sanitise all incoming url's - also stop them from getting mangled by simplepie

This commit is contained in:
Friendika 2011-02-16 17:32:15 -08:00
parent 9f1f9da89b
commit 527e050ecc
5 changed files with 32 additions and 18 deletions

View file

@ -2453,7 +2453,12 @@ if(! function_exists('get_plink')) {
function get_plink($item) { function get_plink($item) {
$a = get_app(); $a = get_app();
$plink = (((x($item,'plink')) && (! $item['private'])) ? '<div class="wall-item-links-wrapper"><a href="' $plink = (((x($item,'plink')) && (! $item['private'])) ? '<div class="wall-item-links-wrapper"><a href="'
. $item['plink'] . '" title="' . t('link to source') . '"><img src="' . $a->get_baseurl() . '/images/link-icon.gif" alt="' . t('link to source') . '" /></a></div>' : ''); . $item['plink'] . '" title="' . t('link to source') . '"><img src="' . $a->get_baseurl() . '/images/remote-link.gif" alt="' . t('link to source') . '" /></a></div>' : '');
return $plink; return $plink;
}} }}
if(! function_exists('unamp')) {
function unamp($s) {
return str_replace('&amp;', '&', $s);
}}

BIN
images/remote-link.gif Normal file

Binary file not shown.

After

Width:  |  Height:  |  Size: 357 B

View file

@ -19,15 +19,15 @@ function follow_post(&$a) {
if(count($links)) { if(count($links)) {
foreach($links as $link) { foreach($links as $link) {
if($link['@attributes']['rel'] === NAMESPACE_DFRN) if($link['@attributes']['rel'] === NAMESPACE_DFRN)
$dfrn = $link['@attributes']['href']; $dfrn = unamp($link['@attributes']['href']);
if($link['@attributes']['rel'] === 'salmon') if($link['@attributes']['rel'] === 'salmon')
$notify = $link['@attributes']['href']; $notify = unamp($link['@attributes']['href']);
if($link['@attributes']['rel'] === NAMESPACE_FEED) if($link['@attributes']['rel'] === NAMESPACE_FEED)
$poll = $link['@attributes']['href']; $poll = unamp($link['@attributes']['href']);
if($link['@attributes']['rel'] === 'http://microformats.org/profile/hcard') if($link['@attributes']['rel'] === 'http://microformats.org/profile/hcard')
$hcard = $link['@attributes']['href']; $hcard = unamp($link['@attributes']['href']);
if($link['@attributes']['rel'] === 'http://webfinger.net/rel/profile-page') if($link['@attributes']['rel'] === 'http://webfinger.net/rel/profile-page')
$profile = $link['@attributes']['href']; $profile = unamp($link['@attributes']['href']);
} }
@ -43,10 +43,10 @@ function follow_post(&$a) {
if(strpos($link['@attributes']['href'],'@') === false) { if(strpos($link['@attributes']['href'],'@') === false) {
if(isset($profile)) { if(isset($profile)) {
if($link['@attributes']['href'] !== $profile) if($link['@attributes']['href'] !== $profile)
$alias = $link['@attributes']['href']; $alias = unamp($link['@attributes']['href']);
} }
else else
$profile = $link['@attributes']['href']; $profile = unamp($link['@attributes']['href']);
} }
} }
} }
@ -103,7 +103,7 @@ function follow_post(&$a) {
$ret = scrape_feed($url); $ret = scrape_feed($url);
if(count($ret) && ($ret['feed_atom'] || $ret['feed_rss'])) { if(count($ret) && ($ret['feed_atom'] || $ret['feed_rss'])) {
$poll = ((x($ret,'feed_atom')) ? $ret['feed_atom'] : $ret['feed_rss']); $poll = ((x($ret,'feed_atom')) ? unamp($ret['feed_atom']) : unamp($ret['feed_rss']));
$vcard = array(); $vcard = array();
require_once('simplepie/simplepie.inc'); require_once('simplepie/simplepie.inc');
$feed = new SimplePie(); $feed = new SimplePie();
@ -116,27 +116,31 @@ function follow_post(&$a) {
$vcard['photo'] = $feed->get_image_url(); $vcard['photo'] = $feed->get_image_url();
$author = $feed->get_author(); $author = $feed->get_author();
if($author) { if($author) {
$vcard['fn'] = trim($author->get_name()); $vcard['fn'] = unxmlify(trim($author->get_name()));
$vcard['nick'] = strtolower($vcard['fn']); $vcard['nick'] = strtolower(notags(unxmlify($vcard['fn'])));
if(strpos($vcard['nick'],' ')) if(strpos($vcard['nick'],' '))
$vcard['nick'] = trim(substr($vcard['nick'],0,strpos($vcard['nick'],' '))); $vcard['nick'] = trim(substr($vcard['nick'],0,strpos($vcard['nick'],' ')));
$email = $author->get_email(); $email = unxmlify($author->get_email());
} }
else { else {
$item = $feed->get_item(0); $item = $feed->get_item(0);
if($item) { if($item) {
$author = $item->get_author(); $author = $item->get_author();
if($author) { if($author) {
$vcard['fn'] = trim($author->get_name()); $vcard['fn'] = trim(unxmlify($author->get_name()));
$vcard['nick'] = strtolower($vcard['fn']); if(! $vcard['fn'])
$vcard['fn'] = trim(unxmlify($author->get_email()));
if(strpos($vcard['fn'],'@') !== false)
$vcard['fn'] = substr($vcard['fn'],0,strpos($vcard['fn'],'@'));
$vcard['nick'] = strtolower(unxmlify($vcard['fn']));
if(strpos($vcard['nick'],' ')) if(strpos($vcard['nick'],' '))
$vcard['nick'] = trim(substr($vcard['nick'],0,strpos($vcard['nick'],' '))); $vcard['nick'] = trim(substr($vcard['nick'],0,strpos($vcard['nick'],' ')));
$email = $author->get_email(); $email = unxmlify($author->get_email());
} }
if(! $vcard['photo']) { if(! $vcard['photo']) {
$rawmedia = $item->get_item_tags('http://search.yahoo.com/mrss/','thumbnail'); $rawmedia = $item->get_item_tags('http://search.yahoo.com/mrss/','thumbnail');
if($rawmedia && $rawmedia[0]['attribs']['']['url']) if($rawmedia && $rawmedia[0]['attribs']['']['url'])
$vcard['photo'] = $rawmedia[0]['attribs']['']['url']; $vcard['photo'] = unxmlify($rawmedia[0]['attribs']['']['url']);
} }
} }
} }
@ -150,6 +154,9 @@ function follow_post(&$a) {
logger('follow: poll=' . $poll . ' notify=' . $notify . ' profile=' . $profile . ' vcard=' . print_r($vcard,true)); logger('follow: poll=' . $poll . ' notify=' . $notify . ' profile=' . $profile . ' vcard=' . print_r($vcard,true));
$vcard['fn'] = notags($vcard['fn']);
$vcard['nick'] = notags($vcard['nick']);
// do we have enough information? // do we have enough information?
if(! ((x($vcard['fn'])) && ($poll) && ($profile))) { if(! ((x($vcard['fn'])) && ($poll) && ($profile))) {
@ -157,6 +164,7 @@ function follow_post(&$a) {
goaway($_SESSION['return_url']); goaway($_SESSION['return_url']);
} }
if(! $notify) { if(! $notify) {
notice( t('Limited profile. This person will be unable to receive direct/personal notifications from you.') . EOL); notice( t('Limited profile. This person will be unable to receive direct/personal notifications from you.') . EOL);
} }

View file

@ -9226,6 +9226,7 @@ class SimplePie_Misc
function absolutize_url($relative, $base) function absolutize_url($relative, $base)
{ {
return $relative;
$iri = SimplePie_IRI::absolutize(new SimplePie_IRI($base), $relative); $iri = SimplePie_IRI::absolutize(new SimplePie_IRI($base), $relative);
return $iri->get_iri(); return $iri->get_iri();
} }