From c00c550c58f0125785b194c9413a98e114a7ab98 Mon Sep 17 00:00:00 2001 From: friendica Date: Wed, 31 Jul 2013 02:32:41 -0700 Subject: better mail obscuring --- include/enotify.php | 17 ++++++++-- include/items.php | 30 ++++++++--------- include/message.php | 94 ++++++++++++++++++++++++++++++----------------------- 3 files changed, 84 insertions(+), 57 deletions(-) (limited to 'include') diff --git a/include/enotify.php b/include/enotify.php index 3b7a643ed..fc8eb6439 100644 --- a/include/enotify.php +++ b/include/enotify.php @@ -33,7 +33,7 @@ function notification($params) { push_lang($recip['account_language']); // should probably have a channel language - $banner = t('Red Notification'); + $banner = t('Red Matrix Notification'); $product = RED_PLATFORM; $siteurl = $a->get_baseurl(true); $thanks = t('Thank You,'); @@ -89,7 +89,7 @@ function notification($params) { intval($recip['channel_id']) ); if($p) { - logger('notification comment already notified'); + logger('notification: comment already notified'); pop_lang(); return; } @@ -168,6 +168,19 @@ function notification($params) { } if($params['type'] == NOTIFY_TAGSELF) { + + $p = null; + $p = q("select id from notify where link = '%s' and uid = %d limit 1", + dbesc($params['link']), + intval($recip['channel_id']) + ); + if($p) { + logger('enotify: tag: already notified about this post'); + pop_lang(); + return; + } + + $subject = sprintf( t('[Red:Notify] %s tagged you') , $sender['xchan_name']); $preamble = sprintf( t('%1$s tagged you at %2$s') , $sender['xchan_name'], $sitename); $epreamble = sprintf( t('%1$s [zrl=%2$s]tagged you[/zrl].') , diff --git a/include/items.php b/include/items.php index 38ee5df58..49e3dd3de 100755 --- a/include/items.php +++ b/include/items.php 
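Review bot: The duplicate check added under `NOTIFY_TAGSELF` in include/enotify.php matches on `link` and `uid` only, so any earlier notify row for the same link and channel, whatever kind of notification produced it, would also suppress the tag notification. If that is not intended, the query should additionally constrain on the notification type; if it is intended, a comment such as `// one notification per post per channel, regardless of type` above the query would make that clear. The `$p = null;` immediately before the assignment is redundant and can be dropped. notification() starts and ends outside the hunk.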
@@ -491,7 +491,6 @@ function title_is_body($title, $body) { function get_item_elements($x) { $arr = array(); - $arr['body'] = (($x['body']) ? htmlentities($x['body'],ENT_COMPAT,'UTF-8',false) : ''); $arr['created'] = datetime_convert('UTC','UTC',$x['created']); @@ -804,7 +803,13 @@ function encode_mail($item) { $x = array(); $x['type'] = 'mail'; - logger('encode_mail: ' . print_r($item,true)); + if(array_key_exists('mail_flags',$item) && ($item['mail_flags'] & MAIL_OBSCURED)) { + $key = get_config('system','prvkey'); + if($item['title']) + $item['title'] = aes_unencapsulate(json_decode($item['title'],true),$key); + if($item['body']) + $item['body'] = aes_unencapsulate(json_decode($item['body'],true),$key); + } $x['message_id'] = $item['mid']; $x['message_parent'] = $item['parent_mid']; @@ -816,9 +821,6 @@ function encode_mail($item) { $x['flags'] = array(); - if($item['mail_flags'] & MAIL_OBSCURED) - $x['flags'][] = 'obscured'; - if($item['mail_flags'] & MAIL_RECALLED) { $x['flags'][] = 'recalled'; $x['title'] = ''; 
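Review bot: In encode_mail() the results of `json_decode()` and `aes_unencapsulate()` are used unchecked, although rows stored before this commit carry `MAIL_OBSCURED` with base64url-encoded title and body (the format the removed lines in include/message.php decode). For such a row `json_decode()` returns null, so the content is probably lost rather than converted. The decrypt blocks added to private_messages_list(), private_messages_fetch_message() and private_messages_fetch_conversation() have the same gap. Either migrate the existing rows or fall back when decoding fails, for example `$j = json_decode($item['body'],true); $item['body'] = (is_array($j) ? aes_unencapsulate($j,$key) : base64url_decode($item['body']));`, and likewise for the title. encode_mail() starts and ends outside the hunk.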
@@ -845,18 +847,16 @@ function get_mail_elements($x) { if(in_array('recalled',$x['flags'])) { $arr['mail_flags'] |= MAIL_RECALLED; } - if(in_array('obscured',$x['flags'])) { - - $arr['mail_flags'] |= MAIL_OBSCURED; - $arr['body'] = base64url_decode($arr['body']); - $arr['body'] = htmlentities($arr['body'],ENT_COMPAT,'UTF-8',false); - $arr['body'] = base64url_encode($arr['body']); - $arr['title'] = base64url_decode($arr['title']); - $arr['title'] = htmlentities($arr['title'],ENT_COMPAT,'UTF-8',false); - $arr['title'] = base64url_encode($arr['title']); - } } + $key = get_config('system','pubkey'); + $arr['mail_flags'] |= MAIL_OBSCURED; + $arr['body'] = htmlentities($arr['body'],ENT_COMPAT,'UTF-8',false); + if($arr['body']) + $arr['body'] = json_encode(aes_encapsulate($arr['body'],$key)); + $arr['title'] = htmlentities($arr['title'],ENT_COMPAT,'UTF-8',false); + if($arr['title']) + $arr['title'] = json_encode(aes_encapsulate($arr['title'],$key)); if($arr['created'] > datetime_convert()) $arr['created'] = datetime_convert(); diff --git a/include/message.php b/include/message.php index 6c44a54f3..d6294cdba 100644 --- a/include/message.php +++ b/include/message.php @@ -2,6 +2,7 @@ /* Private Message backend API */ +require_once('include/crypto.php'); // send a private message 
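Review bot: `$arr['mail_flags'] |= MAIL_OBSCURED;` in get_mail_elements() is set before, and regardless of, whether `aes_encapsulate()` succeeded, and `$key` from `get_config('system','pubkey')` is never checked. If the key is missing or encapsulation fails, the row is stored flagged as obscured with whatever `json_encode()` produced, and the readers later try to decrypt it. Guard the calls with `if($key && $arr['body'])` (same for the title) and set the flag only after encapsulation has produced a result; send_message() in include/message.php has the same unchecked `json_encode(aes_encapsulate(...))` calls. A comment should also state that the key pair is site-wide: every reader decrypts with `get_config('system','prvkey')`, so anyone able to read that config value can read all stored mail, which makes this obscuring at rest rather than per-recipient confidentiality.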
@@ -56,6 +57,28 @@ function send_message($uid = 0, $recipient='', $body='', $subject='', $replyto=' $replyto = $mid; } + /** + * + * When a photo was uploaded into the message using the (profile wall) ajax + * uploader, The permissions are initially set to disallow anybody but the + * owner from seeing it. This is because the permissions may not yet have been + * set for the post. If it's private, the photo permissions should be set + * appropriately. But we didn't know the final permissions on the post until + * now. So now we'll look for links of uploaded messages that are in the + * post and set them to the same permissions as the post itself. + * + */ + + $match = null; + $images = null; + if(preg_match_all("/\[img\](.*?)\[\/img\]/",$body,$match)) + $images = $match[1]; + + $key = get_config('system','pubkey'); + if($subject) + $subject = json_encode(aes_encapsulate($subject,$key)); + if($body) + $body = json_encode(aes_encapsulate($body,$key)); $r = q("INSERT INTO mail ( account_id, mail_flags, channel_id, from_xchan, to_xchan, title, body, mid, parent_mid, created ) VALUES ( %d, %d, %d, '%s', '%s', '%s', '%s', '%s', '%s', '%s' )", @@ -64,8 +87,8 @@ function send_message($uid = 0, $recipient='', $body='', $subject='', $replyto=' intval($channel['channel_id']), dbesc($channel['channel_hash']), dbesc($recipient), - dbesc(base64url_encode($subject)), - dbesc(base64url_encode($body)), + dbesc($subject), + dbesc($body), dbesc($mid), dbesc($replyto), dbesc(datetime_convert()) 
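Review bot: `$images` is initialised to `null` here and stays null when the body contains no `[img]` tag, yet the later hunk of send_message() guards its loop with `if(count($images))`; `count(null)` raises a warning from PHP 7.2 and a TypeError on PHP 8. Initialise it with `$images = array();` instead. The moved docblock now sits above the key lookup rather than above the photo-permission loop it describes, so a short comment at the `preg_match_all` call such as `// collect image links from the plaintext body before it is encrypted` would explain why the match has to happen at this point. send_message() starts and ends outside the hunk.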
@@ -84,35 +107,18 @@ function send_message($uid = 0, $recipient='', $body='', $subject='', $replyto=' return $ret; } - /** - * - * When a photo was uploaded into the message using the (profile wall) ajax - * uploader, The permissions are initially set to disallow anybody but the - * owner from seeing it. This is because the permissions may not yet have been - * set for the post. If it's private, the photo permissions should be set - * appropriately. But we didn't know the final permissions on the post until - * now. So now we'll look for links of uploaded messages that are in the - * post and set them to the same permissions as the post itself. - * - */ - - $match = null; - - if(preg_match_all("/\[img\](.*?)\[\/img\]/",$body,$match)) { - $images = $match[1]; - if(count($images)) { - foreach($images as $image) { - if(! stristr($image,$a->get_baseurl() . '/photo/')) - continue; - $image_uri = substr($image,strrpos($image,'/') + 1); - $image_uri = substr($image_uri,0, strpos($image_uri,'-')); - $r = q("UPDATE photo SET allow_cid = '%s' WHERE resource_id = '%s' AND uid = %d and allow_cid = '%s'", - dbesc('<' . $recipient . '>'), - dbesc($image_uri), - intval($channel['channel_id']), - dbesc('<' . $channel['channel_hash'] . '>') - ); - } + if(count($images)) { + foreach($images as $image) { + if(! stristr($image,$a->get_baseurl() . '/photo/')) + continue; + $image_uri = substr($image,strrpos($image,'/') + 1); + $image_uri = substr($image_uri,0, strpos($image_uri,'-')); + $r = q("UPDATE photo SET allow_cid = '%s' WHERE resource_id = '%s' AND uid = %d and allow_cid = '%s'", + dbesc('<' . $recipient . '>'), + dbesc($image_uri), + intval($channel['channel_id']), + dbesc('<' . $channel['channel_hash'] . '>') + ); } } 
@@ -171,11 +177,14 @@ function private_messages_list($uid, $mailbox = '', $start = 0, $numitems = 0) { $r[$k]['to'] = find_xchan_in_array($rr['to_xchan'],$c); $r[$k]['seen'] = (($rr['mail_flags'] & MAIL_SEEN) ? 1 : 0); if($r[$k]['mail_flags'] & MAIL_OBSCURED) { - $r[$k]['title'] = base64url_decode($r[$k]['title']); - $r[$k]['body'] = base64url_decode($r[$k]['body']); - } - + logger('unencrypting'); + $key = get_config('system','prvkey'); + if($r[$k]['title']) + $r[$k]['title'] = aes_unencapsulate(json_decode($r[$k]['title'],true),$key); + if($r[$k]['body']) + $r[$k]['body'] = aes_unencapsulate(json_decode($r[$k]['body'],true),$key); + } } return $r; @@ -209,8 +218,11 @@ function private_messages_fetch_message($channel_id, $messageitem_id, $updatesee $messages[$k]['from'] = find_xchan_in_array($message['from_xchan'],$c); $messages[$k]['to'] = find_xchan_in_array($message['to_xchan'],$c); if($messages[$k]['mail_flags'] & MAIL_OBSCURED) { - $messages[$k]['title'] = base64url_decode($messages[$k]['title']); - $messages[$k]['body'] = base64url_decode($messages[$k]['body']); + $key = get_config('system','prvkey'); + if($messages[$k]['title']) + $messages[$k]['title'] = aes_unencapsulate(json_decode($messages[$k]['title'],true),$key); + if($messages[$k]['body']) + $messages[$k]['body'] = aes_unencapsulate(json_decode($messages[$k]['body'],true),$key); } } 
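Review bot: In private_messages_list() `get_config('system','prvkey')` is looked up again for every obscured row; judging by the `$r[$k]` indexing this runs inside a per-message loop whose start is outside the hunk, and the same pattern recurs in private_messages_fetch_message() and private_messages_fetch_conversation(). Reading the key once before the loop, or moving the repeated title/body decrypt block into one shared helper, would keep the private-key handling in a single place that can be audited. The added `logger('unencrypting');` fires once per message and, unlike the other log lines touched in this commit, has no function prefix; `logger('private_messages_list: unencrypting');` would match them, or the line can be dropped.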
@@ -294,10 +306,12 @@ function private_messages_fetch_conversation($channel_id, $messageitem_id, $upda $messages[$k]['from'] = find_xchan_in_array($message['from_xchan'],$c); $messages[$k]['to'] = find_xchan_in_array($message['to_xchan'],$c); if($messages[$k]['mail_flags'] & MAIL_OBSCURED) { - $messages[$k]['title'] = base64url_decode($messages[$k]['title']); - $messages[$k]['body'] = base64url_decode($messages[$k]['body']); + $key = get_config('system','prvkey'); + if($messages[$k]['title']) + $messages[$k]['title'] = aes_unencapsulate(json_decode($messages[$k]['title'],true),$key); + if($messages[$k]['body']) + $messages[$k]['body'] = aes_unencapsulate(json_decode($messages[$k]['body'],true),$key); } - } -- cgit v1.2.3