harukin/core
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

firehose testing (network?f=&fh=1) - some possible security bugs so testing purposes only

Browse Source
This commit is contained in:
friendica 2014-03-26 22:05:19 -07:00
parent a00c581e27
commit 5a3903a40c
4 changed files with 22 additions and 114 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
include/poller.php
View File

@ -176,6 +176,7 @@ function poller_run($argv, $argc){
if($r) { if($r) {
$feedurl = $r[0]['site_url'] . '/zotfeed?f=&mindate=' . urlencode(datetime_convert('','','now - 15 days')); $feedurl = $r[0]['site_url'] . '/zotfeed?f=&mindate=' . urlencode(datetime_convert('','','now - 15 days'));
$x = z_fetch_url($feedurl); $x = z_fetch_url($feedurl);
if(($x) && ($x['success'])) { if(($x) && ($x['success'])) {
$total = 0; $total = 0;
$j = json_decode($x['body'],true); $j = json_decode($x['body'],true);

105
mod/community.php
View File

@ -1,105 +0,0 @@
<?php
function community_init(&$a) {
if(! local_user()) {
unset($_SESSION['theme']);
unset($_SESSION['mobile_theme']);
}
}
function community_content(&$a, $update = 0) {
$o = '';
if((get_config('system','block_public')) && (! local_user()) && (! remote_user())) {
notice( t('Public access denied.') . EOL);
return;
}
if(get_config('system','no_community_page')) {
notice( t('Not available.') . EOL);
return;
}
require_once("include/bbcode.php");
require_once('include/security.php');
require_once('include/conversation.php');
$o .= '<h3>' . t('Community') . '</h3>';
if(! $update) {
nav_set_selected('community');
$o .= '<div id="live-community"></div>' . "\r\n";
$o .= "<script> var profile_uid = -1; var netargs = '/?f='; var profile_page = " . $a->pager['page'] . "; </script>\r\n";
}
if(x($a->data,'search'))
$search = notags(trim($a->data['search']));
else
$search = ((x($_GET,'search')) ? notags(trim(rawurldecode($_GET['search']))) : '');
// Here is the way permissions work in this module...
// Only public posts can be shown
// OR your own posts if you are a logged in member
if(! get_pconfig(local_user(),'system','alt_pager')) {
$r = q("SELECT COUNT(distinct(`item`.`mid`)) AS `total`
FROM `item` LEFT JOIN `contact` ON `contact`.`id` = `item`.`contact-id` LEFT JOIN `user` ON `user`.`uid` = `item`.`uid`
WHERE `item`.`visible` = 1 AND `item`.`deleted` = 0 and `item`.`moderated` = 0
AND `item`.`allow_cid` = '' AND `item`.`allow_gid` = ''
AND `item`.`deny_cid` = '' AND `item`.`deny_gid` = ''
AND `item`.`private` = 0 AND `item`.`wall` = 1 AND `user`.`hidewall` = 0
AND `contact`.`blocked` = 0 AND `contact`.`pending` = 0"
);
if(count($r))
$a->set_pager_total($r[0]['total']);
if(! $r[0]['total']) {
info( t('No results.') . EOL);
return $o;
}
}
$r = q("SELECT distinct(`item`.`mid`), `item`.*, `item`.`id` AS `item_id`,
`contact`.`name`, `contact`.`photo`, `contact`.`url`, `contact`.`alias`, `contact`.`rel`,
`contact`.`network`, `contact`.`thumb`, `contact`.`self`, `contact`.`writable`,
`contact`.`id` AS `cid`, `contact`.`uid` AS `contact-uid`,
`user`.`nickname`, `user`.`hidewall`
FROM `item` LEFT JOIN `contact` ON `contact`.`id` = `item`.`contact-id`
LEFT JOIN `user` ON `user`.`uid` = `item`.`uid`
WHERE `item`.`visible` = 1 AND `item`.`deleted` = 0 and `item`.`moderated` = 0
AND `item`.`allow_cid` = '' AND `item`.`allow_gid` = ''
AND `item`.`deny_cid` = '' AND `item`.`deny_gid` = ''
AND `item`.`private` = 0 AND `item`.`wall` = 1 AND `user`.`hidewall` = 0
AND `contact`.`blocked` = 0 AND `contact`.`pending` = 0 group by `item`.`mid`
ORDER BY `received` DESC LIMIT %d, %d ",
intval($a->pager['start']),
intval($a->pager['itemspage'])
);
if(! count($r)) {
info( t('No results.') . EOL);
return $o;
}
// we behave the same in message lists as the search module
$o .= conversation($a,$r,'community',$update);
if(! get_pconfig(local_user(),'system','alt_pager')) {
$o .= paginate($a);
}
else {
$o .= alt_pager($a,count($r));
}
return $o;
}

28
mod/network.php
View File

@ -100,6 +100,7 @@ function network_content(&$a, $update = 0, $load = false) {
$spam = ((x($_GET,'spam')) ? intval($_GET['spam']) : 0); $spam = ((x($_GET,'spam')) ? intval($_GET['spam']) : 0);
$cmin = ((x($_GET,'cmin')) ? intval($_GET['cmin']) : 0); $cmin = ((x($_GET,'cmin')) ? intval($_GET['cmin']) : 0);
$cmax = ((x($_GET,'cmax')) ? intval($_GET['cmax']) : 99); $cmax = ((x($_GET,'cmax')) ? intval($_GET['cmax']) : 99);
$firehose = ((x($_GET,'fh')) ? intval($_GET['fh']) : 0);
$file = ((x($_GET,'file')) ? $_GET['file'] : ''); $file = ((x($_GET,'file')) ? $_GET['file'] : '');
@ -218,6 +219,7 @@ function network_content(&$a, $update = 0, $load = false) {
. ((x($_GET,'cmin')) ? '&cmin=' . $_GET['cmin'] : '') . ((x($_GET,'cmin')) ? '&cmin=' . $_GET['cmin'] : '')
. ((x($_GET,'cmax')) ? '&cmax=' . $_GET['cmax'] : '') . ((x($_GET,'cmax')) ? '&cmax=' . $_GET['cmax'] : '')
. ((x($_GET,'file')) ? '&file=' . $_GET['file'] : '') . ((x($_GET,'file')) ? '&file=' . $_GET['file'] : '')
. ((x($_GET,'fh')) ? '&fh=' . $_GET['fh'] : '')
. "'; var profile_page = " . $a->pager['page'] . ";</script>"; . "'; var profile_page = " . $a->pager['page'] . ";</script>";
@ -235,6 +237,7 @@ function network_content(&$a, $update = 0, $load = false) {
'$liked' => (($liked) ? $liked : '0'), '$liked' => (($liked) ? $liked : '0'),
'$conv' => (($conv) ? $conv : '0'), '$conv' => (($conv) ? $conv : '0'),
'$spam' => (($spam) ? $spam : '0'), '$spam' => (($spam) ? $spam : '0'),
'$fh' => (($firehose) ? $firehose : '0'),
'$nouveau' => (($nouveau) ? $nouveau : '0'), '$nouveau' => (($nouveau) ? $nouveau : '0'),
'$wall' => '0', '$wall' => '0',
'$list' => ((x($_REQUEST,'list')) ? intval($_REQUEST['list']) : 0), '$list' => ((x($_REQUEST,'list')) ? intval($_REQUEST['list']) : 0),
@ -316,6 +319,16 @@ function network_content(&$a, $update = 0, $load = false) {
} }
if($firehose) {
require_once('include/identity.php');
$sys = get_sys_channel();
$uids = " and item.uid in ( " . intval(local_user()) . "," . intval($sys['channel_id']) . ") ";
}
else {
$uids = " and item.uid = " . local_user() . " ";
}
$simple_update = (($update) ? " and ( item.item_flags & " . intval(ITEM_UNSEEN) . " ) " : ''); $simple_update = (($update) ? " and ( item.item_flags & " . intval(ITEM_UNSEEN) . " ) " : '');
if($load) if($load)
$simple_update = ''; $simple_update = '';
@ -354,12 +367,11 @@ function network_content(&$a, $update = 0, $load = false) {
$r = q("SELECT distinct item.id AS item_id FROM item $r = q("SELECT distinct item.id AS item_id FROM item
left join abook on item.author_xchan = abook.abook_xchan left join abook on item.author_xchan = abook.abook_xchan
WHERE item.uid = %d AND item.item_restrict = 0 WHERE true $uids AND item.item_restrict = 0
AND item.parent = item.id AND item.parent = item.id
and ((abook.abook_flags & %d) = 0 or abook.abook_flags is null) and ((abook.abook_flags & %d) = 0 or abook.abook_flags is null)
$sql_extra3 $sql_extra $sql_nets $sql_extra3 $sql_extra $sql_nets group by item.mid
ORDER BY item.$ordering DESC $pager_sql ", ORDER BY item.$ordering DESC $pager_sql ",
intval(local_user()),
intval(ABOOK_FLAG_BLOCKED) intval(ABOOK_FLAG_BLOCKED)
); );
@ -368,10 +380,9 @@ function network_content(&$a, $update = 0, $load = false) {
// update // update
$r = q("SELECT item.parent AS item_id FROM item $r = q("SELECT item.parent AS item_id FROM item
left join abook on item.author_xchan = abook.abook_xchan left join abook on item.author_xchan = abook.abook_xchan
WHERE item.uid = %d AND item.item_restrict = 0 $simple_update WHERE true $uids AND item.item_restrict = 0 $simple_update
and ((abook.abook_flags & %d) = 0 or abook.abook_flags is null) and ((abook.abook_flags & %d) = 0 or abook.abook_flags is null)
$sql_extra3 $sql_extra $sql_nets ", $sql_extra3 $sql_extra $sql_nets group by item.mid ",
intval(local_user()),
intval(ABOOK_FLAG_BLOCKED) intval(ABOOK_FLAG_BLOCKED)
); );
@ -388,10 +399,9 @@ function network_content(&$a, $update = 0, $load = false) {
$parents_str = ids_to_querystr($r,'item_id'); $parents_str = ids_to_querystr($r,'item_id');
$items = q("SELECT `item`.*, `item`.`id` AS `item_id` FROM `item` $items = q("SELECT `item`.*, `item`.`id` AS `item_id` FROM `item`
WHERE `item`.`uid` = %d AND `item`.`item_restrict` = 0 WHERE true $uids AND `item`.`item_restrict` = 0
AND `item`.`parent` IN ( %s ) AND `item`.`parent` IN ( %s )
$sql_extra ", $sql_extra group by item.mid",
intval(local_user()),
dbesc($parents_str) dbesc($parents_str)
); );

2
view/tpl/build_query.tpl
View File

@ -16,6 +16,7 @@
var bParam_page = {{$page}}; var bParam_page = {{$page}};
var bParam_wall = {{$wall}}; var bParam_wall = {{$wall}};
var bParam_list = {{$list}}; var bParam_list = {{$list}};
var bParam_fh = {{$fh}};
var bParam_search = "{{$search}}"; var bParam_search = "{{$search}}";
var bParam_order = "{{$order}}"; var bParam_order = "{{$order}}";
@ -40,6 +41,7 @@
if(bParam_new != 0) bCmd = bCmd + "&new=" + bParam_new; if(bParam_new != 0) bCmd = bCmd + "&new=" + bParam_new;
if(bParam_wall != 0) bCmd = bCmd + "&wall=" + bParam_wall; if(bParam_wall != 0) bCmd = bCmd + "&wall=" + bParam_wall;
if(bParam_list != 0) bCmd = bCmd + "&list=" + bParam_list; if(bParam_list != 0) bCmd = bCmd + "&list=" + bParam_list;
if(bParam_fh != 0) bCmd = bCmd + "&fh=" + bParam_fh;
if(bParam_search != "") bCmd = bCmd + "&search=" + bParam_search; if(bParam_search != "") bCmd = bCmd + "&search=" + bParam_search;
if(bParam_order != "") bCmd = bCmd + "&order=" + bParam_order; if(bParam_order != "") bCmd = bCmd + "&order=" + bParam_order;
if(bParam_file != "") bCmd = bCmd + "&file=" + bParam_file; if(bParam_file != "") bCmd = bCmd + "&file=" + bParam_file;