strip hard-wired zids from posted links as they will have the wrong identity when somebody tries to view the link

include/items.php

@@ -145,7 +145,9 @@ function can_comment_on_post($observer_xchan,$item) {
  * @function red_zrl_callback
  *   preg_match function when fixing 'naked' links in mod item.php
  *   Check if we've got a hubloc for the site and use a zrl if we do, a url if we don't. 
- * 
+ *   Remove any existing zid= param which may have been pasted by mistake - and will have
+ *   the author's credentials. zid's are dynamic and can't really be passed around like
+ *   that.
  */
 
 
@@ -159,6 +161,13 @@ function red_zrl_callback($matches) {
 		if($r)
 			$zrl = true;
 	}
+
+	$t = strip_zids($matches[2]);
+	if($t !== $matches[2]) {
+		$zrl = true;
+		$matches[2] = $t;
+	}
+
 	if($matches[1] === '#^')
 		$matches[1] = '';
 	if($zrl)

include/text.php

@@ -621,6 +621,11 @@ function get_tags($s) {
 }
 
 
+function strip_zids($s) {
+	return preg_replace('/[\?&]zid=(.*?)(&|$)/ism','$2',$s);
+}
+
+
 // quick and dirty quoted_printable encoding
 
 

index.php

@@ -92,7 +92,7 @@ if((x($_SESSION,'language')) && ($_SESSION['language'] !== $lang)) {
 }
 
 if((x($_GET,'zid')) && (! $a->install)) {
-	$a->query_string = preg_replace('/[\?&]zid=(.*?)([\?&]|$)/is','',$a->query_string);
+	$a->query_string = strip_zids($a->query_string);
 	if(! local_user()) {
 		$_SESSION['my_address'] = $_GET['zid'];
 		zid_init($a);

mod/cloud.php

@@ -73,11 +73,11 @@ function cloud_init(&$a) {
 
 
 	$_SERVER['QUERY_STRING'] = str_replace(array('?f=','&f='),array('',''),$_SERVER['QUERY_STRING']);
-	$_SERVER['QUERY_STRING'] = preg_replace('/[\?&]zid=(.*?)([\?&]|$)/ism','',$_SERVER['QUERY_STRING']);
+	$_SERVER['QUERY_STRING'] = strip_zids($_SERVER['QUERY_STRING']);
 	$_SERVER['QUERY_STRING'] = preg_replace('/[\?&]davguest=(.*?)([\?&]|$)/ism','',$_SERVER['QUERY_STRING']);
 
 	$_SERVER['REQUEST_URI'] = str_replace(array('?f=','&f='),array('',''),$_SERVER['REQUEST_URI']);
-	$_SERVER['REQUEST_URI'] = preg_replace('/[\?&]zid=(.*?)([\?&]|$)/ism','',$_SERVER['REQUEST_URI']);
+	$_SERVER['REQUEST_URI'] = strip_zids($_SERVER['REQUEST_URI']);
 	$_SERVER['REQUEST_URI'] = preg_replace('/[\?&]davguest=(.*?)([\?&]|$)/ism','',$_SERVER['REQUEST_URI']);
 
 	$rootDirectory = new RedDirectory('/',$auth);

mod/item.php

@@ -423,19 +423,13 @@ function item_post(&$a) {
 		/**
 		 * fix naked links by passing through a callback to see if this is a red site
 		 * (already known to us) which will get a zrl, otherwise link with url, add bookmark tag to both.
-		 * First wrap any url which is part of link anchor text already in quotes so we don't double link it.
-		 * e.g. [url=http://foobar.com]something with http://elsewhere.com in it[/url]
-		 * becomes [url=http://foobar.com]something with "http://elsewhere.com" in it[/url]
-		 * otherwise http://elsewhere.com becomes #^[url=http://elsewhere.com]http://elsewhere.com[/url]
+		 * First protect any url inside certain bbcode tags so we don't double link it.
 		 */
 
 		$body = preg_replace_callback('/\[code(.*?)\[\/(code)\]/ism','red_escape_codeblock',$body);
 		$body = preg_replace_callback('/\[url(.*?)\[\/(url)\]/ism','red_escape_codeblock',$body);
 		$body = preg_replace_callback('/\[zrl(.*?)\[\/(zrl)\]/ism','red_escape_codeblock',$body);
 
-// no longer needed
-//		$body = preg_replace_callback('/\[([uz])rl(.*?)\](.*?)(https?\:\/\/[a-zA-Z0-9\:\/\-\?\&\;\.\=\@\_\~\#\%\$\!\+\,]+)(.*?)\[\/([uz])rl\]/ism','red_escape_zrl_callback',$body);
-
 		$body = preg_replace_callback("/([^\]\='".'"'."]|^|\#\^)(https?\:\/\/[a-zA-Z0-9\:\/\-\?\&\;\.\=\@\_\~\#\%\$\!\+\,]+)/ism", 'red_zrl_callback', $body);
 
 		$body = preg_replace_callback('/\[\$b64zrl(.*?)\[\/(zrl)\]/ism','red_unescape_codeblock',$body);

version.inc

@@ -1 +1 @@
-2014-02-14.588
+2014-02-16.590