From 95507cf90fda35bb90fd32db4e7786765f7498e2 Mon Sep 17 00:00:00 2001 From: Friendika Date: Tue, 4 Jan 2011 23:18:52 -0800 Subject: [PATCH 1/5] secure admin hijacking from openid --- mod/register.php | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/mod/register.php b/mod/register.php index 68c7297c90..fcc9ebcab5 100644 --- a/mod/register.php +++ b/mod/register.php @@ -37,8 +37,13 @@ function register_post(&$a) { $openid_url = ((x($_POST,'openid_url')) ? notags(trim($_POST['openid_url'])) : ''); $photo = ((x($_POST,'photo')) ? notags(trim($_POST['photo'])) : ''); + $tmp_str = $openid_url; if((! x($username)) || (! x($email)) || (! x($nickname))) { if($openid_url) { + if(! validate_url($tmp_str)) { + notice( t('Invalid OpenID url') . EOL); + return; + } $_SESSION['register'] = 1; $_SESSION['openid'] = $openid_url; require_once('library/openid.php'); @@ -82,6 +87,12 @@ function register_post(&$a) { if((! valid_email($email)) || (! validate_email($email))) $err .= t('Not a valid email address.') . EOL; + // Disallow somebody creating an account using openid that uses the admin email address, + // since openid bypasses email verification. + + if((x($a->config,'admin_email')) && (strcasecmp($email,$a->config['admin_email']) == 0) && strlen($openid_url)) + $err .= t('Cannot use that email.') . EOL; + $nickname = $_POST['nickname'] = strtolower($nickname); if(! preg_match("/^[a-z][a-z0-9\-\_]*$/",$nickname)) From f257569713aa61b8510e6205a490eeae9c11ba5c Mon Sep 17 00:00:00 2001 From: Friendika Date: Tue, 4 Jan 2011 23:31:51 -0800 Subject: [PATCH 2/5] couple minor issues with reg queue --- mod/notifications.php | 2 +- mod/ping.php | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/mod/notifications.php b/mod/notifications.php index c425d092ed..ef72023636 100644 --- a/mod/notifications.php +++ b/mod/notifications.php @@ -126,7 +126,7 @@ function notifications_content(&$a) { else notice( t('No notifications.') . EOL); - if ($a->config['register_policy'] = REGISTER_APPROVE && + if ($a->config['register_policy'] == REGISTER_APPROVE && $a->config['admin_email'] === $a->user['email']){ $o .= load_view_file('view/registrations-top.tpl'); diff --git a/mod/ping.php b/mod/ping.php index 00c4a31051..cb067f3feb 100644 --- a/mod/ping.php +++ b/mod/ping.php @@ -25,8 +25,8 @@ function ping_init(&$a) { ); $intro = $r[0]['total']; - if ($a->config['register_policy'] = REGISTER_APPROVE && - $a->config['admin_email'] = $a->user['email']){ + if ($a->config['register_policy'] == REGISTER_APPROVE && + $a->config['admin_email'] === $a->user['email']){ $r = q("SELECT COUNT(*) AS `total` FROM `register`"); $register = $r[0]['total']; } else { From 1b0ddc928d2dbeeeab80d6beec1abc0e7a29bdb5 Mon Sep 17 00:00:00 2001 From: Friendika Date: Wed, 5 Jan 2011 01:53:34 -0800 Subject: [PATCH 3/5] make home tab work from remote profile, fix link in comment notify emails --- include/nav.php | 6 +++++- index.php | 3 +++ mod/dfrn_notify.php | 2 +- 3 files changed, 9 insertions(+), 2 deletions(-) diff --git a/include/nav.php b/include/nav.php index 74b4defc38..1bde702bef 100644 --- a/include/nav.php +++ b/include/nav.php @@ -15,8 +15,12 @@ $a->page['nav'] .= "\r\n"; + // This should take you home from a remote profile connection + + $homelink = ((x($_SESSION,'visitor_home')) ? $_SESSION['visitor_home'] : ''); + if(($a->module != 'home') && (! (local_user()))) - $a->page['nav'] .= '' . t('Home') . "\r\n"; + $a->page['nav'] .= '' . t('Home') . "\r\n"; if(($a->config['register_policy'] == REGISTER_OPEN) && (! local_user()) && (! remote_user())) $a->page['nav'] .= '' . t('Register') . "\r\n"; diff --git a/index.php b/index.php index 456c0a1443..38684a00a0 100644 --- a/index.php +++ b/index.php @@ -183,6 +183,9 @@ elseif(local_user()) if(isset($homebase)) $a->page['content'] .= ''; +// now that we've been through the module content, see if the page reported +// a permission problem and if so, a 403 response would seem to be in order. + if(stristr($_SESSION['sysmsg'], t('Permission denied'))) { header($_SERVER["SERVER_PROTOCOL"] . ' 403 ' . t('Permission denied.')); } diff --git a/mod/dfrn_notify.php b/mod/dfrn_notify.php index e4aabba5a1..49356d358c 100644 --- a/mod/dfrn_notify.php +++ b/mod/dfrn_notify.php @@ -363,7 +363,7 @@ function dfrn_notify_post(&$a) { '$username' => $importer['username'], '$email' => $importer['email'], '$from' => $from, - '$display' => $a->get_baseurl() . '/display/' . $r, + '$display' => $a->get_baseurl() . '/display/' . $importer['nickname'] . '/' . $r, '$body' => strip_tags(bbcode(stripslashes($datarray['body']))) )); From 16d26826105e9658d2409698709869f396e37a8f Mon Sep 17 00:00:00 2001 From: Friendika Date: Wed, 5 Jan 2011 02:32:18 -0800 Subject: [PATCH 4/5] fix geolocation --- view/jot_geotag.tpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/view/jot_geotag.tpl b/view/jot_geotag.tpl index 4145c3111e..b0f71e73bf 100644 --- a/view/jot_geotag.tpl +++ b/view/jot_geotag.tpl @@ -1,7 +1,7 @@ if(navigator.geolocation) { navigator.geolocation.getCurrentPosition(function(position) { - $('#jot-coord').val(position.coords.latitude + position.coords.longitude); + $('#jot-coord').val(position.coords.latitude + ' ' + position.coords.longitude); $('#profile-nolocation-wrapper').show(); }); } From b358e8afe21443a8f7e14573953a9780ba1d592d Mon Sep 17 00:00:00 2001 From: Friendika Date: Wed, 5 Jan 2011 04:00:36 -0800 Subject: [PATCH 5/5] make the name stand out just a bit more --- view/theme/duepuntozero/style.css | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/view/theme/duepuntozero/style.css b/view/theme/duepuntozero/style.css index dafc24360d..72e0be00cc 100644 --- a/view/theme/duepuntozero/style.css +++ b/view/theme/duepuntozero/style.css @@ -1826,3 +1826,7 @@ a.mail-list-link { /* end from defautlt */ +.fn { + padding: 0px 0px 5px 0px; + font-size: 120%; +} \ No newline at end of file