From d7a9db10881b8d9de1b5f7e2a2dfae3df396fb45 Mon Sep 17 00:00:00 2001
From: friendica
Date: Sun, 11 Aug 2013 16:56:06 -0700
Subject: important bits we need to allow php executable content. These must be explicitly allowed - but only if the account has ACCOUNT_ROLE_ALLOWCODE and *only* for web pages and profile fields. This content cannot be transmitted to other sites.

---
 include/items.php | 53 +++++++++++++++++++++++++++++++++++------------------
 include/text.php | 16 ++++++++++++++++
 2 files changed, 51 insertions(+), 18 deletions(-)

(limited to 'include')

diff --git a/include/items.php b/include/items.php
index e71fd0350..7662f7823 100755
--- a/include/items.php
+++ b/include/items.php
@@ -1342,7 +1342,7 @@ function encode_rel_links($links) {
 return xmlify($o);
 }
-function item_store($arr,$force_parent = false) {
+function item_store($arr,$allow_exec = false) {
 if(! $arr['uid']) {
 logger('item_store: no uid');
@@ -1357,6 +1357,13 @@ function item_store($arr,$force_parent = false) {
 unset($arr['parent']);
 $arr['mimetype'] = ((x($arr,'mimetype')) ? notags(trim($arr['mimetype'])) : 'text/bbcode');
+
+ if(($arr['mimetype'] == 'application/x-php') && (! $allow_exec)) {
+ logger('item_store: php mimetype but allow_exec is denied.');
+ return 0;
+ }
+
+
 $arr['title'] = ((x($arr,'title')) ? notags(trim($arr['title'])) : '');
 $arr['body'] = ((x($arr,'body')) ? trim($arr['body']) : '');
@@ -1369,7 +1376,7 @@ function item_store($arr,$force_parent = false) {
 // this is a bit messy - we really need an input filter chain that temporarily undoes obscuring
- if($arr['mimetype'] != 'text/html') {
+ if($arr['mimetype'] != 'text/html' && $arr['mimetype'] != 'application/x-php') {
 if((strpos($arr['body'],'<') !== false) || (strpos($arr['body'],'>') !== false))
 $arr['body'] = escape_tags($arr['body']);
 if((strpos($arr['title'],'<') !== false) || (strpos($arr['title'],'>') !== false))
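Review bot: The second parameter of item_store changes meaning from `$force_parent` to `$allow_exec` without changing position, so any caller outside this diff that still passes a truthy second argument would now be granting PHP execution rather than forcing a parent; consume_feed is corrected in a later hunk, but other call sites are not visible here and should be checked. The same applies to the item_store_update signature changed further down. A one-line comment on both functions would make the contract explicit, e.g. `// $allow_exec: true only when the caller has verified the account holds ACCOUNT_ROLE_ALLOWCODE; never true for content received from another site.` The body of item_store continues past the hunk.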
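Review bot: In the third hunk the widened condition skips escape_tags on the title as well as the body for `application/x-php`, although only the body is interpreted under the mimetype, so a PHP page's title containing `<` or `>` is now stored raw (as it already was for text/html). If the title is rendered as plain text elsewhere this is harmless, but keeping the title check outside the mimetype branch would be safer: leave the body lines as added and move the title check after this `if` block's closing brace. The end of that block lies outside the hunk.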
@@ -1665,7 +1672,7 @@ function item_store($arr,$force_parent = false) {
-function item_store_update($arr,$force_parent = false) {
+function item_store_update($arr,$allow_exec = false) {
 if(! intval($arr['uid'])) {
 logger('item_store_update: no uid');
@@ -1696,24 +1703,35 @@ function item_store_update($arr,$force_parent = false) {
 $arr = $translate['item'];
 }
+ $arr['mimetype'] = ((x($arr,'mimetype')) ? notags(trim($arr['mimetype'])) : 'text/bbcode');
+
+ if(($arr['mimetype'] == 'application/x-php') && (! $allow_exec)) {
+ logger('item_store: php mimetype but allow_exec is denied.');
+ return 0;
+ }
+
+
 // Shouldn't happen but we want to make absolutely sure it doesn't leak from a plugin.
- if((strpos($arr['body'],'<') !== false) || (strpos($arr['body'],'>') !== false))
- $arr['body'] = escape_tags($arr['body']);
+ if($arr['mimetype'] != 'text/html' && $arr['mimetype'] != 'application/x-php') {
- if((x($arr,'object')) && is_array($arr['object'])) {
- activity_sanitise($arr['object']);
- $arr['object'] = json_encode($arr['object']);
- }
+ if((strpos($arr['body'],'<') !== false) || (strpos($arr['body'],'>') !== false))
+ $arr['body'] = escape_tags($arr['body']);
- if((x($arr,'target')) && is_array($arr['target'])) {
- activity_sanitise($arr['target']);
- $arr['target'] = json_encode($arr['target']);
- }
+ if((x($arr,'object')) && is_array($arr['object'])) {
+ activity_sanitise($arr['object']);
+ $arr['object'] = json_encode($arr['object']);
+ }
- if((x($arr,'attach')) && is_array($arr['attach'])) {
- activity_sanitise($arr['attach']);
- $arr['attach'] = json_encode($arr['attach']);
+ if((x($arr,'target')) && is_array($arr['target'])) {
+ activity_sanitise($arr['target']);
+ $arr['target'] = json_encode($arr['target']);
+ }
+
+ if((x($arr,'attach')) && is_array($arr['attach'])) {
+ activity_sanitise($arr['attach']);
+ $arr['attach'] = json_encode($arr['attach']);
+ }
 }
 $orig = q("select * from item where id = %d and uid = %d limit 1",
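Review bot: The guard added in the second hunk of item_store_update logs `item_store: php mimetype but allow_exec is denied.`, so denied updates are attributed to item_store in the log and are indistinguishable from denied inserts when tracing a rejected page; change it to `logger('item_store_update: php mimetype but allow_exec is denied.');`. Rejecting with `return 0` before `$orig` is fetched is the right order, since nothing has been written at that point. item_store_update continues outside the hunk.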
@@ -1740,7 +1758,6 @@ function item_store_update($arr,$force_parent = false) {
 $arr['commented'] = datetime_convert();
 $arr['received'] = datetime_convert();
 $arr['changed'] = datetime_convert();
- $arr['mimetype'] = ((x($arr,'mimetype')) ? notags(trim($arr['mimetype'])) : 'text/bbcode');
 $arr['title'] = ((x($arr,'title')) ? notags(trim($arr['title'])) : '');
 $arr['location'] = ((x($arr,'location')) ? notags(trim($arr['location'])) : '');
 $arr['coord'] = ((x($arr,'coord')) ? notags(trim($arr['coord'])) : '');
@@ -2692,7 +2709,7 @@ function consume_feed($xml,$importer,&$contact, &$hub, $datedir = 0, $pass = 0)
 }
 }
- $r = item_store($datarray,$force_parent);
+ $r = item_store($datarray);
 continue;
 }
diff --git a/include/text.php b/include/text.php
index 61b39cb59..99d5c9d78 100755
--- a/include/text.php
+++ b/include/text.php
@@ -1142,6 +1142,22 @@ function prepare_text($text,$content_type = 'text/bbcode') {
 $s = Markdown($text);
 break;
+ // No security checking is done here at display time - so we need to verify
+ // that the author is allowed to use PHP before storing. We also cannot allow
+ // importation of PHP text bodies from other sites. Therefore this content
+ // type is only valid for web pages (and profile details).
+
+ // It may be possible to provide a PHP message body which is evaluated on the
+ // sender's site before sending it elsewhere. In that case we will have a
+ // different content-type here.
+
+ case 'application/x-php':
+ ob_start();
+ eval($text);
+ $s = ob_get_contents();
+ ob_end_clean();
+ break;
+
 case 'text/bbcode':
 case '':
 default:
--
cgit v1.2.3
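Review bot: In the text.php hunk `eval($text)` runs between `ob_start()` and `ob_end_clean()` with nothing to unwind the buffer if the stored code fails to compile or throws (PHP 7+ raises ParseError here; PHP 5 emits E_PARSE and returns false), so a broken page leaves an output buffer pushed on the caller's stack and, under PHP 5, falls through with `$s` holding whatever partial output was produced before the error. Replace the four lines with `try { eval($text); } finally { $s = ob_get_clean(); }` (PHP 5.5+) so the buffer is always collected and discarded on every exit path. Note also that the evaluated code executes inside prepare_text's own scope and can read or reassign its locals such as `$text` and `$content_type`; if that matters, invoke it through a small closure so it sees only what is passed in. The rest of prepare_text is outside the hunk.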