Merge remote-tracking branch 'upstream/2021.09-rc' into user-contact

src/Module/Admin/Site.php

@@ -162,6 +162,7 @@ class Site extends BaseAdmin
 		$disable_embedded       = !empty($_POST['disable_embedded']);
 		$allow_users_remote_self = !empty($_POST['allow_users_remote_self']);
 		$explicit_content       = !empty($_POST['explicit_content']);
+		$proxify_content        = !empty($_POST['proxify_content']);
 
 		$enable_multi_reg       = !empty($_POST['enable_multi_reg']);
 		$enable_openid          = !empty($_POST['enable_openid']);
@@ -328,6 +329,7 @@ class Site extends BaseAdmin
 		DI::config()->set('system', 'disable_embedded'       , $disable_embedded);
 		DI::config()->set('system', 'allow_users_remote_self', $allow_users_remote_self);
 		DI::config()->set('system', 'explicit_content'       , $explicit_content);
+		DI::config()->set('system', 'proxify_content'        , $proxify_content);
 		DI::config()->set('system', 'check_new_version_url'  , $check_new_version_url);
 
 		DI::config()->set('system', 'block_extended_register', !$enable_multi_reg);
@@ -551,6 +553,7 @@ class Site extends BaseAdmin
 			'$private_addons'         => ['private_addons', DI::l10n()->t('Disallow public access to addons listed in the apps menu.'), DI::config()->get('config', 'private_addons'), DI::l10n()->t('Checking this box will restrict addons listed in the apps menu to members only.')],
 			'$disable_embedded'       => ['disable_embedded', DI::l10n()->t('Don\'t embed private images in posts'), DI::config()->get('system', 'disable_embedded'), DI::l10n()->t('Don\'t replace locally-hosted private photos in posts with an embedded copy of the image. This means that contacts who receive posts containing private photos will have to authenticate and load each image, which may take a while.')],
 			'$explicit_content'       => ['explicit_content', DI::l10n()->t('Explicit Content'), DI::config()->get('system', 'explicit_content'), DI::l10n()->t('Set this to announce that your node is used mostly for explicit content that might not be suited for minors. This information will be published in the node information and might be used, e.g. by the global directory, to filter your node from listings of nodes to join. Additionally a note about this will be shown at the user registration page.')],
+			'$proxify_content'        => ['proxify_content', DI::l10n()->t('Proxify external content'), DI::config()->get('system', 'proxify_content'), DI::l10n()->t('Route external content via the proxy functionality. This is used for example for some OEmbed accesses and in some other rare cases.')],
 			'$allow_users_remote_self'=> ['allow_users_remote_self', DI::l10n()->t('Allow Users to set remote_self'), DI::config()->get('system', 'allow_users_remote_self'), DI::l10n()->t('With checking this, every user is allowed to mark every contact as a remote_self in the repair contact dialog. Setting this flag on a contact causes mirroring every posting of that contact in the users stream.')],
 			'$enable_multi_reg'       => ['enable_multi_reg', DI::l10n()->t('Enable multiple registrations'), !DI::config()->get('system', 'block_extended_register'), DI::l10n()->t('Enable users to register additional accounts for use as pages.')],
 			'$enable_openid'          => ['enable_openid', DI::l10n()->t('Enable OpenID'), !DI::config()->get('system', 'no_openid'), DI::l10n()->t('Enable OpenID support for registration and logins.')],

src/Module/Api/Mastodon/Statuses.php

@@ -63,7 +63,10 @@ class Statuses extends BaseApi
 		// The imput is defined as text. So we can use Markdown for some enhancements
 		$body = Markdown::toBBCode($request['status']);
 
-		$body = BBCode::expandTags($body);
+		// Avoids potential double expansion of existing links
+		$body = BBCode::performWithEscapedTags($body, ['url'], function ($body) {
+			return BBCode::expandTags($body);
+		});
 
 		$item = [];
 		$item['uid']        = $uid;

src/Module/Contact.php

@@ -59,6 +59,10 @@ class Contact extends BaseModule
 			return;
 		}
 
+		$redirectUrl = $_POST['redirect_url'] ?? 'contact';
+
+		self::checkFormSecurityTokenRedirectOnError($redirectUrl, 'contact_batch_actions');
+
 		$orig_records = Model\Contact::selectToArray(['id', 'uid'], ['id' => $_POST['contact_batch'], 'uid' => [0, local_user()], 'self' => false, 'deleted' => false]);
 
 		$count_actions = 0;
@@ -93,7 +97,7 @@ class Contact extends BaseModule
 			info(DI::l10n()->tt('%d contact edited.', '%d contacts edited.', $count_actions));
 		}
 
-		DI::baseUrl()->redirect($_POST['redirect_url'] ?? 'contact');
+		DI::baseUrl()->redirect($redirectUrl);
 	}
 
 	public static function post(array $parameters = [])
@@ -361,6 +365,16 @@ class Contact extends BaseModule
 				throw new NotFoundException(DI::l10n()->t('Contact not found'));
 			}
 
+			if ($cmd === 'posts') {
+				return self::getPostsHTML($a, $contact_id);
+			}
+
+			if ($cmd === 'conversations') {
+				return self::getConversationsHMTL($a, $contact_id, $update);
+			}
+
+			self::checkFormSecurityTokenRedirectOnError('contact/' . $contact_id, 'contact_action', 't');
+
 			$cdata = Model\Contact::getPublicAndUserContactID($orig_record['id'], local_user());
 			if (empty($cdata)) {
 				throw new NotFoundException(DI::l10n()->t('Contact not found'));
@@ -434,12 +448,6 @@ class Contact extends BaseModule
 				DI::baseUrl()->redirect('contact');
 				// NOTREACHED
 			}
-			if ($cmd === 'posts') {
-				return self::getPostsHTML($a, $contact_id);
-			}
-			if ($cmd === 'conversations') {
-				return self::getConversationsHMTL($a, $contact_id, $update);
-			}
 		}
 
 		$_SESSION['return_path'] = DI::args()->getQueryString();
@@ -840,6 +848,7 @@ class Contact extends BaseModule
 			'$submit'     => DI::l10n()->t('Find'),
 			'$cmd'        => DI::args()->getCommand(),
 			'$contacts'   => $contacts,
+			'$form_security_token'  => BaseModule::getFormSecurityToken('contact_batch_actions'),
 			'$contact_drop_confirm' => DI::l10n()->t('Do you really want to delete this contact?'),
 			'multiselect' => 1,
 			'$batch_actions' => [
@@ -1080,6 +1089,8 @@ class Contact extends BaseModule
 		$poll_enabled = in_array($contact['network'], [Protocol::ACTIVITYPUB, Protocol::DFRN, Protocol::OSTATUS, Protocol::FEED, Protocol::MAIL]);
 		$contact_actions = [];
 
+		$formSecurityToken = self::getFormSecurityToken('contact_action');
+
 		// Provide friend suggestion only for Friendica contacts
 		if ($contact['network'] === Protocol::DFRN) {
 			$contact_actions['suggest'] = [
@@ -1094,7 +1105,7 @@ class Contact extends BaseModule
 		if ($poll_enabled) {
 			$contact_actions['update'] = [
 				'label' => DI::l10n()->t('Update now'),
-				'url'   => 'contact/' . $contact['id'] . '/update',
+				'url'   => 'contact/' . $contact['id'] . '/update?t=' . $formSecurityToken,
 				'title' => '',
 				'sel'   => '',
 				'id'    => 'update',
@@ -1104,7 +1115,7 @@ class Contact extends BaseModule
 		if (in_array($contact['network'], Protocol::NATIVE_SUPPORT)) {
 			$contact_actions['updateprofile'] = [
 				'label' => DI::l10n()->t('Refetch contact data'),
-				'url'   => 'contact/' . $contact['id'] . '/updateprofile',
+				'url'   => 'contact/' . $contact['id'] . '/updateprofile?t=' . $formSecurityToken,
 				'title' => '',
 				'sel'   => '',
 				'id'    => 'updateprofile',
@@ -1113,7 +1124,7 @@ class Contact extends BaseModule
 
 		$contact_actions['block'] = [
 			'label' => (intval($contact['blocked']) ? DI::l10n()->t('Unblock') : DI::l10n()->t('Block')),
-			'url'   => 'contact/' . $contact['id'] . '/block',
+			'url'   => 'contact/' . $contact['id'] . '/block?t=' . $formSecurityToken,
 			'title' => DI::l10n()->t('Toggle Blocked status'),
 			'sel'   => (intval($contact['blocked']) ? 'active' : ''),
 			'id'    => 'toggle-block',
@@ -1121,7 +1132,7 @@ class Contact extends BaseModule
 
 		$contact_actions['ignore'] = [
 			'label' => (intval($contact['readonly']) ? DI::l10n()->t('Unignore') : DI::l10n()->t('Ignore')),
-			'url'   => 'contact/' . $contact['id'] . '/ignore',
+			'url'   => 'contact/' . $contact['id'] . '/ignore?t=' . $formSecurityToken,
 			'title' => DI::l10n()->t('Toggle Ignored status'),
 			'sel'   => (intval($contact['readonly']) ? 'active' : ''),
 			'id'    => 'toggle-ignore',
@@ -1130,7 +1141,7 @@ class Contact extends BaseModule
 		if ($contact['uid'] != 0) {
 			$contact_actions['delete'] = [
 				'label' => DI::l10n()->t('Delete'),
-				'url'   => 'contact/' . $contact['id'] . '/drop',
+				'url'   => 'contact/' . $contact['id'] . '/drop?t=' . $formSecurityToken,
 				'title' => DI::l10n()->t('Delete contact'),
 				'sel'   => '',
 				'id'    => 'delete',

src/Module/Proxy.php

@@ -24,6 +24,7 @@ namespace Friendica\Module;
 use Friendica\BaseModule;
 use Friendica\Core\Logger;
 use Friendica\Core\System;
+use Friendica\DI;
 use Friendica\Object\Image;
 use Friendica\Util\HTTPSignature;
 use Friendica\Util\Images;
@@ -44,6 +45,13 @@ class Proxy extends BaseModule
 	 */
 	public static function rawContent(array $parameters = [])
 	{
+		$request = self::getRequestInfo($parameters);
+
+		if (!DI::config()->get('system', 'proxify_content')) {
+			Logger::notice('Proxy access is forbidden', ['request' => $request, 'agent' => $_SERVER['HTTP_USER_AGENT'] ?? '', 'accept' => $_SERVER['HTTP_ACCEPT'] ?? '']);
+			throw new \Friendica\Network\HTTPException\NotFoundException();
+		}
+
 		if (isset($_SERVER["HTTP_IF_MODIFIED_SINCE"])) {
 			header("HTTP/1.1 304 Not Modified");
 			header("Last-Modified: " . gmdate("D, d M Y H:i:s", time()) . " GMT");
@@ -60,8 +68,6 @@ class Proxy extends BaseModule
 			exit;
 		}
 
-		$request = self::getRequestInfo($parameters);
-
 		if (empty($request['url'])) {
 			throw new \Friendica\Network\HTTPException\BadRequestException();
 		}