From 06e0272db873ad0b7dbc96596e92b8c635f940a2 Mon Sep 17 00:00:00 2001 From: friendica Date: Sun, 17 Nov 2013 16:50:32 -0800 Subject: populate some posts when somebody is granted "read stream" permission --- include/items.php | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'include/items.php') diff --git a/include/items.php b/include/items.php index 520ea7230..5793a7d66 100755 --- a/include/items.php +++ b/include/items.php @@ -3757,6 +3757,7 @@ function fetch_post_tags($items,$link = false) { function zot_feed($uid,$observer_xchan,$mindate) { + $result = array(); $mindate = datetime_convert('UTC','UTC',$mindate); if(! $mindate) @@ -3764,10 +3765,14 @@ function zot_feed($uid,$observer_xchan,$mindate) { $mindate = dbesc($mindate); + logger('zot_feed: ' . $uid); + if(! perm_is_allowed($uid,$observer_xchan,'view_stream')) { + logger('zot_feed: permission denied.'); return $result; } + require_once('include/security.php'); $sql_extra = item_permissions_sql($uid); if($mindate != '0000-00-00 00:00:00') { -- cgit v1.2.3 From 13538cdd21c6e13a2ff108f1b42dbecaab8b375a Mon Sep 17 00:00:00 2001 From: friendica Date: Sun, 17 Nov 2013 19:22:24 -0800 Subject: pull in some posts when we first connect with a new channel (if allowed to) - if not allowed to, do it if that condition changes --- include/items.php | 27 ++++++++++++++++++++------- 1 file changed, 20 insertions(+), 7 deletions(-) (limited to 'include/items.php') diff --git a/include/items.php b/include/items.php index 5793a7d66..f8b698a4a 100755 --- a/include/items.php +++ b/include/items.php @@ -552,15 +552,20 @@ function get_item_elements($x) { $arr['created'] = datetime_convert('UTC','UTC',$x['created']); $arr['edited'] = datetime_convert('UTC','UTC',$x['edited']); - $arr['expires'] = ((x($x,'expires') && $x['expires']) - ? datetime_convert('UTC','UTC',$x['expires']) - : '0000-00-00 00:00:00'); if($arr['created'] > datetime_convert()) $arr['created'] = datetime_convert(); if($arr['edited'] > datetime_convert()) $arr['edited'] = datetime_convert(); + $arr['expires'] = ((x($x,'expires') && $x['expires']) + ? datetime_convert('UTC','UTC',$x['expires']) + : '0000-00-00 00:00:00'); + + $arr['commented'] = ((x($x,'commented') && $x['commented']) + ? datetime_convert('UTC','UTC',$x['commented']) + : $arr['created']); + $arr['title'] = (($x['title']) ? htmlentities($x['title'], ENT_COMPAT,'UTF-8',false) : ''); if(mb_strlen($arr['title']) > 255) @@ -714,6 +719,7 @@ function encode_item($item) { $x['created'] = $item['created']; $x['edited'] = $item['edited']; $x['expires'] = $item['expires']; + $x['commented'] = $item['commented']; $x['mimetype'] = $item['mimetype']; $x['title'] = $item['title']; $x['body'] = $item['body']; @@ -1539,8 +1545,8 @@ function item_store($arr,$allow_exec = false) { $arr['owner_xchan'] = ((x($arr,'owner_xchan')) ? notags(trim($arr['owner_xchan'])) : ''); $arr['created'] = ((x($arr,'created') !== false) ? datetime_convert('UTC','UTC',$arr['created']) : datetime_convert()); $arr['edited'] = ((x($arr,'edited') !== false) ? datetime_convert('UTC','UTC',$arr['edited']) : datetime_convert()); - $arr['expires'] = ((x($arr,'expires') !== false) ? datetime_convert('UTC','UTC',$arr['expires']) : '0000-00-00 00:00:00'); - $arr['commented'] = datetime_convert(); + $arr['expires'] = ((x($arr,'expires') !== false) ? datetime_convert('UTC','UTC',$arr['expires']) : '0000-00-00 00:00:00'); + $arr['commented'] = ((x($arr,'commented') !== false) ? datetime_convert('UTC','UTC',$arr['commented']) : datetime_convert()); $arr['received'] = datetime_convert(); $arr['changed'] = datetime_convert(); $arr['location'] = ((x($arr,'location')) ? notags(trim($arr['location'])) : ''); @@ -1777,8 +1783,15 @@ function item_store($arr,$allow_exec = false) { // update the commented timestamp on the parent - q("UPDATE item set commented = '%s', changed = '%s' WHERE id = %d LIMIT 1", - dbesc(datetime_convert()), + q("update item set commented = ( select max(created) from item where parent_mid = '%s' and uid = %d ) + where id = %d limit 1", + dbesc($arr['parent_mid']), + intval($arr['uid']), + intval($parent_id) + ); + + + q("UPDATE item set changed = '%s' WHERE id = %d LIMIT 1", dbesc(datetime_convert()), intval($parent_id) ); -- cgit v1.2.3 From 23352b939b0fadaadad9c6e02d6d1545f00ee0e9 Mon Sep 17 00:00:00 2001 From: friendica Date: Sun, 17 Nov 2013 19:49:48 -0800 Subject: better job of setting parent created --- include/items.php | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) (limited to 'include/items.php') diff --git a/include/items.php b/include/items.php index f8b698a4a..5625f2c68 100755 --- a/include/items.php +++ b/include/items.php @@ -1783,16 +1783,13 @@ function item_store($arr,$allow_exec = false) { // update the commented timestamp on the parent - q("update item set commented = ( select max(created) from item where parent_mid = '%s' and uid = %d ) - where id = %d limit 1", + $z = q("select max(created) as created from item where parent_mid = '%s' and uid = %d ", dbesc($arr['parent_mid']), - intval($arr['uid']), - intval($parent_id) + intval($arr['uid']) ); - - q("UPDATE item set changed = '%s' WHERE id = %d LIMIT 1", - dbesc(datetime_convert()), + q("UPDATE item set created = '%s', changed = '%s' WHERE id = %d LIMIT 1", + dbesc(($z) ? $z[0]['created'] : (datetime_convert())), intval($parent_id) ); -- cgit v1.2.3 From 6378600747e70ed19f43614cd022aa332d731c45 Mon Sep 17 00:00:00 2001 From: friendica Date: Sun, 17 Nov 2013 20:09:40 -0800 Subject: fix commented timestamp --- include/items.php | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) (limited to 'include/items.php') diff --git a/include/items.php b/include/items.php index 5625f2c68..7db22d0da 100755 --- a/include/items.php +++ b/include/items.php @@ -1783,13 +1783,14 @@ function item_store($arr,$allow_exec = false) { // update the commented timestamp on the parent - $z = q("select max(created) as created from item where parent_mid = '%s' and uid = %d ", + $z = q("select max(commented) as commented from item where parent_mid = '%s' and uid = %d ", dbesc($arr['parent_mid']), intval($arr['uid']) ); - q("UPDATE item set created = '%s', changed = '%s' WHERE id = %d LIMIT 1", - dbesc(($z) ? $z[0]['created'] : (datetime_convert())), + q("UPDATE item set commented = '%s', changed = '%s' WHERE id = %d LIMIT 1", + dbesc(($z) ? $z[0]['commented'] : (datetime_convert())), + dbesc(datetime_convert()), intval($parent_id) ); -- cgit v1.2.3 From dd6c64f95adc89895d4adf9ede8fbc8fdae41750 Mon Sep 17 00:00:00 2001 From: friendica Date: Sun, 17 Nov 2013 23:12:34 -0800 Subject: magic auth issues --- include/items.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'include/items.php') diff --git a/include/items.php b/include/items.php index 7db22d0da..7e21b9c4d 100755 --- a/include/items.php +++ b/include/items.php @@ -1783,7 +1783,7 @@ function item_store($arr,$allow_exec = false) { // update the commented timestamp on the parent - $z = q("select max(commented) as commented from item where parent_mid = '%s' and uid = %d ", + $z = q("select max(created) as commented from item where parent_mid = '%s' and uid = %d ", dbesc($arr['parent_mid']), intval($arr['uid']) ); -- cgit v1.2.3 From d7ee552c570f4fca760c3d1573f32c005cf73bb8 Mon Sep 17 00:00:00 2001 From: friendica Date: Wed, 20 Nov 2013 15:20:12 -0800 Subject: Protocol: now set data['alg'] on all encapsulated encrypted packets, so that we can more easily retire 'aes256cbc' once it is no longer viable. --- include/items.php | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) (limited to 'include/items.php') diff --git a/include/items.php b/include/items.php index 7e21b9c4d..fabad6a63 100755 --- a/include/items.php +++ b/include/items.php @@ -644,9 +644,9 @@ function get_item_elements($x) { $arr['item_flags'] = $arr['item_flags'] | ITEM_OBSCURED; $key = get_config('system','pubkey'); if($arr['title']) - $arr['title'] = json_encode(aes_encapsulate($arr['title'],$key)); + $arr['title'] = json_encode(crypto_encapsulate($arr['title'],$key)); if($arr['body']) - $arr['body'] = json_encode(aes_encapsulate($arr['body'],$key)); + $arr['body'] = json_encode(crypto_encapsulate($arr['body'],$key)); } @@ -699,9 +699,9 @@ function encode_item($item) { if(array_key_exists('item_flags',$item) && ($item['item_flags'] & ITEM_OBSCURED)) { $key = get_config('system','prvkey'); if($item['title']) - $item['title'] = aes_unencapsulate(json_decode_plus($item['title']),$key); + $item['title'] = crypto_unencapsulate(json_decode_plus($item['title']),$key); if($item['body']) - $item['body'] = aes_unencapsulate(json_decode_plus($item['body']),$key); + $item['body'] = crypto_unencapsulate(json_decode_plus($item['body']),$key); } if($item['item_restrict'] & ITEM_DELETED) { @@ -908,9 +908,9 @@ function encode_mail($item) { if(array_key_exists('mail_flags',$item) && ($item['mail_flags'] & MAIL_OBSCURED)) { $key = get_config('system','prvkey'); if($item['title']) - $item['title'] = aes_unencapsulate(json_decode_plus($item['title']),$key); + $item['title'] = crypto_unencapsulate(json_decode_plus($item['title']),$key); if($item['body']) - $item['body'] = aes_unencapsulate(json_decode_plus($item['body']),$key); + $item['body'] = crypto_unencapsulate(json_decode_plus($item['body']),$key); } $x['message_id'] = $item['mid']; @@ -963,10 +963,10 @@ function get_mail_elements($x) { $arr['mail_flags'] |= MAIL_OBSCURED; $arr['body'] = htmlentities($arr['body'],ENT_COMPAT,'UTF-8',false); if($arr['body']) - $arr['body'] = json_encode(aes_encapsulate($arr['body'],$key)); + $arr['body'] = json_encode(crypto_encapsulate($arr['body'],$key)); $arr['title'] = htmlentities($arr['title'],ENT_COMPAT,'UTF-8',false); if($arr['title']) - $arr['title'] = json_encode(aes_encapsulate($arr['title'],$key)); + $arr['title'] = json_encode(crypto_encapsulate($arr['title'],$key)); if($arr['created'] > datetime_convert()) $arr['created'] = datetime_convert(); @@ -1516,9 +1516,9 @@ function item_store($arr,$allow_exec = false) { $key = get_config('system','pubkey'); $arr['item_flags'] = $arr['item_flags'] | ITEM_OBSCURED; if($arr['title']) - $arr['title'] = json_encode(aes_encapsulate($arr['title'],$key)); + $arr['title'] = json_encode(crypto_encapsulate($arr['title'],$key)); if($arr['body']) - $arr['body'] = json_encode(aes_encapsulate($arr['body'],$key)); + $arr['body'] = json_encode(crypto_encapsulate($arr['body'],$key)); } } @@ -1887,9 +1887,9 @@ function item_store_update($arr,$allow_exec = false) { $key = get_config('system','pubkey'); $arr['item_flags'] = $arr['item_flags'] | ITEM_OBSCURED; if($arr['title']) - $arr['title'] = json_encode(aes_encapsulate($arr['title'],$key)); + $arr['title'] = json_encode(crypto_encapsulate($arr['title'],$key)); if($arr['body']) - $arr['body'] = json_encode(aes_encapsulate($arr['body'],$key)); + $arr['body'] = json_encode(crypto_encapsulate($arr['body'],$key)); } } @@ -2243,7 +2243,7 @@ function tag_deliver($uid,$item_id) { if($item['item_flags'] & ITEM_OBSCURED) { $key = get_config('system','prvkey'); if($item['body']) - $body = aes_unencapsulate(json_decode_plus($item['body']),$key); + $body = crypto_unencapsulate(json_decode_plus($item['body']),$key); } else $body = $item['body']; -- cgit v1.2.3 From 5315c88621719c93235f4d2d8a93eed29d7ae851 Mon Sep 17 00:00:00 2001 From: friendica Date: Wed, 20 Nov 2013 16:20:32 -0800 Subject: webpage edit - losing the ability to pass unfiltered html and perhaps some php due to unsetting uid too early in item_store_update() --- include/items.php | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) (limited to 'include/items.php') diff --git a/include/items.php b/include/items.php index fabad6a63..9fbd3fd8a 100755 --- a/include/items.php +++ b/include/items.php @@ -1844,8 +1844,6 @@ function item_store_update($arr,$allow_exec = false) { $arr['item_flags'] = intval($arr['item_flags']) | $orig[0]['item_flags']; $arr['item_restrict'] = intval($arr['item_restrict']) | $orig[0]['item_restrict']; - unset($arr['id']); - unset($arr['uid']); if(array_key_exists('edit',$arr)) unset($arr['edit']); @@ -1911,7 +1909,8 @@ function item_store_update($arr,$allow_exec = false) { } - + unset($arr['id']); + unset($arr['uid']); unset($arr['aid']); unset($arr['mid']); unset($arr['parent']); -- cgit v1.2.3 From dde3e28ceb150b2ddc6f60ea6c0c25aa45176921 Mon Sep 17 00:00:00 2001 From: friendica Date: Tue, 26 Nov 2013 15:26:11 -0800 Subject: add drop_item hook --- include/items.php | 3 +++ 1 file changed, 3 insertions(+) (limited to 'include/items.php') diff --git a/include/items.php b/include/items.php index 9fbd3fd8a..6968781f7 100755 --- a/include/items.php +++ b/include/items.php @@ -3551,6 +3551,9 @@ function drop_item($id,$interactive = true) { if($ok_to_delete) { + $arr = array('item' => $item); + call_hooks('drop_item', $arr ); + $notify_id = intval($item['id']); $items = q("select * from item where parent = %d and uid = %d", -- cgit v1.2.3 From ff635f0133532b82efc1e1fb531a1e3943cfe337 Mon Sep 17 00:00:00 2001 From: friendica Date: Tue, 26 Nov 2013 23:00:32 -0800 Subject: ensure that drop_item doesn't recurse --- include/items.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'include/items.php') diff --git a/include/items.php b/include/items.php index 6968781f7..02f733d92 100755 --- a/include/items.php +++ b/include/items.php @@ -3525,7 +3525,7 @@ function drop_item($id,$interactive = true) { intval($id) ); - if(! $r) { + if((! $r) || ($r[0]['item_restrict'] & ITEM_DELETED)) { if(! $interactive) return 0; notice( t('Item not found.') . EOL); -- cgit v1.2.3 From da29ce6dac0667de2883101e34c9dd64258719ce Mon Sep 17 00:00:00 2001 From: friendica Date: Tue, 26 Nov 2013 23:10:10 -0800 Subject: more loop prevention --- include/items.php | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'include/items.php') diff --git a/include/items.php b/include/items.php index 02f733d92..45c5f5ac9 100755 --- a/include/items.php +++ b/include/items.php @@ -3551,6 +3551,14 @@ function drop_item($id,$interactive = true) { if($ok_to_delete) { + // set the deleted flag immediately on this item just in case the + // hook calls a remote process which loops. We'll delete it properly in a second. + + $r = q("UPDATE item SET item_restrict = ( item_restrict | %d ) WHERE id = %d LIMIT 1", + intval(ITEM_DELETED), + intval($item['id']) + ); + $arr = array('item' => $item); call_hooks('drop_item', $arr ); -- cgit v1.2.3 From eae33275840495d27717f95f9647cf96c1c1d6cd Mon Sep 17 00:00:00 2001 From: friendica Date: Thu, 28 Nov 2013 18:10:04 -0800 Subject: item store hooks --- include/items.php | 15 +++++++++++++++ 1 file changed, 15 insertions(+) (limited to 'include/items.php') diff --git a/include/items.php b/include/items.php index 45c5f5ac9..e380be488 100755 --- a/include/items.php +++ b/include/items.php @@ -1432,6 +1432,12 @@ function encode_rel_links($links) { function item_store($arr,$allow_exec = false) { + $d = array('item' => $arr, 'allow_exec' => $allow_exec); + call_hooks('item_store', $d ); + $arr = $d['item']; + $allow_exec = $d['allow_exec']; + + $ret = array('result' => false, 'item_id' => 0); if(! $arr['uid']) { @@ -1808,6 +1814,15 @@ function item_store($arr,$allow_exec = false) { function item_store_update($arr,$allow_exec = false) { + + + $d = array('item' => $arr, 'allow_exec' => $allow_exec); + call_hooks('item_store_update', $d ); + $arr = $d['item']; + $allow_exec = $d['allow_exec']; + + + $ret = array('result' => false, 'item_id' => 0); if(! intval($arr['uid'])) { logger('item_store_update: no uid'); -- cgit v1.2.3 From bd33e0486d992eb8904f84862c052ee2f9d01d55 Mon Sep 17 00:00:00 2001 From: friendica Date: Sun, 1 Dec 2013 00:16:02 -0800 Subject: deprecate a->get_curl_code() and $a->get_curl_headers() --- include/items.php | 192 ------------------------------------------------------ 1 file changed, 192 deletions(-) (limited to 'include/items.php') diff --git a/include/items.php b/include/items.php index e380be488..fa46b62a1 100755 --- a/include/items.php +++ b/include/items.php @@ -2579,198 +2579,6 @@ function mail_store($arr) { - - - -function dfrn_deliver($owner,$contact,$atom, $dissolve = false) { - - $a = get_app(); - - $idtosend = $orig_id = (($contact['dfrn_id']) ? $contact['dfrn_id'] : $contact['issued_id']); - - if($contact['duplex'] && $contact['dfrn_id']) - $idtosend = '0:' . $orig_id; - if($contact['duplex'] && $contact['issued_id']) - $idtosend = '1:' . $orig_id; - - $rino = ((function_exists('mcrypt_encrypt')) ? 1 : 0); - - $rino_enable = get_config('system','rino_encrypt'); - - if(! $rino_enable) - $rino = 0; - -// $ssl_val = intval(get_config('system','ssl_policy')); -// $ssl_policy = ''; - -// switch($ssl_val){ -// case SSL_POLICY_FULL: -// $ssl_policy = 'full'; -// break; -// case SSL_POLICY_SELFSIGN: -// $ssl_policy = 'self'; -// break; -// case SSL_POLICY_NONE: -// default: -// $ssl_policy = 'none'; -// break; -// } - - $url = $contact['notify'] . '&dfrn_id=' . $idtosend . '&dfrn_version=' . DFRN_PROTOCOL_VERSION . (($rino) ? '&rino=1' : ''); - - logger('dfrn_deliver: ' . $url); - - $xml = fetch_url($url); - - $curl_stat = $a->get_curl_code(); - if(! $curl_stat) - return(-1); // timed out - - logger('dfrn_deliver: ' . $xml, LOGGER_DATA); - - if(! $xml) - return 3; - - if(strpos($xml,'status) != 0) || (! strlen($res->challenge)) || (! strlen($res->dfrn_id))) - return (($res->status) ? $res->status : 3); - - $postvars = array(); - $sent_dfrn_id = hex2bin((string) $res->dfrn_id); - $challenge = hex2bin((string) $res->challenge); - $perm = (($res->perm) ? $res->perm : null); - $dfrn_version = (float) (($res->dfrn_version) ? $res->dfrn_version : 2.0); - $rino_allowed = ((intval($res->rino) === 1) ? 1 : 0); - $page = (($owner['page-flags'] == PAGE_COMMUNITY) ? 1 : 0); - - if($owner['page-flags'] == PAGE_PRVGROUP) - $page = 2; - - $final_dfrn_id = ''; - - if($perm) { - if((($perm == 'rw') && (! intval($contact['writable']))) - || (($perm == 'r') && (intval($contact['writable'])))) { - q("update contact set writable = %d where id = %d limit 1", - intval(($perm == 'rw') ? 1 : 0), - intval($contact['id']) - ); - $contact['writable'] = (string) 1 - intval($contact['writable']); - } - } - - if(($contact['duplex'] && strlen($contact['pubkey'])) - || ($owner['page-flags'] == PAGE_COMMUNITY && strlen($contact['pubkey'])) - || ($contact['rel'] == CONTACT_IS_SHARING && strlen($contact['pubkey']))) { - openssl_public_decrypt($sent_dfrn_id,$final_dfrn_id,$contact['pubkey']); - openssl_public_decrypt($challenge,$postvars['challenge'],$contact['pubkey']); - } - else { - openssl_private_decrypt($sent_dfrn_id,$final_dfrn_id,$contact['prvkey']); - openssl_private_decrypt($challenge,$postvars['challenge'],$contact['prvkey']); - } - - $final_dfrn_id = substr($final_dfrn_id, 0, strpos($final_dfrn_id, '.')); - - if(strpos($final_dfrn_id,':') == 1) - $final_dfrn_id = substr($final_dfrn_id,2); - - if($final_dfrn_id != $orig_id) { - logger('dfrn_deliver: wrong dfrn_id.'); - // did not decode properly - cannot trust this site - return 3; - } - - $postvars['dfrn_id'] = $idtosend; - $postvars['dfrn_version'] = DFRN_PROTOCOL_VERSION; - if($dissolve) - $postvars['dissolve'] = '1'; - - - if((($contact['rel']) && ($contact['rel'] != CONTACT_IS_SHARING) && (! $contact['blocked'])) || ($owner['page-flags'] == PAGE_COMMUNITY)) { - $postvars['data'] = $atom; - $postvars['perm'] = 'rw'; - } - else { - $postvars['data'] = str_replace('1','0',$atom); - $postvars['perm'] = 'r'; - } - -// $postvars['ssl_policy'] = $ssl_policy; - - if($page) - $postvars['page'] = $page; - - if($rino && $rino_allowed && (! $dissolve)) { - $key = substr(random_string(),0,16); - $data = bin2hex(aes_encrypt($postvars['data'],$key)); - $postvars['data'] = $data; - logger('rino: sent key = ' . $key, LOGGER_DEBUG); - - - if($dfrn_version >= 2.1) { - if(($contact['duplex'] && strlen($contact['pubkey'])) - || ($owner['page-flags'] == PAGE_COMMUNITY && strlen($contact['pubkey'])) - || ($contact['rel'] == CONTACT_IS_SHARING && strlen($contact['pubkey']))) { - - openssl_public_encrypt($key,$postvars['key'],$contact['pubkey']); - } - else { - openssl_private_encrypt($key,$postvars['key'],$contact['prvkey']); - } - } - else { - if(($contact['duplex'] && strlen($contact['prvkey'])) || ($owner['page-flags'] == PAGE_COMMUNITY)) { - openssl_private_encrypt($key,$postvars['key'],$contact['prvkey']); - } - else { - openssl_public_encrypt($key,$postvars['key'],$contact['pubkey']); - } - } - - logger('md5 rawkey ' . md5($postvars['key'])); - - $postvars['key'] = bin2hex($postvars['key']); - } - - logger('dfrn_deliver: ' . "SENDING: " . print_r($postvars,true), LOGGER_DATA); - - $xml = post_url($contact['notify'],$postvars); - - logger('dfrn_deliver: ' . "RECEIVED: " . $xml, LOGGER_DATA); - - $curl_stat = $a->get_curl_code(); - if((! $curl_stat) || (! strlen($xml))) - return(-1); // timed out - - if(($curl_stat == 503) && (stristr($a->get_curl_headers(),'retry-after'))) - return(-1); - - if(strpos($xml,'status; -} - - /** * * consume_feed - process atom feed and update anything/everything we might need to update -- cgit v1.2.3 From d8903f09f5a6d637b4258632eee16859373e1893 Mon Sep 17 00:00:00 2001 From: friendica Date: Wed, 4 Dec 2013 00:19:29 -0800 Subject: include re-organisation and more doco, post_to_red fix ampersands in categories --- include/items.php | 42 +++++++++++++++++++----------------------- 1 file changed, 19 insertions(+), 23 deletions(-) (limited to 'include/items.php') diff --git a/include/items.php b/include/items.php index fa46b62a1..b6a196f4a 100755 --- a/include/items.php +++ b/include/items.php @@ -609,8 +609,8 @@ function get_item_elements($x) { // once, and after that your hub knows them. Sure some info is in the post, but it's only a transit identifier // and not enough info to be able to look you up from your hash - which is the only thing stored with the post. - if(import_author_xchan($x['author'])) - $arr['author_xchan'] = base64url_encode(hash('whirlpool',$x['author']['guid'] . $x['author']['guid_sig'], true)); + if(($xchan_hash = import_author_xchan($x['author'])) !== false) + $arr['author_xchan'] = $xchan_hash; else return array(); @@ -618,8 +618,8 @@ function get_item_elements($x) { if($arr['author_xchan'] === base64url_encode(hash('whirlpool',$x['owner']['guid'] . $x['owner']['guid_sig'], true))) $arr['owner_xchan'] = $arr['author_xchan']; else { - if(import_author_xchan($x['owner'])) - $arr['owner_xchan'] = base64url_encode(hash('whirlpool',$x['owner']['guid'] . $x['owner']['guid_sig'], true)); + if(($xchan_hash = import_author_xchan($x['owner'])) !== false) + $arr['owner_xchan'] = $xchan_hash; else return array(); } @@ -657,21 +657,18 @@ function get_item_elements($x) { function import_author_xchan($x) { - $r = q("select hubloc_url from hubloc where hubloc_guid = '%s' and hubloc_guid_sig = '%s' and (hubloc_flags & %d) limit 1", - dbesc($x['guid']), - dbesc($x['guid_sig']), - intval(HUBLOC_FLAGS_PRIMARY) - ); + $arr = array('xchan' => $x, 'xchan_hash' => ''); + call_hooks('import_author_xchan',$arr); + if($arr['xchan_hash']) + return $arr['xchan_hash']; - if($r) { - logger('import_author_xchan: in cache', LOGGER_DEBUG); - return true; + if((! array_key_exists('network', $x)) || ($x['network'] === 'zot')) { + return import_author_zot($x); } - logger('import_author_xchan: entry not in cache - probing: ' . print_r($x,true), LOGGER_DEBUG); + // TODO: create xchans for other common and/or aligned networks - $them = array('hubloc_url' => $x['url'],'xchan_guid' => $x['guid'], 'xchan_guid_sig' => $x['guid_sig']); - return zot_refresh($them); + return false; } function encode_item($item) { @@ -785,6 +782,7 @@ function encode_item_xchan($xchan) { $ret['name'] = $xchan['xchan_name']; $ret['address'] = $xchan['xchan_addr']; $ret['url'] = $xchan['hubloc_url']; + $ret['network'] = $xchan['xchan_network']; $ret['photo'] = array('mimetype' => $xchan['xchan_photo_mimetype'], 'src' => $xchan['xchan_photo_m']); $ret['guid'] = $xchan['xchan_guid']; $ret['guid_sig'] = $xchan['xchan_guid_sig']; @@ -977,18 +975,16 @@ function get_mail_elements($x) { if($x['attach']) $arr['attach'] = activity_sanitise($x['attach']); - - if(import_author_xchan($x['from'])) - $arr['from_xchan'] = base64url_encode(hash('whirlpool',$x['from']['guid'] . $x['from']['guid_sig'], true)); + if(($xchan_hash = import_author_xchan($x['from'])) !== false) + $arr['from_xchan'] = $xchan_hash; else return array(); - if(import_author_xchan($x['to'])) - $arr['to_xchan'] = base64url_encode(hash('whirlpool',$x['to']['guid'] . $x['to']['guid_sig'], true)); + if(($xchan_hash = import_author_xchan($x['to'])) !== false) + $arr['to_xchan'] = $xchan_hash; else return array(); - return $arr; } @@ -998,8 +994,8 @@ function get_profile_elements($x) { $arr = array(); - if(import_author_xchan($x['from'])) - $arr['xprof_hash'] = base64url_encode(hash('whirlpool',$x['from']['guid'] . $x['from']['guid_sig'], true)); + if(($xchan_hash = import_author_xchan($x['from'])) !== false) + $arr['xprof_hash'] = $xchan_hash; else return array(); -- cgit v1.2.3 From b8454cbd1df76bb96af6a6d65ff40f08f6919dc5 Mon Sep 17 00:00:00 2001 From: friendica Date: Sat, 7 Dec 2013 23:29:26 -0800 Subject: post_activity_item issues --- include/items.php | 28 +++++++++++++++++++++++----- 1 file changed, 23 insertions(+), 5 deletions(-) (limited to 'include/items.php') diff --git a/include/items.php b/include/items.php index b6a196f4a..4af544de1 100755 --- a/include/items.php +++ b/include/items.php @@ -202,11 +202,29 @@ function post_activity_item($arr) { return $ret; } - if(array_key_exists('content_type',$arr) && $arr['content_type'] == 'text/html') - $arr['body'] = purify_html($arr['body']); - else - $arr['body'] = escape_tags($arr['body']); + if(! array_key_exists('mimetype',$arr)) + $arr['mimetype'] = 'text/bbcode'; + + if(array_key_exists('item_private',$arr) && $arr['item_private']) { + + $arr['body'] = z_input_filter($arr['uid'],$arr['body'],$arr['mimetype']); + + if($channel) { + if($channel['channel_hash'] === $arr['author_xchan']) { + $arr['sig'] = base64url_encode(rsa_sign($arr['body'],$channel['channel_prvkey'])); + $arr['item_flags'] = $arr['item_flags'] | ITEM_VERIFIED; + } + } + + logger('Encrypting local storage'); + $key = get_config('system','pubkey'); + $arr['item_flags'] = $arr['item_flags'] | ITEM_OBSCURED; + if($arr['title']) + $arr['title'] = json_encode(aes_encapsulate($arr['title'],$key)); + if($arr['body']) + $arr['body'] = json_encode(aes_encapsulate($arr['body'],$key)); + } $arr['mid'] = ((x($arr,'mid')) ? $arr['mid'] : item_message_id()); $arr['parent_mid'] = ((x($arr,'parent_mid')) ? $arr['parent_mid'] : $arr['mid']); @@ -238,7 +256,7 @@ function post_activity_item($arr) { $post = item_store($arr); - if($post['result']) + if($post['success']) $post_id = $post['item_id']; if($post_id) { -- cgit v1.2.3 From 082ac6777829c98ded48c271f4210ac5d6e1a68f Mon Sep 17 00:00:00 2001 From: friendica Date: Sun, 8 Dec 2013 20:08:50 -0800 Subject: suggestion widget tweaked to make it comanche capable. Remove old versions of specs that are so obsolete it isn't funny. Zot protocol reference is in red's github wiki, and in the code. We should move the github copy to /doc once it is updated to match the code. There's no point in documenting dfrn in the red code base. --- include/items.php | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) (limited to 'include/items.php') diff --git a/include/items.php b/include/items.php index 4af544de1..dd3cf7644 100755 --- a/include/items.php +++ b/include/items.php @@ -3692,6 +3692,8 @@ function items_fetch($arr,$channel = null,$observer_hash = null,$client_mode = C $sql_options = ''; $sql_extra2 = ''; $sql_extra3 = ''; + $def_acl = ''; + $item_uids = ' true '; if($channel) { @@ -3708,7 +3710,7 @@ function items_fetch($arr,$channel = null,$observer_hash = null,$client_mode = C $sql_extra = " AND item.parent IN ( SELECT parent FROM item WHERE (item_flags & " . intval(ITEM_THREAD_TOP) . ") $sql_options ) "; - if($arr['group'] && $uid) { + if($arr['gid'] && $uid) { $r = q("SELECT * FROM `group` WHERE id = %d AND uid = %d LIMIT 1", intval($arr['group']), intval($uid) @@ -3718,7 +3720,6 @@ function items_fetch($arr,$channel = null,$observer_hash = null,$client_mode = C return $result; } - $contact_str = ''; $contacts = group_get_members($group); if($contacts) { @@ -3730,11 +3731,15 @@ function items_fetch($arr,$channel = null,$observer_hash = null,$client_mode = C } else { $contact_str = ' 0 '; - info( t('Group is empty')); + $result['message'] = t('Collection is empty.'); + return $result; } $sql_extra = " AND item.parent IN ( SELECT DISTINCT parent FROM item WHERE true $sql_options AND (( author_xchan IN ( $contact_str ) OR owner_xchan in ( $contact_str)) or allow_gid like '" . protect_sprintf('%<' . dbesc($r[0]['hash']) . '>%') . "' ) and id = parent and item_restrict = 0 ) "; + $x = group_rec_byhash($uid,$r[0]['hash']); + $result['headline'] = sprintf( t('Collection: %s'),$x['name']); + } elseif($arr['cid'] && $uid) { @@ -3744,6 +3749,7 @@ function items_fetch($arr,$channel = null,$observer_hash = null,$client_mode = C ); if($r) { $sql_extra = " AND item.parent IN ( SELECT DISTINCT parent FROM item WHERE true $sql_options AND uid = " . intval($arr['uid']) . " AND ( author_xchan = '" . dbesc($r[0]['abook_xchan']) . "' or owner_xchan = '" . dbesc($r[0]['abook_xchan']) . "' ) and item_restrict = 0 ) "; + $result['headline'] = sprintf( t('Connection: %s'),$r[0]['xchan_name']); } else { $result['message'] = t('Connection not found.'); -- cgit v1.2.3 From b3fe221b7fe9c6ecc151d9c00f36d3913526f6a3 Mon Sep 17 00:00:00 2001 From: friendica Date: Wed, 11 Dec 2013 23:13:36 -0800 Subject: issue #240 - we were using htmlentities instead of htmlspecialchars in several places, and this was a bit greedy in the set of characters which were converted from utf-8 to HTML entities. Also brought mail attachments up to date so they are rendered identically to item attachments. --- include/items.php | 71 +++++++++++++++++++++++++++---------------------------- 1 file changed, 35 insertions(+), 36 deletions(-) (limited to 'include/items.php') diff --git a/include/items.php b/include/items.php index dd3cf7644..2cec6bc36 100755 --- a/include/items.php +++ b/include/items.php @@ -564,9 +564,9 @@ function title_is_body($title, $body) { function get_item_elements($x) { -// logger('get_item_elements'); + $arr = array(); - $arr['body'] = (($x['body']) ? htmlentities($x['body'],ENT_COMPAT,'UTF-8',false) : ''); + $arr['body'] = (($x['body']) ? htmlspecialchars($x['body'],ENT_COMPAT,'UTF-8',false) : ''); $arr['created'] = datetime_convert('UTC','UTC',$x['created']); $arr['edited'] = datetime_convert('UTC','UTC',$x['edited']); @@ -584,27 +584,27 @@ function get_item_elements($x) { ? datetime_convert('UTC','UTC',$x['commented']) : $arr['created']); - $arr['title'] = (($x['title']) ? htmlentities($x['title'], ENT_COMPAT,'UTF-8',false) : ''); + $arr['title'] = (($x['title']) ? htmlspecialchars($x['title'], ENT_COMPAT,'UTF-8',false) : ''); if(mb_strlen($arr['title']) > 255) $arr['title'] = mb_substr($arr['title'],0,255); - $arr['app'] = (($x['app']) ? htmlentities($x['app'], ENT_COMPAT,'UTF-8',false) : ''); - $arr['mid'] = (($x['message_id']) ? htmlentities($x['message_id'], ENT_COMPAT,'UTF-8',false) : ''); - $arr['parent_mid'] = (($x['message_top']) ? htmlentities($x['message_top'], ENT_COMPAT,'UTF-8',false) : ''); - $arr['thr_parent'] = (($x['message_parent']) ? htmlentities($x['message_parent'], ENT_COMPAT,'UTF-8',false) : ''); + $arr['app'] = (($x['app']) ? htmlspecialchars($x['app'], ENT_COMPAT,'UTF-8',false) : ''); + $arr['mid'] = (($x['message_id']) ? htmlspecialchars($x['message_id'], ENT_COMPAT,'UTF-8',false) : ''); + $arr['parent_mid'] = (($x['message_top']) ? htmlspecialchars($x['message_top'], ENT_COMPAT,'UTF-8',false) : ''); + $arr['thr_parent'] = (($x['message_parent']) ? htmlspecialchars($x['message_parent'], ENT_COMPAT,'UTF-8',false) : ''); - $arr['plink'] = (($x['permalink']) ? htmlentities($x['permalink'], ENT_COMPAT,'UTF-8',false) : ''); - $arr['location'] = (($x['location']) ? htmlentities($x['location'], ENT_COMPAT,'UTF-8',false) : ''); - $arr['coord'] = (($x['longlat']) ? htmlentities($x['longlat'], ENT_COMPAT,'UTF-8',false) : ''); - $arr['verb'] = (($x['verb']) ? htmlentities($x['verb'], ENT_COMPAT,'UTF-8',false) : ''); - $arr['mimetype'] = (($x['mimetype']) ? htmlentities($x['mimetype'], ENT_COMPAT,'UTF-8',false) : ''); - $arr['obj_type'] = (($x['object_type']) ? htmlentities($x['object_type'], ENT_COMPAT,'UTF-8',false) : ''); - $arr['tgt_type'] = (($x['target_type']) ? htmlentities($x['target_type'], ENT_COMPAT,'UTF-8',false) : ''); - $arr['comment_policy'] = (($x['comment_scope']) ? htmlentities($x['comment_scope'], ENT_COMPAT,'UTF-8',false) : 'contacts'); + $arr['plink'] = (($x['permalink']) ? htmlspecialchars($x['permalink'], ENT_COMPAT,'UTF-8',false) : ''); + $arr['location'] = (($x['location']) ? htmlspecialchars($x['location'], ENT_COMPAT,'UTF-8',false) : ''); + $arr['coord'] = (($x['longlat']) ? htmlspecialchars($x['longlat'], ENT_COMPAT,'UTF-8',false) : ''); + $arr['verb'] = (($x['verb']) ? htmlspecialchars($x['verb'], ENT_COMPAT,'UTF-8',false) : ''); + $arr['mimetype'] = (($x['mimetype']) ? htmlspecialchars($x['mimetype'], ENT_COMPAT,'UTF-8',false) : ''); + $arr['obj_type'] = (($x['object_type']) ? htmlspecialchars($x['object_type'], ENT_COMPAT,'UTF-8',false) : ''); + $arr['tgt_type'] = (($x['target_type']) ? htmlspecialchars($x['target_type'], ENT_COMPAT,'UTF-8',false) : ''); + $arr['comment_policy'] = (($x['comment_scope']) ? htmlspecialchars($x['comment_scope'], ENT_COMPAT,'UTF-8',false) : 'contacts'); - $arr['sig'] = (($x['signature']) ? htmlentities($x['signature'], ENT_COMPAT,'UTF-8',false) : ''); + $arr['sig'] = (($x['signature']) ? htmlspecialchars($x['signature'], ENT_COMPAT,'UTF-8',false) : ''); $arr['object'] = activity_sanitise($x['object']); @@ -667,7 +667,6 @@ function get_item_elements($x) { $arr['body'] = json_encode(crypto_encapsulate($arr['body'],$key)); } - return $arr; } @@ -832,8 +831,8 @@ function decode_tags($t) { $ret = array(); foreach($t as $x) { $tag = array(); - $tag['term'] = htmlentities($x['tag'], ENT_COMPAT,'UTF-8',false); - $tag['url'] = htmlentities($x['url'], ENT_COMPAT,'UTF-8',false); + $tag['term'] = htmlspecialchars($x['tag'], ENT_COMPAT,'UTF-8',false); + $tag['url'] = htmlspecialchars($x['url'], ENT_COMPAT,'UTF-8',false); switch($x['type']) { case 'hashtag': $tag['type'] = TERM_HASHTAG; @@ -876,12 +875,12 @@ function activity_sanitise($arr) { if(is_array($x)) $ret[$k] = activity_sanitise($x); else - $ret[$k] = htmlentities($x, ENT_COMPAT,'UTF-8',false); + $ret[$k] = htmlspecialchars($x, ENT_COMPAT,'UTF-8',false); } return $ret; } else { - return htmlentities($arr, ENT_COMPAT,'UTF-8', false); + return htmlspecialchars($arr, ENT_COMPAT,'UTF-8', false); } } return ''; @@ -893,7 +892,7 @@ function array_sanitise($arr) { if($arr) { $ret = array(); foreach($arr as $x) { - $ret[] = htmlentities($x, ENT_COMPAT,'UTF-8',false); + $ret[] = htmlspecialchars($x, ENT_COMPAT,'UTF-8',false); } return $ret; } @@ -958,8 +957,8 @@ function get_mail_elements($x) { $arr = array(); - $arr['body'] = (($x['body']) ? htmlentities($x['body'], ENT_COMPAT,'UTF-8',false) : ''); - $arr['title'] = (($x['title'])? htmlentities($x['title'],ENT_COMPAT,'UTF-8',false) : ''); + $arr['body'] = (($x['body']) ? htmlspecialchars($x['body'], ENT_COMPAT,'UTF-8',false) : ''); + $arr['title'] = (($x['title'])? htmlspecialchars($x['title'],ENT_COMPAT,'UTF-8',false) : ''); $arr['created'] = datetime_convert('UTC','UTC',$x['created']); if((! array_key_exists('expires',$x)) || ($x['expires'] === '0000-00-00 00:00:00')) @@ -977,18 +976,18 @@ function get_mail_elements($x) { $key = get_config('system','pubkey'); $arr['mail_flags'] |= MAIL_OBSCURED; - $arr['body'] = htmlentities($arr['body'],ENT_COMPAT,'UTF-8',false); + $arr['body'] = htmlspecialchars($arr['body'],ENT_COMPAT,'UTF-8',false); if($arr['body']) $arr['body'] = json_encode(crypto_encapsulate($arr['body'],$key)); - $arr['title'] = htmlentities($arr['title'],ENT_COMPAT,'UTF-8',false); + $arr['title'] = htmlspecialchars($arr['title'],ENT_COMPAT,'UTF-8',false); if($arr['title']) $arr['title'] = json_encode(crypto_encapsulate($arr['title'],$key)); if($arr['created'] > datetime_convert()) $arr['created'] = datetime_convert(); - $arr['mid'] = (($x['message_id']) ? htmlentities($x['message_id'], ENT_COMPAT,'UTF-8',false) : ''); - $arr['parent_mid'] = (($x['message_parent']) ? htmlentities($x['message_parent'], ENT_COMPAT,'UTF-8',false) : ''); + $arr['mid'] = (($x['message_id']) ? htmlspecialchars($x['message_id'], ENT_COMPAT,'UTF-8',false) : ''); + $arr['parent_mid'] = (($x['message_parent']) ? htmlspecialchars($x['message_parent'], ENT_COMPAT,'UTF-8',false) : ''); if($x['attach']) $arr['attach'] = activity_sanitise($x['attach']); @@ -1017,18 +1016,18 @@ function get_profile_elements($x) { else return array(); - $arr['desc'] = (($x['title']) ? htmlentities($x['title'],ENT_COMPAT,'UTF-8',false) : ''); + $arr['desc'] = (($x['title']) ? htmlspecialchars($x['title'],ENT_COMPAT,'UTF-8',false) : ''); $arr['dob'] = datetime_convert('UTC','UTC',$x['birthday'],'Y-m-d'); $arr['age'] = (($x['age']) ? intval($x['age']) : 0); - $arr['gender'] = (($x['gender']) ? htmlentities($x['gender'], ENT_COMPAT,'UTF-8',false) : ''); - $arr['marital'] = (($x['marital']) ? htmlentities($x['marital'], ENT_COMPAT,'UTF-8',false) : ''); - $arr['sexual'] = (($x['sexual']) ? htmlentities($x['sexual'], ENT_COMPAT,'UTF-8',false) : ''); - $arr['locale'] = (($x['locale']) ? htmlentities($x['locale'], ENT_COMPAT,'UTF-8',false) : ''); - $arr['region'] = (($x['region']) ? htmlentities($x['region'], ENT_COMPAT,'UTF-8',false) : ''); - $arr['postcode'] = (($x['postcode']) ? htmlentities($x['postcode'], ENT_COMPAT,'UTF-8',false) : ''); - $arr['country'] = (($x['country']) ? htmlentities($x['country'], ENT_COMPAT,'UTF-8',false) : ''); + $arr['gender'] = (($x['gender']) ? htmlspecialchars($x['gender'], ENT_COMPAT,'UTF-8',false) : ''); + $arr['marital'] = (($x['marital']) ? htmlspecialchars($x['marital'], ENT_COMPAT,'UTF-8',false) : ''); + $arr['sexual'] = (($x['sexual']) ? htmlspecialchars($x['sexual'], ENT_COMPAT,'UTF-8',false) : ''); + $arr['locale'] = (($x['locale']) ? htmlspecialchars($x['locale'], ENT_COMPAT,'UTF-8',false) : ''); + $arr['region'] = (($x['region']) ? htmlspecialchars($x['region'], ENT_COMPAT,'UTF-8',false) : ''); + $arr['postcode'] = (($x['postcode']) ? htmlspecialchars($x['postcode'], ENT_COMPAT,'UTF-8',false) : ''); + $arr['country'] = (($x['country']) ? htmlspecialchars($x['country'], ENT_COMPAT,'UTF-8',false) : ''); $arr['keywords'] = (($x['keywords'] && is_array($x['keywords'])) ? array_sanitise($x['keywords']) : array()); -- cgit v1.2.3 From 7b5a42568a7f4cf90e81036b4ed5d93ec3f6e3e2 Mon Sep 17 00:00:00 2001 From: friendica Date: Mon, 16 Dec 2013 18:07:41 -0800 Subject: Tricky little bug. Allowed somebody to bypass comment permissions. Hopefully the fix will have no undesired side effects. --- include/items.php | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) (limited to 'include/items.php') diff --git a/include/items.php b/include/items.php index 2cec6bc36..b328ca2d1 100755 --- a/include/items.php +++ b/include/items.php @@ -2362,12 +2362,13 @@ function tgroup_check($uid,$item) { $mention = false; // check that the message originated elsewhere and is a top-level post - // or is a followup and we have already accepted the top level post + // or is a followup and we have already accepted the top level post as an uplink if($item['mid'] != $item['parent_mid']) { - $r = q("select id from item where mid = '%s' and uid = %d limit 1", + $r = q("select id from item where mid = '%s' and uid = %d and ( item_flags & %d ) limit 1", dbesc($item['parent_mid']), - intval($uid) + intval($uid), + intval(ITEM_UPLINK) ); if($r) return true; -- cgit v1.2.3