From f459a35cf4fe475d505e2eebbc10428adbab959e Mon Sep 17 00:00:00 2001
From: Lynn Stephenson <63118982+lynn-stephenson@users.noreply.github.com>
Date: Sat, 4 Apr 2020 08:06:49 +0000
Subject: [PATCH 1/6] Update lostpass.php

use CSPRNG for password reset token generation
---
 mod/lostpass.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/mod/lostpass.php b/mod/lostpass.php
index 2ce396e36..8a1a9f36e 100644
--- a/mod/lostpass.php
+++ b/mod/lostpass.php
@@ -41,7 +41,7 @@ function lostpass_post(App $a)
 DI::baseUrl()->redirect();
 }
 
- $pwdreset_token = Strings::getRandomName(12) . random_int(1000, 9999);
+ $pwdreset_token = Strings::getRandomHex(32);
 
 $fields = [
 'pwdreset' => $pwdreset_token,

From 6cbcea1aac202e53cef2c8755f076ce97f01a56f Mon Sep 17 00:00:00 2001
From: Lynn Stephenson <63118982+lynn-stephenson@users.noreply.github.com>
Date: Sat, 4 Apr 2020 08:10:39 +0000
Subject: [PATCH 2/6] Update lostpass.php

reduce info leakage on password reset tokens
---
 mod/lostpass.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/mod/lostpass.php b/mod/lostpass.php
index 8a1a9f36e..211477b0d 100644
--- a/mod/lostpass.php
+++ b/mod/lostpass.php
@@ -44,7 +44,7 @@ function lostpass_post(App $a)
 $pwdreset_token = Strings::getRandomHex(32);
 
 $fields = [
- 'pwdreset' => $pwdreset_token,
+ 'pwdreset' => hash('sha256', $pwdreset_token),
 'pwdreset_time' => DateTimeFormat::utcNow()
 ];
 $result = DBA::update('user', $fields, ['uid' => $user['uid']]);
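Review bot: The changed `$pwdreset_token = Strings::getRandomHex(32);` line leaves the token's size and entropy source undocumented: the hunk does not show whether `32` counts bytes or hex digits, nor that `Strings::getRandomHex` is CSPRNG-backed as the commit message states. Once the helper's implementation has been checked, a comment on the line above such as `// Reset token from Strings::getRandomHex (CSPRNG); 32 hex digits = 128 bits` (adjusted if `32` turns out to be a byte count) would record the intent for the next reader. The token is still written to the `user` row in clear on the `'pwdreset' => $pwdreset_token,` context line; the next patch in this series replaces that with a digest. `lostpass_post` begins and ends outside the hunk.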
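Review bot: The `hash('sha256', $pwdreset_token)` expression on the changed `'pwdreset'` line is repeated verbatim in the lookup in `lostpass_content` (this patch's second hunk), so the two sites can drift apart; a small shared helper such as `function lostpass_hash_token(string $token): string { return hash('sha256', $token); }` called from both places would keep them in step. A comment on this line, e.g. `// Store only the digest so a read of the user table yields no usable reset token`, would record why the column no longer holds the value the user receives. An unkeyed fast hash is adequate here only because the input is high-entropy CSPRNG output rather than a user-chosen secret, which is worth stating in that comment too. `lostpass_post` begins and ends outside the hunk.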
@@ -95,7 +95,7 @@ function lostpass_content(App $a)
 if ($a->argc > 1) {
 $pwdreset_token = $a->argv[1];
 
- $user = DBA::selectFirst('user', ['uid', 'username', 'nickname', 'email', 'pwdreset_time', 'language'], ['pwdreset' => $pwdreset_token]);
+ $user = DBA::selectFirst('user', ['uid', 'username', 'nickname', 'email', 'pwdreset_time', 'language'], ['pwdreset' => hash('sha256', $pwdreset_token)]);
 if (!DBA::isResult($user)) {
 notice(DI::l10n()->t("Request could not be verified. \x28You may have previously submitted it.\x29 Password reset failed."));
 

From bdd6e1913acd8091dd1c058aa49b05d99c1ee6a4 Mon Sep 17 00:00:00 2001
From: Michael
Date: Sat, 4 Apr 2020 17:59:08 +0000
Subject: [PATCH 3/6] AP: Limited comment distribution

---
 src/Protocol/ActivityPub/Transmitter.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/Protocol/ActivityPub/Transmitter.php b/src/Protocol/ActivityPub/Transmitter.php
index 837e81c1e..ecda2dc68 100644
--- a/src/Protocol/ActivityPub/Transmitter.php
+++ b/src/Protocol/ActivityPub/Transmitter.php
@@ -478,7 +478,7 @@ class Transmitter
 $data['to'][] = $profile['url'];
 } else {
 $data['cc'][] = $profile['url'];
- if (($item['private'] != Item::PRIVATE) && $item['private'] && !empty($actor_profile['followers'])) {
+ if (($item['private'] != Item::PRIVATE) && !empty($actor_profile['followers'])) {
 $data['cc'][] = $actor_profile['followers'];
 }
 }

From f280dcaa5eecb39897786bc3fc06c1f7689a614a Mon Sep 17 00:00:00 2001
From: Michael
Date: Sat, 4 Apr 2020 20:00:40 +0000
Subject: [PATCH 4/6] Issue 8493: Avoid fatal error when fetching items via API

---
 include/conversation.php | 292 ++++++++++++--------------------------
 1 file changed, 88 insertions(+), 204 deletions(-)

diff --git a/include/conversation.php b/include/conversation.php
index 899987382..5dd7e147e 100644
--- a/include/conversation.php
+++ b/include/conversation.php
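Review bot: Dropping the `$item['private']` clause on the changed line widens the `followers` cc from unlisted-only items to every item that is not `Item::PRIVATE`, including public ones, but nothing in the hunk records that this widening is intended; a comment above the `if`, such as `// Public and unlisted items are also addressed to the followers collection; private ones are not.`, would keep the next reader from restoring the old clause. The comparison stays loose (`!=`), which tolerates `$item['private']` arriving as a string from the database; if it is guaranteed to be an int, `!==` is the stricter form, but that cannot be verified from this hunk. The enclosing method starts and ends outside the hunk.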
@@ -144,222 +144,106 @@ function localize_item(&$item) $item['body'] = item_redir_and_replace_images($extracted['body'], $extracted['images'], $item['contact-id']); } - /* - heluecht 2018-06-19: from my point of view this whole code part is useless. - It just renders the body message of technical posts (Like, dislike, ...). - But: The body isn't visible at all. So we do this stuff just because we can. - Even if these messages were visible, this would only mean that something went wrong. - During the further steps of the database restructuring I would like to address this issue. - */ + /// @todo The following functionality needs to be cleaned up. + if (!empty($item['verb'])) { + $activity = DI::activity(); - $activity = DI::activity(); + if (stristr($item['verb'], Activity::POKE)) { + $verb = urldecode(substr($item['verb'],strpos($item['verb'],'#')+1)); + if (!$verb) { + return; + } + if ($item['object-type']=="" || $item['object-type']!== Activity\ObjectType::PERSON) { + return; + } - $xmlhead = "<" . "?xml version='1.0' encoding='UTF-8' ?" . ">"; - if ($activity->match($item['verb'], Activity::LIKE) - || $activity->match($item['verb'], Activity::DISLIKE) - || $activity->match($item['verb'], Activity::ATTEND) - || $activity->match($item['verb'], Activity::ATTENDNO) - || $activity->match($item['verb'], Activity::ATTENDMAYBE)) { + $Aname = $item['author-name']; + $Alink = $item['author-link']; + + $xmlhead = "<" . "?xml version='1.0' encoding='UTF-8' ?" . ">"; + + $obj = XML::parseString($xmlhead.$item['object']); + + $Bname = $obj->title; + $Blink = $obj->id; + $Bphoto = ""; + + foreach ($obj->link as $l) { + $atts = $l->attributes(); + switch ($atts['rel']) { + case "alternate": $Blink = $atts['href']; + case "photo": $Bphoto = $atts['href']; + } + } + + $A = '[url=' . Contact::magicLink($Alink) . ']' . $Aname . '[/url]'; + $B = '[url=' . Contact::magicLink($Blink) . ']' . $Bname . '[/url]'; + if ($Bphoto != "") { + $Bphoto = '[url=' . Contact::magicLink($Blink) . 
'][img=80x80]' . $Bphoto . '[/img][/url]'; + } + + /* + * we can't have a translation string with three positions but no distinguishable text + * So here is the translate string. + */ + $txt = DI::l10n()->t('%1$s poked %2$s'); + + // now translate the verb + $poked_t = trim(sprintf($txt, "", "")); + $txt = str_replace($poked_t, DI::l10n()->t($verb), $txt); + + // then do the sprintf on the translation string + + $item['body'] = sprintf($txt, $A, $B). "\n\n\n" . $Bphoto; - $fields = ['author-link', 'author-name', 'verb', 'object-type', 'resource-id', 'body', 'plink']; - $obj = Item::selectFirst($fields, ['uri' => $item['parent-uri']]); - if (!DBA::isResult($obj)) { - return; } - $author = '[url=' . $item['author-link'] . ']' . $item['author-name'] . '[/url]'; - $objauthor = '[url=' . $obj['author-link'] . ']' . $obj['author-name'] . '[/url]'; + if ($activity->match($item['verb'], Activity::TAG)) { + $fields = ['author-id', 'author-link', 'author-name', 'author-network', + 'verb', 'object-type', 'resource-id', 'body', 'plink']; + $obj = Item::selectFirst($fields, ['uri' => $item['parent-uri']]); + if (!DBA::isResult($obj)) { + return; + } - switch ($obj['verb']) { - case Activity::POST: - switch ($obj['object-type']) { - case Activity\ObjectType::EVENT: - $post_type = DI::l10n()->t('event'); - break; - default: + $author_arr = ['uid' => 0, 'id' => $item['author-id'], + 'network' => $item['author-network'], 'url' => $item['author-link']]; + $author = '[url=' . Contact::magicLinkByContact($author_arr) . ']' . $item['author-name'] . '[/url]'; + + $author_arr = ['uid' => 0, 'id' => $obj['author-id'], + 'network' => $obj['author-network'], 'url' => $obj['author-link']]; + $objauthor = '[url=' . Contact::magicLinkByContact($author_arr) . ']' . $obj['author-name'] . 
'[/url]'; + + switch ($obj['verb']) { + case Activity::POST: + switch ($obj['object-type']) { + case Activity\ObjectType::EVENT: + $post_type = DI::l10n()->t('event'); + break; + default: + $post_type = DI::l10n()->t('status'); + } + break; + default: + if ($obj['resource-id']) { + $post_type = DI::l10n()->t('photo'); + $m=[]; preg_match("/\[url=([^]]*)\]/", $obj['body'], $m); + $rr['plink'] = $m[1]; + } else { $post_type = DI::l10n()->t('status'); - } - break; - default: - if ($obj['resource-id']) { - $post_type = DI::l10n()->t('photo'); - $m = []; - preg_match("/\[url=([^]]*)\]/", $obj['body'], $m); - $rr['plink'] = $m[1]; - } else { - $post_type = DI::l10n()->t('status'); - } - } - - $plink = '[url=' . $obj['plink'] . ']' . $post_type . '[/url]'; - - $bodyverb = ''; - if ($activity->match($item['verb'], Activity::LIKE)) { - $bodyverb = DI::l10n()->t('%1$s likes %2$s\'s %3$s'); - } elseif ($activity->match($item['verb'], Activity::DISLIKE)) { - $bodyverb = DI::l10n()->t('%1$s doesn\'t like %2$s\'s %3$s'); - } elseif ($activity->match($item['verb'], Activity::ATTEND)) { - $bodyverb = DI::l10n()->t('%1$s attends %2$s\'s %3$s'); - } elseif ($activity->match($item['verb'], Activity::ATTENDNO)) { - $bodyverb = DI::l10n()->t('%1$s doesn\'t attend %2$s\'s %3$s'); - } elseif ($activity->match($item['verb'], Activity::ATTENDMAYBE)) { - $bodyverb = DI::l10n()->t('%1$s attends maybe %2$s\'s %3$s'); - } - - $item['body'] = sprintf($bodyverb, $author, $objauthor, $plink); - } - - if ($activity->match($item['verb'], Activity::FRIEND)) { - - if ($item['object-type']=="" || $item['object-type']!== Activity\ObjectType::PERSON) return; - - $Aname = $item['author-name']; - $Alink = $item['author-link']; - - $xmlhead="<"."?xml version='1.0' encoding='UTF-8' ?".">"; - - $obj = XML::parseString($xmlhead.$item['object']); - $links = XML::parseString($xmlhead."".XML::unescape($obj->link).""); - - $Bname = $obj->title; - $Blink = ""; - $Bphoto = ""; - foreach ($links->link as $l) { - 
$atts = $l->attributes(); - switch ($atts['rel']) { - case "alternate": $Blink = $atts['href']; break; - case "photo": $Bphoto = $atts['href']; break; + } + // Let's break everthing ... ;-) + break; } - } + $plink = '[url=' . $obj['plink'] . ']' . $post_type . '[/url]'; - $A = '[url=' . Contact::magicLink($Alink) . ']' . $Aname . '[/url]'; - $B = '[url=' . Contact::magicLink($Blink) . ']' . $Bname . '[/url]'; - if ($Bphoto != "") { - $Bphoto = '[url=' . Contact::magicLink($Blink) . '][img]' . $Bphoto . '[/img][/url]'; - } + $parsedobj = XML::parseString($xmlhead.$item['object']); - $item['body'] = DI::l10n()->t('%1$s is now friends with %2$s', $A, $B)."\n\n\n".$Bphoto; - - } - if (stristr($item['verb'], Activity::POKE)) { - $verb = urldecode(substr($item['verb'],strpos($item['verb'],'#')+1)); - if (!$verb) { - return; - } - if ($item['object-type']=="" || $item['object-type']!== Activity\ObjectType::PERSON) { - return; - } - - $Aname = $item['author-name']; - $Alink = $item['author-link']; - - $xmlhead = "<" . "?xml version='1.0' encoding='UTF-8' ?" . ">"; - - $obj = XML::parseString($xmlhead.$item['object']); - - $Bname = $obj->title; - $Blink = $obj->id; - $Bphoto = ""; - - foreach ($obj->link as $l) { - $atts = $l->attributes(); - switch ($atts['rel']) { - case "alternate": $Blink = $atts['href']; - case "photo": $Bphoto = $atts['href']; - } - } - - $A = '[url=' . Contact::magicLink($Alink) . ']' . $Aname . '[/url]'; - $B = '[url=' . Contact::magicLink($Blink) . ']' . $Bname . '[/url]'; - if ($Bphoto != "") { - $Bphoto = '[url=' . Contact::magicLink($Blink) . '][img=80x80]' . $Bphoto . '[/img][/url]'; - } - - /* - * we can't have a translation string with three positions but no distinguishable text - * So here is the translate string. 
- */ - $txt = DI::l10n()->t('%1$s poked %2$s'); - - // now translate the verb - $poked_t = trim(sprintf($txt, "", "")); - $txt = str_replace($poked_t, DI::l10n()->t($verb), $txt); - - // then do the sprintf on the translation string - - $item['body'] = sprintf($txt, $A, $B). "\n\n\n" . $Bphoto; - - } - - if ($activity->match($item['verb'], Activity::TAG)) { - $fields = ['author-id', 'author-link', 'author-name', 'author-network', - 'verb', 'object-type', 'resource-id', 'body', 'plink']; - $obj = Item::selectFirst($fields, ['uri' => $item['parent-uri']]); - if (!DBA::isResult($obj)) { - return; - } - - $author_arr = ['uid' => 0, 'id' => $item['author-id'], - 'network' => $item['author-network'], 'url' => $item['author-link']]; - $author = '[url=' . Contact::magicLinkByContact($author_arr) . ']' . $item['author-name'] . '[/url]'; - - $author_arr = ['uid' => 0, 'id' => $obj['author-id'], - 'network' => $obj['author-network'], 'url' => $obj['author-link']]; - $objauthor = '[url=' . Contact::magicLinkByContact($author_arr) . ']' . $obj['author-name'] . '[/url]'; - - switch ($obj['verb']) { - case Activity::POST: - switch ($obj['object-type']) { - case Activity\ObjectType::EVENT: - $post_type = DI::l10n()->t('event'); - break; - default: - $post_type = DI::l10n()->t('status'); - } - break; - default: - if ($obj['resource-id']) { - $post_type = DI::l10n()->t('photo'); - $m=[]; preg_match("/\[url=([^]]*)\]/", $obj['body'], $m); - $rr['plink'] = $m[1]; - } else { - $post_type = DI::l10n()->t('status'); - } - // Let's break everthing ... ;-) - break; - } - $plink = '[url=' . $obj['plink'] . ']' . $post_type . 
'[/url]'; - - $parsedobj = XML::parseString($xmlhead.$item['object']); - - $tag = sprintf('#[url=%s]%s[/url]', $parsedobj->id, $parsedobj->content); - $item['body'] = DI::l10n()->t('%1$s tagged %2$s\'s %3$s with %4$s', $author, $objauthor, $plink, $tag); - } - - if ($activity->match($item['verb'], Activity::FAVORITE)) { - if ($item['object-type'] == "") { - return; - } - - $Aname = $item['author-name']; - $Alink = $item['author-link']; - - $xmlhead = "<" . "?xml version='1.0' encoding='UTF-8' ?" . ">"; - - $obj = XML::parseString($xmlhead.$item['object']); - if (strlen($obj->id)) { - $fields = ['author-link', 'author-name', 'plink']; - $target = Item::selectFirst($fields, ['uri' => $obj->id, 'uid' => $item['uid']]); - if (DBA::isResult($target) && $target['plink']) { - $Bname = $target['author-name']; - $Blink = $target['author-link']; - $A = '[url=' . Contact::magicLink($Alink) . ']' . $Aname . '[/url]'; - $B = '[url=' . Contact::magicLink($Blink) . ']' . $Bname . '[/url]'; - $P = '[url=' . $target['plink'] . ']' . DI::l10n()->t('post/item') . '[/url]'; - $item['body'] = DI::l10n()->t('%1$s marked %2$s\'s %3$s as favorite', $A, $B, $P)."\n"; - } + $tag = sprintf('#[url=%s]%s[/url]', $parsedobj->id, $parsedobj->content); + $item['body'] = DI::l10n()->t('%1$s tagged %2$s\'s %3$s with %4$s', $author, $objauthor, $plink, $tag); } } + $matches = null; if (preg_match_all('/@\[url=(.*?)\]/is', $item['body'], $matches, PREG_SET_ORDER)) { foreach ($matches as $mtch) { From afc87838628994edd839cc5f3b8b9236adb129d3 Mon Sep 17 00:00:00 2001 From: Michael Date: Sun, 5 Apr 2020 07:08:20 +0000 Subject: [PATCH 5/6] Code formatting --- include/conversation.php | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/include/conversation.php b/include/conversation.php index 5dd7e147e..1a93d119f 100644 --- a/include/conversation.php +++ b/include/conversation.php 
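Review bot: In the new TAG branch, `$parsedobj = XML::parseString($xmlhead.$item['object']);` reads `$xmlhead`, but the only assignment left on the new side is inside the POKE branch above it (the function-level `$xmlhead = ...` line is removed in this hunk), so for a TAG item the variable is undefined; move `$xmlhead = "<" . "?xml version='1.0' encoding='UTF-8' ?" . ">";` up next to `$activity = DI::activity();`. The POKE block's `switch ($atts['rel'])` still has no `break` after `case "alternate":`, so an alternate link also overwrites `$Bphoto` with its href — add `break;` after the `$Blink` assignment, as the removed FRIEND block did. In the TAG branch `$rr['plink'] = $m[1];` is a dead store and reads `$m[1]` even when `preg_match` matched nothing. Values taken from the parsed `$item['object']` (`title`, `id`, link hrefs) are placed into BBCode unmodified; whether `Contact::magicLink` or the BBCode renderer neutralises a `]` inside them is not visible here and is worth confirming. `localize_item` starts before the hunk and continues after it.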
@@ -149,11 +149,11 @@ function localize_item(&$item)
 $activity = DI::activity();
 
 if (stristr($item['verb'], Activity::POKE)) {
- $verb = urldecode(substr($item['verb'],strpos($item['verb'],'#')+1));
+ $verb = urldecode(substr($item['verb'], strpos($item['verb'],'#') + 1));
 if (!$verb) {
 return;
 }
- if ($item['object-type']=="" || $item['object-type']!== Activity\ObjectType::PERSON) {
+ if ($item['object-type'] == "" || $item['object-type'] !== Activity\ObjectType::PERSON) {
 return;
 }
 
@@ -162,7 +162,7 @@ function localize_item(&$item)
 
 $xmlhead = "<" . "?xml version='1.0' encoding='UTF-8' ?" . ">";
 
- $obj = XML::parseString($xmlhead.$item['object']);
+ $obj = XML::parseString($xmlhead . $item['object']);
 
 $Bname = $obj->title;
 $Blink = $obj->id;
@@ -198,7 +198,7 @@ function localize_item(&$item)
 
 }
 
- if ($activity->match($item['verb'], Activity::TAG)) {
+ if ($activity->match($item['verb'], Activity::TAG)) {
 $fields = ['author-id', 'author-link', 'author-name', 'author-network',
 'verb', 'object-type', 'resource-id', 'body', 'plink'];
 $obj = Item::selectFirst($fields, ['uri' => $item['parent-uri']]);

From 09cc3bfd0a67eea5a8e2b670c23be51c1f0d7299 Mon Sep 17 00:00:00 2001
From: Michael
Date: Sun, 5 Apr 2020 07:11:47 +0000
Subject: [PATCH 6/6] Some more code standards

---
 include/conversation.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/include/conversation.php b/include/conversation.php
index 1a93d119f..ad2dd55de 100644
--- a/include/conversation.php
+++ b/include/conversation.php
@@ -189,12 +189,12 @@ function localize_item(&$item)
 $txt = DI::l10n()->t('%1$s poked %2$s');
 
 // now translate the verb
- $poked_t = trim(sprintf($txt, "", ""));
+ $poked_t = trim(sprintf($txt, '', ''));
 $txt = str_replace($poked_t, DI::l10n()->t($verb), $txt);
 
 // then do the sprintf on the translation string
 
- $item['body'] = sprintf($txt, $A, $B). "\n\n\n" . $Bphoto;
+ $item['body'] = sprintf($txt, $A, $B) . "\n\n\n" . $Bphoto;
 
 }
 