From fcf28a99e9ecc24d5f2e596ec13357e9b56303cc Mon Sep 17 00:00:00 2001
From: Mike Macgirvin
Date: Mon, 29 Jul 2024 13:59:09 +1000
Subject: [PATCH] img_cache not filtering private messages as well as it could

---
 include/misc.php | 8 ++++++--
 include/zid.php | 5 +++++
 src/Lib/Img_cache.php | 7 +++++++
 src/Module/Item.php | 8 ++++----
 4 files changed, 22 insertions(+), 6 deletions(-)

diff --git a/include/misc.php b/include/misc.php
index 5bf82dee0..a447928c1 100644
--- a/include/misc.php
+++ b/include/misc.php
@@ -1158,7 +1158,11 @@ function sslify($s, $cache_enable = true)
     foreach ($matches as $match) {
         // For access controlled photos using OpenWebAuth, remove any zid attributes.
         // This will cache a publicly available image but will not cache a protected one.
-        $clean = strip_zids(strip_query_param($match[2], 'f'));
+        $dirty = $match[2];
+        $clean = strip_zids(strip_accesstokens(strip_query_param($dirty, 'f')));
+        if ($dirty !== $clean) {
+            continue;
+        }
         $cached = Img_cache::check($clean, 'cache/img');
         if ($cached) {
             // $file = Img_cache::get_filename($clean,'cache/img');
@@ -1168,7 +1172,7 @@ function sslify($s, $cache_enable = true)
             // $alt = preg_match('/alt=\"(.*?)\"/ism', $match[1], $a);
             // @fixme getimagesize and replace height/width/alt in image tag
 
-            $s = str_replace($match[2], z_root() . '/ca/' . basename(Img_cache::get_filename($clean, 'cache/img')) . '?url=' . urlencode($clean), $s);
+            $s = str_replace($match[2], z_root() . '/ca/' . basename(Img_cache::get_filename($clean, 'cache/img')) . '?url=' . urlencode($dirty), $s);
         }
     }
 }
diff --git a/include/zid.php b/include/zid.php
index 05d914c3c..137056d5a 100644
--- a/include/zid.php
+++ b/include/zid.php
@@ -123,6 +123,11 @@ function strip_zids($s)
     return preg_replace('/[\?&]zid=(.*?)(&|$)/ism', '$2', $s);
 }
 
+function strip_accesstokens($s)
+{
+    return preg_replace('/[\?&]token=(.*?)(&|$)/ism', '$2', $s);
+}
+
 function strip_owt($s)
 {
     return preg_replace('/[\?&]owt=(.*?)(&|$)/ism', '$2', $s);
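Review bot: The two comment lines kept directly above the new guard are now stale: they still say zid attributes are removed and the publicly available image is cached, while the code beneath them now skips the image entirely whenever stripping zid, token or f changed the URL. Replace them with `// Skip any image whose URL carries a zid, token or f query parameter: the copy would be served back through the /ca/ cache URL, so a credential-gated image must never be fetched into the cache.` With the guard in place `$clean` always equals `$dirty`, so the `$clean` variable and the `urlencode($dirty)` change in the second hunk are no-ops; keeping a single variable would make the intent clearer. This is a deny-list of three parameter names, so a URL that conveys access through any other query parameter would still be cached — whether such URLs occur here cannot be seen from this diff. sslify() begins and ends outside the hunk.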
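Review bot: `strip_accesstokens()` has no docblock and, like the `strip_zids()` it mirrors, yields a malformed URL when the parameter comes first in the query: `/photo?token=abc&x=1` becomes `/photo&x=1`, because the `$2` replacement keeps the following `&` rather than restoring the `?`. That is harmless for the equality checks this commit adds in include/misc.php and src/Lib/Img_cache.php, where any difference only causes the URL to be skipped, but it should be stated before someone uses the function to actually rewrite a URL; add `/** Remove a token= query parameter (mirrors strip_zids()); intended for change detection, not for producing a usable URL. */` above the function. The pattern only recognizes a parameter literally named `token` (case-insensitively) in the query string, so a credential passed under any other name is not detected; whether that matters depends on callers not visible here.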
diff --git a/src/Lib/Img_cache.php b/src/Lib/Img_cache.php
index d20e76a22..43e3adb94 100644
--- a/src/Lib/Img_cache.php
+++ b/src/Lib/Img_cache.php
@@ -46,6 +46,13 @@ class Img_cache
     public static function url_to_cache($url, $file): bool
     {
 
+
+        $dirty = $url;
+        $clean = strip_zids(strip_accesstokens(strip_query_param($dirty, 'f')));
+        if ($dirty !== $clean) {
+            return false;
+        }
+
         $fp = fopen($file, 'wb');
 
         if (!$fp) {
diff --git a/src/Module/Item.php b/src/Module/Item.php
index 4613c7559..b8c370f8a 100644
--- a/src/Module/Item.php
+++ b/src/Module/Item.php
@@ -7,7 +7,7 @@ namespace Code\Module;
  * As a GET request, this module answers to activitypub and zot6 item fetches and
  * acts as a permalink for local content.
  *
- * Otherwise this is the POST destination for most all locally posted
+ * Otherwise, this is the POST destination for most all locally posted
  * text stuff. This function handles status, wall-to-wall status,
  * local comments, and remote coments that are posted on this site
  * (as opposed to being delivered in a feed).
@@ -64,7 +64,7 @@ class Item extends Controller
         if (!$item_uuid) {
             http_status_exit(404, 'Not found');
         }
-        $portable_id = EMPTY_STR;
+        $portable_id = '';
 
         $item_normal = " and item.item_hidden = 0 and item.item_type = 0 and item.item_unpublished = 0 and item.item_delayed = 0 and item.item_blocked = 0 ";
@@ -87,7 +87,7 @@ class Item extends Controller
 
             // process an authenticated fetch
 
-            $sigdata = HTTPSig::verify(EMPTY_STR);
+            $sigdata = HTTPSig::verify('');
             if ($sigdata['portable_id'] && $sigdata['header_valid']) {
                 $portable_id = $sigdata['portable_id'];
                 if (!check_channelallowed($portable_id)) {
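Review bot: The new guard at the top of `url_to_cache()` returns `false` silently, so a credential-bearing URL that reaches this point is indistinguishable to the caller from a download failure, and nothing records why the fetch was refused; the `if (!$fp)` branch that follows presumably reports its failure (its body is outside the hunk), and this branch deserves the same treatment with a log line before the `return false;`. The `strip_zids(strip_accesstokens(strip_query_param(…, 'f')))` chain is now duplicated verbatim here and in sslify() in include/misc.php; a single helper such as `url_has_access_credentials($url): bool` next to the strip functions would keep the two deny-lists from drifting apart when another parameter needs adding. The two blank `+` lines around the guard are surplus under PSR-12. `url_to_cache()` continues past the hunk.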
@@ -118,7 +118,7 @@ class Item extends Controller
                 dbesc($r[0]['parent_mid'])
             );
             // If any of these have our request uri as a child, make that the head of the conversation we are going to return.
-            // Otherwise keep looking.
+            // Otherwise, keep looking.
             foreach ($j as $test) {
                 $candidate = q("select id as item_id from item where ((mid like '%s' and mid like '%s') or uuid = '%s') and parent = %d ",
                     dbesc(z_root() . '%'),