friendica
/
friendica
mirror of https://github.com/friendica/friendica
6
0
Fork 1
Code Issues Packages Projects Releases 1 Wiki Activity

Merge pull request #12773 from MrPetovan/bug/return-xss 

Ensure arbitrary HTTPException messages are HTML escaped
This commit is contained in:
Philipp 2023-02-05 20:02:57 +01:00 committed by GitHub
parent 544348c25a 9e4adabb58
commit bb92870ebb
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
8 changed files with 122 additions and 68 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/App/BaseURL.php
View File

@ -341,7 +341,7 @@ class BaseURL
public function redirect(string $toUrl = '', bool $ssl = false) public function redirect(string $toUrl = '', bool $ssl = false)
{ {
if (!empty(parse_url($toUrl, PHP_URL_SCHEME))) { if (!empty(parse_url($toUrl, PHP_URL_SCHEME))) {
throw new HTTPException\InternalServerErrorException("'$toUrl is not a relative path, please use System::externalRedirectTo"); throw new HTTPException\InternalServerErrorException("$toUrl is not a relative path, please use System::externalRedirectTo");
} }
$redirectTo = $this->get($ssl) . '/' . ltrim($toUrl, '/'); $redirectTo = $this->get($ssl) . '/' . ltrim($toUrl, '/');

11
src/Module/Item/Display.php
View File

@ -37,6 +37,7 @@ use Friendica\Model\Post;
use Friendica\Model\Profile; use Friendica\Model\Profile;
use Friendica\Model\User; use Friendica\Model\User;
use Friendica\Module\Response; use Friendica\Module\Response;
use Friendica\Module\Special\DisplayNotFound;
use Friendica\Navigation\Notifications\Repository\Notification; use Friendica\Navigation\Notifications\Repository\Notification;
use Friendica\Navigation\Notifications\Repository\Notify; use Friendica\Navigation\Notifications\Repository\Notify;
use Friendica\Protocol\ActivityPub; use Friendica\Protocol\ActivityPub;
@ -246,14 +247,8 @@ class Display extends BaseModule
if (empty($item)) { if (empty($item)) {
$this->page['aside'] = ''; $this->page['aside'] = '';
throw new HTTPException\NotFoundException($this->t('Unfortunately, the requested conversation isn\'t available to you.</p> $displayNotFound = new DisplayNotFound($this->l10n, $this->baseUrl, $this->args, $this->logger, $this->profiler, $this->response, $this->server, $this->parameters);
<p>Possible reasons include:</p> return $displayNotFound->content();
<ul>
<li>The top-level post isn\'t visible.</li>
<li>The top-level post was deleted.</li>
<li>The node has blocked the top-level author or the author of the shared post.</li>
<li>You have ignored or blocked the top-level author or the author of the shared post.</li>
</ul><p>'));
} }
$item['uri-id'] = $item['parent-uri-id']; $item['uri-id'] = $item['parent-uri-id'];

49
src/Module/Special/DisplayNotFound.php Normal file
View File

@ -0,0 +1,49 @@
<?php
/**
* @copyright Copyright (C) 2010-2023, the Friendica project
*
* @license GNU AGPL version 3 or any later version
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as
* published by the Free Software Foundation, either version 3 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
*/
namespace Friendica\Module\Special;
use Friendica\Core\Renderer;
/**
* This is a special case of the HTTPException module where the message is intended to be HTML.
* This module should be called directly from the Display module and shouldn't be routed to.
*/
class DisplayNotFound extends \Friendica\BaseModule
{
protected function content(array $request = []): string
{
$tpl = Renderer::getMarkupTemplate('special/displaynotfound.tpl');
return Renderer::replaceMacros($tpl, [
'$l10n' => [
'title' => $this->t('Not Found'),
'message' => $this->t("<p>Unfortunately, the requested conversation isn't available to you.</p>
<p>Possible reasons include:</p>
<ul>
<li>The top-level post isn't visible.</li>
<li>The top-level post was deleted.</li>
<li>The node has blocked the top-level author or the author of the shared post.</li>
<li>You have ignored or blocked the top-level author or the author of the shared post.</li>
</ul>"),
]
]);
}
}

1
src/Module/Special/HTTPException.php
View File

@ -104,6 +104,7 @@ class HTTPException
$tpl = Renderer::getMarkupTemplate('http_status.tpl'); $tpl = Renderer::getMarkupTemplate('http_status.tpl');
$content = Renderer::replaceMacros($tpl, $vars); $content = Renderer::replaceMacros($tpl, $vars);
} catch (\Exception $e) { } catch (\Exception $e) {
$vars = array_map('htmlentities', $vars);
$content = "<h1>{$vars['$title']}</h1><p>{$vars['$message']}</p>"; $content = "<h1>{$vars['$title']}</h1><p>{$vars['$message']}</p>";
if ($this->isSiteAdmin) { if ($this->isSiteAdmin) {
$content .= "<p>{$vars['$thrown']}</p>"; $content .= "<p>{$vars['$thrown']}</p>";

118
view/lang/C/messages.po
View File

@ -8,7 +8,7 @@ msgid ""
msgstr "" msgstr ""
"Project-Id-Version: 2023.03-dev\n" "Project-Id-Version: 2023.03-dev\n"
"Report-Msgid-Bugs-To: \n" "Report-Msgid-Bugs-To: \n"
"POT-Creation-Date: 2023-01-23 06:47+0000\n" "POT-Creation-Date: 2023-02-04 19:53-0500\n"
"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n" "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
"Language-Team: LANGUAGE <LL@li.org>\n" "Language-Team: LANGUAGE <LL@li.org>\n"
@ -1925,39 +1925,39 @@ msgstr ""
msgid "last" msgid "last"
msgstr "" msgstr ""
#: src/Content/Text/BBCode.php:1015 src/Content/Text/BBCode.php:1877 #: src/Content/Text/BBCode.php:949 src/Content/Text/BBCode.php:1811
#: src/Content/Text/BBCode.php:1878 #: src/Content/Text/BBCode.php:1812
msgid "Image/photo" msgid "Image/photo"
msgstr "" msgstr ""
#: src/Content/Text/BBCode.php:1232 #: src/Content/Text/BBCode.php:1166
#, php-format #, php-format
msgid "" msgid ""
"<a href=\"%1$s\" target=\"_blank\" rel=\"noopener noreferrer\">%2$s</a> %3$s" "<a href=\"%1$s\" target=\"_blank\" rel=\"noopener noreferrer\">%2$s</a> %3$s"
msgstr "" msgstr ""
#: src/Content/Text/BBCode.php:1257 src/Model/Item.php:3572 #: src/Content/Text/BBCode.php:1191 src/Model/Item.php:3572
#: src/Model/Item.php:3578 src/Model/Item.php:3579 #: src/Model/Item.php:3578 src/Model/Item.php:3579
msgid "Link to source" msgid "Link to source"
msgstr "" msgstr ""
#: src/Content/Text/BBCode.php:1795 src/Content/Text/HTML.php:929 #: src/Content/Text/BBCode.php:1729 src/Content/Text/HTML.php:929
msgid "Click to open/close" msgid "Click to open/close"
msgstr "" msgstr ""
#: src/Content/Text/BBCode.php:1826 #: src/Content/Text/BBCode.php:1760
msgid "$1 wrote:" msgid "$1 wrote:"
msgstr "" msgstr ""
#: src/Content/Text/BBCode.php:1882 src/Content/Text/BBCode.php:1883 #: src/Content/Text/BBCode.php:1816 src/Content/Text/BBCode.php:1817
msgid "Encrypted content" msgid "Encrypted content"
msgstr "" msgstr ""
#: src/Content/Text/BBCode.php:2110 #: src/Content/Text/BBCode.php:2044
msgid "Invalid source protocol" msgid "Invalid source protocol"
msgstr "" msgstr ""
#: src/Content/Text/BBCode.php:2125 #: src/Content/Text/BBCode.php:2059
msgid "Invalid link protocol" msgid "Invalid link protocol"
msgstr "" msgstr ""
@ -2896,68 +2896,68 @@ msgstr ""
msgid "Forum" msgid "Forum"
msgstr "" msgstr ""
#: src/Model/Contact.php:2929 #: src/Model/Contact.php:2942
msgid "Disallowed profile URL." msgid "Disallowed profile URL."
msgstr "" msgstr ""
#: src/Model/Contact.php:2934 src/Module/Friendica.php:83 #: src/Model/Contact.php:2947 src/Module/Friendica.php:83
msgid "Blocked domain" msgid "Blocked domain"
msgstr "" msgstr ""
#: src/Model/Contact.php:2939 #: src/Model/Contact.php:2952
msgid "Connect URL missing." msgid "Connect URL missing."
msgstr "" msgstr ""
#: src/Model/Contact.php:2948 #: src/Model/Contact.php:2961
msgid "" msgid ""
"The contact could not be added. Please check the relevant network " "The contact could not be added. Please check the relevant network "
"credentials in your Settings -> Social Networks page." "credentials in your Settings -> Social Networks page."
msgstr "" msgstr ""
#: src/Model/Contact.php:2966 #: src/Model/Contact.php:2979
#, php-format #, php-format
msgid "Expected network %s does not match actual network %s" msgid "Expected network %s does not match actual network %s"
msgstr "" msgstr ""
#: src/Model/Contact.php:2983 #: src/Model/Contact.php:2996
msgid "The profile address specified does not provide adequate information." msgid "The profile address specified does not provide adequate information."
msgstr "" msgstr ""
#: src/Model/Contact.php:2985 #: src/Model/Contact.php:2998
msgid "No compatible communication protocols or feeds were discovered." msgid "No compatible communication protocols or feeds were discovered."
msgstr "" msgstr ""
#: src/Model/Contact.php:2988 #: src/Model/Contact.php:3001
msgid "An author or name was not found." msgid "An author or name was not found."
msgstr "" msgstr ""
#: src/Model/Contact.php:2991 #: src/Model/Contact.php:3004
msgid "No browser URL could be matched to this address." msgid "No browser URL could be matched to this address."
msgstr "" msgstr ""
#: src/Model/Contact.php:2994 #: src/Model/Contact.php:3007
msgid "" msgid ""
"Unable to match @-style Identity Address with a known protocol or email " "Unable to match @-style Identity Address with a known protocol or email "
"contact." "contact."
msgstr "" msgstr ""
#: src/Model/Contact.php:2995 #: src/Model/Contact.php:3008
msgid "Use mailto: in front of address to force email check." msgid "Use mailto: in front of address to force email check."
msgstr "" msgstr ""
#: src/Model/Contact.php:3001 #: src/Model/Contact.php:3014
msgid "" msgid ""
"The profile address specified belongs to a network which has been disabled " "The profile address specified belongs to a network which has been disabled "
"on this site." "on this site."
msgstr "" msgstr ""
#: src/Model/Contact.php:3006 #: src/Model/Contact.php:3019
msgid "" msgid ""
"Limited profile. This person will be unable to receive direct/personal " "Limited profile. This person will be unable to receive direct/personal "
"notifications from you." "notifications from you."
msgstr "" msgstr ""
#: src/Model/Contact.php:3071 #: src/Model/Contact.php:3084
msgid "Unable to retrieve contact information." msgid "Unable to retrieve contact information."
msgstr "" msgstr ""
@ -3188,7 +3188,7 @@ msgstr ""
msgid "[no subject]" msgid "[no subject]"
msgstr "" msgstr ""
#: src/Model/Photo.php:1178 src/Module/Media/Photo/Upload.php:198 #: src/Model/Photo.php:1184 src/Module/Media/Photo/Upload.php:198
msgid "Wall Photos" msgid "Wall Photos"
msgstr "" msgstr ""
@ -5373,26 +5373,26 @@ msgstr ""
msgid "User registrations waiting for confirmation" msgid "User registrations waiting for confirmation"
msgstr "" msgstr ""
#: src/Module/BaseApi.php:255 src/Module/BaseApi.php:271 #: src/Module/BaseApi.php:266 src/Module/BaseApi.php:282
#: src/Module/BaseApi.php:287 #: src/Module/BaseApi.php:298
msgid "Too Many Requests" msgid "Too Many Requests"
msgstr "" msgstr ""
#: src/Module/BaseApi.php:256 #: src/Module/BaseApi.php:267
#, php-format #, php-format
msgid "Daily posting limit of %d post reached. The post was rejected." msgid "Daily posting limit of %d post reached. The post was rejected."
msgid_plural "Daily posting limit of %d posts reached. The post was rejected." msgid_plural "Daily posting limit of %d posts reached. The post was rejected."
msgstr[0] "" msgstr[0] ""
msgstr[1] "" msgstr[1] ""
#: src/Module/BaseApi.php:272 #: src/Module/BaseApi.php:283
#, php-format #, php-format
msgid "Weekly posting limit of %d post reached. The post was rejected." msgid "Weekly posting limit of %d post reached. The post was rejected."
msgid_plural "Weekly posting limit of %d posts reached. The post was rejected." msgid_plural "Weekly posting limit of %d posts reached. The post was rejected."
msgstr[0] "" msgstr[0] ""
msgstr[1] "" msgstr[1] ""
#: src/Module/BaseApi.php:288 #: src/Module/BaseApi.php:299
#, php-format #, php-format
msgid "Monthly posting limit of %d post reached. The post was rejected." msgid "Monthly posting limit of %d post reached. The post was rejected."
msgid_plural "" msgid_plural ""
@ -5875,7 +5875,7 @@ msgstr[1] ""
#: src/Module/Contact/Follow.php:69 src/Module/Contact/Redir.php:62 #: src/Module/Contact/Follow.php:69 src/Module/Contact/Redir.php:62
#: src/Module/Contact/Redir.php:222 src/Module/Conversation/Community.php:194 #: src/Module/Contact/Redir.php:222 src/Module/Conversation/Community.php:194
#: src/Module/Debug/ItemBody.php:38 src/Module/Diaspora/Receive.php:57 #: src/Module/Debug/ItemBody.php:38 src/Module/Diaspora/Receive.php:57
#: src/Module/Item/Display.php:95 src/Module/Item/Feed.php:59 #: src/Module/Item/Display.php:96 src/Module/Item/Feed.php:59
#: src/Module/Item/Follow.php:41 src/Module/Item/Ignore.php:41 #: src/Module/Item/Follow.php:41 src/Module/Item/Ignore.php:41
#: src/Module/Item/Pin.php:41 src/Module/Item/Pin.php:56 #: src/Module/Item/Pin.php:41 src/Module/Item/Pin.php:56
#: src/Module/Item/Star.php:42 src/Module/Update/Display.php:37 #: src/Module/Item/Star.php:42 src/Module/Update/Display.php:37
@ -7158,24 +7158,10 @@ msgid ""
"<a href=\"/settings/display\">Theme Customization settings</a>." "<a href=\"/settings/display\">Theme Customization settings</a>."
msgstr "" msgstr ""
#: src/Module/Item/Display.php:135 src/Module/Update/Display.php:55 #: src/Module/Item/Display.php:136 src/Module/Update/Display.php:55
msgid "The requested item doesn't exist or has been deleted." msgid "The requested item doesn't exist or has been deleted."
msgstr "" msgstr ""
#: src/Module/Item/Display.php:249
msgid ""
"Unfortunately, the requested conversation isn't available to you.</p>\n"
"<p>Possible reasons include:</p>\n"
"<ul>\n"
"\t<li>The top-level post isn't visible.</li>\n"
"\t<li>The top-level post was deleted.</li>\n"
"\t<li>The node has blocked the top-level author or the author of the shared "
"post.</li>\n"
"\t<li>You have ignored or blocked the top-level author or the author of the "
"shared post.</li>\n"
"</ul><p>"
msgstr ""
#: src/Module/Item/Feed.php:86 #: src/Module/Item/Feed.php:86
msgid "The feed for this item is unavailable." msgid "The feed for this item is unavailable."
msgstr "" msgstr ""
@ -8068,7 +8054,7 @@ msgstr ""
msgid "Unsupported or missing response type" msgid "Unsupported or missing response type"
msgstr "" msgstr ""
#: src/Module/OAuth/Authorize.php:59 src/Module/OAuth/Token.php:76 #: src/Module/OAuth/Authorize.php:59 src/Module/OAuth/Token.php:77
msgid "Incomplete request data" msgid "Incomplete request data"
msgstr "" msgstr ""
@ -8079,11 +8065,11 @@ msgid ""
"close this window: %s" "close this window: %s"
msgstr "" msgstr ""
#: src/Module/OAuth/Token.php:81 #: src/Module/OAuth/Token.php:82
msgid "Invalid data or unknown client" msgid "Invalid data or unknown client"
msgstr "" msgstr ""
#: src/Module/OAuth/Token.php:100 #: src/Module/OAuth/Token.php:104
msgid "Unsupported or missing grant type" msgid "Unsupported or missing grant type"
msgstr "" msgstr ""
@ -8264,20 +8250,20 @@ msgstr ""
#: src/Module/Profile/Conversations.php:106 #: src/Module/Profile/Conversations.php:106
#: src/Module/Profile/Conversations.php:109 src/Module/Profile/Profile.php:351 #: src/Module/Profile/Conversations.php:109 src/Module/Profile/Profile.php:351
#: src/Module/Profile/Profile.php:354 src/Protocol/Feed.php:1025 #: src/Module/Profile/Profile.php:354 src/Protocol/Feed.php:1026
#: src/Protocol/OStatus.php:1045 #: src/Protocol/OStatus.php:1007
#, php-format #, php-format
msgid "%s's timeline" msgid "%s's timeline"
msgstr "" msgstr ""
#: src/Module/Profile/Conversations.php:107 src/Module/Profile/Profile.php:352 #: src/Module/Profile/Conversations.php:107 src/Module/Profile/Profile.php:352
#: src/Protocol/Feed.php:1029 src/Protocol/OStatus.php:1050 #: src/Protocol/Feed.php:1030 src/Protocol/OStatus.php:1012
#, php-format #, php-format
msgid "%s's posts" msgid "%s's posts"
msgstr "" msgstr ""
#: src/Module/Profile/Conversations.php:108 src/Module/Profile/Profile.php:353 #: src/Module/Profile/Conversations.php:108 src/Module/Profile/Profile.php:353
#: src/Protocol/Feed.php:1032 src/Protocol/OStatus.php:1054 #: src/Protocol/Feed.php:1033 src/Protocol/OStatus.php:1016
#, php-format #, php-format
msgid "%s's comments" msgid "%s's comments"
msgstr "" msgstr ""
@ -10359,6 +10345,24 @@ msgid ""
"e.g. Mastodon." "e.g. Mastodon."
msgstr "" msgstr ""
#: src/Module/Special/DisplayNotFound.php:37
msgid "Not Found"
msgstr ""
#: src/Module/Special/DisplayNotFound.php:38
msgid ""
"<p>Unfortunately, the requested conversation isn't available to you.</p>\n"
"<p>Possible reasons include:</p>\n"
"<ul>\n"
"\t<li>The top-level post isn't visible.</li>\n"
"\t<li>The top-level post was deleted.</li>\n"
"\t<li>The node has blocked the top-level author or the author of the shared "
"post.</li>\n"
"\t<li>You have ignored or blocked the top-level author or the author of the "
"shared post.</li>\n"
"</ul>"
msgstr ""
#: src/Module/Special/HTTPException.php:78 #: src/Module/Special/HTTPException.php:78
msgid "Stack trace:" msgid "Stack trace:"
msgstr "" msgstr ""
@ -11332,21 +11336,21 @@ msgstr ""
msgid "(no subject)" msgid "(no subject)"
msgstr "" msgstr ""
#: src/Protocol/OStatus.php:1470 #: src/Protocol/OStatus.php:1388
#, php-format #, php-format
msgid "%s is now following %s." msgid "%s is now following %s."
msgstr "" msgstr ""
#: src/Protocol/OStatus.php:1471 #: src/Protocol/OStatus.php:1389
msgid "following" msgid "following"
msgstr "" msgstr ""
#: src/Protocol/OStatus.php:1474 #: src/Protocol/OStatus.php:1392
#, php-format #, php-format
msgid "%s stopped following %s." msgid "%s stopped following %s."
msgstr "" msgstr ""
#: src/Protocol/OStatus.php:1475 #: src/Protocol/OStatus.php:1393
msgid "stopped following" msgid "stopped following"
msgstr "" msgstr ""

2
view/templates/exception.tpl
View File

@ -1,7 +1,7 @@
<div id="exception" class="generic-page-wrapper"> <div id="exception" class="generic-page-wrapper">
<img class="hare" src="images/friendica-404_svg_flexy-o-hare.png"/> <img class="hare" src="images/friendica-404_svg_flexy-o-hare.png"/>
<h1>{{$title}}</h1> <h1>{{$title}}</h1>
<p>{{$message nofilter}}</p> <p>{{$message}}</p>
{{if $thrown}} {{if $thrown}}
<pre>{{$thrown}} <pre>{{$thrown}}
{{$stack_trace}} {{$stack_trace}}

2
view/templates/http_status.tpl
View File

@ -4,7 +4,7 @@
</head> </head>
<body> <body>
<h1>{{$title}}</h1> <h1>{{$title}}</h1>
<p>{{$message nofilter}}</p> <p>{{$message}}</p>
{{if $trace}} {{if $trace}}
<pre>{{$trace nofilter}}</pre> <pre>{{$trace nofilter}}</pre>
{{/if}} {{/if}}

5
view/templates/special/displaynotfound.tpl Normal file
View File

@ -0,0 +1,5 @@
<div id="exception" class="generic-page-wrapper">
<img class="hare" src="images/friendica-404_svg_flexy-o-hare.png"/>
<h1>{{$title}}</h1>
{{$message nofilter}}
</div>