$message .= _('Try subscribing to more people, [join a group](%%action.groups%%) or post something yourself.');
} else {
// TRANS: %1$s is user nickname, %2$s is user nickname, %2$s is user nickname prefixed with "@"
- $message .= sprintf(_('You can try to [nudge %1$s](../%2$s) from his profile or [post something to his or her attention](%%%%action.newnotice%%%%?status_textarea=%3$s).'), $this->user->nickname, $this->user->nickname, '@' . $this->user->nickname);
+ $message .= sprintf(_('You can try to [nudge %1$s](../%2$s) from their profile or [post something to their attention](%%%%action.newnotice%%%%?status_textarea=%3$s).'), $this->user->nickname, $this->user->nickname, '@' . $this->user->nickname);
}
} else {
- $message .= sprintf(_('Why not [register an account](%%%%action.register%%%%) and then nudge %s or post a notice to his or her attention.'), $this->user->nickname);
+ $message .= sprintf(_('Why not [register an account](%%%%action.register%%%%) and then nudge %s or post a notice to their attention.'), $this->user->nickname);
}
$this->elementStart('div', 'guide');
}
/**
- * Notifies a user when his notice is favorited.
+ * Notifies a user when their notice is favorited.
*
* @param class $notice favorited notice
* @param class $user user declaring a favorite
* Handler for remote subscription finish callback
*
* When a remote user subscribes a local user, a redirect to this action is
- * issued after the remote user authorized his service to subscribe.
+ * issued after the remote user authorized their service to subscribe.
*
* @category Action
* @package Laconica
}
if (!$other->email || !$other->emailnotifynudge) {
- $this->clientError(_('This user doesn\'t allow nudges or hasn\'t confirmed or set his email yet.'));
+ $this->clientError(_('This user doesn\'t allow nudges or hasn\'t confirmed or set their email yet.'));
return;
}
function showEmptyListMessage()
{
- $message = sprintf(_('This is the timeline showing replies to %1$s but %2$s hasn\'t received a notice to his attention yet.'), $this->user->nickname, $this->user->nickname) . ' ';
+ $message = sprintf(_('This is the timeline showing replies to %1$s but %2$s hasn\'t received a notice to their attention yet.'), $this->user->nickname, $this->user->nickname) . ' ';
if (common_logged_in()) {
$current_user = common_current_user();
if ($this->user->id === $current_user->id) {
$message .= _('You can engage other users in a conversation, subscribe to more people or [join groups](%%action.groups%%).');
} else {
- $message .= sprintf(_('You can try to [nudge %1$s](../%2$s) or [post something to his or her attention](%%%%action.newnotice%%%%?status_textarea=%3$s).'), $this->user->nickname, $this->user->nickname, '@' . $this->user->nickname);
+ $message .= sprintf(_('You can try to [nudge %1$s](../%2$s) or [post something to their attention](%%%%action.newnotice%%%%?status_textarea=%3$s).'), $this->user->nickname, $this->user->nickname, '@' . $this->user->nickname);
}
}
else {
- $message .= sprintf(_('Why not [register an account](%%%%action.register%%%%) and then nudge %s or post a notice to his or her attention.'), $this->user->nickname);
+ $message .= sprintf(_('Why not [register an account](%%%%action.register%%%%) and then nudge %s or post a notice to their attention.'), $this->user->nickname);
}
$this->elementStart('div', 'guide');
if (!empty($cur) && $cur->id == $this->user->id) {
// Show imported/gateway notices as well as local if
- // the user is looking at his own favorites
+ // the user is looking at their own favorites
$this->notice = $this->user->favoriteNotices(true, ($this->page-1)*NOTICES_PER_PAGE,
NOTICES_PER_PAGE + 1);
if ($this->user->id === $current_user->id) {
$message = _('You haven\'t chosen any favorite notices yet. Click the fave button on notices you like to bookmark them for later or shed a spotlight on them.');
} else {
- $message = sprintf(_('%s hasn\'t added any notices to his favorites yet. Post something interesting they would add to their favorites :)'), $this->user->nickname);
+ $message = sprintf(_('%s hasn\'t added any favorite notices yet. Post something interesting they would add to their favorites :)'), $this->user->nickname);
}
}
else {
- $message = sprintf(_('%s hasn\'t added any notices to his favorites yet. Why not [register an account](%%%%action.register%%%%) and then post something interesting they would add to their favorites :)'), $this->user->nickname);
+ $message = sprintf(_('%s hasn\'t added any favorite notices yet. Why not [register an account](%%%%action.register%%%%) and then post something interesting they would add to their favorites :)'), $this->user->nickname);
}
$this->elementStart('div', 'guide');
if ($this->user->id === $current_user->id) {
$message .= _('Seen anything interesting recently? You haven\'t posted any notices yet, now would be a good time to start :)');
} else {
- $message .= sprintf(_('You can try to nudge %1$s or [post something to his or her attention](%%%%action.newnotice%%%%?status_textarea=%2$s).'), $this->user->nickname, '@' . $this->user->nickname);
+ $message .= sprintf(_('You can try to nudge %1$s or [post something to their attention](%%%%action.newnotice%%%%?status_textarea=%2$s).'), $this->user->nickname, '@' . $this->user->nickname);
}
}
else {
- $message .= sprintf(_('Why not [register an account](%%%%action.register%%%%) and then nudge %s or post a notice to his or her attention.'), $this->user->nickname);
+ $message .= sprintf(_('Why not [register an account](%%%%action.register%%%%) and then nudge %s or post a notice to their attention.'), $this->user->nickname);
}
$this->elementStart('div', 'guide');
*/
require_once INSTALLDIR.'/classes/Memcached_DataObject.php';
-/* We keep the first three 20-notice pages, plus one for pagination check,
+/* We keep 200 notices, the max number of notices available per API request,
* in the memcached cache. */
-define('NOTICE_CACHE_WINDOW', 61);
+define('NOTICE_CACHE_WINDOW', 200);
define('MAX_BOXCARS', 128);
if ($this->id == $other->id) {
common_log(LOG_WARNING,
sprintf(
- "Profile ID %d (%s) tried to block his or herself.",
+ "Profile ID %d (%s) tried to block themself.",
$this->id,
$this->nickname
)
}
$calculated_sig = $this->getMessageSignature($message);
- return $calculated_sig == $sig;
+
+ return $this->constantTimeCompare($calculated_sig, $sig);
+ }
+
+ /**
+ * String comparison function which will complete in a constant time
+ * for strings of any given matching length, to help prevent an attacker
+ * from distinguishing how much of a signature token they have guessed
+ * correctly.
+ *
+ * For this usage, it's assumed that the length of the string is known,
+ * so we may safely short-circuit on mismatched lengths which will be known
+ * to be invalid by the attacker.
+ *
+ * http://lists.openid.net/pipermail/openid-security/2010-July/001156.html
+ * http://rdist.root.org/2010/01/07/timing-independent-array-comparison/
+ */
+ private function constantTimeCompare($a, $b)
+ {
+ $len = strlen($a);
+ if (strlen($b) !== $len) {
+ // Short-circuit on length mismatch; attackers will already know
+ // the correct target length so this is safe.
+ return false;
+ }
+ if ($len == 0) {
+ // 0-length valid input shouldn't really happen. :)
+ return true;
+ }
+ $result = 0;
+ for ($i = 0; $i < strlen($a); $i++) {
+ // We use scary bitwise operations to avoid logical short-circuits
+ // in lower-level code.
+ $result |= ord($a{$i}) ^ ord($b{$i});
+ }
+ return ($result == 0);
}
}
public function check_signature(&$request, $consumer, $token, $signature) {
$built = $this->build_signature($request, $consumer, $token);
return $built == $signature;
+
+ // Check for zero length, although unlikely here
+ if (strlen($built) == 0 || strlen($signature) == 0) {
+ return false;
+ }
+
+ if (strlen($built) != strlen($signature)) {
+ return false;
+ }
+
+ $result = 0;
+
+ // Avoid a timing leak with a (hopefully) time insensitive compare
+ for ($i = 0; $i < strlen($signature); $i++) {
+ $result |= ord($built{$i}) ^ ord($signature{$i});
+ }
+
+ return $result == 0;
}
}/*}}}*/
*/
static function validateUri($uri)
{
+ // Check mailto: URIs first
+
+ if (preg_match('/^mailto:(.*)$/', $uri, $match)) {
+ return Validate::email($match[1], common_config('email', 'check_domain'));
+ }
+
if (Validate::uri($uri)) {
return true;
}
* @link http://status.net/
*/
-@import url(base.css) screen, projection, tv, print;
+@import url(base.css);
@media screen, projection, tv {
html {
* @link http://status.net/
*/
-@import url(../../base/css/display.css) screen, projection, tv, print;
+@import url(../../base/css/display.css);
@media screen, projection, tv {
body,
* @link http://status.net/
*/
-@import url(../../base/css/display.css) screen, projection, tv, print;
+@import url(../../base/css/display.css);
@media screen, projection, tv {
body,
* @link http://status.net/
*/
-@import url(base.css) screen, projection, tv, print;
+@import url(base.css);
@media screen, projection, tv {
html {