security fixes related to directory access and sites that are off the grid

include/zot.php

@@ -536,11 +536,24 @@ function import_xchan($arr) {
 		if($r[0]['xchan_photo_date'] != $arr['photo_updated'])
 			$import_photos = true;
 
+		// if we import an entry from a site that's not ours and either or both of us is off the grid - hide the entry.
+		// TODO: check if we're the same directory realm, which would mean we are allowed to see it
+
+		$dirmode = get_config('system','directory_mode'); 
+
+		if((($arr['site']['directory_mode'] === 'standalone') || ($dirmode & DIRECTORY_MODE_STANDALONE))
+&& ($arr['site']['url'] != z_root()))
+			$arr['searchable'] = false;
+
+		
+
+		// Be careful - XCHAN_FLAGS_HIDDEN should evaluate to 1
 		if(($r[0]['xchan_flags'] & XCHAN_FLAGS_HIDDEN) != $arr['searchable'])
 			$new_flags = $r[0]['xchan_flags'] ^ XCHAN_FLAGS_HIDDEN;
 		else
 			$new_flags = $r[0]['xchan_flags'];
-
+		
+			
 		if(($r[0]['xchan_name_date'] != $arr['name_updated']) || ($r[0]['xchan_connurl'] != $arr['connections_url']) || ($r[0]['xchan_flags'] != $new_flags)) {
 			$r = q("update xchan set xchan_name = '%s', xchan_name_date = '%s', xchan_connurl = '%s', xchan_flags = %d  where xchan_hash = '%s' limit 1",
 				dbesc($arr['name']),

mod/directory.php

@@ -56,6 +56,8 @@ function directory_content(&$a) {
 		$query = $url . '?f=' ;
 		if($search)
 			$query .= '&name=' . urlencode($search);
+		if(strpos($search,'@'))
+			$query .= '&address=' . urlencode($search);
 
 		if($a->pager['page'] != 1)
 			$query .= '&p=' . $a->pager['page'];
@@ -63,6 +65,8 @@ function directory_content(&$a) {
 		logger('mod_directory: query: ' . $query);
 
 		$x = z_fetch_url($query);
+		logger('directory: return from upstream: ' . print_r($x,true));
+
 		if($x['success']) {
 			$t = 0;
 			$j = json_decode($x['body'],true);

mod/dirsearch.php

@@ -14,16 +14,12 @@ function dirsearch_content(&$a) {
 
 	// If you've got a public directory server, you probably shouldn't block public access
 
-	if((get_config('system','block_public')) && (! local_user()) && (! remote_user())) {
-		$ret['message'] = t('Public access denied.');
-		return;
-	}
 
 	$dirmode = intval(get_config('system','directory_mode'));
 
 	if($dirmode == DIRECTORY_MODE_NORMAL) {
 		$ret['message'] = t('This site is not a directory server');
-		return;
+		json_return_and_die($ret);
 	}
 
 	$name = ((x($_REQUEST,'name')) ? $_REQUEST['name'] : '');
@@ -75,7 +71,7 @@ function dirsearch_content(&$a) {
 	// By default we return one page (default 80 items maximum) and do not count total entries
 
 	$logic = ((strlen($sql_extra)) ? 0 : 1);
-
+dbg(1);
 	if($limit) 
 		$qlimit = " LIMIT $limit ";
 	else {
@@ -95,7 +91,7 @@ function dirsearch_content(&$a) {
 	$r = q("SELECT xchan.*, xprof.* from xchan left join xprof on xchan_hash = xprof_hash where $logic $sql_extra and not ( xchan_flags & %d ) $order $qlimit ",
 		intval(XCHAN_FLAGS_HIDDEN)
 	);
-
+dbg(0);
 	$ret['page'] = $page + 1;
 	$ret['records'] = count($r);		
 

mod/search.php

@@ -117,6 +117,11 @@ function search_content(&$a) {
 		goaway(z_root() . '/directory' . '?f=1&search=' . $search);
 	}
 
+	// look for a naked webbie
+	if(strpos($search,'@') !== false) {
+		goaway(z_root() . '/directory' . '?f=1&search=' . $search);
+	}
+
 	if(! $search)
 		return $o;
 

mod/zfinger.php

@@ -75,7 +75,6 @@ function zfinger_init(&$a) {
 	if($e['xchan_flags'] & XCHAN_FLAGS_HIDDEN)
 		$searchable = false;
 	 
-
 	//  This is for birthdays and keywords, but must check access permissions
 	$p = q("select * from profile where uid = %d and is_default = 1",
 		intval($e['channel_id'])
@@ -181,7 +180,7 @@ function zfinger_init(&$a) {
 	elseif($dirmode == DIRECTORY_MODE_STANDALONE)
 		$ret['site']['directory_mode'] = 'standalone';
 	if($dirmode != DIRECTORY_MODE_NORMAL)
-		$ret['site']['directory_url'] = z_root() . '/dir';
+		$ret['site']['directory_url'] = z_root() . '/dirsearch';
  
 	json_return_and_die($ret);