Merge remote-tracking branch 'upstream/master'

boot.php

@@ -2164,7 +2164,7 @@ function construct_page(&$a) {
 
 	// security headers - see https://securityheaders.io
 
-	if($a->get_scheme() === 'https')
+	if($a->get_scheme() === 'https' && $a->config['system']['transport_security_header'])
 		header("Strict-Transport-Security: max-age=31536000");
 
 	header("Content-Security-Policy: script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'");

doc/hidden_configs.bb

@@ -100,6 +100,10 @@ This document assumes you're an administrator.
     [b]system.paranoia[/b]
         As the pconfig, but on a site-wide basis.  Can be overwritten
         by member settings.
+	[b]system.transport_security_header[/b]
+		if non-zero and SSL is being used, include a strict-transport-security header on webpages
+	[b]system.poke_basic[/b]
+		Reduce the number of poke verbs to exactly 1 ("poke"). Disable other verbs. 
     [b]system.openssl_conf_file[/b]
         Specify a file containing OpenSSL configuration.  Read the code first.
         If you can't read the code, don't play with it.

include/ItemObject.php

@@ -681,6 +681,11 @@ class Item extends BaseObject {
 		$qc = ((local_channel()) ? get_pconfig(local_channel(),'system','qcomment') : null);
 		$qcomment = (($qc) ? explode("\n",$qc) : null);
 
+		$arr = array('comment_buttons' => '');
+		call_hooks('comment_buttons',$arr);
+		$comment_buttons = $arr['comment_buttons'];
+
+
 		$comment_box = replace_macros($template,array(
 			'$return_path' => '',
 			'$threaded' => $this->is_threaded(),
@@ -689,6 +694,7 @@ class Item extends BaseObject {
 			'$id' => $this->get_id(),
 			'$parent' => $this->get_id(),
 			'$qcomment' => $qcomment,
+			'$comment_buttons' => $comment_buttons,
 			'$profile_uid' =>  $conv->get_profile_owner(),
 			'$mylink' => $observer['xchan_url'],
 			'$mytitle' => t('This is you'),

include/oembed.php

@@ -3,6 +3,34 @@ function oembed_replacecb($matches){
 
 	$embedurl=$matches[1];
 
+
+	// site white/black list
+
+	if(($x = get_config('system','embed_deny'))) {
+		$l = explode("\n",$x);
+		if($l) {
+			foreach($l as $ll) {
+				if(trim($ll) && strpos($embedurl,trim($ll)) !== false)
+					return '<a href="' . $embedurl . '">' . $embedurl . '</a>';
+			}
+		}
+	}
+	if(($x = get_config('system','embed_allow'))) {
+		$found = false;
+		$l = explode("\n",$x);
+		if($l) {
+			foreach($l as $ll) {
+				if(trim($ll) && strpos($embedurl,trim($ll)) !== false) {
+					$found = true;
+					break;
+				}
+			}
+		}
+		if(! $found) {
+			return '<a href="' . $embedurl . '">' . $embedurl . '</a>';
+		}
+	}
+
 	// implements a personal embed white/black list for logged in members
 	if(local_channel()) {
 		if(($x = get_pconfig(local_channel(),'system','embed_deny'))) {

include/text.php

@@ -968,16 +968,24 @@ function get_poke_verbs() {
 	// index is present tense verb
 	// value is array containing past tense verb, translation of present, translation of past
 
-	$arr = array(
-		'poke' => array( 'poked', t('poke'), t('poked')),
-		'ping' => array( 'pinged', t('ping'), t('pinged')),
-		'prod' => array( 'prodded', t('prod'), t('prodded')),
-		'slap' => array( 'slapped', t('slap'), t('slapped')),
-		'finger' => array( 'fingered', t('finger'), t('fingered')),
-		'rebuff' => array( 'rebuffed', t('rebuff'), t('rebuffed')),
-	);
+	if(get_config('system','poke_basic')) {
+		$arr = array(
+			'poke' => array( 'poked', t('poke'), t('poked')),
+		);
+	}
+	else {
+		$arr = array(
+			'poke' => array( 'poked', t('poke'), t('poked')),
+			'ping' => array( 'pinged', t('ping'), t('pinged')),
+			'prod' => array( 'prodded', t('prod'), t('prodded')),
+			'slap' => array( 'slapped', t('slap'), t('slapped')),
+			'finger' => array( 'fingered', t('finger'), t('fingered')),
+			'rebuff' => array( 'rebuffed', t('rebuff'), t('rebuffed')),
+		);
+
+		call_hooks('poke_verbs', $arr);
+	}
 
-	call_hooks('poke_verbs', $arr);
 	return $arr;
 }
 

include/widgets.php

@@ -1269,6 +1269,7 @@ function widget_admin($arr) {
 		'site'      => array(z_root() . '/admin/site/',     t('Site'),           'site'),
 		'users'     => array(z_root() . '/admin/users/',    t('Accounts'),       'users'),
 		'channels'  => array(z_root() . '/admin/channels/', t('Channels'),       'channels'),
+		'security'  => array(z_root() . '/admin/security/', t('Security'),       'security'),
 		'features'  => array(z_root() . '/admin/features/', t('Features'),       'features'),
 		'plugins'   => array(z_root() . '/admin/plugins/',  t('Plugins'),        'plugins'),
 		'themes'    => array(z_root() . '/admin/themes/',   t('Themes'),         'themes'),

mod/admin.php

@@ -62,6 +62,9 @@ function admin_post(&$a){
 			case 'hubloc':
 				admin_page_hubloc_post($a);
 				break;
+			case 'security':
+				admin_page_security_post($a);
+				break;
 			case 'features':
 				admin_page_features_post($a);
 				break;
@@ -116,6 +119,9 @@ function admin_content(&$a) {
 //			case 'hubloc':
 //				$o = admin_page_hubloc($a);
 //				break;
+			case 'security':
+				$o = admin_page_security($a);
+				break;
 			case 'features':
 				$o = admin_page_features($a);
 				break;
@@ -251,7 +257,6 @@ function admin_page_site_post(&$a){
 	$allowed_sites        = ((x($_POST,'allowed_sites'))	? notags(trim($_POST['allowed_sites']))		: '');
 	$allowed_email        = ((x($_POST,'allowed_email'))	? notags(trim($_POST['allowed_email']))		: '');
 	$not_allowed_email    = ((x($_POST,'not_allowed_email'))	? notags(trim($_POST['not_allowed_email']))		: '');
-	$block_public         = ((x($_POST,'block_public'))		? True	: False);
 	$force_publish        = ((x($_POST,'publish_all'))		? True	: False);
 	$disable_discover_tab = ((x($_POST,'disable_discover_tab'))		? False	:	True);
 	$login_on_homepage    = ((x($_POST,'login_on_homepage'))		? True	:	False);
@@ -316,7 +321,6 @@ function admin_page_site_post(&$a){
 	set_config('system','allowed_sites', $allowed_sites);
 	set_config('system','allowed_email', $allowed_email);
 	set_config('system','not_allowed_email', $not_allowed_email);	
-	set_config('system','block_public', $block_public);
 	set_config('system','publish_all', $force_publish);
 	set_config('system','disable_discover_tab', $disable_discover_tab);
 	if ($global_directory == '') {
@@ -477,7 +481,6 @@ function admin_page_site(&$a) {
 		'$allowed_sites'	=> array('allowed_sites', t("Allowed friend domains"), get_config('system','allowed_sites'), t("Comma separated list of domains which are allowed to establish friendships with this site. Wildcards are accepted. Empty to allow any domains")),
 		'$allowed_email'	=> array('allowed_email', t("Allowed email domains"), get_config('system','allowed_email'), t("Comma separated list of domains which are allowed in email addresses for registrations to this site. Wildcards are accepted. Empty to allow any domains")),
 		'$not_allowed_email'	=> array('not_allowed_email', t("Not allowed email domains"), get_config('system','not_allowed_email'), t("Comma separated list of domains which are not allowed in email addresses for registrations to this site. Wildcards are accepted. Empty to allow any domains, unless allowed domains have been defined.")),
-		'$block_public'		=> array('block_public', t("Block public"), get_config('system','block_public'), t("Check to block public access to all otherwise public personal pages on this site unless you are currently logged in.")),
 		'$verify_email'		=> array('verify_email', t("Verify Email Addresses"), get_config('system','verify_email'), t("Check to verify email addresses used in account registration (recommended).")),
 		'$force_publish'	=> array('publish_all', t("Force publish"), get_config('system','publish_all'), t("Check to force all profiles on this site to be listed in the site directory.")),
 		'$disable_discover_tab'	=> array('disable_discover_tab', t('Import Public Streams'), $discover_tab, t('Import and allow access to public content pulled from other sites. Warning: this content is unmoderated.')),
@@ -536,6 +539,53 @@ function admin_page_hubloc_post(&$a){
 	goaway($a->get_baseurl(true) . '/admin/hubloc' );
 }
 
+function trim_array_elems($arr) {
+	$narr = array();
+
+	if($arr && is_array($arr)) {
+		for($x = 0; $x < count($arr); $x ++) {
+			$y = trim($arr[$x]);
+			if($y)
+				$narr[] = $y;
+		}
+	}
+	return $narr;
+}
+
+function admin_page_security_post(&$a){
+	check_form_security_token_redirectOnErr('/admin/security', 'admin_security');
+
+logger('post: ' . print_r($_POST,true));
+
+	$block_public         = ((x($_POST,'block_public'))		? True	: False);
+	set_config('system','block_public',$block_public);
+
+	$ws = trim_array_elems(explode("\n",$_POST['whitelisted_sites']));
+	set_config('system','whitelisted_sites',$ws);
+
+	$bs = trim_array_elems(explode("\n",$_POST['blacklisted_sites']));
+	set_config('system','blacklisted_sites',$bs);
+
+	$wc = trim_array_elems(explode("\n",$_POST['whitelisted_channels']));
+	set_config('system','whitelisted_channels',$wc);
+
+	$bc = trim_array_elems(explode("\n",$_POST['blacklisted_channels']));
+	set_config('system','blacklisted_channels',$bc);
+
+	$embed_coop         = ((x($_POST,'embed_coop'))		? True	: False);
+	set_config('system','embed_coop',$embed_coop);
+
+	$we = trim_array_elems(explode("\n",$_POST['embed_allow']));
+	set_config('system','embed_allow',$we);
+
+	$be = trim_array_elems(explode("\n",$_POST['embed_deny']));
+	set_config('system','embed_deny',$be);
+
+	goaway(z_root() . '/admin/security');
+}
+
+
+
 
 function admin_page_features_post(&$a) {
 
@@ -626,6 +676,54 @@ function admin_page_hubloc(&$a) {
 	));
 }
 
+function admin_page_security(&$a) {
+
+	$whitesites = get_config('system','whitelisted_sites');
+	$whitesites_str = ((is_array($whitesites)) ? implode($whitesites,"\n") : '');
+
+	$blacksites = get_config('system','blacklisted_sites');
+	$blacksites_str = ((is_array($blacksites)) ? implode($blacksites,"\n") : '');
+
+
+	$whitechannels = get_config('system','whitelisted_channels');
+	$whitechannels_str = ((is_array($whitechannels)) ? implode($whitechannels,"\n") : '');
+
+	$blackchannels = get_config('system','blacklisted_channels');
+	$blackchannels_str = ((is_array($blackchannels)) ? implode($blackchannels,"\n") : '');
+
+
+	$whiteembeds = get_config('system','embed_allow');
+	$whiteembeds_str = ((is_array($whiteembeds)) ? implode($whiteembeds,"\n") : '');
+
+	$blackembeds = get_config('system','embed_deny');
+	$blackembeds_str = ((is_array($blackembeds)) ? implode($blackembeds,"\n") : '');
+
+	$embed_coop = intval(get_config('system','embed_coop'));
+
+// wait to implement this until we have a co-op in place. 
+//	if((! $whiteembeds) && (! $blackembeds) && (! $embed_coop))
+//		$whiteembeds_str = "youtube.com\nyoutu.be\ntwitter.com\nvimeo.com\nsoundcloud.com\nwikipedia.com";
+
+	$t = get_markup_template('admin_security.tpl');
+	return replace_macros($t, array(
+		'$title' => t('Administration'),
+		'$page' => t('Security'),
+		'$form_security_token' => get_form_security_token('admin_security'),
+        '$block_public'     => array('block_public', t("Block public"), get_config('system','block_public'), t("Check to block public access to all otherwise public personal pages on this site unless you are currently authenticated.")),
+		'$whitelisted_sites' => array('whitelisted_sites', t('Allow communications only from these sites'), $whitesites_str, t('One site per line. Leave empty to allow communication from anywhere by default')),
+		'$blacklisted_sites' => array('blacklisted_sites', t('Block communications from these sites'), $blacksites_str, ''),
+		'$whitelisted_channels' => array('whitelisted_channels', t('Allow communications only from these channels'), $whitechannels_str, t('One channel (hash) per line. Leave empty to allow from any channel by default')),
+		'$blacklisted_channels' => array('blacklisted_channels', t('Block communications from these channels'), $blackchannels_str, ''),
+		'$embed_allow' => array('embed_allow', t('Allow embedded HTML content only from these domains'), $whiteembeds_str, t('One site per line. Leave empty to allow from any site by default')),
+		'$embed_deny' => array('embed_deny', t('Block embedded HTML from these domains'), $blackembeds_str, ''),
+
+        '$embed_coop'     => array('embed_coop', t('Cooperative embed security'), $embed_coop, t('Enable to share embed security with other compatible sites/hubs')),
+		'$submit' => t('Submit')
+	));
+}
+
+
+
 
 function admin_page_dbsync(&$a) {
 	$o = '';

mod/help.php

@@ -145,7 +145,10 @@ function help_content(&$a) {
 	if($_REQUEST['search']) {
 	
 		$o .= '<div id="help-content" class="generic-content-wrapper">';
+		$o .= '<div class="section-title-wrapper">';
 		$o .= '<h2>' . t('Documentation Search') . ' - ' . htmlspecialchars($_REQUEST['search']) . '</h2>';
+		$o .= '</div>';
+		$o .= '<div class="section-content-wrapper">';
 
 		$r = search_doc_files($_REQUEST['search']);
 		if($r) {
@@ -162,6 +165,7 @@ function help_content(&$a) {
 			}
 			$o .= '</ul>';
 			$o .= '</div>';
+			$o .= '</div>';
 		}
 		return $o;
 	}

mod/oep.php

@@ -8,6 +8,7 @@ function oep_init(&$a) {
 
 	logger('oep: ' . print_r($_REQUEST,true), LOGGER_DEBUG, LOG_INFO);
 
+	$html = ((argc() > 1 && argv(1) === 'html') ? true : false);
 	if($_REQUEST['url']) {
 		$_REQUEST['url'] = strip_zids($_REQUEST['url']);
 		$url = $_REQUEST['url'];
@@ -38,8 +39,16 @@ function oep_init(&$a) {
 		$arr = oep_profile_reply($_REQUEST);
 
 	if($arr) {
-		header('Content-Type: application/json+oembed');
-		echo json_encode($arr);
+		if($html) {
+			if($arr['type'] === 'rich') {
+				header('Content-Type: text/html');
+				echo $arr['html'];
+			}
+		}
+		else {
+			header('Content-Type: application/json+oembed');
+			echo json_encode($arr);
+		}
 		killme();
 	}
 

mod/poke.php

@@ -158,16 +158,27 @@ function poke_content(&$a) {
 		if($v[1] !== 'NOTRANSLATION')
 			$shortlist[] = array($k,$v[1]);
 
-	$tpl = get_markup_template('poke_content.tpl');
 
-	$o = replace_macros($tpl,array(
-		'$title' => t('Poke/Prod'),
-		'$desc' => t('poke, prod or do other things to somebody'),
+	$poke_basic = get_config('system','poke_basic');
+	if($poke_basic) {
+		$title = t('Poke');
+		$desc = t('Poke somebody');
+	}
+	else {
+		$title = t('Poke/Prod');
+		$desc = t('Poke, prod or do other things to somebody');
+	}
+
+	$o = replace_macros(get_markup_template('poke_content.tpl'),array(
+		'$title' => $title,
+		'$poke_basic' => $poke_basic,
+		'$desc' => $desc,
 		'$clabel' => t('Recipient'),
 		'$choice' => t('Choose what you wish to do to recipient'),
 		'$verbs' => $shortlist,
 		'$parent' => $parent,
 		'$prv_desc' => t('Make this post private'),
+		'$private' => array('private', t('Make this post private'), false, ''),
 		'$submit' => t('Submit'),
 		'$name' => $name,
 		'$id' => $id

util/config

@@ -8,12 +8,14 @@ require_once('include/cli_startup.php');
 cli_startup();
 
 if($argc > 3) {
+	
+
 	set_config($argv[1],$argv[2],$argv[3]);
-	echo "config[{$argv[1]}][{$argv[2]}] = " . get_config($argv[1],$argv[2]) . "\n";
+	echo "config[{$argv[1]}][{$argv[2]}] = " . printable_config(get_config($argv[1],$argv[2])) . "\n";
 }
 
 if($argc == 3) {
-	echo "config[{$argv[1]}][{$argv[2]}] = " . get_config($argv[1],$argv[2]) . "\n";
+	echo "config[{$argv[1]}][{$argv[2]}] = " . printable_config(get_config($argv[1],$argv[2])) . "\n";
 }
 
 if($argc == 2) {
@@ -27,8 +29,19 @@ if($argc == 1) {
 	$r = q("select * from config where 1");
 	if($r) {
 		foreach($r as $rr) {
-			echo "config[{$rr['cat']}][{$rr['k']}] = " . $rr['v'] . "\n";
+			echo "config[{$rr['cat']}][{$rr['k']}] = " . printable_config($rr['v']) . "\n";
 		}
 	}
 }
 
+function printable_config($x) {
+	$s = '';
+	if(is_array($x)) {
+		foreach($x as $v) {
+			$s .= $v . "\n";
+		}
+		return $s;
+	}
+	else
+		return $x;
+}

version.inc

@@ -1 +1 @@
-2016-02-02.1297H
+2016-02-04.1299H

view/tpl/admin_aside.tpl

@@ -16,6 +16,7 @@
 	<li><a href='{{$admin.site.0}}'>{{$admin.site.1}}</a></li>
 	<li><a href='{{$admin.users.0}}'>{{$admin.users.1}}<span id='pending-update' title='{{$h_pending}}'></span></a></li>
 	<li><a href='{{$admin.channels.0}}'>{{$admin.channels.1}}</a></li>
+	<li><a href='{{$admin.security.0}}'>{{$admin.security.1}}</a></li>
 	<li><a href='{{$admin.queue.0}}'>{{$admin.queue.1}}</a></li>
 	<li><a href='{{$admin.plugins.0}}'>{{$admin.plugins.1}}</a></li>
 	<li><a href='{{$admin.themes.0}}'>{{$admin.themes.1}}</a></li>

view/tpl/admin_security.tpl

@@ -0,0 +1,31 @@
+<div class="generic-content-wrapper-styled" id='adminpage'>
+	<h1>{{$title}} - {{$page}}</h1>
+
+	<form action="{{$baseurl}}/admin/security" method="post">
+
+	<input type='hidden' name='form_security_token' value='{{$form_security_token}}'>
+
+
+	{{include file="field_checkbox.tpl" field=$block_public}}
+
+
+	{{include file="field_textarea.tpl" field=$whitelisted_sites}}
+	{{include file="field_textarea.tpl" field=$blacklisted_sites}}
+
+	{{include file="field_textarea.tpl" field=$whitelisted_channels}}
+	{{include file="field_textarea.tpl" field=$blacklisted_channels}}
+
+
+	{{include file="field_checkbox.tpl" field=$embed_coop}}
+
+	{{include file="field_textarea.tpl" field=$embed_allow}}
+	{{include file="field_textarea.tpl" field=$embed_deny}}
+
+
+	<div class="admin-submit-wrapper" >
+		<input type="submit" name="submit" class="admin-submit" value="{{$submit}}" />
+	</div>
+
+	</form>
+
+</div>

view/tpl/comment_item.tpl

@@ -57,6 +57,7 @@
 							</button>
 						</div>
 						{{/if}}
+						{{$comment_buttons}}
 					</div>
 					<div class="btn-group pull-right" id="comment-edit-submit-wrapper-{{$id}}">
 						{{if $preview}}

view/tpl/poke_content.tpl

@@ -1,32 +1,48 @@
-<h3>{{$title}}</h3>
 
-<div id="poke-desc">{{$desc}}</div>
+<div id="poke-content" class="generic-content-wrapper">
+    <div class="section-title-wrapper">
+    <h2>{{$title}}</h2>
+    </div>
+    <div class="section-content-wrapper">
+
+	<div id="poke-desc">{{$desc}}</div>
+
+<br />
+<br />
+
 
 <form action="poke" method="get">
-<br />
-<br />
 
-<div id="poke-recip-label">{{$clabel}}</div>
-<br />
-<input id="poke-recip" type="text" size="64" maxlength="255" value="{{$name}}" name="pokename" autocomplete="off" />
-<input id="poke-recip-complete" type="hidden" value="{{$id}}" name="cid" />
-<input id="poke-parent" type="hidden" value="{{$parent}}" name="parent" />
-<br />
-<br />
-<div id="poke-action-label">{{$choice}}</div>
-<br />
-<br />
-<select name="verb" id="poke-verb-select" >
-{{foreach $verbs as $v}}
-<option value="{{$v.0}}">{{$v.1}}</option>
-{{/foreach}}
-</select>
-<br />
-<br />
-<div id="poke-private-desc">{{$prv_desc}}</div>
-<input type="checkbox" name="private" {{if $parent}}disabled="disabled"{{/if}} value="1" />
-<br />
-<br />
+
+<div class="form-group field input">
+	<label id="poke-recip-label" for="poke-recip">{{$clabel}}</label>
+	<input class="form-control" id="poke-recip" type="text" value="{{$name}}" name="pokename" autocomplete="off" />
+</div>
+
+	<input id="poke-recip-complete" type="hidden" value="{{$id}}" name="cid" />
+	<input id="poke-parent" type="hidden" value="{{$parent}}" name="parent" />
+
+
+{{if $poke_basic}}
+<input type="hidden" name="verb" value="poke" />
+{{else}}
+<div class="form-group field custom">
+	<label for="poke-verb-select" id="poke-verb-lbl">{{$choice}}</label>
+	<select class="form-control" name="verb" id="poke-verb-select" >
+	{{foreach $verbs as $v}}
+	<option value="{{$v.0}}">{{$v.1}}</option>
+	{{/foreach}}
+	</select>
+</div>
+{{/if}}
+
+{{if ! $parent}}
+{{include file="field_checkbox.tpl" field=$private}}
+{{/if}}
+
 <input type="submit" name="submit" value="{{$submit}}" />
 </form>
 
+
+    </div>
+</div>