X-Git-Url: https://git.mxchange.org/?a=blobdiff_plain;f=mod%2Fredir.php;h=dc086ae19a2347387c3541df6db5bff6e65f9cdb;hb=d15023fe4bbc404d71ad9deeccfb066c70db9ee5;hp=1d36065e9956ae844842e96d48bf07e2087e46b4;hpb=42775d53b2c5177cae2e0e1dacb0a32f92e4a83b;p=friendica.git diff --git a/mod/redir.php b/mod/redir.php index 1d36065e99..dc086ae19a 100644 --- a/mod/redir.php +++ b/mod/redir.php @@ -1,4 +1,23 @@ . + * + */ use Friendica\App; use Friendica\Core\Logger; @@ -8,16 +27,19 @@ use Friendica\Database\DBA; use Friendica\DI; use Friendica\Model\Contact; use Friendica\Model\Profile; -use Friendica\Util\Network; +use Friendica\Network\HTTPClient\Client\HttpClient; +use Friendica\Network\HTTPClient\Client\HttpClientOptions; use Friendica\Util\Strings; function redir_init(App $a) { + if (!Session::isAuthenticated()) { + throw new \Friendica\Network\HTTPException\ForbiddenException(DI::l10n()->t('Access denied.')); + } $url = $_GET['url'] ?? ''; - $quiet = !empty($_GET['quiet']) ? '&quiet=1' : ''; - if ($a->argc > 1 && intval($a->argv[1])) { - $cid = intval($a->argv[1]); + if (DI::args()->getArgc() > 1 && intval(DI::args()->getArgv()[1])) { + $cid = intval(DI::args()->getArgv()[1]); } else { $cid = 0; } @@ -25,102 +47,75 @@ function redir_init(App $a) { // Try magic auth before the legacy stuff redir_magic($a, $cid, $url); - if (!empty($cid)) { - $fields = ['id', 'uid', 'nurl', 'url', 'addr', 'name', 'network', 'poll', 'issued-id', 'dfrn-id', 'duplex', 'pending']; - $contact = DBA::selectFirst('contact', $fields, ['id' => $cid, 'uid' => [0, local_user()]]); - if (!DBA::isResult($contact)) { - notice(DI::l10n()->t('Contact not found.')); - DI::baseUrl()->redirect(); - } - - $contact_url = $contact['url']; - - if (!Session::isAuthenticated() // Visitors (not logged in or not remotes) can't authenticate. - || (!empty($a->contact['id']) && $a->contact['id'] == $cid)) // Local user is already authenticated. - { - $a->redirect($url ?: $contact_url); - } - - if ($contact['uid'] == 0 && local_user()) { - // Let's have a look if there is an established connection - // between the public contact we have found and the local user. - $contact = DBA::selectFirst('contact', $fields, ['nurl' => $contact['nurl'], 'uid' => local_user()]); - - if (DBA::isResult($contact)) { - $cid = $contact['id']; - } - - if (!empty($a->contact['id']) && $a->contact['id'] == $cid) { - // Local user is already authenticated. - $target_url = $url ?: $contact_url; - Logger::log($contact['name'] . " is already authenticated. Redirecting to " . $target_url, Logger::DEBUG); - $a->redirect($target_url); - } - } - - if (remote_user()) { - $host = substr(DI::baseUrl()->getUrlPath() . (DI::baseUrl()->getUrlPath() ? '/' . DI::baseUrl()->getUrlPath() : ''), strpos(DI::baseUrl()->getUrlPath(), '://') + 3); - $remotehost = substr($contact['addr'], strpos($contact['addr'], '@') + 1); - - // On a local instance we have to check if the local user has already authenticated - // with the local contact. Otherwise the local user would ask the local contact - // for authentification everytime he/she is visiting a profile page of the local - // contact. - if (($host == $remotehost) && (Session::getRemoteContactID(Session::get('visitor_visiting')) == Session::get('visitor_id'))) { - // Remote user is already authenticated. - $target_url = $url ?: $contact_url; - Logger::log($contact['name'] . " is already authenticated. Redirecting to " . $target_url, Logger::DEBUG); - $a->redirect($target_url); - } - } + if (empty($cid)) { + throw new \Friendica\Network\HTTPException\BadRequestException(DI::l10n()->t('Bad Request.')); + } - // Doing remote auth with dfrn. - if (local_user() && (!empty($contact['dfrn-id']) || !empty($contact['issued-id'])) && empty($contact['pending'])) { - $dfrn_id = $orig_id = (($contact['issued-id']) ? $contact['issued-id'] : $contact['dfrn-id']); + $fields = ['id', 'uid', 'nurl', 'url', 'addr', 'name']; + $contact = DBA::selectFirst('contact', $fields, ['id' => $cid, 'uid' => [0, local_user()]]); + if (!DBA::isResult($contact)) { + throw new \Friendica\Network\HTTPException\NotFoundException(DI::l10n()->t('Contact not found.')); + } - if ($contact['duplex'] && $contact['issued-id']) { - $orig_id = $contact['issued-id']; - $dfrn_id = '1:' . $orig_id; - } - if ($contact['duplex'] && $contact['dfrn-id']) { - $orig_id = $contact['dfrn-id']; - $dfrn_id = '0:' . $orig_id; - } + $contact_url = $contact['url']; - $sec = Strings::getRandomHex(); + if (!empty($a->getContactId()) && $a->getContactId() == $cid) { + // Local user is already authenticated. + redir_check_url($contact_url, $url); + $a->redirect($url ?: $contact_url); + } - $fields = ['uid' => local_user(), 'cid' => $cid, 'dfrn_id' => $dfrn_id, - 'sec' => $sec, 'expire' => time() + 45]; - DBA::insert('profile_check', $fields); + if ($contact['uid'] == 0 && local_user()) { + // Let's have a look if there is an established connection + // between the public contact we have found and the local user. + $contact = DBA::selectFirst('contact', $fields, ['nurl' => $contact['nurl'], 'uid' => local_user()]); - Logger::log('mod_redir: ' . $contact['name'] . ' ' . $sec, Logger::DEBUG); + if (DBA::isResult($contact)) { + $cid = $contact['id']; + } - $dest = (!empty($url) ? '&destination_url=' . $url : ''); + if (!empty($a->getContactId()) && $a->getContactId() == $cid) { + // Local user is already authenticated. + redir_check_url($contact_url, $url); + $target_url = $url ?: $contact_url; + Logger::info($contact['name'] . " is already authenticated. Redirecting to " . $target_url); + $a->redirect($target_url); + } + } - System::externalRedirect($contact['poll'] . '?dfrn_id=' . $dfrn_id - . '&dfrn_version=' . DFRN_PROTOCOL_VERSION . '&type=profile&sec=' . $sec . $dest . $quiet); + if (remote_user()) { + $host = substr(DI::baseUrl()->getUrlPath() . (DI::baseUrl()->getUrlPath() ? '/' . DI::baseUrl()->getUrlPath() : ''), strpos(DI::baseUrl()->getUrlPath(), '://') + 3); + $remotehost = substr($contact['addr'], strpos($contact['addr'], '@') + 1); + + // On a local instance we have to check if the local user has already authenticated + // with the local contact. Otherwise the local user would ask the local contact + // for authentification everytime he/she is visiting a profile page of the local + // contact. + if (($host == $remotehost) && (Session::getRemoteContactID(Session::get('visitor_visiting')) == Session::get('visitor_id'))) { + // Remote user is already authenticated. + redir_check_url($contact_url, $url); + $target_url = $url ?: $contact_url; + Logger::info($contact['name'] . " is already authenticated. Redirecting to " . $target_url); + $a->redirect($target_url); } + } - $url = $url ?: $contact_url; + if (empty($url)) { + throw new \Friendica\Network\HTTPException\BadRequestException(DI::l10n()->t('Bad Request.')); } // If we don't have a connected contact, redirect with // the 'zrl' parameter. - if (!empty($url)) { - $my_profile = Profile::getMyURL(); + $my_profile = Profile::getMyURL(); - if (!empty($my_profile) && !Strings::compareLink($my_profile, $url)) { - $separator = strpos($url, '?') ? '&' : '?'; - - $url .= $separator . 'zrl=' . urlencode($my_profile); - } + if (!empty($my_profile) && !Strings::compareLink($my_profile, $url)) { + $separator = strpos($url, '?') ? '&' : '?'; - Logger::log('redirecting to ' . $url, Logger::DEBUG); - $a->redirect($url); + $url .= $separator . 'zrl=' . urlencode($my_profile); } - notice(DI::l10n()->t('Contact not found.')); - DI::baseUrl()->redirect(); + Logger::info('redirecting to ' . $url); + $a->redirect($url); } function redir_magic($a, $cid, $url) @@ -133,15 +128,10 @@ function redir_magic($a, $cid, $url) $contact = DBA::selectFirst('contact', ['url'], ['id' => $cid]); if (!DBA::isResult($contact)) { Logger::info('Contact not found', ['id' => $cid]); - // Shouldn't happen under normal conditions - notice(DI::l10n()->t('Contact not found.')); - if (!empty($url)) { - System::externalRedirect($url); - } else { - DI::baseUrl()->redirect(); - } + throw new \Friendica\Network\HTTPException\NotFoundException(DI::l10n()->t('Contact not found.')); } else { $contact_url = $contact['url']; + redir_check_url($contact_url, $url); $target_url = $url ?: $contact_url; } @@ -154,7 +144,7 @@ function redir_magic($a, $cid, $url) } // Test for magic auth on the target system - $serverret = Network::curl($basepath . '/magic'); + $serverret = DI::httpClient()->head($basepath . '/magic', [HttpClientOptions::ACCEPT_CONTENT => HttpClient::ACCEPT_HTML]); if ($serverret->isSuccess()) { $separator = strpos($target_url, '?') ? '&' : '?'; $target_url .= $separator . 'zrl=' . urlencode($visitor) . '&addr=' . urlencode($contact_url); @@ -165,3 +155,24 @@ function redir_magic($a, $cid, $url) Logger::info('No magic for contact', ['contact' => $contact_url]); } } + +function redir_check_url(string $contact_url, string $url) +{ + if (empty($contact_url) || empty($url)) { + return; + } + + $url_host = parse_url($url, PHP_URL_HOST); + if (empty($url_host)) { + $url_host = parse_url(DI::baseUrl(), PHP_URL_HOST); + } + + $contact_url_host = parse_url($contact_url, PHP_URL_HOST); + + if ($url_host == $contact_url_host) { + return; + } + + Logger::error('URL check host mismatch', ['contact' => $contact_url, 'url' => $url]); + throw new \Friendica\Network\HTTPException\ForbiddenException(DI::l10n()->t('Access denied.')); +}