From beb3301d43c0d532bd6984ee745074479babdabb Mon Sep 17 00:00:00 2001 From: friendica Date: Tue, 22 Jan 2013 02:56:32 -0800 Subject: security fixes related to directory access and sites that are off the grid --- mod/directory.php | 4 ++++ mod/dirsearch.php | 10 +++------- mod/search.php | 5 +++++ mod/zfinger.php | 3 +-- 4 files changed, 13 insertions(+), 9 deletions(-) (limited to 'mod') diff --git a/mod/directory.php b/mod/directory.php index d9182d1bd..f2d9e1e02 100644 --- a/mod/directory.php +++ b/mod/directory.php @@ -56,6 +56,8 @@ function directory_content(&$a) { $query = $url . '?f=' ; if($search) $query .= '&name=' . urlencode($search); + if(strpos($search,'@')) + $query .= '&address=' . urlencode($search); if($a->pager['page'] != 1) $query .= '&p=' . $a->pager['page']; @@ -63,6 +65,8 @@ function directory_content(&$a) { logger('mod_directory: query: ' . $query); $x = z_fetch_url($query); + logger('directory: return from upstream: ' . print_r($x,true)); + if($x['success']) { $t = 0; $j = json_decode($x['body'],true); diff --git a/mod/dirsearch.php b/mod/dirsearch.php index 57132519c..1dbe60499 100644 --- a/mod/dirsearch.php +++ b/mod/dirsearch.php @@ -14,16 +14,12 @@ function dirsearch_content(&$a) { // If you've got a public directory server, you probably shouldn't block public access - if((get_config('system','block_public')) && (! local_user()) && (! remote_user())) { - $ret['message'] = t('Public access denied.'); - return; - } $dirmode = intval(get_config('system','directory_mode')); if($dirmode == DIRECTORY_MODE_NORMAL) { $ret['message'] = t('This site is not a directory server'); - return; + json_return_and_die($ret); } $name = ((x($_REQUEST,'name')) ? $_REQUEST['name'] : ''); @@ -75,7 +71,7 @@ function dirsearch_content(&$a) { // By default we return one page (default 80 items maximum) and do not count total entries $logic = ((strlen($sql_extra)) ? 0 : 1); - +dbg(1); if($limit) $qlimit = " LIMIT $limit "; else { @@ -95,7 +91,7 @@ function dirsearch_content(&$a) { $r = q("SELECT xchan.*, xprof.* from xchan left join xprof on xchan_hash = xprof_hash where $logic $sql_extra and not ( xchan_flags & %d ) $order $qlimit ", intval(XCHAN_FLAGS_HIDDEN) ); - +dbg(0); $ret['page'] = $page + 1; $ret['records'] = count($r); diff --git a/mod/search.php b/mod/search.php index a9f2df069..7a0f4205d 100644 --- a/mod/search.php +++ b/mod/search.php @@ -117,6 +117,11 @@ function search_content(&$a) { goaway(z_root() . '/directory' . '?f=1&search=' . $search); } + // look for a naked webbie + if(strpos($search,'@') !== false) { + goaway(z_root() . '/directory' . '?f=1&search=' . $search); + } + if(! $search) return $o; diff --git a/mod/zfinger.php b/mod/zfinger.php index 2fb169ef1..b7a89b12b 100644 --- a/mod/zfinger.php +++ b/mod/zfinger.php @@ -75,7 +75,6 @@ function zfinger_init(&$a) { if($e['xchan_flags'] & XCHAN_FLAGS_HIDDEN) $searchable = false; - // This is for birthdays and keywords, but must check access permissions $p = q("select * from profile where uid = %d and is_default = 1", intval($e['channel_id']) @@ -181,7 +180,7 @@ function zfinger_init(&$a) { elseif($dirmode == DIRECTORY_MODE_STANDALONE) $ret['site']['directory_mode'] = 'standalone'; if($dirmode != DIRECTORY_MODE_NORMAL) - $ret['site']['directory_url'] = z_root() . '/dir'; + $ret['site']['directory_url'] = z_root() . '/dirsearch'; json_return_and_die($ret); -- cgit v1.2.3