security fixes related to directory access and sites that are off the grid
This commit is contained in:
parent
bda4ca4c0d
commit
beb3301d43
5 changed files with 27 additions and 10 deletions
@ -536,11 +536,24 @@ function import_xchan($arr) {
|
|||
if($r[0]['xchan_photo_date'] != $arr['photo_updated'])
|
||||
$import_photos = true;
|
||||
|
||||
// if we import an entry from a site that's not ours and either or both of us is off the grid - hide the entry.
|
||||
// TODO: check if we're the same directory realm, which would mean we are allowed to see it
|
||||
|
||||
$dirmode = get_config('system','directory_mode');
|
||||
|
||||
if((($arr['site']['directory_mode'] === 'standalone') || ($dirmode & DIRECTORY_MODE_STANDALONE))
|
||||
&& ($arr['site']['url'] != z_root()))
|
||||
$arr['searchable'] = false;
|
||||
|
||||
|
||||
|
||||
// Be careful - XCHAN_FLAGS_HIDDEN should evaluate to 1
|
||||
if(($r[0]['xchan_flags'] & XCHAN_FLAGS_HIDDEN) != $arr['searchable'])
|
||||
$new_flags = $r[0]['xchan_flags'] ^ XCHAN_FLAGS_HIDDEN;
|
||||
else
|
||||
$new_flags = $r[0]['xchan_flags'];
|
||||
|
||||
|
||||
|
||||
if(($r[0]['xchan_name_date'] != $arr['name_updated']) || ($r[0]['xchan_connurl'] != $arr['connections_url']) || ($r[0]['xchan_flags'] != $new_flags)) {
|
||||
$r = q("update xchan set xchan_name = '%s', xchan_name_date = '%s', xchan_connurl = '%s', xchan_flags = %d where xchan_hash = '%s' limit 1",
|
||||
dbesc($arr['name']),
|
||||
|
|
|
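Review bot: The new `$arr['searchable'] = false;` for off-grid sites does not appear to produce a hidden entry, because the later test `if(($r[0]['xchan_flags'] & XCHAN_FLAGS_HIDDEN) != $arr['searchable'])` compares the hidden bit with searchable directly: under PHP's loose comparison an already-hidden row (bit = 1) against `false` is unequal and gets the bit toggled off, while a visible row (bit = 0) against `false` is equal and stays visible. Since zfinger_init in this same commit sets `$searchable = false` precisely for hidden channels, the two values are meant to be opposites, so compare them as such before toggling, e.g. `if((bool)($r[0]['xchan_flags'] & XCHAN_FLAGS_HIDDEN) === (bool)$arr['searchable'])`. The old/new side of that test line is not recoverable from this rendering, so if it predates the commit the defect is older, but the new assignment now depends on it. Separately, `$dirmode` is used in a bitwise `&` without the `intval()` that dirsearch_content applies to the same config value, and `$arr['site']['directory_mode']` raises a notice when the sender supplied no `site` block; `$dirmode = intval(get_config('system','directory_mode'));` plus an `isset($arr['site'])` guard would close both. import_xchan continues beyond the hunk.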
@ -56,6 +56,8 @@ function directory_content(&$a) {
|
|||
$query = $url . '?f=' ;
|
||||
if($search)
|
||||
$query .= '&name=' . urlencode($search);
|
||||
if(strpos($search,'@'))
|
||||
$query .= '&address=' . urlencode($search);
|
||||
|
||||
if($a->pager['page'] != 1)
|
||||
$query .= '&p=' . $a->pager['page'];
|
||||
|
@ -63,6 +65,8 @@ function directory_content(&$a) {
|
|||
logger('mod_directory: query: ' . $query);
|
||||
|
||||
$x = z_fetch_url($query);
|
||||
logger('directory: return from upstream: ' . print_r($x,true));
|
||||
|
||||
if($x['success']) {
|
||||
$t = 0;
|
||||
$j = json_decode($x['body'],true);
|
||||
|
|
|
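Review bot: The added `if(strpos($search,'@'))` misses a search term that begins with `@`, because strpos() returns 0 for a match at offset 0 and 0 is false; the naked-webbie check in search_content in this same commit uses `strpos($search,'@') !== false`, and this line should match it. The preceding `&name=` clause is also not exclusive, so an address search sends both `name` and `address` parameters; if only one is intended, make the second test an `else`. In the second hunk, `logger('directory: return from upstream: ' . print_r($x,true))` writes the complete upstream response, body included, into the log on every directory request; consider logging only `$x['success']` and the body length, or a debug-only level if logger() provides one. directory_content continues outside both hunks.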
@ -14,16 +14,12 @@ function dirsearch_content(&$a) {
|
|||
|
||||
// If you've got a public directory server, you probably shouldn't block public access
|
||||
|
||||
if((get_config('system','block_public')) && (! local_user()) && (! remote_user())) {
|
||||
$ret['message'] = t('Public access denied.');
|
||||
return;
|
||||
}
|
||||
|
||||
$dirmode = intval(get_config('system','directory_mode'));
|
||||
|
||||
if($dirmode == DIRECTORY_MODE_NORMAL) {
|
||||
$ret['message'] = t('This site is not a directory server');
|
||||
return;
|
||||
json_return_and_die($ret);
|
||||
}
|
||||
|
||||
$name = ((x($_REQUEST,'name')) ? $_REQUEST['name'] : '');
|
||||
|
@ -75,7 +71,7 @@ function dirsearch_content(&$a) {
|
|||
// By default we return one page (default 80 items maximum) and do not count total entries
|
||||
|
||||
$logic = ((strlen($sql_extra)) ? 0 : 1);
|
||||
|
||||
dbg(1);
|
||||
if($limit)
|
||||
$qlimit = " LIMIT $limit ";
|
||||
else {
|
||||
|
@ -95,7 +91,7 @@ function dirsearch_content(&$a) {
|
|||
$r = q("SELECT xchan.*, xprof.* from xchan left join xprof on xchan_hash = xprof_hash where $logic $sql_extra and not ( xchan_flags & %d ) $order $qlimit ",
|
||||
intval(XCHAN_FLAGS_HIDDEN)
|
||||
);
|
||||
|
||||
dbg(0);
|
||||
$ret['page'] = $page + 1;
|
||||
$ret['records'] = count($r);
|
||||
|
||||
|
|
|
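Review bot: In the first hunk, the `return;` immediately before `json_return_and_die($ret);` makes the JSON call unreachable, so a site in DIRECTORY_MODE_NORMAL answers a dirsearch request with an empty page instead of the 'This site is not a directory server' message; drop the `return;` so `json_return_and_die($ret);` runs, as the hunk's own error path intends. Which of those two lines is the new one cannot be told from this rendering, but the new side contains both. The block_public gate appears to be what this hunk removes — the surviving comment explains the intent, but it is worth confirming that anonymous dirsearch is acceptable on a directory server with block_public set, since the query in the third hunk now excludes hidden channels via `and not ( xchan_flags & %d )` but still returns every other profile. The `dbg(1)` / `dbg(0)` pair around that query looks like debugging left in. dirsearch_content begins before the first hunk and continues past the last.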
@ -117,6 +117,11 @@ function search_content(&$a) {
|
|||
goaway(z_root() . '/directory' . '?f=1&search=' . $search);
|
||||
}
|
||||
|
||||
// look for a naked webbie
|
||||
if(strpos($search,'@') !== false) {
|
||||
goaway(z_root() . '/directory' . '?f=1&search=' . $search);
|
||||
}
|
||||
|
||||
if(! $search)
|
||||
return $o;
|
||||
|
||||
|
|
|
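Review bot: The added redirect `goaway(z_root() . '/directory' . '?f=1&search=' . $search);` places the raw search term into the query string; a term containing `&`, `#`, `+` or a space is split into extra parameters or truncated, and the earlier redirect at the top of the hunk has the same shape. Use `urlencode($search)` in both, e.g. `goaway(z_root() . '/directory?f=1&search=' . urlencode($search));`. The `!== false` test on strpos() here is the right form, and it is what the `@` check added to directory_content in this commit also needs. search_content continues outside the hunk.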
@ -75,7 +75,6 @@ function zfinger_init(&$a) {
|
|||
if($e['xchan_flags'] & XCHAN_FLAGS_HIDDEN)
|
||||
$searchable = false;
|
||||
|
||||
|
||||
// This is for birthdays and keywords, but must check access permissions
|
||||
$p = q("select * from profile where uid = %d and is_default = 1",
|
||||
intval($e['channel_id'])
|
||||
|
@ -181,7 +180,7 @@ function zfinger_init(&$a) {
|
|||
elseif($dirmode == DIRECTORY_MODE_STANDALONE)
|
||||
$ret['site']['directory_mode'] = 'standalone';
|
||||
if($dirmode != DIRECTORY_MODE_NORMAL)
|
||||
$ret['site']['directory_url'] = z_root() . '/dir';
|
||||
$ret['site']['directory_url'] = z_root() . '/dirsearch';
|
||||
|
||||
json_return_and_die($ret);
|
||||
|
||||
|
|
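Review bot: The `if($dirmode != DIRECTORY_MODE_NORMAL)` in the second hunk governs a single braceless statement, and this commit changes exactly that statement (`'/dir'` to `'/dirsearch'`); a later line added under the if would silently run unconditionally. Wrap it: `if($dirmode != DIRECTORY_MODE_NORMAL) {` / `$ret['site']['directory_url'] = z_root() . '/dirsearch';` / `}`. In the first hunk the only change looks like a removed blank line, which needs no comment. zfinger_init begins before the first hunk.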