harukin/core
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

strip hard-wired zids from posted links as they will have the wrong identity when somebody tries to view the link

Browse Source
This commit is contained in:
friendica 2014-02-16 14:13:26 -08:00
parent d9e4f63466
commit ebd52368bb
6 changed files with 20 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
include/items.php
View File

@ -145,7 +145,9 @@ function can_comment_on_post($observer_xchan,$item) {
* @function red_zrl_callback * @function red_zrl_callback
* preg_match function when fixing 'naked' links in mod item.php * preg_match function when fixing 'naked' links in mod item.php
* Check if we've got a hubloc for the site and use a zrl if we do, a url if we don't. * Check if we've got a hubloc for the site and use a zrl if we do, a url if we don't.
* * Remove any existing zid= param which may have been pasted by mistake - and will have
* the author's credentials. zid's are dynamic and can't really be passed around like
* that.
*/ */
@ -159,6 +161,13 @@ function red_zrl_callback($matches) {
if($r) if($r)
$zrl = true; $zrl = true;
} }
$t = strip_zids($matches[2]);
if($t !== $matches[2]) {
$zrl = true;
$matches[2] = $t;
}
if($matches[1] === '#^') if($matches[1] === '#^')
$matches[1] = ''; $matches[1] = '';
if($zrl) if($zrl)

5
include/text.php
View File

@ -621,6 +621,11 @@ function get_tags($s) {
} }
function strip_zids($s) {
return preg_replace('/[\?&]zid=(.*?)(&|$)/ism','$2',$s);
}
// quick and dirty quoted_printable encoding // quick and dirty quoted_printable encoding

2
index.php
View File

@ -92,7 +92,7 @@ if((x($_SESSION,'language')) && ($_SESSION['language'] !== $lang)) {
} }
if((x($_GET,'zid')) && (! $a->install)) { if((x($_GET,'zid')) && (! $a->install)) {
$a->query_string = preg_replace('/[\?&]zid=(.*?)([\?&]|$)/is','',$a->query_string); $a->query_string = strip_zids($a->query_string);
if(! local_user()) { if(! local_user()) {
$_SESSION['my_address'] = $_GET['zid']; $_SESSION['my_address'] = $_GET['zid'];
zid_init($a); zid_init($a);

4
mod/cloud.php
View File

@ -73,11 +73,11 @@ function cloud_init(&$a) {
$_SERVER['QUERY_STRING'] = str_replace(array('?f=','&f='),array('',''),$_SERVER['QUERY_STRING']); $_SERVER['QUERY_STRING'] = str_replace(array('?f=','&f='),array('',''),$_SERVER['QUERY_STRING']);
$_SERVER['QUERY_STRING'] = preg_replace('/[\?&]zid=(.*?)([\?&]|$)/ism','',$_SERVER['QUERY_STRING']); $_SERVER['QUERY_STRING'] = strip_zids($_SERVER['QUERY_STRING']);
$_SERVER['QUERY_STRING'] = preg_replace('/[\?&]davguest=(.*?)([\?&]|$)/ism','',$_SERVER['QUERY_STRING']); $_SERVER['QUERY_STRING'] = preg_replace('/[\?&]davguest=(.*?)([\?&]|$)/ism','',$_SERVER['QUERY_STRING']);
$_SERVER['REQUEST_URI'] = str_replace(array('?f=','&f='),array('',''),$_SERVER['REQUEST_URI']); $_SERVER['REQUEST_URI'] = str_replace(array('?f=','&f='),array('',''),$_SERVER['REQUEST_URI']);
$_SERVER['REQUEST_URI'] = preg_replace('/[\?&]zid=(.*?)([\?&]|$)/ism','',$_SERVER['REQUEST_URI']); $_SERVER['REQUEST_URI'] = strip_zids($_SERVER['REQUEST_URI']);
$_SERVER['REQUEST_URI'] = preg_replace('/[\?&]davguest=(.*?)([\?&]|$)/ism','',$_SERVER['REQUEST_URI']); $_SERVER['REQUEST_URI'] = preg_replace('/[\?&]davguest=(.*?)([\?&]|$)/ism','',$_SERVER['REQUEST_URI']);
$rootDirectory = new RedDirectory('/',$auth); $rootDirectory = new RedDirectory('/',$auth);

8
mod/item.php
View File

@ -423,19 +423,13 @@ function item_post(&$a) {
/** /**
* fix naked links by passing through a callback to see if this is a red site * fix naked links by passing through a callback to see if this is a red site
* (already known to us) which will get a zrl, otherwise link with url, add bookmark tag to both. * (already known to us) which will get a zrl, otherwise link with url, add bookmark tag to both.
* First wrap any url which is part of link anchor text already in quotes so we don't double link it. * First protect any url inside certain bbcode tags so we don't double link it.
* e.g. [url=http://foobar.com]something with http://elsewhere.com in it[/url]
* becomes [url=http://foobar.com]something with "http://elsewhere.com" in it[/url]
* otherwise http://elsewhere.com becomes #^[url=http://elsewhere.com]http://elsewhere.com[/url]
*/ */
$body = preg_replace_callback('/\[code(.*?)\[\/(code)\]/ism','red_escape_codeblock',$body); $body = preg_replace_callback('/\[code(.*?)\[\/(code)\]/ism','red_escape_codeblock',$body);
$body = preg_replace_callback('/\[url(.*?)\[\/(url)\]/ism','red_escape_codeblock',$body); $body = preg_replace_callback('/\[url(.*?)\[\/(url)\]/ism','red_escape_codeblock',$body);
$body = preg_replace_callback('/\[zrl(.*?)\[\/(zrl)\]/ism','red_escape_codeblock',$body); $body = preg_replace_callback('/\[zrl(.*?)\[\/(zrl)\]/ism','red_escape_codeblock',$body);
// no longer needed
// $body = preg_replace_callback('/\[([uz])rl(.*?)\](.*?)(https?\:\/\/[a-zA-Z0-9\:\/\-\?\&\;\.\=\@\_\~\#\%\$\!\+\,]+)(.*?)\[\/([uz])rl\]/ism','red_escape_zrl_callback',$body);
$body = preg_replace_callback("/([^\]\='".'"'."]|^|\#\^)(https?\:\/\/[a-zA-Z0-9\:\/\-\?\&\;\.\=\@\_\~\#\%\$\!\+\,]+)/ism", 'red_zrl_callback', $body); $body = preg_replace_callback("/([^\]\='".'"'."]|^|\#\^)(https?\:\/\/[a-zA-Z0-9\:\/\-\?\&\;\.\=\@\_\~\#\%\$\!\+\,]+)/ism", 'red_zrl_callback', $body);
$body = preg_replace_callback('/\[\$b64zrl(.*?)\[\/(zrl)\]/ism','red_unescape_codeblock',$body); $body = preg_replace_callback('/\[\$b64zrl(.*?)\[\/(zrl)\]/ism','red_unescape_codeblock',$body);

2
version.inc
View File

@ -1 +1 @@
2014-02-14.588 2014-02-16.590