harukin/core
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

PRIVACY: possible privacy leakage under a defined set of circumstances

Browse Source
This commit is contained in:
redmatrix 2015-05-20 18:46:23 -07:00
parent fe00d29047
commit 6466774b6e
8 changed files with 32 additions and 26 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
include/items.php
View File

@ -2527,6 +2527,7 @@ function item_store_update($arr,$allow_exec = false) {
$arr['title'] = ((array_key_exists('title',$arr) && strlen($arr['title'])) ? trim($arr['title']) : ''); $arr['title'] = ((array_key_exists('title',$arr) && strlen($arr['title'])) ? trim($arr['title']) : '');
$arr['body'] = ((array_key_exists('body',$arr) && strlen($arr['body'])) ? trim($arr['body']) : ''); $arr['body'] = ((array_key_exists('body',$arr) && strlen($arr['body'])) ? trim($arr['body']) : '');
$arr['attach'] = ((x($arr,'attach')) ? notags(trim($arr['attach'])) : $orig[0]['attach']); $arr['attach'] = ((x($arr,'attach')) ? notags(trim($arr['attach'])) : $orig[0]['attach']);
$arr['app'] = ((x($arr,'app')) ? notags(trim($arr['app'])) : $orig[0]['app']); $arr['app'] = ((x($arr,'app')) ? notags(trim($arr['app'])) : $orig[0]['app']);
// $arr['item_restrict'] = ((x($arr,'item_restrict')) ? intval($arr['item_restrict']) : $orig[0]['item_restrict'] ); // $arr['item_restrict'] = ((x($arr,'item_restrict')) ? intval($arr['item_restrict']) : $orig[0]['item_restrict'] );
@ -4372,12 +4373,14 @@ function fetch_post_tags($items,$link = false) {
function zot_feed($uid,$observer_xchan,$arr) { function zot_feed($uid,$observer_hash,$arr) {
$result = array(); $result = array();
$mindate = null; $mindate = null;
$message_id = null; $message_id = null;
require_once('include/security.php');
if(array_key_exists('mindate',$arr)) { if(array_key_exists('mindate',$arr)) {
$mindate = datetime_convert('UTC','UTC',$arr['mindate']); $mindate = datetime_convert('UTC','UTC',$arr['mindate']);
} }
@ -4395,14 +4398,14 @@ function zot_feed($uid,$observer_xchan,$arr) {
if($message_id) if($message_id)
logger('message_id: ' . $message_id,LOGGER_DEBUG); logger('message_id: ' . $message_id,LOGGER_DEBUG);
if(! perm_is_allowed($uid,$observer_xchan,'view_stream')) { if(! perm_is_allowed($uid,$observer_hash,'view_stream')) {
logger('zot_feed: permission denied.'); logger('zot_feed: permission denied.');
return $result; return $result;
} }
if(! is_sys_channel($uid)) { if(! is_sys_channel($uid)) {
require_once('include/security.php'); require_once('include/security.php');
$sql_extra = item_permissions_sql($uid); $sql_extra = item_permissions_sql($uid,$observer_hash);
} }
$limit = " LIMIT 100 "; $limit = " LIMIT 100 ";
@ -4416,6 +4419,7 @@ function zot_feed($uid,$observer_xchan,$arr) {
$limit = ''; $limit = '';
} }
$items = array(); $items = array();
/** @FIXME fix this part for PostgreSQL */ /** @FIXME fix this part for PostgreSQL */
@ -4425,7 +4429,6 @@ function zot_feed($uid,$observer_xchan,$arr) {
} }
if(is_sys_channel($uid)) { if(is_sys_channel($uid)) {
require_once('include/security.php');
$r = q("SELECT parent, created, postopts from item $r = q("SELECT parent, created, postopts from item
WHERE uid != %d WHERE uid != %d
AND item_private = 0 AND item_restrict = 0 AND uid in (" . stream_perms_api_uids(PERMS_PUBLIC,10,1) . ") AND item_private = 0 AND item_restrict = 0 AND uid in (" . stream_perms_api_uids(PERMS_PUBLIC,10,1) . ")
@ -4633,7 +4636,7 @@ function items_fetch($arr,$channel = null,$observer_hash = null,$client_mode = C
//$start = dba_timer(); //$start = dba_timer();
require_once('include/security.php'); require_once('include/security.php');
$sql_extra .= item_permissions_sql($channel['channel_id']); $sql_extra .= item_permissions_sql($channel['channel_id'],$observer_hash);
if ($arr['pages']) if ($arr['pages'])
$item_restrict = " AND (item_restrict & " . ITEM_WEBPAGE . ") "; $item_restrict = " AND (item_restrict & " . ITEM_WEBPAGE . ") ";

10
include/security.php
View File

@ -148,7 +148,7 @@ function change_channel($change_channel) {
* *
* @return string additional SQL where statement * @return string additional SQL where statement
*/ */
function permissions_sql($owner_id, $remote_verified = false, $groups = null) { function permissions_sql($owner_id, $remote_observer = null) {
$local_channel = local_channel(); $local_channel = local_channel();
@ -181,7 +181,7 @@ function permissions_sql($owner_id, $remote_verified = false, $groups = null) {
*/ */
else { else {
$observer = get_observer_hash(); $observer = (($remote_observer) ? $remote_observer : get_observer_hash());
if($observer) { if($observer) {
$groups = init_groups_visitor($observer); $groups = init_groups_visitor($observer);
@ -217,7 +217,7 @@ function permissions_sql($owner_id, $remote_verified = false, $groups = null) {
* *
* @return string additional SQL where statement * @return string additional SQL where statement
*/ */
function item_permissions_sql($owner_id, $remote_verified = false, $groups = null) { function item_permissions_sql($owner_id, $remote_observer = null) {
$local_channel = local_channel(); $local_channel = local_channel();
@ -227,7 +227,7 @@ function item_permissions_sql($owner_id, $remote_verified = false, $groups = nul
* default permissions - anonymous user * default permissions - anonymous user
*/ */
$sql = " AND item_private=0 "; $sql = " AND item_private = 0 ";
/** /**
* Profile owner - everything is visible * Profile owner - everything is visible
@ -246,7 +246,7 @@ function item_permissions_sql($owner_id, $remote_verified = false, $groups = nul
*/ */
else { else {
$observer = get_observer_hash(); $observer = (($remote_observer) ? $remote_observer : get_observer_hash());
if($observer) { if($observer) {
$groups = init_groups_visitor($observer); $groups = init_groups_visitor($observer);

10
include/text.php
View File

@ -1379,12 +1379,8 @@ function generate_named_map($location) {
function prepare_body(&$item,$attach = false) { function prepare_body(&$item,$attach = false) {
if(get_config('system','item_cache') && $item['html'])
return $item['html'];
call_hooks('prepare_body_init', $item); call_hooks('prepare_body_init', $item);
unobscure($item); unobscure($item);
$s = prepare_text($item['body'],$item['mimetype']); $s = prepare_text($item['body'],$item['mimetype']);
@ -1452,12 +1448,6 @@ function prepare_body(&$item,$attach = false) {
$prep_arr = array('item' => $item, 'html' => $s); $prep_arr = array('item' => $item, 'html' => $s);
call_hooks('prepare_body_final', $prep_arr); call_hooks('prepare_body_final', $prep_arr);
if(get_config('system','item_cache'))
q("update item set html = '%s' where id = %d",
dbesc($prep_arr['html']),
intval($item['id'])
);
return $prep_arr['html']; return $prep_arr['html'];
} }

2
mod/channel.php
View File

@ -146,7 +146,7 @@ function channel_content(&$a, $update = 0, $load = false) {
*/ */
$sql_extra = item_permissions_sql($a->profile['profile_uid'],$remote_contact,$groups); $sql_extra = item_permissions_sql($a->profile['profile_uid']);
if(get_pconfig($a->profile['profile_uid'],'system','channel_list_mode') && (! $mid)) if(get_pconfig($a->profile['profile_uid'],'system','channel_list_mode') && (! $mid))
$page_mode = 'list'; $page_mode = 'list';

1
mod/editpost.php
View File

@ -132,6 +132,7 @@ function editpost_content(&$a) {
'$ptyp' => $itm[0]['type'], '$ptyp' => $itm[0]['type'],
'$content' => undo_post_tagging($itm[0]['body']), '$content' => undo_post_tagging($itm[0]['body']),
'$post_id' => $post_id, '$post_id' => $post_id,
'$parent' => (($itm[0]['parent'] != $itm[0]['id']) ? $itm[0]['parent'] : ''),
'$baseurl' => $a->get_baseurl(), '$baseurl' => $a->get_baseurl(),
'$defloc' => $channel['channel_location'], '$defloc' => $channel['channel_location'],
'$visitor' => false, '$visitor' => false,

15
mod/item.php
View File

@ -452,8 +452,6 @@ function item_post(&$a) {
} }
} }
$post_type = notags(trim($_REQUEST['type']));
$mimetype = notags(trim($_REQUEST['mimetype'])); $mimetype = notags(trim($_REQUEST['mimetype']));
if(! $mimetype) if(! $mimetype)
$mimetype = 'text/bbcode'; $mimetype = 'text/bbcode';
@ -659,8 +657,19 @@ function item_post(&$a) {
$item_unseen = 1; $item_unseen = 1;
if($post_type === 'wall' || $post_type === 'wall-comment')
// determine if this is a wall post
if($parent) {
if($parent_item['item_flags'] & ITEM_WALL) {
$item_flags = $item_flags | ITEM_WALL; $item_flags = $item_flags | ITEM_WALL;
}
}
else {
if(! $webpage) {
$item_flags = $item_flags | ITEM_WALL;
}
}
if($origin) if($origin)
$item_flags = $item_flags | ITEM_ORIGIN; $item_flags = $item_flags | ITEM_ORIGIN;

2
version.inc
View File

@ -1 +1 @@
2015-05-19.1037 2015-05-20.1038

3
view/tpl/jot.tpl
View File

@ -1,5 +1,8 @@
<div id="profile-jot-wrapper"> <div id="profile-jot-wrapper">
<form id="profile-jot-form" action="{{$action}}" method="post"> <form id="profile-jot-form" action="{{$action}}" method="post">
{{if $parent}}
<input type="hidden" name="parent" value="{{$parent}}" />
{{/if}}
<input type="hidden" name="type" value="{{$ptyp}}" /> <input type="hidden" name="type" value="{{$ptyp}}" />
<input type="hidden" name="profile_uid" value="{{$profile_uid}}" /> <input type="hidden" name="profile_uid" value="{{$profile_uid}}" />
<input type="hidden" name="return" value="{{$return_path}}" /> <input type="hidden" name="return" value="{{$return_path}}" />