img_cache not filtering private messages as well as it could

Mike Macgirvin 2024-07-29 13:59:09 +10:00
parent d5befc9f69
commit fcf28a99e9
4 changed files with 22 additions and 6 deletions


@ -1158,7 +1158,11 @@ function sslify($s, $cache_enable = true)
foreach ($matches as $match) {
// For access controlled photos using OpenWebAuth, remove any zid attributes.
// This will cache a publicly available image but will not cache a protected one.
$clean = strip_zids(strip_query_param($match[2], 'f'));
$dirty = $match[2];
$clean = strip_zids(strip_accesstokens(strip_query_param($dirty, 'f')));
if ($dirty !== $clean) {
continue;
}
$cached = Img_cache::check($clean, 'cache/img');
if ($cached) {
// $file = Img_cache::get_filename($clean,'cache/img');
@ -1168,7 +1172,7 @@ function sslify($s, $cache_enable = true)
// $alt = preg_match('/alt=\"(.*?)\"/ism', $match[1], $a);
// @fixme getimagesize and replace height/width/alt in image tag
$s = str_replace($match[2], z_root() . '/ca/' . basename(Img_cache::get_filename($clean, 'cache/img')) . '?url=' . urlencode($clean), $s);
$s = str_replace($match[2], z_root() . '/ca/' . basename(Img_cache::get_filename($clean, 'cache/img')) . '?url=' . urlencode($dirty), $s);
}
}
}
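Review bot: The comment directly above the new lines still describes the old strip-and-cache behaviour ("remove any zid attributes … will cache a publicly available image"), but the added code no longer strips anything for caching: as soon as stripping zid, token or f changes the URL, the `continue` skips that image entirely, and the later `urlencode($dirty)` is then equivalent to `urlencode($clean)`. I would replace the two comment lines with `// Skip access-controlled photos (zid, token or f query parameters): the image cache is for publicly available images only, so these are never cached.` The same three-call check is duplicated verbatim in Img_cache::url_to_cache in this commit; a single helper such as `is_access_controlled_url($url): bool` that both call sites use would keep them in sync, which matters here because a parameter name added to one copy and not the other would let a protected image be cached. Note also that the check is a deny-list of three parameter names, so any other credential-carrying query parameter would still pass — worth stating in the comment if that is the accepted limitation. The enclosing function sslify starts before the hunk.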


@ -123,6 +123,11 @@ function strip_zids($s)
return preg_replace('/[\?&]zid=(.*?)(&|$)/ism', '$2', $s);
}
function strip_accesstokens($s)
{
return preg_replace('/[\?&]token=(.*?)(&|$)/ism', '$2', $s);
}
function strip_owt($s)
{
return preg_replace('/[\?&]owt=(.*?)(&|$)/ism', '$2', $s);
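Review bot: The new strip_accesstokens has no docblock and, like its neighbours, declares no parameter or return types; since preg_replace returns null on a PCRE error, the honest return type is `?string`. Because the pattern replaces `?token=…&` with `&`, the result is not a well-formed URL when the parameter is the first in the query string (the same holds for strip_zids), which is harmless only because the callers in this commit use the result for comparison alone. I would document that intent: `/** Remove any token= query parameter. Used only to detect access-controlled URLs by comparison, so the result is not guaranteed to be a well-formed URL. @param string $s @return ?string */`. The body of strip_owt continues outside the hunk.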


@ -46,6 +46,13 @@ class Img_cache
public static function url_to_cache($url, $file): bool
{
$dirty = $url;
$clean = strip_zids(strip_accesstokens(strip_query_param($dirty, 'f')));
if ($dirty !== $clean) {
return false;
}
$fp = fopen($file, 'wb');
if (!$fp) {
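Review bot: The early `return false` in url_to_cache is uncommented, so a reader cannot distinguish a deliberate refusal to cache from a failure, and the `$dirty = $url;` alias adds nothing since `$url` is never modified. I would write `// Refuse to cache access-controlled images (zid, token or f query parameters); this is a deliberate miss, not an error.` above the check and compare `$url` directly: `if ($url !== strip_zids(strip_accesstokens(strip_query_param($url, 'f')))) {`. The rest of url_to_cache, including the fopen failure path, continues outside the hunk.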


@ -7,7 +7,7 @@ namespace Code\Module;
* As a GET request, this module answers to activitypub and zot6 item fetches and
* acts as a permalink for local content.
*
* Otherwise this is the POST destination for most all locally posted
* Otherwise, this is the POST destination for most all locally posted
* text stuff. This function handles status, wall-to-wall status,
* local comments, and remote coments that are posted on this site
* (as opposed to being delivered in a feed).
@ -64,7 +64,7 @@ class Item extends Controller
if (!$item_uuid) {
http_status_exit(404, 'Not found');
}
$portable_id = EMPTY_STR;
$portable_id = '';
$item_normal = " and item.item_hidden = 0 and item.item_type = 0 and item.item_unpublished = 0 and item.item_delayed = 0 and item.item_blocked = 0 ";
@ -87,7 +87,7 @@ class Item extends Controller
// process an authenticated fetch
$sigdata = HTTPSig::verify(EMPTY_STR);
$sigdata = HTTPSig::verify('');
if ($sigdata['portable_id'] && $sigdata['header_valid']) {
$portable_id = $sigdata['portable_id'];
if (!check_channelallowed($portable_id)) {
@ -118,7 +118,7 @@ class Item extends Controller
dbesc($r[0]['parent_mid'])
);
// If any of these have our request uri as a child, make that the head of the conversation we are going to return.
// Otherwise keep looking.
// Otherwise, keep looking.
foreach ($j as $test) {
$candidate = q("select id as item_id from item where ((mid like '%s' and mid like '%s') or uuid = '%s') and parent = %d ",
dbesc(z_root() . '%'),