From 26c7b64e34ed0677b9d98133cc69f15dbb38e95f Mon Sep 17 00:00:00 2001
From: Mike Macgirvin
Date: Thu, 23 Jun 2022 03:47:35 -0700
Subject: [PATCH] add mention and tag count limits to reduce abuse when bypassing permissions
---
 Code/Module/Settings/Channel.php | 14 ++++++++++++--
 include/items.php | 17 +++++++++++++----
 view/tpl/settings.tpl | 2 ++
 3 files changed, 27 insertions(+), 6 deletions(-)
diff --git a/Code/Module/Settings/Channel.php b/Code/Module/Settings/Channel.php
index a4d05cf14..715eac848 100644
--- a/Code/Module/Settings/Channel.php
+++ b/Code/Module/Settings/Channel.php
@@ -159,6 +159,8 @@ class Channel
 $noindex = ((x($_POST, 'noindex')) ? intval($_POST['noindex']) : 0);
 $channel_menu = ((x($_POST['channel_menu'])) ? htmlspecialchars_decode(trim($_POST['channel_menu']), ENT_QUOTES) : '');
+ $unless_mention_count = ((x($_POST, 'unless_mention_count')) ? intval($_POST['unless_mention_count']) : 0);
+ $unless_tag_count = ((x($_POST, 'unless_tag_count')) ? intval($_POST['unless_tag_count']) : 0);
 $expire_items = ((x($_POST, 'expire_items')) ? intval($_POST['expire_items']) : 0);
 $expire_starred = ((x($_POST, 'expire_starred')) ? intval($_POST['expire_starred']) : 0);
 $expire_photos = ((x($_POST, 'expire_photos')) ? intval($_POST['expire_photos']) : 0);
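Review bot: The two new limits are stored after `intval()` alone, so a negative number is accepted and an empty or missing field is saved as 0, which the form text added in this commit documents as "0 for unlimited". With the checks added in include/items.php (`if ($unless && count($terms) > $unless)`), a negative value switches the bypass off for every message, while a form submission that omits the field silently removes the limit rather than keeping the site default of 20. Clamping on input would make the stored value match the documented range, e.g. `$unless_mention_count = ((x($_POST, 'unless_mention_count')) ? max(0, intval($_POST['unless_mention_count'])) : 0);` and the same for `unless_tag_count`. It is also worth deciding whether an absent field should leave the stored value untouched instead of writing 0.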
@@ -339,12 +341,14 @@ class Channel
 set_pconfig(local_channel(), 'system', 'default_permcat', $defpermcat);
 set_pconfig(local_channel(), 'system', 'email_notify_host', $mailhost);
 set_pconfig(local_channel(), 'system', 'profile_assign', $profile_assign);
-// set_pconfig(local_channel(),'system','anymention',$anymention);
+// set_pconfig(local_channel(), 'system', 'anymention', $anymention);
 set_pconfig(local_channel(), 'system', 'hyperdrive', $hyperdrive);
 set_pconfig(local_channel(), 'system', 'activitypub', $activitypub);
 set_pconfig(local_channel(), 'system', 'autoperms', $autoperms);
 set_pconfig(local_channel(), 'system', 'tag_username', $tag_username);
 set_pconfig(local_channel(), 'system', 'permit_all_mentions', $permit_all_mentions);
+ set_pconfig(local_channel(), 'system', 'unless_mention_count', $unless_mention_count);
+ set_pconfig(local_channel(), 'system', 'unless_tag_count', $unless_tag_count);
 set_pconfig(local_channel(), 'system', 'noindex', $noindex);
@@ -624,7 +628,11 @@ class Channel
 $followed = EMPTY_STR;
 }
-
+ $mention_count = get_pconfig(local_channel(), 'system', 'unless_mention_count',
+ get_config('system', 'unless_mention_count', 20));
+ $tag_count = get_pconfig(local_channel(), 'system', 'unless_tag_count',
+ get_config('system', 'unless_tag_count', 20));
+
 $o .= replace_macros(Theme::get_template('settings.tpl'), [
 '$ptitle' => t('Channel Settings'),
 '$submit' => t('Submit'),
@@ -730,6 +738,8 @@ class Channel
 '$always_show_in_notices' => array('always_show_in_notices', t('Show new wall posts, private messages and connections under Notices'), $always_show_in_notices, 1, '', $yes_no),
 '$permit_all_mentions' => ['permit_all_mentions', t('Accept messages from strangers which mention you'), get_pconfig(local_channel(), 'system', 'permit_all_mentions'), t('This setting bypasses normal permissions'), $yes_no],
 '$followed_tags' => ['followed_tags', t('Accept messages from strangers which include any of the following hashtags'), $followed, t('comma separated, do not include the #')],
+ '$unless_mention_count' => ['unless_mention_count', t('Unless more than this many channels are mentioned'), $mention_count, t('0 for unlimited')],
+ '$unless_tag_count' => ['unless_tag_count', t('Unless more than this many hashtags are used'), $tag_count, t('0 for unlimited')],
 '$evdays' => array('evdays', t('Notify me of events this many days in advance'), $evdays, t('Must be greater than 0')),
 '$basic_addon' => $plugin['basic'],
 '$sec_addon' => $plugin['security'],
diff --git a/include/items.php b/include/items.php
index 6afb0cfbd..8bb8b5065 100644
--- a/include/items.php
+++ b/include/items.php
@@ -2913,6 +2913,7 @@ function tgroup_check($uid, $item) {
 return true;
 }
+ $tag_result = false;
 $terms = ((isset($item['term'])) ? get_terms_oftype($item['term'],TERM_HASHTAG) : false);
 if ($terms) {
 $followed_tags = PConfig::Get($uid,'system','followed_tags');
@@ -2923,13 +2924,17 @@ function tgroup_check($uid, $item) {
 foreach ($terms as $term) {
 foreach ($followed_tags as $tag) {
 if (strcasecmp($term['term'],$tag) === 0) {
- return true;
+ $tag_result = true;
 }
 }
 }
- }
-
- return false;
+ $unless = intval(get_pconfig($channel['channel_id'], 'system', 'unless_tag_count',
+ get_config('system', 'unless_tag_count', 20)));
+ if ($unless && count($terms) > $unless) {
+ $tag_result= false;
+ }
+ }
+ return $tag_result;
 }
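Review bot: The added `$unless` lookup in tgroup_check reads `$channel['channel_id']`, but the function's signature is `tgroup_check($uid, $item)` and the neighbouring `followed_tags` lookup uses `$uid`; no `$channel` is assigned in the visible lines. The start of the function is outside this hunk, so this is hedged, but if `$channel` is not defined earlier the per-channel setting is queried with a null id. In that case the owner's own `unless_tag_count` (including a stricter limit, or 0) is likely ignored in favour of the site default, and the hashtag bypass is not limited the way the settings page promises. Using the id the function already has keeps the lookup consistent: `$unless = intval(get_pconfig($uid, 'system', 'unless_tag_count', get_config('system', 'unless_tag_count', 20)));`.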
@@ -2958,6 +2963,10 @@ function i_am_mentioned($channel,$item) {
 }
 }
 }
+ $unless = intval(get_pconfig($channel['channel_id'], 'system', 'unless_mention_count', get_config('system', 'unless_mention_count', 20)));
+ if ($unless && count($terms) > $unless) {
+ $tagged = false;
+ }
 return $tagged;
 }
diff --git a/view/tpl/settings.tpl b/view/tpl/settings.tpl
index 58905936a..fa0776488 100755
--- a/view/tpl/settings.tpl
+++ b/view/tpl/settings.tpl
@@ -55,7 +55,9 @@
 {{include file="field_input.tpl" field=$close_comments}}
 {{include file="field_select.tpl" field=$mail_perms}}
 {{include file="field_checkbox.tpl" field=$permit_all_mentions}}
+ {{include file="field_input.tpl" field=$unless_mention_count}}
 {{include file="field_input.tpl" field=$followed_tags}}
+ {{include file="field_input.tpl" field=$unless_tag_count}}
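Review bot: In i_am_mentioned the new `count($terms)` runs whenever `$unless` is non-zero, which with the default of 20 is every call, and nothing in the added lines checks that `$terms` is an array. The assignment of `$terms` is outside this hunk, but if it follows the `isset(...) ? get_terms_oftype(...) : false` pattern visible in tgroup_check, an item with no mention terms passes `false` to `count()`. That raises a TypeError on PHP 8 (a warning on 7.2 and later) inside the permission check for incoming items. Guarding the count avoids this without changing the limit: `if ($unless && is_array($terms) && count($terms) > $unless) {`.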