harukin/core
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'upstream/master'

Browse Source
This commit is contained in:
Thomas Willingham
2013-08-14 20:44:17 +01:00
parent 94335f237f de4e4c5ebd
commit a0dfd44f91
27 changed files with 1330 additions and 519 deletions
Download Patch File Download Diff File Expand all files Collapse all files

25
include/Contact.php
View File

@@ -1,6 +1,31 @@
<?php /** @file */
function rconnect_url($channel_id,$xchan) {
if(! $xchan)
return '';
$r = q("select abook_id from abook where abook_channel = %d and abook_xchan = '%s' limit 1",
intval($channel_id),
dbesc($xchan)
);
if($r)
return '';
$r = q("select hubloc_url from hubloc where hubloc_hash = '%s' and ( hubloc_flags & %d ) limit 1",
dbesc($xchan),
intval(HUBLOC_FLAGS_PRIMARY)
);
if($r)
return $r[0]['hubloc_url'];
return '';
}
function abook_connections($channel_id, $sql_conditions = '') {
$r = q("select * from abook left join xchan on abook_xchan = xchan_hash where abook_channel = %d
and not ( abook_flags & %d ) $sql_conditions",

1
include/account.php
View File

@@ -6,6 +6,7 @@ require_once('include/plugin.php');
require_once('include/text.php');
require_once('include/language.php');
require_once('include/datetime.php');
require_once('include/crypto.php');
function check_account_email($email) {

81
include/items.php
View File

@@ -1342,7 +1342,7 @@ function encode_rel_links($links) {
return xmlify($o);
}
function item_store($arr,$force_parent = false) {
function item_store($arr,$allow_exec = false) {
if(! $arr['uid']) {
logger('item_store: no uid');
@@ -1357,6 +1357,13 @@ function item_store($arr,$force_parent = false) {
unset($arr['parent']);
$arr['mimetype'] = ((x($arr,'mimetype')) ? notags(trim($arr['mimetype'])) : 'text/bbcode');
if(($arr['mimetype'] == 'application/x-php') && (! $allow_exec)) {
logger('item_store: php mimetype but allow_exec is denied.');
return 0;
}
$arr['title'] = ((x($arr,'title')) ? notags(trim($arr['title'])) : '');
$arr['body'] = ((x($arr,'body')) ? trim($arr['body']) : '');
@@ -1369,7 +1376,7 @@ function item_store($arr,$force_parent = false) {
// this is a bit messy - we really need an input filter chain that temporarily undoes obscuring
if($arr['mimetype'] != 'text/html') {
if($arr['mimetype'] != 'text/html' && $arr['mimetype'] != 'application/x-php') {
if((strpos($arr['body'],'<') !== false) || (strpos($arr['body'],'>') !== false))
$arr['body'] = escape_tags($arr['body']);
if((strpos($arr['title'],'<') !== false) || (strpos($arr['title'],'>') !== false))
@@ -1665,7 +1672,7 @@ function item_store($arr,$force_parent = false) {
function item_store_update($arr,$force_parent = false) {
function item_store_update($arr,$allow_exec = false) {
if(! intval($arr['uid'])) {
logger('item_store_update: no uid');
@@ -1696,24 +1703,35 @@ function item_store_update($arr,$force_parent = false) {
$arr = $translate['item'];
}
$arr['mimetype'] = ((x($arr,'mimetype')) ? notags(trim($arr['mimetype'])) : 'text/bbcode');
if(($arr['mimetype'] == 'application/x-php') && (! $allow_exec)) {
logger('item_store: php mimetype but allow_exec is denied.');
return 0;
}
// Shouldn't happen but we want to make absolutely sure it doesn't leak from a plugin.
if((strpos($arr['body'],'<') !== false) || (strpos($arr['body'],'>') !== false))
$arr['body'] = escape_tags($arr['body']);
if($arr['mimetype'] != 'text/html' && $arr['mimetype'] != 'application/x-php') {
if((x($arr,'object')) && is_array($arr['object'])) {
activity_sanitise($arr['object']);
$arr['object'] = json_encode($arr['object']);
}
if((strpos($arr['body'],'<') !== false) || (strpos($arr['body'],'>') !== false))
$arr['body'] = escape_tags($arr['body']);
if((x($arr,'target')) && is_array($arr['target'])) {
activity_sanitise($arr['target']);
$arr['target'] = json_encode($arr['target']);
}
if((x($arr,'object')) && is_array($arr['object'])) {
activity_sanitise($arr['object']);
$arr['object'] = json_encode($arr['object']);
}
if((x($arr,'attach')) && is_array($arr['attach'])) {
activity_sanitise($arr['attach']);
$arr['attach'] = json_encode($arr['attach']);
if((x($arr,'target')) && is_array($arr['target'])) {
activity_sanitise($arr['target']);
$arr['target'] = json_encode($arr['target']);
}
if((x($arr,'attach')) && is_array($arr['attach'])) {
activity_sanitise($arr['attach']);
$arr['attach'] = json_encode($arr['attach']);
}
}
$orig = q("select * from item where id = %d and uid = %d limit 1",
@@ -1740,7 +1758,6 @@ function item_store_update($arr,$force_parent = false) {
$arr['commented'] = datetime_convert();
$arr['received'] = datetime_convert();
$arr['changed'] = datetime_convert();
$arr['mimetype'] = ((x($arr,'mimetype')) ? notags(trim($arr['mimetype'])) : 'text/bbcode');
$arr['title'] = ((x($arr,'title')) ? notags(trim($arr['title'])) : '');
$arr['location'] = ((x($arr,'location')) ? notags(trim($arr['location'])) : '');
$arr['coord'] = ((x($arr,'coord')) ? notags(trim($arr['coord'])) : '');
@@ -2692,7 +2709,7 @@ function consume_feed($xml,$importer,&$contact, &$hub, $datedir = 0, $pass = 0)
}
}
$r = item_store($datarray,$force_parent);
$r = item_store($datarray);
continue;
}
@@ -3127,21 +3144,28 @@ function item_expire($uid,$days) {
// and just expire conversations started by others
$expire_network_only = get_pconfig($uid,'expire','network_only');
$sql_extra = ((intval($expire_network_only)) ? " AND wall = 0 " : "");
$sql_extra = ((intval($expire_network_only)) ? " AND not (item_flags & " . intval(ITEM_WALL) . ") " : "");
$r = q("SELECT * FROM `item`
WHERE `uid` = %d
AND `created` < UTC_TIMESTAMP() - INTERVAL %d DAY
AND `id` = `parent`
$sql_extra
AND `deleted` = 0",
AND NOT (item_restrict & %d )
AND NOT (item_restrict & %d )
AND NOT (item_restrict & %d ) ",
intval($uid),
intval($days)
intval($days),
intval(ITEM_DELETED),
intval(ITEM_WEBPAGE),
intval(ITEM_BUILDBLOCK)
);
if(! count($r))
if(! $r)
return;
$r = fetch_post_tags($r,true);
$expire_items = get_pconfig($uid, 'expire','items');
$expire_items = (($expire_items===false)?1:intval($expire_items)); // default if not set: 1
@@ -3158,20 +3182,19 @@ function item_expire($uid,$days) {
foreach($r as $item) {
// don't expire filed items
if(strpos($item['file'],'[') !== false)
$terms = get_terms_oftype($item['term'],TERM_FILE);
if($terms)
continue;
// Only expire posts, not photos and photo comments
if($expire_photos==0 && strlen($item['resource_id']))
if($expire_photos==0 && ($item['resource_type'] === 'photo'))
continue;
if($expire_starred==0 && intval($item['starred']))
continue;
if($expire_notes==0 && $item['type']=='note')
continue;
if($expire_items==0 && $item['type']!='note')
if($expire_starred==0 && ($item['item_flags'] & ITEM_STARRED))
continue;
drop_item($item['id'],false);

258
include/menu.php Normal file
View File

@@ -0,0 +1,258 @@
<?php /** @file */
require_once('include/security.php');
function menu_fetch($name,$uid,$observer_xchan) {
$sql_options = permissions_sql($uid);
$r = q("select * from menu where menu_channel_id = %d and menu_name = '%s' limit 1",
intval($uid),
dbesc($name)
);
if($r) {
$x = q("select * from menu_item where mitem_menu_id = %d and mitem_channel_id = %d
$sql_options
order by mitem_order asc, mitem_desc asc",
intval($r[0]['menu_id']),
intval($uid)
);
return array('menu' => $r[0], 'items' => $x );
}
return null;
}
function menu_render($menu) {
if(! $menu)
return '';
for($x = 0; $x < count($menu['items']); $x ++)
if($menu['items']['mitem_flags'] & MENU_ITEM_ZID)
$menu['items']['mitem_link'] = zid($menu['items']['mitem_link']);
if($menu['items']['mitem_flags'] & MENU_ITEM_NEWWIN)
$menu['items']['newwin'] = '1';
return replace_macros(get_markup_template('usermenu.tpl'),array(
'$menu' => $menu['menu'],
'$items' => $menu['items']
));
}
function menu_fetch_id($menu_id,$channel_id) {
$r = q("select * from menu where menu_id = %d and menu_channel_id = %d limit 1",
intval($menu_id),
intval($channel_id)
);
return (($r) ? $r[0] : false);
}
function menu_create($arr) {
$menu_name = trim(escape_tags($arr['menu_name']));
$menu_desc = trim(escape_tags($arr['menu_desc']));
if(! $menu_desc)
$menu_desc = $menu_name;
if(! $menu_name)
return false;
$menu_channel_id = intval($arr['menu_channel_id']);
$r = q("select * from menu where menu_name = '%s' and menu_channel_id = %d limit 1",
dbesc($menu_name),
intval($menu_channel_id)
);
if($r)
return false;
$r = q("insert into menu ( menu_name, menu_desc, menu_channel_id )
values( '%s', '%s', %d )",
dbesc($menu_name),
dbesc($menu_desc),
intval($menu_channel_id)
);
if(! $r)
return false;
$r = q("select menu_id from menu where menu_name = '%s' and menu_channel_id = %d limit 1",
dbesc($menu_name),
intval($menu_channel_id)
);
if($r)
return $r[0]['menu_id'];
return false;
}
function menu_list($channel_id) {
$r = q("select * from menu where menu_channel_id = %d order by menu_name",
intval($channel_id)
);
return $r;
}
function menu_edit($arr) {
$menu_id = intval($arr['menu_id']);
$menu_name = trim(escape_tags($arr['menu_name']));
$menu_desc = trim(escape_tags($arr['menu_desc']));
if(! $menu_desc)
$menu_desc = $menu_name;
if(! $menu_name)
return false;
$r = q("select menu_id from menu where menu_name = '%s' and menu_channel_id = %d limit 1",
dbesc($menu_name),
intval($menu_channel_id)
);
if(($r) && ($r[0]['menu_id'] != $menu_id)) {
logger('menu_edit: duplicate menu name for channel ' . $menu_channel_id);
return false;
}
$menu_channel_id = intval($arr['menu_channel_id']);
$r = q("select * from menu where menu_id = %d and menu_channel_id = %d limit 1",
intval($menu_id),
intval($menu_channel_id)
);
if(! $r) {
logger('menu_edit: not found: ' . print_r($arr,true));
return false;
}
$r = q("select * from menu where menu_name = '%s' and menu_channel_id = %d limit 1",
dbesc($menu_name),
intval($menu_channel_id)
);
if($r)
return false;
return q("update menu set menu_name = '%s', menu_desc = '%s'
where menu_id = %d and menu_channel_id = %d limit 1",
dbesc($menu_name),
dbesc($menu_desc),
intval($menu_id),
intval($menu_channel_id)
);
}
function menu_delete($menu_name, $uid) {
$r = q("select menu_id from menu where menu_name = '%s' and menu_channel_id = %d limit 1",
dbesc($menu_name),
intval($uid)
);
if($r)
return menu_delete_id($r[0]['menu_id'],$uid);
return false;
}
function menu_delete_id($menu_id, $uid) {
$r = q("select menu_id from menu where menu_id = %d and menu_channel_id = %d limit 1",
intval($menu_id),
intval($uid)
);
if($r) {
$x = q("delete from menu_item where mitem_menu_id = %d and mitem_channel_id = %d",
intval($menu_id),
intval($uid)
);
return q("delete from menu where menu_id = %d and menu_channel_id = %d limit 1",
intval($menu_id),
intval($uid)
);
}
return false;
}
function menu_add_item($menu_id, $uid, $arr) {
$mitem_link = escape_tags($arr['mitem_link']);
$mitem_desc = escape_tags($arr['mitem_desc']);
$mitem_order = intval($arr['mitem_order']);
$mitem_flags = intval($arr['mitem_flags']);
$allow_cid = perms2str($arr['allow_cid']);
$allow_gid = perms2str($arr['allow_gid']);
$deny_cid = perms2str($arr['deny_cid']);
$deny_gid = perms2str($arr['deny_gid']);
$r = q("insert into menu_item ( mitem_link, mitem_desc, mitem_flags, allow_cid, allow_gid, deny_cid, deny_gid, mitem_channel_id, mitem_menu_id, mitem_order ) values ( '%s', '%s', %d, '%s', '%s', '%s', '%s', %d, %d, %d ) ",
dbesc($mitem_link),
dbesc($mitem_desc),
intval($mitem_flags),
dbesc($allow_cid),
dbesc($allow_gid),
dbesc($deny_cid),
dbesc($deny_gid),
intval($uid),
intval($menu_id),
intval($mitem_order)
);
return $r;
}
function menu_edit_item($menu_id, $uid, $arr) {
$mitem_id = intval($arr['mitem_id']);
$mitem_link = escape_tags($arr['mitem_link']);
$mitem_desc = escape_tags($arr['mitem_desc']);
$mitem_order = intval($arr['mitem_order']);
$mitem_flags = intval($arr['mitem_flags']);
$allow_cid = perms2str($arr['allow_cid']);
$allow_gid = perms2str($arr['allow_gid']);
$deny_cid = perms2str($arr['deny_cid']);
$deny_gid = perms2str($arr['deny_gid']);
$r = q("update menu_item set mitem_link = '%s', mitem_desc = '%s', mitem_flags = %d, allow_cid = '%s', allow_gid = '%s', deny_cid = '%s', deny_gid = '%s', mitem_order = %d where mitem_channel_id = %d and mitem_menu_id = %d and mitem_id = %d limit 1",
dbesc($mitem_link),
dbesc($mitem_desc),
intval($mitem_flags),
dbesc($allow_cid),
dbesc($allow_gid),
dbesc($deny_cid),
dbesc($deny_gid),
intval($mitem_order),
intval($uid),
intval($menu_id),
intval($mitem_id)
);
return $r;
}
function menu_del_item($menu_id,$uid,$item_id) {
$r = q("delete from menu_item where mitem_menu_id = %d and mitem_channel_id = %d and mitem_id = %d limit 1",
intval($menu_id),
intval($uid),
intval($item_id)
);
return $r;
}

5
include/notifier.php
View File

@@ -241,6 +241,11 @@ function notifier_run($argv, $argc){
return;
}
if($target_item['item_restrict'] & ITEM_BUILDBLOCK) {
logger('notifier: target item ITEM_BUILDBLOCK', LOGGER_DEBUG);
return;
}
$s = q("select * from channel where channel_id = %d limit 1",
intval($target_item['uid'])

16
include/text.php
View File

@@ -1142,6 +1142,22 @@ function prepare_text($text,$content_type = 'text/bbcode') {
$s = Markdown($text);
break;
// No security checking is done here at display time - so we need to verify
// that the author is allowed to use PHP before storing. We also cannot allow
// importation of PHP text bodies from other sites. Therefore this content
// type is only valid for web pages (and profile details).
// It may be possible to provide a PHP message body which is evaluated on the
// sender's site before sending it elsewhere. In that case we will have a
// different content-type here.
case 'application/x-php':
ob_start();
eval($text);
$s = ob_get_contents();
ob_end_clean();
break;
case 'text/bbcode':
case '':
default:

9
include/zot.php
View File

@@ -583,9 +583,14 @@ function import_xchan($arr) {
intval(HUBLOC_FLAGS_PRIMARY),
intval($r[0]['hubloc_id'])
);
update_modtime($xchan_hash);
$changed = true;
}
update_modtime($xchan_hash);
$changed = true;
continue;
}
if(! $location['sitekey']) {
logger('import_xchan: empty hubloc sitekey. ' . print_r($location,true));
continue;
}