harukin/core
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

add account_level, is_foreigner and is_member functions; convert all e2ee user input and prompts to hex to avoid javascipt's lame handling of quotes. !!This breaks all prior encrypted posts.!!

Browse Source
This commit is contained in:
friendica
2013-12-23 15:13:09 -08:00
parent 4517bdcff1
commit 63a42480c7
9 changed files with 80 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
boot.php
View File

@@ -46,7 +46,7 @@ define ( 'RED_PLATFORM', 'Red Matrix' );
define ( 'RED_VERSION', trim(file_get_contents('version.inc')) . 'R');
define ( 'ZOT_REVISION', 1 );
define ( 'DB_UPDATE_VERSION', 1086 );
define ( 'DB_UPDATE_VERSION', 1087 );
define ( 'EOL', '<br />' . "\r\n" );
define ( 'ATOM_TIME', 'Y-m-d\TH:i:s\Z' );

11
include/bbcode.php
View File

@@ -105,21 +105,24 @@ function bb_parse_crypt($match) {
$attributes = $match[1];
$algorithm = "";
preg_match("/alg='(.*?)'/ism", $attributes, $matches);
if ($matches[1] != "")
$algorithm = html_entity_decode($matches[1],ENT_QUOTES,'UTF-8');
$algorithm = $matches[1];
preg_match("/alg=\&quot\;(.*?)\&quot\;/ism", $attributes, $matches);
if ($matches[1] != "")
$algorithm = html_entity_decode($matches[1],ENT_QUOTES,'UTF-8');
$algorithm = $matches[1];
$hint = "";
preg_match("/hint='(.*?)'/ism", $attributes, $matches);
if ($matches[1] != "")
$hint = html_entity_decode($matches[1],ENT_QUOTES,'UTF-8');
$hint = $matches[1];
preg_match("/hint=\&quot\;(.*?)\&quot\;/ism", $attributes, $matches);
if ($matches[1] != "")
$hint = html_entity_decode($matches[1],ENT_QUOTES,'UTF-8');
$hint = $matches[1];
$x = random_string();

32
include/identity.php
View File

@@ -1138,3 +1138,35 @@ function get_default_profile_photo($size = 175) {
$scheme = 'rainbow_man';
return 'images/default_profile_photos/' . $scheme . '/' . $size . '.jpg';
}
/**
*
* @function is_foreigner($s)
* Test whether a given identity is NOT a member of the Red Matrix
* @param string $s;
* xchan_hash of the identity in question
*
* @returns boolean true or false
*
*/
function is_foreigner($s) {
return((strpbrk($s,':@')) ? true : false);
}
/**
*
* @function is_member($s)
* Test whether a given identity is a member of the Red Matrix
* @param string $s;
* xchan_hash of the identity in question
*
* @returns boolean true or false
*
*/
function is_member($s) {
return((is_foreigner($s)) ? false : true);
}

4
install/database.sql
View File

@@ -54,6 +54,7 @@ CREATE TABLE IF NOT EXISTS `account` (
`account_expires` datetime NOT NULL DEFAULT '0000-00-00 00:00:00',
`account_expire_notified` datetime NOT NULL DEFAULT '0000-00-00 00:00:00',
`account_service_class` char(32) NOT NULL DEFAULT '',
`account_level` int(10) unsigned NOT NULL DEFAULT 0,
PRIMARY KEY (`account_id`),
KEY `account_email` (`account_email`),
KEY `account_service_class` (`account_service_class`),
@@ -63,7 +64,8 @@ CREATE TABLE IF NOT EXISTS `account` (
KEY `account_lastlog` (`account_lastlog`),
KEY `account_expires` (`account_expires`),
KEY `account_default_channel` (`account_default_channel`),
KEY `account_external` (`account_external`)
KEY `account_external` (`account_external`),
KEY `account_level` (`account_level`)
) ENGINE=MyISAM DEFAULT CHARSET=utf8;
CREATE TABLE IF NOT EXISTS `addon` (

11
install/update.php
View File

@@ -1,6 +1,6 @@
<?php
define( 'UPDATE_VERSION' , 1086 );
define( 'UPDATE_VERSION' , 1087 );
/**
*
@@ -948,3 +948,12 @@ function update_r1085() {
return UPDATE_FAILED;
}
function update_r1086() {
$r = q("ALTER TABLE `account` ADD `account_level` INT UNSIGNED NOT NULL DEFAULT '0',
ADD INDEX ( `account_level` )");
if($r)
return UPDATE_SUCCESS;
return UPDATE_FAILED;
}

10
js/crypto.js
View File

@@ -43,7 +43,7 @@ function red_encrypt(alg, elem,text) {
// key and hint need to be localised
var enc_key = prompt(aStr['passphrase']);
var enc_key = bin2hex(prompt(aStr['passphrase']));
// If you don't provide a key you get rot13, which doesn't need a key
// but consequently isn't secure.
@@ -59,7 +59,7 @@ function red_encrypt(alg, elem,text) {
// This is the prompt we're going to use when the receiver tries to open it.
// Maybe "Grandma's maiden name" or "our secret place" or something.
var enc_hint = prompt(aStr['passhint']);
var enc_hint = bin2hex(prompt(aStr['passhint']));
enc_text = CryptoJS.AES.encrypt(text,enc_key);
@@ -72,7 +72,7 @@ function red_encrypt(alg, elem,text) {
// This is the prompt we're going to use when the receiver tries to open it.
// Maybe "Grandma's maiden name" or "our secret place" or something.
var enc_hint = prompt(aStr['passhint']);
var enc_hint = bin2hex(prompt(aStr['passhint']));
enc_text = CryptoJS.Rabbit.encrypt(text,enc_key);
encrypted = enc_text.toString();
@@ -84,7 +84,7 @@ function red_encrypt(alg, elem,text) {
// This is the prompt we're going to use when the receiver tries to open it.
// Maybe "Grandma's maiden name" or "our secret place" or something.
var enc_hint = prompt(aStr['passhint']);
var enc_hint = bin2hex(prompt(aStr['passhint']));
enc_text = CryptoJS.TripleDES.encrypt(text,enc_key);
encrypted = enc_text.toString();
@@ -135,7 +135,7 @@ function red_decrypt(alg,hint,text,elem) {
if(alg == 'rot13' || alg == 'triple-rot13')
dec_text = str_rot13(text);
else {
var enc_key = prompt((hint.length) ? hint : aStr['passphrase']);
var enc_key = bin2hex(prompt((hint.length) ? hex2bin(hint) : aStr['passphrase']));
}
if(alg == 'aes256') {

9
js/main.js
View File

@@ -873,6 +873,15 @@ function updateConvItems(mode,data) {
return a.join('');
}
function hex2bin(hex) {
var bytes = [], str;
for(var i=0; i< hex.length-1; i+=2)
bytes.push(parseInt(hex.substr(i, 2), 16));
return String.fromCharCode.apply(String, bytes);
}
function groupChangeMember(gid, cid, sec_token) {
$('body .fakelink').css('cursor', 'wait');
$.get('group/' + gid + '/' + cid + "?t=" + sec_token, function(data) {

12
mod/chanview.php
View File

@@ -78,10 +78,14 @@ function chanview_content(&$a) {
return;
}
$url = (($observer)
? z_root() . '/magic?f=&dest=' . $a->poi['xchan_url'] . '&addr=' . $a->poi['xchan_addr']
: $a->poi['xchan_url']
);
if(is_foreigner($a->poi['xchan_hash']))
$url = $a->poi['xchan_url'];
else {
$url = (($observer)
? z_root() . '/magic?f=&dest=' . $a->poi['xchan_url'] . '&addr=' . $a->poi['xchan_addr']
: $a->poi['xchan_url']
);
}
// let somebody over-ride the iframed viewport presentation

5
mod/post.php
View File

@@ -69,6 +69,7 @@ function post_init(&$a) {
* "success":1,
* "confirm":"q0Ysovd1u..."
* "service_class":(optional)
* "level":(optional)
* }
*
* 'confirm' in this case is the base64url encoded RSA signature of the concatenation of 'secret' with the
@@ -150,6 +151,7 @@ function post_init(&$a) {
$remote = remote_user();
$result = null;
$remote_service_class = '';
$remote_level = 0;
$remote_hub = $x[0]['hubloc_url'];
// Also check that they are coming from the same site as they authenticated with originally.
@@ -210,6 +212,8 @@ function post_init(&$a) {
}
if(array_key_exists('service_class',$j))
$remote_service_class = $j['service_class'];
if(array_key_exists('level',$j))
$remote_level = $j['level'];
}
// everything is good... maybe
if(local_user()) {
@@ -241,6 +245,7 @@ function post_init(&$a) {
$_SESSION['visitor_id'] = $x[0]['xchan_hash'];
$_SESSION['my_address'] = $address;
$_SESSION['remote_service_class'] = $remote_service_class;
$_SESSION['remote_level'] = $remote_level;
$_SESSION['remote_hub'] = $remote_hub;
$arr = array('xchan' => $x[0], 'url' => $desturl, 'session' => $_SESSION);