harukin/core
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

important bits we need to allow php executable content. These must be explicitly allowed - but only if the account has ACCOUNT_ROLE_ALLOWCODE and *only* for web pages and profile fields. This content cannot be transmitted to other sites.

Browse Source
This commit is contained in:
friendica 2013-08-11 16:56:06 -07:00
parent 5aa508dba7
commit d7a9db1088
3 changed files with 53 additions and 20 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
boot.php
View File

@ -435,7 +435,7 @@ define ( 'ACCOUNT_PENDING', 0x0010 );
*/ */
define ( 'ACCOUNT_ROLE_ADMIN', 0x1000 ); define ( 'ACCOUNT_ROLE_ADMIN', 0x1000 );
define ( 'ACCOUNT_ROLE_ALLOWCODE', 0x0001 );
/** /**
* Item visibility * Item visibility

27
include/items.php
View File

@ -1342,7 +1342,7 @@ function encode_rel_links($links) {
return xmlify($o); return xmlify($o);
} }
function item_store($arr,$force_parent = false) { function item_store($arr,$allow_exec = false) {
if(! $arr['uid']) { if(! $arr['uid']) {
logger('item_store: no uid'); logger('item_store: no uid');
@ -1357,6 +1357,13 @@ function item_store($arr,$force_parent = false) {
unset($arr['parent']); unset($arr['parent']);
$arr['mimetype'] = ((x($arr,'mimetype')) ? notags(trim($arr['mimetype'])) : 'text/bbcode'); $arr['mimetype'] = ((x($arr,'mimetype')) ? notags(trim($arr['mimetype'])) : 'text/bbcode');
if(($arr['mimetype'] == 'application/x-php') && (! $allow_exec)) {
logger('item_store: php mimetype but allow_exec is denied.');
return 0;
}
$arr['title'] = ((x($arr,'title')) ? notags(trim($arr['title'])) : ''); $arr['title'] = ((x($arr,'title')) ? notags(trim($arr['title'])) : '');
$arr['body'] = ((x($arr,'body')) ? trim($arr['body']) : ''); $arr['body'] = ((x($arr,'body')) ? trim($arr['body']) : '');
@ -1369,7 +1376,7 @@ function item_store($arr,$force_parent = false) {
// this is a bit messy - we really need an input filter chain that temporarily undoes obscuring // this is a bit messy - we really need an input filter chain that temporarily undoes obscuring
if($arr['mimetype'] != 'text/html') { if($arr['mimetype'] != 'text/html' && $arr['mimetype'] != 'application/x-php') {
if((strpos($arr['body'],'<') !== false) || (strpos($arr['body'],'>') !== false)) if((strpos($arr['body'],'<') !== false) || (strpos($arr['body'],'>') !== false))
$arr['body'] = escape_tags($arr['body']); $arr['body'] = escape_tags($arr['body']);
if((strpos($arr['title'],'<') !== false) || (strpos($arr['title'],'>') !== false)) if((strpos($arr['title'],'<') !== false) || (strpos($arr['title'],'>') !== false))
@ -1665,7 +1672,7 @@ function item_store($arr,$force_parent = false) {
function item_store_update($arr,$force_parent = false) { function item_store_update($arr,$allow_exec = false) {
if(! intval($arr['uid'])) { if(! intval($arr['uid'])) {
logger('item_store_update: no uid'); logger('item_store_update: no uid');
@ -1696,8 +1703,18 @@ function item_store_update($arr,$force_parent = false) {
$arr = $translate['item']; $arr = $translate['item'];
} }
$arr['mimetype'] = ((x($arr,'mimetype')) ? notags(trim($arr['mimetype'])) : 'text/bbcode');
if(($arr['mimetype'] == 'application/x-php') && (! $allow_exec)) {
logger('item_store: php mimetype but allow_exec is denied.');
return 0;
}
// Shouldn't happen but we want to make absolutely sure it doesn't leak from a plugin. // Shouldn't happen but we want to make absolutely sure it doesn't leak from a plugin.
if($arr['mimetype'] != 'text/html' && $arr['mimetype'] != 'application/x-php') {
if((strpos($arr['body'],'<') !== false) || (strpos($arr['body'],'>') !== false)) if((strpos($arr['body'],'<') !== false) || (strpos($arr['body'],'>') !== false))
$arr['body'] = escape_tags($arr['body']); $arr['body'] = escape_tags($arr['body']);
@ -1715,6 +1732,7 @@ function item_store_update($arr,$force_parent = false) {
activity_sanitise($arr['attach']); activity_sanitise($arr['attach']);
$arr['attach'] = json_encode($arr['attach']); $arr['attach'] = json_encode($arr['attach']);
} }
}
$orig = q("select * from item where id = %d and uid = %d limit 1", $orig = q("select * from item where id = %d and uid = %d limit 1",
intval($orig_post_id), intval($orig_post_id),
@ -1740,7 +1758,6 @@ function item_store_update($arr,$force_parent = false) {
$arr['commented'] = datetime_convert(); $arr['commented'] = datetime_convert();
$arr['received'] = datetime_convert(); $arr['received'] = datetime_convert();
$arr['changed'] = datetime_convert(); $arr['changed'] = datetime_convert();
$arr['mimetype'] = ((x($arr,'mimetype')) ? notags(trim($arr['mimetype'])) : 'text/bbcode');
$arr['title'] = ((x($arr,'title')) ? notags(trim($arr['title'])) : ''); $arr['title'] = ((x($arr,'title')) ? notags(trim($arr['title'])) : '');
$arr['location'] = ((x($arr,'location')) ? notags(trim($arr['location'])) : ''); $arr['location'] = ((x($arr,'location')) ? notags(trim($arr['location'])) : '');
$arr['coord'] = ((x($arr,'coord')) ? notags(trim($arr['coord'])) : ''); $arr['coord'] = ((x($arr,'coord')) ? notags(trim($arr['coord'])) : '');
@ -2692,7 +2709,7 @@ function consume_feed($xml,$importer,&$contact, &$hub, $datedir = 0, $pass = 0)
} }
} }
$r = item_store($datarray,$force_parent); $r = item_store($datarray);
continue; continue;
} }

16
include/text.php
View File

@ -1142,6 +1142,22 @@ function prepare_text($text,$content_type = 'text/bbcode') {
$s = Markdown($text); $s = Markdown($text);
break; break;
// No security checking is done here at display time - so we need to verify
// that the author is allowed to use PHP before storing. We also cannot allow
// importation of PHP text bodies from other sites. Therefore this content
// type is only valid for web pages (and profile details).
// It may be possible to provide a PHP message body which is evaluated on the
// sender's site before sending it elsewhere. In that case we will have a
// different content-type here.
case 'application/x-php':
ob_start();
eval($text);
$s = ob_get_contents();
ob_end_clean();
break;
case 'text/bbcode': case 'text/bbcode':
case '': case '':
default: default: