reduce susceptibility to bleichenberger attack

boot.php

@@ -1176,6 +1176,7 @@ function check_config(&$a) {
 		// our URL changed. Do something.
 
 		$oldurl = hex2bin($saved);
+		logger('Baseurl changed!');
 		
 		$oldhost = substr($oldurl,strpos($oldurl,'//')+2);
 		$host = substr(z_root(),strpos(z_root(),'//')+2);

include/text.php

@@ -1312,7 +1312,7 @@ function get_plink($item) {
 	$a = get_app();	
 	if (x($item,'plink') && ($item['item_private'] != 1)) {
 		return array(
-			'href' => $item['plink'],
+			'href' => zid($item['plink']),
 			'title' => t('link to source'),
 		);
 	} 

mod/post.php

@@ -174,18 +174,30 @@ function post_post(&$a) {
 	if(array_key_exists('iv',$data)) {
 		$data = aes_unencapsulate($data,get_config('system','prvkey'));
 		logger('mod_zot: decrypt1: ' . $data, LOGGER_DATA);
-		if(! $data) {
+
-			$ret['message'] = 'Decryption failed.';
+//	susceptible to Bleichenberger attack
-			json_return_and_die($ret);
+//		if(! $data) {
-		}
+//			$ret['message'] = 'Decryption failed.';
+//			json_return_and_die($ret);
+//		}
 
 		$data = json_decode($data,true);
 
 	}
 
 	if(! $data) {
-		$ret['message'] = 'No data received.';
+
-		json_return_and_die($ret);
+		// possible Bleichenberger attack, just treat it as a 
+		// message we have no handler for. It should fail a bit 
+		// further along with "no hub". Our public key is public
+		// knowledge. There's no reason why anybody should get the 
+		// encryption wrong unless they're fishing or hacking. If 
+		// they're developing and made a goof, this can be discovered 
+		// in the logs of the destination site. If they're fishing or 
+		// hacking, the bottom line is we can't verify their hub. 
+		// That's all we're going to tell them.
+
+		$data = array('type' => 'bogus');
 	}
 
 	logger('mod_zot: decoded data: ' . print_r($data,true), LOGGER_DATA);

version.inc

@@ -1 +1 @@
-2013-09-23.445
+2013-09-24.446