From 6695b4a203ab03941c8b3305a3e55cc02b85a5ac Mon Sep 17 00:00:00 2001 From: Mike Macgirvin Date: Mon, 19 Jul 2010 06:58:03 -0700 Subject: [PATCH] more bugs --- boot.php | 6 ++---- include/items.php | 4 ++-- include/notifier.php | 2 +- include/security.php | 2 +- mod/contacts.php | 6 +++--- mod/dfrn_confirm.php | 4 ++-- mod/dfrn_notify.php | 4 ++-- mod/dfrn_poll.php | 2 +- mod/item.php | 4 ++-- mod/network.php | 4 ++-- mod/profile.php | 4 ++-- mod/register.php | 4 ++-- view/acl_selectors.php | 4 +++- 13 files changed, 25 insertions(+), 25 deletions(-) diff --git a/boot.php b/boot.php index 1a60ee173d..56d85f6382 100644 --- a/boot.php +++ b/boot.php @@ -205,12 +205,10 @@ function notags($string) { return(str_replace(array("<",">","\xBA","\xBC","\xBE"), array('[',']','','',''), $string)); }} -// The PHP built-in tag escape function has traditionally been buggy if(! function_exists('escape_tags')) { function escape_tags($string) { - return(str_replace( - array('&', '"', "'", '<', '>'), - array('&', '"', ''', '<', '>'), $string)); + + return(htmlspecialchars($string)); }} if(! function_exists('login')) { diff --git a/include/items.php b/include/items.php index d583ffecc3..937fc39fd9 100644 --- a/include/items.php +++ b/include/items.php @@ -63,7 +63,7 @@ function get_feed_for(&$a,$dfrn_id,$owner_id,$last_update) { `contact`.`id` AS `contact-id`, `contact`.`uid` AS `contact-uid` FROM `item` LEFT JOIN `contact` ON `contact`.`id` = `item`.`contact-id` WHERE `item`.`uid` = %d AND `item`.`visible` = 1 AND `item`.`deleted` = 0 - AND `item`.`type` != 'remote' AND `contact`.`blocked` = 0 + AND `item`.`type` != 'remote' AND `contact`.`blocked` = 0 AND `contact`.`pending` = 0 AND `item`.`edited` > '%s' $sql_extra ORDER BY `parent` ASC, `created` ASC LIMIT 0, 300", 
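Review bot: The new `return(htmlspecialchars($string));` in escape_tags no longer encodes the single quote that the removed str_replace table handled explicitly (its search array included `"'"`), because htmlspecialchars called without flags defaults to ENT_COMPAT and leaves `'` untouched, so a value placed inside a single-quoted HTML attribute can still terminate the attribute. It also leaves the charset to the PHP default, which varies between PHP versions, while the rest of this codebase appears to handle UTF-8 text. Passing both explicitly keeps the old contract: `return(htmlspecialchars($string, ENT_QUOTES, 'UTF-8'));`. The deleted comment about the built-in being buggy is worth replacing with one line recording why the flags are set, so nobody removes them again.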
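Review bot: The visibility predicate `contact.blocked = 0 AND contact.pending = 0` added to this query is the same fragment the commit pastes by hand into nine other queries (include/notifier.php, include/security.php, mod/contacts.php, mod/dfrn_notify.php, mod/dfrn_poll.php, and both hunks of mod/network.php and of mod/profile.php), so the next contact state that must hide a contact has to be found and added in every one of them. A single shared fragment, for example `$contact_visible = "`contact`.`blocked` = 0 AND `contact`.`pending` = 0";` interpolated into each query the way `$sql_extra` already is, would keep the rule in one place and make a missed query obvious. Because these columns are tested in WHERE rather than in the ON clause, the LEFT JOIN behaves as an inner join and items with no contact row are dropped; a short comment stating that this is intended would help the next reader. get_feed_for begins and ends outside this hunk.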
@@ -114,7 +114,7 @@ function get_feed_for(&$a,$dfrn_id,$owner_id,$last_update) { '$published' => xmlify(datetime_convert('UTC', 'UTC', $item['created'] . '+00:00' , 'Y-m-d\TH:i:s\Z')), '$updated' => xmlify(datetime_convert('UTC', 'UTC', $item['edited'] . '+00:00' , 'Y-m-d\TH:i:s\Z')), '$content' =>xmlify($item['body']), - '$comment_allow' => (($item['last-child'] && strlen($contact['dfrn-id'] && (! $contact['blocked']))) ? 1 : 0) + '$comment_allow' => (($item['last-child'] && strlen($contact['dfrn-id'])) ? 1 : 0) )); } else { diff --git a/include/notifier.php b/include/notifier.php index b8eef3971f..bd787dbfb8 100644 --- a/include/notifier.php +++ b/include/notifier.php @@ -96,7 +96,7 @@ dbg(3); $conversant_str = dbesc(implode(', ',$conversants)); } - $r = q("SELECT * FROM `contact` WHERE `id` IN ( $conversant_str ) AND `blocked` = 0 "); + $r = q("SELECT * FROM `contact` WHERE `id` IN ( $conversant_str ) AND `blocked` = 0 AND `pending` = 0"); if( ! count($r)) killme(); diff --git a/include/security.php b/include/security.php index 8b34525349..a71391dbac 100644 --- a/include/security.php +++ b/include/security.php @@ -6,7 +6,7 @@ function can_write_wall(&$a,$owner) { if((local_user()) && ($_SESSION['uid'] == $owner)) return true; - $r = q("SELECT * FROM `contact` WHERE `uid` = %d AND `id` = %d AND `blocked` = 0", + $r = q("SELECT * FROM `contact` WHERE `uid` = %d AND `id` = %d AND `blocked` = 0 AND `pending` = 0 LIMIT 1", intval($owner), intval($_SESSION['visitor_id']) ); diff --git a/mod/contacts.php b/mod/contacts.php index 585ac14232..4f48c1c3d5 100644 --- a/mod/contacts.php +++ b/mod/contacts.php @@ -119,7 +119,7 @@ function contacts_content(&$a) { $p['id']); } } - if($intval($contact_id)) + if(intval($contact_id)) q("DELETE FROM `item` WHERE `contact-id` = %d LIMIT 1", intval($contact_id) ); @@ -184,7 +184,7 @@ function contacts_content(&$a) { return $o; } -dbg(2); + if(($a->argc == 2) && ($a->argv[1] == 'all')) $sql_extra = ''; else 
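Review bot: The fixed `$comment_allow` expression drops the `! $contact['blocked']` test instead of reparenthesising it: the old `strlen($contact['dfrn-id'] && (! $contact['blocked']))` took strlen of a boolean, which is 1 for true and 0 for false, so despite being written wrongly it did gate on both conditions. The query above filters `contact.blocked` for the item's contact, but `$contact` is looked up outside this hunk and may be a different row (presumably the requesting contact), in which case the check carried meaning. If both conditions are intended, use `'$comment_allow' => (($item['last-child'] && strlen($contact['dfrn-id']) && (! $contact['blocked'])) ? 1 : 0)`; if the blocked test is redundant, a one-line comment saying why would save the next reader the same question. get_feed_for begins outside this hunk.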
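Review bot: The rewritten contact query still interpolates `$conversant_str` directly into the IN list, and the context line above builds it with `dbesc(implode(', ',$conversants))`, which escapes quotes but does not force each element to be an integer. Since contact ids are numeric, `$conversant_str = implode(', ', array_map('intval', $conversants));` guarantees the list can only ever contain integers, independent of how `$conversants` was populated earlier (outside the hunk). An empty `$conversants` would also produce `IN ( )`, which is invalid SQL; if that case can occur, a guard such as `if(! count($conversants)) killme();` before the query is clearer than relying on the failed query's result being treated as "no rows".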
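Review bot: The new query in can_write_wall still passes `intval($_SESSION['visitor_id'])` without checking that the key exists, so a visitor who is neither the local owner nor a known remote user reaches the database with id 0 and an undefined-index notice on the way. A guard before the query, `if(! isset($_SESSION['visitor_id'])) return false;`, short-circuits that path and makes the three outcomes (owner, confirmed unblocked contact, anyone else) explicit. The rest of the function, including how `$r` is evaluated, is outside the hunk.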
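Review bot: With the `$intval` typo corrected, the statement that now actually executes is the DELETE on `item` by `contact-id` with `LIMIT 1`, which removes at most one of the contact's items and leaves the rest attached to a contact the surrounding branch appears to be removing (that branch begins outside the hunk, so this is inferred). If the intent is to purge everything posted by the contact, drop the ` LIMIT 1` suffix from the query string so the whole set goes. If a single row really is intended, a comment saying which one and why is needed, because without an ORDER BY the row that MySQL deletes is unspecified.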
@@ -212,7 +212,7 @@ dbg(2); break; } - $r = q("SELECT * FROM `contact` WHERE `uid` = %d $sql_extra $sql_extra2 ", + $r = q("SELECT * FROM `contact` WHERE `uid` = %d AND `pending` = 0 $sql_extra $sql_extra2 ", intval($_SESSION['uid'])); if(count($r)) { diff --git a/mod/dfrn_confirm.php b/mod/dfrn_confirm.php index e02fbf3d0a..1a3947d970 100644 --- a/mod/dfrn_confirm.php +++ b/mod/dfrn_confirm.php @@ -136,7 +136,7 @@ function dfrn_confirm_post(&$a) { $thumb = $a->get_baseurl() . '/images/default-profile-sm.jpg'; } - $r = q("UPDATE `contact` SET `photo` = '%s', `thumb` = '%s', `blocked` = 0 WHERE `id` = %d LIMIT 1", + $r = q("UPDATE `contact` SET `photo` = '%s', `thumb` = '%s', `blocked` = 0, `pending` = 0 WHERE `id` = %d LIMIT 1", dbesc($photo), dbesc($thumb), intval($dfrn_record) @@ -361,7 +361,7 @@ function dfrn_confirm_post(&$a) { $thumb = $a->get_baseurl() . '/images/default-profile-sm.jpg'; } - $r = q("UPDATE `contact` SET `photo` = '%s', `thumb` = '%s', `blocked` = 0 WHERE `id` = %d LIMIT 1", + $r = q("UPDATE `contact` SET `photo` = '%s', `thumb` = '%s', `blocked` = 0, `pending` = 0 WHERE `id` = %d LIMIT 1", dbesc($photo), dbesc($thumb), intval($contact_id) diff --git a/mod/dfrn_notify.php b/mod/dfrn_notify.php index 1d7ca3a505..ead49982be 100644 --- a/mod/dfrn_notify.php +++ b/mod/dfrn_notify.php @@ -143,7 +143,7 @@ dbg(3); $datarray = get_atom_elements($item); - $datarray['parent-uri'] = $item['uri'] + $datarray['parent-uri'] = $item_id; $datarray['uid'] = $importer['uid']; $datarray['contact-id'] = $importer['id']; $r = post_remote($a,$datarray); @@ -176,7 +176,7 @@ function dfrn_notify_content(&$a) { intval(time() + 60 ) ); - $r = q("SELECT * FROM `contact` WHERE `issued-id` = '%s' AND `blocked` = 0 LIMIT 1", + $r = q("SELECT * FROM `contact` WHERE `issued-id` = '%s' AND `blocked` = 0 AND `pending` = 0 LIMIT 1", dbesc($_GET['dfrn_id'])); if((! count($r)) || (! strlen($r[0]['prvkey']))) $status = 1; 
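Review bot: Both UPDATE statements that now clear `pending` (this hunk and the one at line 361) select the contact row by `id` alone, so whether the right account's contact is confirmed rests entirely on how `$dfrn_record` and `$contact_id` were derived earlier in dfrn_confirm_post, outside the hunk. Adding `AND `uid` = %d` with the account uid already in scope at each site (hedged: the variable name is not visible here) is a cheap scoping check that keeps a stale or mistaken id from confirming a contact belonging to a different account. The two statements are also identical apart from the bound variable, so a small helper that sets photo, thumb, blocked and pending for one contact would keep the next change from being made twice; `$r` is not inspected after either update.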
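Review bot: The fix at `$datarray['parent-uri'] = $item_id;` does more than add the missing semicolon: the parent URI is now `$item_id` rather than the item's own `uri`, which changes how the imported item is threaded. If `$item_id` holds the URI of the item named in the notification (it is assigned outside the hunk, so this is inferred), the change is correct but deserves a comment such as `// thread under the item named in the notification, not under the item itself`; if it is a numeric id, `parent-uri` is receiving the wrong kind of value. In either case a check that `$item_id` is non-empty before calling post_remote() avoids storing an item with an empty parent-uri.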
diff --git a/mod/dfrn_poll.php b/mod/dfrn_poll.php index 6b4c50ad2e..e3da6c9526 100644 --- a/mod/dfrn_poll.php +++ b/mod/dfrn_poll.php @@ -165,7 +165,7 @@ function dfrn_poll_content(&$a) { dbesc($last_update) ); - $r = q("SELECT * FROM `contact` WHERE `issued-id` = '%s' AND `blocked` = 0 LIMIT 1", + $r = q("SELECT * FROM `contact` WHERE `issued-id` = '%s' AND `blocked` = 0 AND `pending` = 0 LIMIT 1", dbesc($_GET['dfrn_id'])); if((! count($r)) || (! strlen($r[0]['prvkey']))) $status = 1; diff --git a/mod/item.php b/mod/item.php index 4de9dc59f8..e0497af7a5 100644 --- a/mod/item.php +++ b/mod/item.php @@ -5,7 +5,7 @@ function sanitise_acl(&$item) { } function item_post(&$a) { -dbg(3); + if((! local_user()) && (! remote_user())) return; @@ -170,6 +170,6 @@ dbg(3); array(),$foo)); } -// goaway($a->get_baseurl() . "/" . $_POST['return'] ); + goaway($a->get_baseurl() . "/" . $_POST['return'] ); return; // NOTREACHED } \ No newline at end of file diff --git a/mod/network.php b/mod/network.php index 3ccd8be485..51b528832a 100644 --- a/mod/network.php +++ b/mod/network.php @@ -40,7 +40,7 @@ function network_content(&$a) { $r = q("SELECT COUNT(*) AS `total` FROM `item` LEFT JOIN `contact` ON `contact`.`id` = `item`.`contact-id` WHERE `item`.`uid` = %d AND `item`.`visible` = 1 AND `item`.`deleted` = 0 - AND `contact`.`blocked` = 0 + AND `contact`.`blocked` = 0 AND `contact`.`pending` = 0 $sql_extra ", intval($_SESSION['uid']) ); @@ -54,7 +54,7 @@ function network_content(&$a) { `contact`.`id` AS `cid`, `contact`.`uid` AS `contact-uid` FROM `item` LEFT JOIN `contact` ON `contact`.`id` = `item`.`contact-id` WHERE `item`.`uid` = %d AND `item`.`visible` = 1 AND `item`.`deleted` = 0 - AND `contact`.`blocked` = 0 + AND `contact`.`blocked` = 0 AND `contact`.`pending` = 0 $sql_extra ORDER BY `parent` DESC, `created` ASC LIMIT %d ,%d ", intval($_SESSION['uid']), diff --git a/mod/profile.php b/mod/profile.php index 7a3858ba26..5cd13d5961 100644 --- a/mod/profile.php 
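Review bot: The re-enabled `goaway($a->get_baseurl() . "/" . $_POST['return'] );` redirects to whatever the form posted in `return` without any validation; the base URL prefix keeps the destination on this host, but the rest of the value goes straight into the Location header built by goaway() (defined outside this file). Normalising it first, for example `$return = ltrim(notags(trim($_POST['return'])), '/');` and using `$return` in the call, removes tag characters and leading slashes before the value is emitted and makes the accepted shape (a relative path on this site) explicit. The `return; // NOTREACHED` after it relies on goaway() exiting, which is worth stating in a comment since the body of item_post above this point is outside the hunk.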
+++ b/mod/profile.php @@ -155,7 +155,7 @@ function profile_content(&$a) { $r = q("SELECT COUNT(*) AS `total` FROM `item` LEFT JOIN `contact` ON `contact`.`id` = `item`.`contact-id` WHERE `item`.`uid` = %d AND `item`.`visible` = 1 AND `item`.`deleted` = 0 - AND `item`.`type` != 'remote' AND `contact`.`blocked` = 0 + AND `item`.`type` != 'remote' AND `contact`.`blocked` = 0 AND `contact`.`pending` = 0 $sql_extra ", intval($a->profile['uid']) @@ -171,7 +171,7 @@ function profile_content(&$a) { `contact`.`id` AS `cid`, `contact`.`uid` AS `contact-uid` FROM `item` LEFT JOIN `contact` ON `contact`.`id` = `item`.`contact-id` WHERE `item`.`uid` = %d AND `item`.`visible` = 1 AND `item`.`deleted` = 0 - AND `item`.`type` != 'remote' AND `contact`.`blocked` = 0 + AND `item`.`type` != 'remote' AND `contact`.`blocked` = 0 AND `contact`.`pending` = 0 $sql_extra ORDER BY `parent` DESC, `id` ASC LIMIT %d ,%d ", intval($a->profile['uid']), diff --git a/mod/register.php b/mod/register.php index 2e5d02273a..53ead682f1 100644 --- a/mod/register.php +++ b/mod/register.php @@ -123,9 +123,9 @@ function register_post(&$a) { intval($newuid)); return; } - $r = q("INSERT INTO `contact` ( `uid`, `created`, `self`, `name`, `photo`, `thumb`, `blocked`, `url`, + $r = q("INSERT INTO `contact` ( `uid`, `created`, `self`, `name`, `photo`, `thumb`, `blocked`, `pending`, `url`, `request`, `notify`, `poll`, `confirm` ) - VALUES ( %d, '%s', 1, '%s', '%s', '%s', 0, '%s', '%s', '%s', '%s', '%s' ) ", + VALUES ( %d, '%s', 1, '%s', '%s', '%s', 0, 0, '%s', '%s', '%s', '%s', '%s' ) ", intval($newuid), datetime_convert(), dbesc($username), diff --git a/view/acl_selectors.php b/view/acl_selectors.php index e3ee8c8792..09ce24d0e5 100644 --- a/view/acl_selectors.php +++ b/view/acl_selectors.php @@ -36,7 +36,9 @@ function contact_select($selname,$selclass,$preselected = false,$size = 4) { $o .= "