harukin/core
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

PRIVACY: possible privacy leakage under a defined set of circumstances

Browse Source
This commit is contained in:
redmatrix
2015-05-20 18:46:23 -07:00
parent fe00d29047
commit 6466774b6e
8 changed files with 32 additions and 26 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
include/items.php
View File

@@ -2527,6 +2527,7 @@ function item_store_update($arr,$allow_exec = false) {
$arr['title'] = ((array_key_exists('title',$arr) && strlen($arr['title'])) ? trim($arr['title']) : '');
$arr['body'] = ((array_key_exists('body',$arr) && strlen($arr['body'])) ? trim($arr['body']) : '');
$arr['attach'] = ((x($arr,'attach')) ? notags(trim($arr['attach'])) : $orig[0]['attach']);
$arr['app'] = ((x($arr,'app')) ? notags(trim($arr['app'])) : $orig[0]['app']);
// $arr['item_restrict'] = ((x($arr,'item_restrict')) ? intval($arr['item_restrict']) : $orig[0]['item_restrict'] );
@@ -4372,12 +4373,14 @@ function fetch_post_tags($items,$link = false) {
function zot_feed($uid,$observer_xchan,$arr) {
function zot_feed($uid,$observer_hash,$arr) {
$result = array();
$mindate = null;
$message_id = null;
require_once('include/security.php');
if(array_key_exists('mindate',$arr)) {
$mindate = datetime_convert('UTC','UTC',$arr['mindate']);
}
@@ -4395,14 +4398,14 @@ function zot_feed($uid,$observer_xchan,$arr) {
if($message_id)
logger('message_id: ' . $message_id,LOGGER_DEBUG);
if(! perm_is_allowed($uid,$observer_xchan,'view_stream')) {
if(! perm_is_allowed($uid,$observer_hash,'view_stream')) {
logger('zot_feed: permission denied.');
return $result;
}
if(! is_sys_channel($uid)) {
require_once('include/security.php');
$sql_extra = item_permissions_sql($uid);
$sql_extra = item_permissions_sql($uid,$observer_hash);
}
$limit = " LIMIT 100 ";
@@ -4416,6 +4419,7 @@ function zot_feed($uid,$observer_xchan,$arr) {
$limit = '';
}
$items = array();
/** @FIXME fix this part for PostgreSQL */
@@ -4425,7 +4429,6 @@ function zot_feed($uid,$observer_xchan,$arr) {
}
if(is_sys_channel($uid)) {
require_once('include/security.php');
$r = q("SELECT parent, created, postopts from item
WHERE uid != %d
AND item_private = 0 AND item_restrict = 0 AND uid in (" . stream_perms_api_uids(PERMS_PUBLIC,10,1) . ")
@@ -4633,7 +4636,7 @@ function items_fetch($arr,$channel = null,$observer_hash = null,$client_mode = C
//$start = dba_timer();
require_once('include/security.php');
$sql_extra .= item_permissions_sql($channel['channel_id']);
$sql_extra .= item_permissions_sql($channel['channel_id'],$observer_hash);
if ($arr['pages'])
$item_restrict = " AND (item_restrict & " . ITEM_WEBPAGE . ") ";