harukin/core
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

plug potential hole in magic auth, add link to chanview to view in dedicated window

Browse Source
This commit is contained in:
friendica 2013-01-23 16:06:01 -08:00
parent 0b18dd15c5
commit f63997f618
9 changed files with 77 additions and 39 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
include/Contact.php
View File

@ -1,7 +1,7 @@
<?php <?php
function vcard_from_xchan($xchan) { function vcard_from_xchan($xchan, $observer = null, $mode = '') {
$connect = false; $connect = false;
if(local_user()) { if(local_user()) {
@ -13,11 +13,19 @@ function vcard_from_xchan($xchan) {
$connect = t('Connect'); $connect = t('Connect');
} }
$url = (($observer)
? z_root() . '/magic?f=&dest=' . $xchan['xchan_url'] . '&addr=' . $xchan['xchan_addr']
: $xchan['xchan_url']
);
return replace_macros(get_markup_template('xchan_vcard.tpl'),array( return replace_macros(get_markup_template('xchan_vcard.tpl'),array(
'$name' => $xchan['xchan_name'], '$name' => $xchan['xchan_name'],
'$photo' => $xchan['xchan_photo_l'], '$photo' => $xchan['xchan_photo_l'],
'$follow' => $xchan['xchan_addr'], '$follow' => $xchan['xchan_addr'],
'$connect' => $connect '$connect' => $connect,
'$newwin' => (($mode === 'chanview') ? t('New window') : ''),
'$newtit' => t('Open the selected location in a different window or browser tab'),
'$url' => $url,
)); ));
} }

2
mod/chanview.php
View File

@ -76,7 +76,7 @@ function chanview_content(&$a) {
} }
if($xchan['xchan_hash']) if($xchan['xchan_hash'])
$a->set_widget('vcard',vcard_from_xchan($xchan)); $a->set_widget('vcard',vcard_from_xchan($xchan,$observer,'chanview'));
$url = (($observer) $url = (($observer)
? z_root() . '/magic?f=&dest=' . $xchan['xchan_url'] . '&addr=' . $xchan['xchan_addr'] ? z_root() . '/magic?f=&dest=' . $xchan['xchan_url'] . '&addr=' . $xchan['xchan_addr']

2
mod/connections.php
View File

@ -28,7 +28,7 @@ function connections_init(&$a) {
function connections_aside(&$a) { function connections_aside(&$a) {
if(x($a->data,'abook')) { if(x($a->data,'abook')) {
$a->set_widget('vcard',vcard_from_xchan($a->data['abook'])); $a->set_widget('vcard',vcard_from_xchan($a->data['abook'],$a->get_observer()));
} }
else { else {
$a->set_widget('follow', follow_widget()); $a->set_widget('follow', follow_widget());

2
mod/magic.php
View File

@ -85,7 +85,7 @@ function magic_init(&$a) {
dbesc('auth'), dbesc('auth'),
intval($channel['channel_id']), intval($channel['channel_id']),
dbesc($token), dbesc($token),
dbesc($hubloc['hubloc_hash']), dbesc($x[0]['hubloc_hash']),
dbesc(datetime_convert()) dbesc(datetime_convert())
); );

48
mod/post.php
View File

@ -44,7 +44,7 @@ function post_init(&$a) {
); );
if(! $c) { if(! $c) {
logger('mod_zot: auth: unable to find channel ' . $webbie); logger('mod_zot: auth: unable to find channel ' . $webbie);
// They'll get a notice when they hit the page, we don't need two. // They'll get a notice when they hit the page, we don't need two of them.
goaway($desturl); goaway($desturl);
} }
@ -70,14 +70,26 @@ function post_init(&$a) {
// check credentials and access // check credentials and access
// If they are already authenticated and haven't changed credentials,
// we can save an expensive network round trip and improve performance.
$remote = remote_user();
$result = null;
$already_authed = ((($remote) && ($x[0]['hubloc_hash'] == $remote)) ? true : false);
if(! $already_authed) {
// Auth packets MUST use ultra top-secret hush-hush mode // Auth packets MUST use ultra top-secret hush-hush mode
$p = zot_build_packet($c[0],$type = 'auth_check',
$p = zot_build_packet($c[0],$type = 'auth_check',array(array('guid' => $x[0]['hubloc_guid'],'guid_sig' => $x[0]['hubloc_guid_sig'])), $x[0]['hubloc_sitekey'], $sec); array(array('guid' => $x[0]['hubloc_guid'],'guid_sig' => $x[0]['hubloc_guid_sig'])),
$x[0]['hubloc_sitekey'], $sec);
$result = zot_zot($x[0]['hubloc_callback'],$p); $result = zot_zot($x[0]['hubloc_callback'],$p);
if(! $result['success'])
if($result['success']) { goaway($desturl);
$j = json_decode($result['body'],true); $j = json_decode($result['body'],true);
if($j['result']) { }
if($already_authed || $j['result']) {
// everything is good... maybe // everything is good... maybe
if(local_user()) { if(local_user()) {
notice( t('Remote authentication blocked. You are logged into this site locally. Please logout and retry') . EOL); notice( t('Remote authentication blocked. You are logged into this site locally. Please logout and retry') . EOL);
@ -91,12 +103,6 @@ function post_init(&$a) {
$a->set_groups(init_groups_visitor($_SESSION['visitor_id'])); $a->set_groups(init_groups_visitor($_SESSION['visitor_id']));
info(sprintf( t('Welcome %s. Remote authentication successful.'),$x[0]['xchan_name'])); info(sprintf( t('Welcome %s. Remote authentication successful.'),$x[0]['xchan_name']));
} }
}
goaway($desturl); goaway($desturl);
} }
@ -274,13 +280,22 @@ function post_post(&$a) {
$arr = $data['sender']; $arr = $data['sender'];
$sender_hash = base64url_encode(hash('whirlpool',$arr['guid'] . $arr['guid_sig'], true)); $sender_hash = base64url_encode(hash('whirlpool',$arr['guid'] . $arr['guid_sig'], true));
// garbage collect any old unused notifications
q("delete from verify where type = 'auth' and created < UTC_TIMESTAMP() - INTERVAL 10 MINUTE");
$y = q("select xchan_pubkey from xchan where xchan_hash = '%s' limit 1", $y = q("select xchan_pubkey from xchan where xchan_hash = '%s' limit 1",
dbesc($sender_hash) dbesc($sender_hash)
); );
// We created a unique hash in mod/magic.php when we invoked remote auth, and stored it in
// the verify table. It is now coming back to us as 'secret' and is signed by the other site.
// First verify their signature.
if((! $y) || (! rsa_verify($data['secret'],base64url_decode($data['secret_sig']),$y[0]['xchan_pubkey']))) { if((! $y) || (! rsa_verify($data['secret'],base64url_decode($data['secret_sig']),$y[0]['xchan_pubkey']))) {
logger('mod_zot: auth_check: sender not found or secret_sig invalid.'); logger('mod_zot: auth_check: sender not found or secret_sig invalid.');
json_return_and_die($ret); json_return_and_die($ret);
} }
// There should be exactly one recipient
if($data['recipients']) { if($data['recipients']) {
$arr = $data['recipients'][0]; $arr = $data['recipients'][0];
@ -292,9 +307,14 @@ function post_post(&$a) {
logger('mod_zot: auth_check: recipient channel not found.'); logger('mod_zot: auth_check: recipient channel not found.');
json_return_and_die($ret); json_return_and_die($ret);
} }
$z = q("select id from verify where channel = %d and type = 'auth' and token = '%s' limit 1",
// This additionally checks for forged senders since we already stored the expected result in meta
// and we've already verified that this is them via zot_gethub() and that their key signed our token
$z = q("select id from verify where channel = %d and type = 'auth' and token = '%s' and meta = '%s' limit 1",
intval($c[0]['channel_id']), intval($c[0]['channel_id']),
dbesc($data['secret']) dbesc($data['secret']),
dbesc($sender_hash)
); );
if(! $z) { if(! $z) {
logger('mod_zot: auth_check: verification key not found.'); logger('mod_zot: auth_check: verification key not found.');

2
version.inc
View File

@ -1 +1 @@
2013-01-22.208 2013-01-23.209

14
view/tpl/smarty3/jot-header.tpl
View File

@ -134,7 +134,7 @@ function enableOnUser(){
var uploader = new window.AjaxUpload( var uploader = new window.AjaxUpload(
'wall-image-upload', 'wall-image-upload',
{ action: 'wall_upload/{{$nickname}}', { action: '{{$baseurl}}/wall_upload/{{$nickname}}',
name: 'userfile', name: 'userfile',
onSubmit: function(file,ext) { $('#profile-rotator').show(); }, onSubmit: function(file,ext) { $('#profile-rotator').show(); },
onComplete: function(file,response) { onComplete: function(file,response) {
@ -145,7 +145,7 @@ function enableOnUser(){
); );
var file_uploader = new window.AjaxUpload( var file_uploader = new window.AjaxUpload(
'wall-file-upload', 'wall-file-upload',
{ action: 'wall_attach/{{$nickname}}', { action: '{{$baseurl}}/wall_attach/{{$nickname}}',
name: 'userfile', name: 'userfile',
onSubmit: function(file,ext) { $('#profile-rotator').show(); }, onSubmit: function(file,ext) { $('#profile-rotator').show(); },
onComplete: function(file,response) { onComplete: function(file,response) {
@ -181,7 +181,7 @@ function enableOnUser(){
if(reply && reply.length) { if(reply && reply.length) {
reply = bin2hex(reply); reply = bin2hex(reply);
$('#profile-rotator').show(); $('#profile-rotator').show();
$.get('parse_url?binurl=' + reply, function(data) { $.get('{{$baseurl}}/parse_url?binurl=' + reply, function(data) {
addeditortext(data); addeditortext(data);
$('#profile-rotator').hide(); $('#profile-rotator').hide();
}); });
@ -214,7 +214,7 @@ function enableOnUser(){
if ($('#jot-popup').length != 0) $('#jot-popup').show(); if ($('#jot-popup').length != 0) $('#jot-popup').show();
$('#like-rotator-' + id).show(); $('#like-rotator-' + id).show();
$.get('share/' + id, function(data) { $.get('{{$baseurl}}/share/' + id, function(data) {
if (!editor) $("#profile-jot-text").val(""); if (!editor) $("#profile-jot-text").val("");
initEditor(function(){ initEditor(function(){
addeditortext(data); addeditortext(data);
@ -238,7 +238,7 @@ function enableOnUser(){
if(reply && reply.length) { if(reply && reply.length) {
reply = bin2hex(reply); reply = bin2hex(reply);
$('#profile-rotator').show(); $('#profile-rotator').show();
$.get('parse_url?binurl=' + reply, function(data) { $.get('{{$baseurl}}/parse_url?binurl=' + reply, function(data) {
if (!editor) $("#profile-jot-text").val(""); if (!editor) $("#profile-jot-text").val("");
initEditor(function(){ initEditor(function(){
addeditortext(data); addeditortext(data);
@ -257,7 +257,7 @@ function enableOnUser(){
commentBusy = true; commentBusy = true;
$('body').css('cursor', 'wait'); $('body').css('cursor', 'wait');
$.get('tagger/' + id + '?term=' + reply); $.get('{{$baseurl}}/tagger/' + id + '?term=' + reply);
if(timer) clearTimeout(timer); if(timer) clearTimeout(timer);
timer = setTimeout(NavUpdate,3000); timer = setTimeout(NavUpdate,3000);
liking = 1; liking = 1;
@ -284,7 +284,7 @@ function enableOnUser(){
if(reply && reply.length) { if(reply && reply.length) {
commentBusy = true; commentBusy = true;
$('body').css('cursor', 'wait'); $('body').css('cursor', 'wait');
$.get('filer/' + id + '?term=' + reply, NavUpdate); $.get('{{$baseurl}}/filer/' + id + '?term=' + reply, NavUpdate);
// if(timer) clearTimeout(timer); // if(timer) clearTimeout(timer);
// timer = setTimeout(NavUpdate,3000); // timer = setTimeout(NavUpdate,3000);
liking = 1; liking = 1;

5
view/tpl/smarty3/xchan_vcard.tpl
View File

@ -10,6 +10,11 @@
{{if $connect}} {{if $connect}}
<li><a id="follow-link" href="follow?f=&url={{$follow}}">{{$connect}}</a></li> <li><a id="follow-link" href="follow?f=&url={{$follow}}">{{$connect}}</a></li>
{{/if}} {{/if}}
{{if $newwin}}
<li><a id="visit-chan-link" href="{{$url}}" title="{{$newtit}}" target="_blank" >{{$newwin}}</a></li>
{{/if}}
</ul> </ul>
</div> </div>

5
view/tpl/xchan_vcard.tpl
View File

@ -10,6 +10,11 @@
{{ if $connect }} {{ if $connect }}
<li><a id="follow-link" href="follow?f=&url=$follow">$connect</a></li> <li><a id="follow-link" href="follow?f=&url=$follow">$connect</a></li>
{{ endif }} {{ endif }}
{{ if $newwin }}
<li><a id="visit-chan-link" href="$url" title="$newtit" target="_blank" >$newwin</a></li>
{{ endif }}
</ul> </ul>
</div> </div>