img_cache not filtering private messages as well as it could
This commit is contained in:
parent
d5befc9f69
commit
fcf28a99e9
4 changed files with 22 additions and 6 deletions
|
@ -1158,7 +1158,11 @@ function sslify($s, $cache_enable = true)
|
|||
foreach ($matches as $match) {
|
||||
// For access controlled photos using OpenWebAuth, remove any zid attributes.
|
||||
// This will cache a publicly available image but will not cache a protected one.
|
||||
$clean = strip_zids(strip_query_param($match[2], 'f'));
|
||||
$dirty = $match[2];
|
||||
$clean = strip_zids(strip_accesstokens(strip_query_param($dirty, 'f')));
|
||||
if ($dirty !== $clean) {
|
||||
continue;
|
||||
}
|
||||
$cached = Img_cache::check($clean, 'cache/img');
|
||||
if ($cached) {
|
||||
// $file = Img_cache::get_filename($clean,'cache/img');
|
||||
|
@ -1168,7 +1172,7 @@ function sslify($s, $cache_enable = true)
|
|||
// $alt = preg_match('/alt=\"(.*?)\"/ism', $match[1], $a);
|
||||
|
||||
// @fixme getimagesize and replace height/width/alt in image tag
|
||||
$s = str_replace($match[2], z_root() . '/ca/' . basename(Img_cache::get_filename($clean, 'cache/img')) . '?url=' . urlencode($clean), $s);
|
||||
$s = str_replace($match[2], z_root() . '/ca/' . basename(Img_cache::get_filename($clean, 'cache/img')) . '?url=' . urlencode($dirty), $s);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
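Review bot: The two comment lines above `$dirty = $match[2];` still describe the old behaviour (stripping zid attributes and caching the stripped URL), while the new code skips caching entirely whenever removing `f`, `zid` or `token` changes the URL, and so also rejects URLs that carry only the `f` parameter, which looks intentional but is nowhere stated. Suggested replacement for the two comment lines: `// A URL carrying a zid, an access token or the 'f' parameter is treated as access controlled and is never written to the public image cache; only URLs that survive stripping unchanged are cached.` In the second hunk, changing `urlencode($clean)` to `urlencode($dirty)` is a no-op, since the guard above only lets through URLs for which the two strings are identical; keeping `$clean` there would make that invariant easier to see. The enclosing foreach and the body of sslify continue outside both hunks.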
@ -123,6 +123,11 @@ function strip_zids($s)
|
|||
return preg_replace('/[\?&]zid=(.*?)(&|$)/ism', '$2', $s);
|
||||
}
|
||||
|
||||
function strip_accesstokens($s)
|
||||
{
|
||||
return preg_replace('/[\?&]token=(.*?)(&|$)/ism', '$2', $s);
|
||||
}
|
||||
|
||||
function strip_owt($s)
|
||||
{
|
||||
return preg_replace('/[\?&]owt=(.*?)(&|$)/ism', '$2', $s);
|
||||
|
|
|
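Review bot: `strip_accesstokens` replaces the matched parameter with `$2`, so when `token` is the first query parameter the leading `?` is lost and `?token=x&a=1` becomes `&a=1`, a malformed query string; in this commit the return value is only compared against the input, but any future caller that uses it as a URL would be bitten. A typed signature `function strip_accesstokens(string $s): string` plus a docblock saying the result is meant for the equality test rather than for use as a URL would prevent that, and would also surface the fact that `preg_replace` returns null on a PCRE error, which the untyped version silently passes on. If the existing `strip_query_param()` helper used in sslify already handles the leading-`?` case, delegating to `strip_query_param($s, 'token')` would avoid a third copy of this regex; I cannot see its implementation from here. The same `$2` behaviour is shared by `strip_zids` and `strip_owt`, which are outside this change.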
@ -46,6 +46,13 @@ class Img_cache
|
|||
public static function url_to_cache($url, $file): bool
|
||||
{
|
||||
|
||||
|
||||
$dirty = $url;
|
||||
$clean = strip_zids(strip_accesstokens(strip_query_param($dirty, 'f')));
|
||||
if ($dirty !== $clean) {
|
||||
return false;
|
||||
}
|
||||
|
||||
$fp = fopen($file, 'wb');
|
||||
|
||||
if (!$fp) {
|
||||
|
|
|
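Review bot: The new guard in `url_to_cache` duplicates, expression for expression, the check added to `sslify` in the same commit (`strip_zids(strip_accesstokens(strip_query_param($dirty, 'f')))` followed by an identity comparison); two copies of a security policy drift apart easily, so a single helper such as `function url_is_access_controlled(string $url): bool` called from both places would keep the cache rule in one spot. The guard is correctly placed before `fopen($file, 'wb')`, so no cache file is created for a rejected URL, but the bare `return false` is indistinguishable from an I/O failure to the caller; a comment such as `// Refuse to cache access-controlled URLs (zid, token or f parameter present).` above the `$dirty = $url;` line would make the intent explicit. `url_to_cache` continues past the end of the hunk.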
@ -7,7 +7,7 @@ namespace Code\Module;
|
|||
* As a GET request, this module answers to activitypub and zot6 item fetches and
|
||||
* acts as a permalink for local content.
|
||||
*
|
||||
* Otherwise this is the POST destination for most all locally posted
|
||||
* Otherwise, this is the POST destination for most all locally posted
|
||||
* text stuff. This function handles status, wall-to-wall status,
|
||||
* local comments, and remote coments that are posted on this site
|
||||
* (as opposed to being delivered in a feed).
|
||||
|
@ -64,7 +64,7 @@ class Item extends Controller
|
|||
if (!$item_uuid) {
|
||||
http_status_exit(404, 'Not found');
|
||||
}
|
||||
$portable_id = EMPTY_STR;
|
||||
$portable_id = '';
|
||||
|
||||
$item_normal = " and item.item_hidden = 0 and item.item_type = 0 and item.item_unpublished = 0 and item.item_delayed = 0 and item.item_blocked = 0 ";
|
||||
|
||||
|
@ -87,7 +87,7 @@ class Item extends Controller
|
|||
// process an authenticated fetch
|
||||
|
||||
|
||||
$sigdata = HTTPSig::verify(EMPTY_STR);
|
||||
$sigdata = HTTPSig::verify('');
|
||||
if ($sigdata['portable_id'] && $sigdata['header_valid']) {
|
||||
$portable_id = $sigdata['portable_id'];
|
||||
if (!check_channelallowed($portable_id)) {
|
||||
|
@ -118,7 +118,7 @@ class Item extends Controller
|
|||
dbesc($r[0]['parent_mid'])
|
||||
);
|
||||
// If any of these have our request uri as a child, make that the head of the conversation we are going to return.
|
||||
// Otherwise keep looking.
|
||||
// Otherwise, keep looking.
|
||||
foreach ($j as $test) {
|
||||
$candidate = q("select id as item_id from item where ((mid like '%s' and mid like '%s') or uuid = '%s') and parent = %d ",
|
||||
dbesc(z_root() . '%'),
|
||||
|
|