From 527e050ecc1037973595fd5de12682cfa9e19d64 Mon Sep 17 00:00:00 2001 From: Friendika Date: Wed, 16 Feb 2011 17:32:15 -0800 Subject: [PATCH] sanitise all incoming url's - also stop them from getting mangled by simplepie --- boot.php | 7 ++++++- images/remote-link.gif | Bin 0 -> 357 bytes include/items.php | 4 ++-- mod/follow.php | 38 +++++++++++++++++++++++--------------- simplepie/simplepie.inc | 1 + 5 files changed, 32 insertions(+), 18 deletions(-) create mode 100644 images/remote-link.gif diff --git a/boot.php b/boot.php index dcf5b1c1aa..322a4e3074 100644 --- a/boot.php +++ b/boot.php @@ -2453,7 +2453,12 @@ if(! function_exists('get_plink')) { function get_plink($item) { $a = get_app(); $plink = (((x($item,'plink')) && (! $item['private'])) ? '' : ''); + . $item['plink'] . '" title="' . t('link to source') . '">' . t('link to source') . '' : ''); return $plink; }} +if(! function_exists('unamp')) { +function unamp($s) { + return str_replace('&', '&', $s); +}} + diff --git a/images/remote-link.gif b/images/remote-link.gif new file mode 100644 index 0000000000000000000000000000000000000000..008397fe8d957604ef4be8ec2ab96f4f1b6805b0 GIT binary patch literal 357 zcmZ?wbhEHb6krfwSgORp5ci)U?F>WOMTV4b3~7HD(*851{pZR#$B_jj|BDp;mnyp| zUG`t5?7u?gf7P1*8nyq8Td$e4UNZ%vwrj?%|4m!}JN5q0S^mF!=l|Ya|8KtdfBWVC zC-46~`|$ty$NxWn|Nr^tKkb0xPZmZl273k_1|R_WiGi)@!2ALa9jVsVB}SDx20Bw$ zs0L=FxkRj4TE!A$bCb*5L5-WE!?&VlLVy@EtNRwl?pDUm7mqVaTx2-Jm7*(z6xjF` zm1MbC7$kX;1(l=(loWZHne2TkrYK1W@bhsqx-l-8$|f(e+?7!{Qb|EcXuS&~yRhJ1 TAtCl1&Z$RI-H*FDGFSrur~JTp literal 0 HcmV?d00001 diff --git a/include/items.php b/include/items.php index 153debd7d3..0951adbae1 100644 --- a/include/items.php +++ b/include/items.php @@ -350,7 +350,7 @@ function get_atom_elements($feed,$item) { '[youtube]$1[/youtube]', $res['body']); $res['body'] = oembed_html2bbcode($res['body']); - + $config = HTMLPurifier_Config::createDefault(); $config->set('Cache.DefinitionImpl', null); 
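Review bot: The new get_plink line concatenates `$item['plink']` straight into the href attribute and no escaping is visible anywhere in the hunk, so a plink containing a quote can break out of the attribute; given the commit subject is about incoming URLs, I would emit it as `. htmlspecialchars($item['plink'], ENT_QUOTES) . '" title="'` rather than the raw value. As rendered on this page `unamp()` reads `str_replace('&', '&', $s)`, which is an identity; presumably the source has `'&amp;'` as the needle and the page decoded it, but the hunk shows no removed line although its counts announce one, so the rendering appears garbled. Either way the helper deserves a comment stating what it is and is not, e.g. `// reverse the &amp; encoding applied to URLs in XML/HTML attributes; this decodes, it does not validate the URL`, since nothing else in this function checks the result.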
@@ -363,7 +363,7 @@ function get_atom_elements($feed,$item) {
 $res['body'] = html2bbcode($res['body']);
 }
-
+
 $allow = $item->get_item_tags(NAMESPACE_DFRN,'comment-allow');
 if($allow && $allow[0]['data'] == 1) $res['last-child'] = 1;
diff --git a/mod/follow.php b/mod/follow.php
index eaee7d5aca..763ffb1b01 100644
--- a/mod/follow.php
+++ b/mod/follow.php
@@ -19,15 +19,15 @@ function follow_post(&$a) {
 if(count($links)) {
 foreach($links as $link) {
 if($link['@attributes']['rel'] === NAMESPACE_DFRN)
- $dfrn = $link['@attributes']['href'];
+ $dfrn = unamp($link['@attributes']['href']);
 if($link['@attributes']['rel'] === 'salmon')
- $notify = $link['@attributes']['href'];
+ $notify = unamp($link['@attributes']['href']);
 if($link['@attributes']['rel'] === NAMESPACE_FEED)
- $poll = $link['@attributes']['href'];
+ $poll = unamp($link['@attributes']['href']);
 if($link['@attributes']['rel'] === 'http://microformats.org/profile/hcard')
- $hcard = $link['@attributes']['href'];
+ $hcard = unamp($link['@attributes']['href']);
 if($link['@attributes']['rel'] === 'http://webfinger.net/rel/profile-page')
- $profile = $link['@attributes']['href'];
+ $profile = unamp($link['@attributes']['href']);
 }
@@ -43,10 +43,10 @@ function follow_post(&$a) {
 if(strpos($link['@attributes']['href'],'@') === false) {
 if(isset($profile)) {
 if($link['@attributes']['href'] !== $profile)
- $alias = $link['@attributes']['href'];
+ $alias = unamp($link['@attributes']['href']);
 } else
- $profile = $link['@attributes']['href'];
+ $profile = unamp($link['@attributes']['href']);
 }
 }
 }
@@ -103,7 +103,7 @@ function follow_post(&$a) {
 $ret = scrape_feed($url);
 if(count($ret) && ($ret['feed_atom'] || $ret['feed_rss'])) {
- $poll = ((x($ret,'feed_atom')) ? $ret['feed_atom'] : $ret['feed_rss']);
+ $poll = ((x($ret,'feed_atom')) ? unamp($ret['feed_atom']) : unamp($ret['feed_rss']));
 $vcard = array();
 require_once('simplepie/simplepie.inc');
 $feed = new SimplePie();
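Review bot: unamp() only reverses `&amp;` encoding on the discovered hrefs assigned to $dfrn, $notify, $poll, $hcard and $profile in the -19 hunk; nothing in the hunk checks that the decoded value is an http(s) URL before it is stored and later used as the poll/notify/profile endpoint (the logger line in a later hunk shows these being used as such), so the "sanitise" in the commit subject overstates what this code does. A decode-then-validate step at the top of the loop body would make the intent explicit: `$href = unamp($link['@attributes']['href']); if(! preg_match('#^https?://#i', $href)) continue;`, with the five assignments then using `$href`. follow_post continues on both sides of the hunk.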
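Review bot: In the -43 hunk, `if($link['@attributes']['href'] !== $profile)` compares the raw href against $profile, which the -19 hunk now stores decoded through unamp(); a profile-page href containing `&amp;` therefore never compares equal and is copied into $alias instead of being recognised as the same URL. Decode once before comparing, `$href = unamp($link['@attributes']['href']); if($href !== $profile) $alias = $href;`, and assign `$href` in the else branch as well. The enclosing loop and follow_post start outside the hunk.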
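Review bot: In the -103 hunk unamp() is repeated in both arms of the ternary; applying it once to the selected value keeps the decode in one place and reads more easily: `$poll = unamp((x($ret,'feed_atom')) ? $ret['feed_atom'] : $ret['feed_rss']);`. follow_post continues past the hunk.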
@@ -116,27 +116,31 @@ function follow_post(&$a) {
 $vcard['photo'] = $feed->get_image_url();
 $author = $feed->get_author();
 if($author) {
- $vcard['fn'] = trim($author->get_name());
- $vcard['nick'] = strtolower($vcard['fn']);
+ $vcard['fn'] = unxmlify(trim($author->get_name()));
+ $vcard['nick'] = strtolower(notags(unxmlify($vcard['fn'])));
 if(strpos($vcard['nick'],' '))
 $vcard['nick'] = trim(substr($vcard['nick'],0,strpos($vcard['nick'],' ')));
- $email = $author->get_email();
+ $email = unxmlify($author->get_email());
 } else {
 $item = $feed->get_item(0);
 if($item) {
 $author = $item->get_author();
 if($author) {
- $vcard['fn'] = trim($author->get_name());
- $vcard['nick'] = strtolower($vcard['fn']);
+ $vcard['fn'] = trim(unxmlify($author->get_name()));
+ if(! $vcard['fn'])
+ $vcard['fn'] = trim(unxmlify($author->get_email()));
+ if(strpos($vcard['fn'],'@') !== false)
+ $vcard['fn'] = substr($vcard['fn'],0,strpos($vcard['fn'],'@'));
+ $vcard['nick'] = strtolower(unxmlify($vcard['fn']));
 if(strpos($vcard['nick'],' '))
 $vcard['nick'] = trim(substr($vcard['nick'],0,strpos($vcard['nick'],' ')));
- $email = $author->get_email();
+ $email = unxmlify($author->get_email());
 }
 if(! $vcard['photo']) {
 $rawmedia = $item->get_item_tags('http://search.yahoo.com/mrss/','thumbnail');
 if($rawmedia && $rawmedia[0]['attribs']['']['url'])
- $vcard['photo'] = $rawmedia[0]['attribs']['']['url'];
+ $vcard['photo'] = unxmlify($rawmedia[0]['attribs']['']['url']);
 }
 }
 }
@@ -150,6 +154,9 @@ function follow_post(&$a) {
 logger('follow: poll=' . $poll . ' notify=' . $notify . ' profile=' . $profile . ' vcard=' . print_r($vcard,true));
+ $vcard['fn'] = notags($vcard['fn']);
+ $vcard['nick'] = notags($vcard['nick']);
+ // do we have enough information? if(! ((x($vcard['fn'])) && ($poll) && ($profile))) {
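Review bot: `$vcard['nick'] = strtolower(notags(unxmlify($vcard['fn'])));` and, in the else branch, `$vcard['nick'] = strtolower(unxmlify($vcard['fn']));` run unxmlify() a second time over a value the line before already produced with unxmlify(); if unxmlify decodes entities, that double-decodes (a name carrying `&amp;lt;` would come out as `<` on the second pass), which is exactly the kind of mangling the added notags() calls are meant to catch. Derive nick from the already-decoded name in both branches, `$vcard['nick'] = strtolower($vcard['fn']);`, and leave tag stripping to the one place the commit does it later for both fields. The two branches also disagree on whether notags() is applied to nick at all, which makes the intended contract hard to read. follow_post continues on both sides of the hunk.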
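Review bot: `$vcard['fn'] = notags($vcard['fn']);` in the -150 hunk reads the index unconditionally, but fn is only assigned inside the `if($author)` branches of the preceding hunk and $vcard starts as `array()` in the -103 hunk, so a feed with no author reaches this line with an undefined index and PHP raises a notice before the `x($vcard['fn'])` guard on the following line runs; `$vcard['nick']` has the same problem. Guard the two new lines, `if(x($vcard,'fn')) $vcard['fn'] = notags($vcard['fn']);` and likewise for nick, or initialise both keys to `''` where $vcard is created. follow_post continues past the hunk.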
@@ -157,6 +164,7 @@ function follow_post(&$a) {
 goaway($_SESSION['return_url']);
 }
+
 if(! $notify) {
 notice( t('Limited profile. This person will be unable to receive direct/personal notifications from you.') . EOL);
 }
diff --git a/simplepie/simplepie.inc b/simplepie/simplepie.inc
index 185e17bccf..c3ba02b7db 100644
--- a/simplepie/simplepie.inc
+++ b/simplepie/simplepie.inc
@@ -9226,6 +9226,7 @@ class SimplePie_Misc
 function absolutize_url($relative, $base)
 {
+return $relative;
 $iri = SimplePie_IRI::absolutize(new SimplePie_IRI($base), $relative);
 return $iri->get_iri();
 }
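Review bot: `return $relative;` as the first statement of SimplePie_Misc::absolutize_url makes the two lines after it unreachable, so every caller of this vendored SimplePie copy now gets relative URLs back unresolved, not only the follow path; a feed whose links, enclosures or images are relative will produce strings that are not URLs at all. If the problem is that absolutize mangles values that are already absolute, return early only for those and keep resolution for genuinely relative input: `if(preg_match('#^[a-z][a-z0-9+.-]*:#i', $relative)) return $relative;`. Since this is a hand edit inside simplepie/simplepie.inc, a `// local patch: keep absolute URLs untouched` comment on that line would stop it being lost silently on the next library update. The method is shown in full; the class continues outside the hunk.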