diff --git a/boot.php b/boot.php index ba731ddee2..22a4e39be5 100755 --- a/boot.php +++ b/boot.php @@ -379,11 +379,22 @@ class App { $scheme = $this->scheme; - if(x($this->config,'ssl_policy')) { - if(($ssl) || ($this->config['ssl_policy'] == SSL_POLICY_FULL)) - $scheme = 'https'; - if(($this->config['ssl_policy'] == SSL_POLICY_SELFSIGN) && (local_user() || x($_POST,'auth-params'))) + if((x($this->config,'system')) && (x($this->config['system'],'ssl_policy'))) { + if($this->config['system']['ssl_policy'] == SSL_POLICY_FULL) $scheme = 'https'; + +// We need to populate the $ssl flag across the entire program before turning this on. +// Basically, we'll have $ssl = true on any links which can only be seen by a logged in user +// (and also the login link). Anything seen by an outsider will have it turned off. +// At present, setting SSL_POLICY_SELFSIGN will only force remote contacts to update their +// contact links to this site with "http:" if they are currently using "https:" + +// if($this->config['system']['ssl_policy'] == SSL_POLICY_SELFSIGN) { +// if($ssl) +// $scheme = 'https'; +// else +// $scheme = 'http'; +// } } $this->baseurl = $scheme . "://" . $this->hostname . ((isset($this->path) && strlen($this->path)) ? '/' . $this->path : '' ); diff --git a/include/items.php b/include/items.php index 70c72ae165..4b1523ff65 100755 --- a/include/items.php +++ b/include/items.php @@ -1046,6 +1046,21 @@ function dfrn_deliver($owner,$contact,$atom, $dissolve = false) { if(! $rino_enable) $rino = 0; + $ssl_val = intval(get_config('system','ssl_policy')); + $ssl_policy = ''; + switch($ssl_val){ + case SSL_POLICY_FULL: + $ssl_policy = 'full'; + break; + case SSL_POLICY_SELFSIGN: + $ssl_policy = 'self'; + break; + case SSL_POLICY_NONE: + default: + $ssl_policy = 'none'; + break; + } + $url = $contact['notify'] . '&dfrn_id=' . $idtosend . '&dfrn_version=' . DFRN_PROTOCOL_VERSION . (($rino) ? '&rino=1' : ''); logger('dfrn_deliver: ' . $url); @@ -1118,6 +1133,8 @@ function dfrn_deliver($owner,$contact,$atom, $dissolve = false) { $postvars['perm'] = 'r'; } + $postvars['ssl_policy'] = $ssl_policy; + if($rino && $rino_allowed && (! $dissolve)) { $key = substr(random_string(),0,16); $data = bin2hex(aes_encrypt($postvars['data'],$key)); diff --git a/mod/admin.php b/mod/admin.php index 93714bb5f9..2b8d9bcd23 100755 --- a/mod/admin.php +++ b/mod/admin.php @@ -151,11 +151,7 @@ function admin_page_summary(&$a) { $r = q("SELECT COUNT(id) as `count` FROM `register`"); $pending = $r[0]['count']; - - - - - + $t = get_markup_template("admin_summary.tpl"); return replace_macros($t, array( '$title' => t('Administration'), @@ -210,7 +206,7 @@ function admin_page_site_post(&$a){ $dfrn_only = ((x($_POST,'dfrn_only')) ? True : False); $ostatus_disabled = !((x($_POST,'ostatus_disabled')) ? True : False); $diaspora_enabled = ((x($_POST,'diaspora_enabled')) ? True : False); - + $ssl_policy = ((x($_POST,'ssl_policy')) ? intval($_POST['ssl_policy']) : 0); set_config('config','sitename',$sitename); if ($banner==""){ @@ -222,6 +218,7 @@ function admin_page_site_post(&$a){ } else { set_config('system','banner', $banner); } + set_config('system','ssl_policy',$ssl_policy); set_config('system','language', $language); set_config('system','theme', $theme); set_config('system','maximagesize', $maximagesize); @@ -305,6 +302,12 @@ function admin_page_site(&$a) { REGISTER_APPROVE => t("Requires approval"), REGISTER_OPEN => t("Open") ); + + $ssl_choices = array( + SSL_POLICY_NONE => t("No SSL policy, links will track page SSL state"), + SSL_POLICY_FULL => t("Force all links to use SSL"), + SSL_POLICY_SELFSIGN => t("Self-signed certificate, use SSL for local links only (discouraged)") + ); $t = get_markup_template("admin_site.tpl"); return replace_macros($t, array( @@ -322,7 +325,7 @@ function admin_page_site(&$a) { '$banner' => array('banner', t("Banner/Logo"), $banner, ""), '$language' => array('language', t("System language"), get_config('system','language'), "", $lang_choices), '$theme' => array('theme', t("System theme"), get_config('system','theme'), t("Default system theme - may be over-ridden by user profiles"), $theme_choices), - + '$ssl_policy' => array('ssl_policy', t("SSL link policy"), get_config('system','ssl_policy'), t("Determines whether generated links should be forced to use SSL"), $ssl_choices), '$maximagesize' => array('maximagesize', t("Maximum image size"), get_config('system','maximagesize'), t("Maximum size in bytes of uploaded images. Default is 0, which means no limits.")), '$register_policy' => array('register_policy', t("Register policy"), $a->config['register_policy'], "", $register_choices), diff --git a/mod/dfrn_notify.php b/mod/dfrn_notify.php index 0c0c27e3d6..3dbdc5b328 100755 --- a/mod/dfrn_notify.php +++ b/mod/dfrn_notify.php @@ -14,6 +14,7 @@ function dfrn_notify_post(&$a) { $key = ((x($_POST,'key')) ? $_POST['key'] : ''); $dissolve = ((x($_POST,'dissolve')) ? intval($_POST['dissolve']) : 0); $perm = ((x($_POST,'perm')) ? notags(trim($_POST['perm'])) : 'r'); + $ssl_policy = ((x($_POST,'ssl_policy')) ? notags(trim($_POST['ssl_policy'])): 'none'); $writable = (-1); if($dfrn_version >= 2.21) { @@ -94,6 +95,65 @@ function dfrn_notify_post(&$a) { $importer['writable'] = $writable; } + // if contact's ssl policy changed, update our links + + $ssl_changed = false; + + if($ssl_policy == 'self' && strstr($importer['url'],'https:')) { + $ssl_changed = true; + $importer['url'] = str_replace('https:','http:',$importer['url']); + $importer['nurl'] = normalise_link($importer['url']); + $importer['photo'] = str_replace('https:','http:',$importer['photo']); + $importer['thumb'] = str_replace('https:','http:',$importer['thumb']); + $importer['micro'] = str_replace('https:','http:',$importer['micro']); + $importer['request'] = str_replace('https:','http:',$importer['request']); + $importer['notify'] = str_replace('https:','http:',$importer['notify']); + $importer['poll'] = str_replace('https:','http:',$importer['poll']); + $importer['confirm'] = str_replace('https:','http:',$importer['confirm']); + $importer['poco'] = str_replace('https:','http:',$importer['poco']); + } + + if($ssl_policy == 'full' && strstr($importer['url'],'http:')) { + $ssl_changed = true; + $importer['url'] = str_replace('http:','https:',$importer['url']); + $importer['nurl'] = normalise_link($importer['url']); + $importer['photo'] = str_replace('http:','https:',$importer['photo']); + $importer['thumb'] = str_replace('http:','https:',$importer['thumb']); + $importer['micro'] = str_replace('http:','https:',$importer['micro']); + $importer['request'] = str_replace('http:','https:',$importer['request']); + $importer['notify'] = str_replace('http:','https:',$importer['notify']); + $importer['poll'] = str_replace('http:','https:',$importer['poll']); + $importer['confirm'] = str_replace('http:','https:',$importer['confirm']); + $importer['poco'] = str_replace('http:','https:',$importer['poco']); + } + + if($ssl_changed) { + q("update contact set + url = '%s', + nurl = '%s', + photo = '%s', + thumb = '%s', + micro = '%s', + request = '%s', + notify = '%s', + poll = '%s', + confirm = '%s', + poco = '%s' + where id = %d limit 1", + dbesc($importer['url']), + dbesc($importer['nurl']), + dbesc($importer['photo']), + dbesc($importer['thumb']), + dbesc($importer['micro']), + dbesc($importer['request']), + dbesc($importer['notify']), + dbesc($importer['poll']), + dbesc($importer['confirm']), + dbesc($importer['poco']), + intval($importer['id']) + ); + } + logger('dfrn_notify: received notify from ' . $importer['name'] . ' for ' . $importer['username']); logger('dfrn_notify: data: ' . $data, LOGGER_DATA); diff --git a/view/admin_site.tpl b/view/admin_site.tpl index 9a12298454..01fe893c65 100755 --- a/view/admin_site.tpl +++ b/view/admin_site.tpl @@ -7,6 +7,7 @@ {{ inc field_textarea.tpl with $field=$banner }}{{ endinc }} {{ inc field_select.tpl with $field=$language }}{{ endinc }} {{ inc field_select.tpl with $field=$theme }}{{ endinc }} + {{ inc field_select.tpl with $field=$ssl_policy }}{{ endinc }}