie($x['address'])) {
 $r = q("select xchan_hash from xchan where xchan_addr = '%s' limit 1",
 dbesc($x['address'])
-- cgit v1.2.3
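Review bot: `return $r[0]['chan_hash'];` reads a column the row does not have: the query a few lines below in the same hunk selects `xchan_hash` from the same `xchan` table and the lookup column is `xchan_addr`, so the key is `xchan_hash`. As written the cache hit returns null with an undefined-index notice, so a cached author produces no hash and the "less broken" path fails silently for exactly the case this commit targets; change it to `return $r[0]['xchan_hash'];`. While there, `select xchan_hash from xchan where xchan_addr = '%s' limit 1` is preferable to `select *`, since only the hash is used and it matches the query below. The cache lookup matches on address alone with no network filter, which the following webbie-based lookup also does; if an xchan with the same address can exist from another network, confirm that returning it is intended for a Diaspora import. The function continues past the hunk.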