]> git.mxchange.org Git - friendica.git/blobdiff - mod/dfrn_poll.php
projects / friendica.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Rewrite Proxy module
[friendica.git] / mod / dfrn_poll.php
diff --git a/mod/dfrn_poll.php b/mod/dfrn_poll.php
index d6bc1727e70f6d04b020e1e6c38f6e9907ce7650..6b2016886db462274ad9da07712f11de6505c43b 100644 (file)
--- a/mod/dfrn_poll.php
+++ b/mod/dfrn_poll.php
@@ -3,19 +3,20 @@
 /**
  * @file mod/dfrn_poll.php
  */
+
 use Friendica\App;
 use Friendica\Core\Config;
 use Friendica\Core\L10n;
+use Friendica\Core\Logger;
 use Friendica\Core\System;
-use Friendica\Database\DBM;
+use Friendica\Database\DBA;
 use Friendica\Module\Login;
 use Friendica\Protocol\DFRN;
 use Friendica\Protocol\OStatus;
 use Friendica\Util\Network;
+use Friendica\Util\Strings;
 use Friendica\Util\XML;
 
-require_once 'include/items.php';
-
 function dfrn_poll_init(App $a)
 {
        Login::sessionAuth();
@@ -28,10 +29,11 @@ function dfrn_poll_init(App $a)
        $sec             = defaults($_GET, 'sec'            , '');
        $dfrn_version    = (float) defaults($_GET, 'dfrn_version'   , 2.0);
        $perm            = defaults($_GET, 'perm'           , 'r');
-       $quiet                   = x($_GET, 'quiet');
+       $quiet                   = !empty($_GET['quiet']);
 
        // Possibly it is an OStatus compatible server that requests a user feed
-       if (($a->argc > 1) && ($dfrn_id == '') && !strstr($_SERVER["HTTP_USER_AGENT"], 'Friendica')) {
+       $user_agent = defaults($_SERVER, 'HTTP_USER_AGENT', '');
+       if (($a->argc > 1) && ($dfrn_id == '') && !strstr($user_agent, 'Friendica')) {
                $nickname = $a->argv[1];
                header("Content-type: application/atom+xml");
                echo OStatus::feed($nickname, $last_update, 10);
@@ -47,7 +49,7 @@ function dfrn_poll_init(App $a)
 
        $hidewall = false;
 
-       if (($dfrn_id === '') && (!x($_POST, 'dfrn_id'))) {
+       if (($dfrn_id === '') && empty($_POST['dfrn_id'])) {
                if (Config::get('system', 'block_public') && !local_user() && !remote_user()) {
                        System::httpExit(403);
                }
@@ -55,7 +57,7 @@ function dfrn_poll_init(App $a)
                $user = '';
                if ($a->argc > 1) {
                        $r = q("SELECT `hidewall`,`nickname` FROM `user` WHERE `user`.`nickname` = '%s' LIMIT 1",
-                               dbesc($a->argv[1])
+                               DBA::escape($a->argv[1])
                        );
                        if (!$r) {
                                System::httpExit(404);
@@ -66,7 +68,7 @@ function dfrn_poll_init(App $a)
                        $user = $r[0]['nickname'];
                }
 
-               logger('dfrn_poll: public feed request from ' . $_SERVER['REMOTE_ADDR'] . ' for ' . $user);
+               Logger::log('dfrn_poll: public feed request from ' . $_SERVER['REMOTE_ADDR'] . ' for ' . $user);
                header("Content-type: application/atom+xml");
                echo DFRN::feed('', $user, $last_update, 0, $hidewall);
                killme();
@@ -76,19 +78,19 @@ function dfrn_poll_init(App $a)
                $sql_extra = '';
                switch ($direction) {
                        case -1:
-                               $sql_extra = sprintf(" AND ( `dfrn-id` = '%s' OR `issued-id` = '%s' ) ", dbesc($dfrn_id), dbesc($dfrn_id));
+                               $sql_extra = sprintf(" AND ( `dfrn-id` = '%s' OR `issued-id` = '%s' ) ", DBA::escape($dfrn_id), DBA::escape($dfrn_id));
                                $my_id = $dfrn_id;
                                break;
                        case 0:
-                               $sql_extra = sprintf(" AND `issued-id` = '%s' AND `duplex` = 1 ", dbesc($dfrn_id));
+                               $sql_extra = sprintf(" AND `issued-id` = '%s' AND `duplex` = 1 ", DBA::escape($dfrn_id));
                                $my_id = '1:' . $dfrn_id;
                                break;
                        case 1:
-                               $sql_extra = sprintf(" AND `dfrn-id` = '%s' AND `duplex` = 1 ", dbesc($dfrn_id));
+                               $sql_extra = sprintf(" AND `dfrn-id` = '%s' AND `duplex` = 1 ", DBA::escape($dfrn_id));
                                $my_id = '0:' . $dfrn_id;
                                break;
                        default:
-                               goaway(System::baseUrl());
+                               $a->internalRedirect();
                                break; // NOTREACHED
                }
 
@@ -96,20 +98,20 @@ function dfrn_poll_init(App $a)
                        FROM `contact` LEFT JOIN `user` ON `contact`.`uid` = `user`.`uid`
                        WHERE `contact`.`blocked` = 0 AND `contact`.`pending` = 0
                        AND `user`.`nickname` = '%s' $sql_extra LIMIT 1",
-                       dbesc($a->argv[1])
+                       DBA::escape($a->argv[1])
                );
 
-               if (DBM::is_result($r)) {
+               if (DBA::isResult($r)) {
                        $s = Network::fetchUrl($r[0]['poll'] . '?dfrn_id=' . $my_id . '&type=profile-check');
 
-                       logger("dfrn_poll: old profile returns " . $s, LOGGER_DATA);
+                       Logger::log("dfrn_poll: old profile returns " . $s, Logger::DATA);
 
                        if (strlen($s)) {
                                $xml = XML::parseString($s);
 
-                               if ((int) $xml->status === 1) {
+                               if ((int)$xml->status === 1) {
                                        $_SESSION['authenticated'] = 1;
-                                       if (!x($_SESSION, 'remote')) {
+                                       if (empty($_SESSION['remote'])) {
                                                $_SESSION['remote'] = [];
                                        }
 
@@ -128,24 +130,29 @@ function dfrn_poll_init(App $a)
                                        $session_id = session_id();
                                        $expire = time() + 86400;
                                        q("UPDATE `session` SET `expire` = '%s' WHERE `sid` = '%s'",
-                                               dbesc($expire),
-                                               dbesc($session_id)
+                                               DBA::escape($expire),
+                                               DBA::escape($session_id)
                                        );
                                }
                        }
-                       $profile = $r[0]['nickname'];
-                       goaway((strlen($destination_url)) ? $destination_url : System::baseUrl() . '/profile/' . $profile);
+
+                       $profile = (count($r) > 0 && isset($r[0]['nickname']) ? $r[0]['nickname'] : '');
+                       if (!empty($destination_url)) {
+                               System::externalRedirect($destination_url);
+                       } else {
+                               $a->internalRedirect('profile/' . $profile);
+                       }
                }
-               goaway(System::baseUrl());
+               $a->internalRedirect();
        }
 
        if ($type === 'profile-check' && $dfrn_version < 2.2) {
                if ((strlen($challenge)) && (strlen($sec))) {
-                       dba::delete('profile_check', ["`expire` < ?", time()]);
+                       DBA::delete('profile_check', ["`expire` < ?", time()]);
                        $r = q("SELECT * FROM `profile_check` WHERE `sec` = '%s' ORDER BY `expire` DESC LIMIT 1",
-                               dbesc($sec)
+                               DBA::escape($sec)
                        );
-                       if (!DBM::is_result($r)) {
+                       if (!DBA::isResult($r)) {
                                System::xmlExit(3, 'No ticket');
                                // NOTREACHED
                        }
@@ -158,7 +165,7 @@ function dfrn_poll_init(App $a)
                        $c = q("SELECT * FROM `contact` WHERE `id` = %d LIMIT 1",
                                intval($r[0]['cid'])
                        );
-                       if (!DBM::is_result($c)) {
+                       if (!DBA::isResult($c)) {
                                System::xmlExit(3, 'No profile');
                        }
 
@@ -184,7 +191,7 @@ function dfrn_poll_init(App $a)
                        }
 
                        if ($final_dfrn_id != $orig_id) {
-                               logger('profile_check: ' . $final_dfrn_id . ' != ' . $orig_id, LOGGER_DEBUG);
+                               Logger::log('profile_check: ' . $final_dfrn_id . ' != ' . $orig_id, Logger::DEBUG);
                                // did not decode properly - cannot trust this site
                                System::xmlExit(3, 'Bad decryption');
                        }
@@ -206,10 +213,10 @@ function dfrn_poll_init(App $a)
                                        break;
                        }
 
-                       dba::delete('profile_check', ["`expire` < ?", time()]);
+                       DBA::delete('profile_check', ["`expire` < ?", time()]);
                        $r = q("SELECT * FROM `profile_check` WHERE `dfrn_id` = '%s' ORDER BY `expire` DESC",
-                               dbesc($dfrn_id));
-                       if (DBM::is_result($r)) {
+                               DBA::escape($dfrn_id));
+                       if (DBA::isResult($r)) {
                                System::xmlExit(1);
                                return; // NOTREACHED
                        }
@@ -221,23 +228,23 @@ function dfrn_poll_init(App $a)
 
 function dfrn_poll_post(App $a)
 {
-       $dfrn_id      = x($_POST,'dfrn_id')      ? $_POST['dfrn_id']              : '';
-       $challenge    = x($_POST,'challenge')    ? $_POST['challenge']            : '';
-       $url          = x($_POST,'url')          ? $_POST['url']                  : '';
-       $sec          = x($_POST,'sec')          ? $_POST['sec']                  : '';
-       $ptype        = x($_POST,'type')         ? $_POST['type']                 : '';
-       $dfrn_version = x($_POST,'dfrn_version') ? (float) $_POST['dfrn_version'] : 2.0;
-       $perm         = x($_POST,'perm')         ? $_POST['perm']                 : 'r';
+       $dfrn_id      = defaults($_POST, 'dfrn_id'  , '');
+       $challenge    = defaults($_POST, 'challenge', '');
+       $url          = defaults($_POST, 'url'      , '');
+       $sec          = defaults($_POST, 'sec'      , '');
+       $ptype        = defaults($_POST, 'type'     , '');
+       $perm         = defaults($_POST, 'perm'     , 'r');
+       $dfrn_version = !empty($_POST['dfrn_version']) ? (float) $_POST['dfrn_version'] : 2.0;
 
        if ($ptype === 'profile-check') {
                if (strlen($challenge) && strlen($sec)) {
-                       logger('dfrn_poll: POST: profile-check');
+                       Logger::log('dfrn_poll: POST: profile-check');
 
-                       dba::delete('profile_check', ["`expire` < ?", time()]);
+                       DBA::delete('profile_check', ["`expire` < ?", time()]);
                        $r = q("SELECT * FROM `profile_check` WHERE `sec` = '%s' ORDER BY `expire` DESC LIMIT 1",
-                               dbesc($sec)
+                               DBA::escape($sec)
                        );
-                       if (!DBM::is_result($r)) {
+                       if (!DBA::isResult($r)) {
                                System::xmlExit(3, 'No ticket');
                                // NOTREACHED
                        }
@@ -250,7 +257,7 @@ function dfrn_poll_post(App $a)
                        $c = q("SELECT * FROM `contact` WHERE `id` = %d LIMIT 1",
                                intval($r[0]['cid'])
                        );
-                       if (!DBM::is_result($c)) {
+                       if (!DBA::isResult($c)) {
                                System::xmlExit(3, 'No profile');
                        }
 
@@ -276,7 +283,7 @@ function dfrn_poll_post(App $a)
                        }
 
                        if ($final_dfrn_id != $orig_id) {
-                               logger('profile_check: ' . $final_dfrn_id . ' != ' . $orig_id, LOGGER_DEBUG);
+                               Logger::log('profile_check: ' . $final_dfrn_id . ' != ' . $orig_id, Logger::DEBUG);
                                // did not decode properly - cannot trust this site
                                System::xmlExit(3, 'Bad decryption');
                        }
@@ -295,40 +302,40 @@ function dfrn_poll_post(App $a)
        }
 
        $r = q("SELECT * FROM `challenge` WHERE `dfrn-id` = '%s' AND `challenge` = '%s' LIMIT 1",
-               dbesc($dfrn_id),
-               dbesc($challenge)
+               DBA::escape($dfrn_id),
+               DBA::escape($challenge)
        );
 
-       if (!DBM::is_result($r)) {
+       if (!DBA::isResult($r)) {
                killme();
        }
 
        $type = $r[0]['type'];
        $last_update = $r[0]['last_update'];
 
-       dba::delete('challenge', ['dfrn-id' => $dfrn_id, 'challenge' => $challenge]);
+       DBA::delete('challenge', ['dfrn-id' => $dfrn_id, 'challenge' => $challenge]);
 
        $sql_extra = '';
        switch ($direction) {
                case -1:
-                       $sql_extra = sprintf(" AND `issued-id` = '%s' ", dbesc($dfrn_id));
+                       $sql_extra = sprintf(" AND `issued-id` = '%s' ", DBA::escape($dfrn_id));
                        $my_id = $dfrn_id;
                        break;
                case 0:
-                       $sql_extra = sprintf(" AND `issued-id` = '%s' AND `duplex` = 1 ", dbesc($dfrn_id));
+                       $sql_extra = sprintf(" AND `issued-id` = '%s' AND `duplex` = 1 ", DBA::escape($dfrn_id));
                        $my_id = '1:' . $dfrn_id;
                        break;
                case 1:
-                       $sql_extra = sprintf(" AND `dfrn-id` = '%s' AND `duplex` = 1 ", dbesc($dfrn_id));
+                       $sql_extra = sprintf(" AND `dfrn-id` = '%s' AND `duplex` = 1 ", DBA::escape($dfrn_id));
                        $my_id = '0:' . $dfrn_id;
                        break;
                default:
-                       goaway(System::baseUrl());
+                       $a->internalRedirect();
                        break; // NOTREACHED
        }
 
        $r = q("SELECT * FROM `contact` WHERE `blocked` = 0 AND `pending` = 0 $sql_extra LIMIT 1");
-       if (!DBM::is_result($r)) {
+       if (!DBA::isResult($r)) {
                killme();
        }
 
@@ -338,13 +345,13 @@ function dfrn_poll_post(App $a)
 
        if ($type === 'reputation' && strlen($url)) {
                $r = q("SELECT * FROM `contact` WHERE `url` = '%s' AND `uid` = %d LIMIT 1",
-                       dbesc($url),
+                       DBA::escape($url),
                        intval($owner_uid)
                );
                $reputation = 0;
                $text = '';
 
-               if (DBM::is_result($r)) {
+               if (DBA::isResult($r)) {
                        $reputation = $r[0]['rating'];
                        $text = $r[0]['reason'];
 
@@ -365,7 +372,7 @@ function dfrn_poll_post(App $a)
                // NOTREACHED
        } else {
                // Update the writable flag if it changed
-               logger('dfrn_poll: post request feed: ' . print_r($_POST, true), LOGGER_DATA);
+               Logger::log('dfrn_poll: post request feed: ' . print_r($_POST, true), Logger::DATA);
                if ($dfrn_version >= 2.21) {
                        if ($perm === 'rw') {
                                $writable = 1;
@@ -390,14 +397,13 @@ function dfrn_poll_post(App $a)
 
 function dfrn_poll_content(App $a)
 {
-       $dfrn_id         = x($_GET,'dfrn_id')         ? $_GET['dfrn_id']              : '';
-       $type            = x($_GET,'type')            ? $_GET['type']                 : 'data';
-       $last_update     = x($_GET,'last_update')     ? $_GET['last_update']          : '';
-       $destination_url = x($_GET,'destination_url') ? $_GET['destination_url']      : '';
-       $sec             = x($_GET,'sec')             ? $_GET['sec']                  : '';
-       $dfrn_version    = x($_GET,'dfrn_version')    ? (float) $_GET['dfrn_version'] : 2.0;
-       $perm            = x($_GET,'perm')            ? $_GET['perm']                 : 'r';
-       $quiet           = x($_GET,'quiet')           ? true                          : false;
+       $dfrn_id         = defaults($_GET, 'dfrn_id'        , '');
+       $type            = defaults($_GET, 'type'           , 'data');
+       $last_update     = defaults($_GET, 'last_update'    , '');
+       $destination_url = defaults($_GET, 'destination_url', '');
+       $sec             = defaults($_GET, 'sec'            , '');
+       $dfrn_version    = !empty($_GET['dfrn_version'])    ? (float) $_GET['dfrn_version'] : 2.0;
+       $quiet           = !empty($_GET['quiet']);
 
        $direction = -1;
        if (strpos($dfrn_id, ':') == 1) {
@@ -407,20 +413,20 @@ function dfrn_poll_content(App $a)
 
        if ($dfrn_id != '') {
                // initial communication from external contact
-               $hash = random_string();
+               $hash = Strings::getRandomHex();
 
                $status = 0;
 
-               dba::delete('challenge', ["`expire` < ?", time()]);
+               DBA::delete('challenge', ["`expire` < ?", time()]);
 
                if ($type !== 'profile') {
                        $r = q("INSERT INTO `challenge` ( `challenge`, `dfrn-id`, `expire` , `type`, `last_update` )
                                VALUES( '%s', '%s', '%s', '%s', '%s' ) ",
-                               dbesc($hash),
-                               dbesc($dfrn_id),
+                               DBA::escape($hash),
+                               DBA::escape($dfrn_id),
                                intval(time() + 60 ),
-                               dbesc($type),
-                               dbesc($last_update)
+                               DBA::escape($type),
+                               DBA::escape($last_update)
                        );
                }
 
@@ -428,23 +434,23 @@ function dfrn_poll_content(App $a)
                switch ($direction) {
                        case -1:
                                if ($type === 'profile') {
-                                       $sql_extra = sprintf(" AND ( `dfrn-id` = '%s' OR `issued-id` = '%s' ) ", dbesc($dfrn_id), dbesc($dfrn_id));
+                                       $sql_extra = sprintf(" AND (`dfrn-id` = '%s' OR `issued-id` = '%s') ", DBA::escape($dfrn_id), DBA::escape($dfrn_id));
                                } else {
-                                       $sql_extra = sprintf(" AND `issued-id` = '%s' ", dbesc($dfrn_id));
+                                       $sql_extra = sprintf(" AND `issued-id` = '%s' ", DBA::escape($dfrn_id));
                                }
 
                                $my_id = $dfrn_id;
                                break;
                        case 0:
-                               $sql_extra = sprintf(" AND `issued-id` = '%s' AND `duplex` = 1 ", dbesc($dfrn_id));
+                               $sql_extra = sprintf(" AND `issued-id` = '%s' AND `duplex` = 1 ", DBA::escape($dfrn_id));
                                $my_id = '1:' . $dfrn_id;
                                break;
                        case 1:
-                               $sql_extra = sprintf(" AND `dfrn-id` = '%s' AND `duplex` = 1 ", dbesc($dfrn_id));
+                               $sql_extra = sprintf(" AND `dfrn-id` = '%s' AND `duplex` = 1 ", DBA::escape($dfrn_id));
                                $my_id = '0:' . $dfrn_id;
                                break;
                        default:
-                               goaway(System::baseUrl());
+                               $a->internalRedirect();
                                break; // NOTREACHED
                }
 
@@ -454,9 +460,9 @@ function dfrn_poll_content(App $a)
                        FROM `contact` LEFT JOIN `user` ON `contact`.`uid` = `user`.`uid`
                        WHERE `contact`.`blocked` = 0 AND `contact`.`pending` = 0
                        AND `user`.`nickname` = '%s' $sql_extra LIMIT 1",
-                       dbesc($nickname)
+                       DBA::escape($nickname)
                );
-               if (DBM::is_result($r)) {
+               if (DBA::isResult($r)) {
                        $challenge = '';
                        $encrypted_id = '';
                        $id_str = $my_id . '.' . mt_rand(1000, 9999);
@@ -478,6 +484,12 @@ function dfrn_poll_content(App $a)
                }
 
                if (($type === 'profile') && (strlen($sec))) {
+                       // heluecht: I don't know why we don't fail immediately when the user or contact hadn't been found.
+                       // Since it doesn't make sense to continue from this point on, we now fail here. This should be safe.
+                       if (!DBA::isResult($r)) {
+                               System::httpExit(404, ["title" => L10n::t('Page not found.')]);
+                       }
+
                        // URL reply
                        if ($dfrn_version < 2.2) {
                                $s = Network::fetchUrl($r[0]['poll']
@@ -494,41 +506,22 @@ function dfrn_poll_content(App $a)
                                        'dfrn_version' => DFRN_PROTOCOL_VERSION,
                                        'challenge' => $challenge,
                                        'sec' => $sec
-                               ]);
+                               ])->getBody();
                        }
 
-                       $profile = ((DBM::is_result($r) && $r[0]['nickname']) ? $r[0]['nickname'] : $nickname);
-
-                       switch ($destination_url) {
-                               case 'profile':
-                                       $dest = System::baseUrl() . '/profile/' . $profile . '?f=&tab=profile';
-                                       break;
-                               case 'photos':
-                                       $dest = System::baseUrl() . '/photos/' . $profile;
-                                       break;
-                               case 'status':
-                               case '':
-                                       $dest = System::baseUrl() . '/profile/' . $profile;
-                                       break;
-                               default:
-                                       $appendix = (strstr($destination_url, '?') ? '&f=&redir=1' : '?f=&redir=1');
-                                       $dest = $destination_url . $appendix;
-                                       break;
-                       }
-
-                       logger("dfrn_poll: sec profile: " . $s, LOGGER_DATA);
+                       Logger::log("dfrn_poll: sec profile: " . $s, Logger::DATA);
 
                        if (strlen($s) && strstr($s, '<?xml')) {
                                $xml = XML::parseString($s);
 
-                               logger('dfrn_poll: profile: parsed xml: ' . print_r($xml, true), LOGGER_DATA);
+                               Logger::log('dfrn_poll: profile: parsed xml: ' . print_r($xml, true), Logger::DATA);
 
-                               logger('dfrn_poll: secure profile: challenge: ' . $xml->challenge . ' expecting ' . $hash);
-                               logger('dfrn_poll: secure profile: sec: ' . $xml->sec . ' expecting ' . $sec);
+                               Logger::log('dfrn_poll: secure profile: challenge: ' . $xml->challenge . ' expecting ' . $hash);
+                               Logger::log('dfrn_poll: secure profile: sec: ' . $xml->sec . ' expecting ' . $sec);
 
                                if (((int) $xml->status == 0) && ($xml->challenge == $hash) && ($xml->sec == $sec)) {
                                        $_SESSION['authenticated'] = 1;
-                                       if (!x($_SESSION, 'remote')) {
+                                       if (empty($_SESSION['remote'])) {
                                                $_SESSION['remote'] = [];
                                        }
 
@@ -545,14 +538,30 @@ function dfrn_poll_content(App $a)
                                        $session_id = session_id();
                                        $expire = time() + 86400;
                                        q("UPDATE `session` SET `expire` = '%s' WHERE `sid` = '%s'",
-                                               dbesc($expire),
-                                               dbesc($session_id)
+                                               DBA::escape($expire),
+                                               DBA::escape($session_id)
                                        );
                                }
+                       }
+
+                       $profile = ((DBA::isResult($r) && $r[0]['nickname']) ? $r[0]['nickname'] : $nickname);
 
-                               goaway($dest);
+                       switch ($destination_url) {
+                               case 'profile':
+                                       $a->internalRedirect('profile/' . $profile . '?f=&tab=profile');
+                                       break;
+                               case 'photos':
+                                       $a->internalRedirect('photos/' . $profile);
+                                       break;
+                               case 'status':
+                               case '':
+                                       $a->internalRedirect('profile/' . $profile);
+                                       break;
+                               default:
+                                       $appendix = (strstr($destination_url, '?') ? '&f=&redir=1' : '?f=&redir=1');
+                                       $a->redirect($destination_url . $appendix);
+                                       break;
                        }
-                       goaway($dest);
                        // NOTREACHED
                } else {
                        // XML reply
Unnamed repository; edit this file 'description' to name the repository.