Security issue: Encoding of GUID in itemcache to avoid directory bypassing with a...

diff --git a/include/items.php b/include/items.php
index b1ee854aef9fae75eafa697b206d58d0c3def48f..e0e0c842b7055736149684dea857b3ebc20df342 100644 (file)
--- a/include/items.php
+++ b/include/items.php
@@ -1412,7 +1412,7 @@ function item_store($arr,$force_parent = false, $notify = false) {
        if (!$deleted) {
 
                // Store the fresh generated item into the cache
-               $cachefile = get_cachefile($arr["guid"]."-".hash("md5", $arr['body']));
+               $cachefile = get_cachefile(urlencode($arr["guid"])."-".hash("md5", $arr['body']));
 
                if (($cachefile != '') AND !file_exists($cachefile)) {
                        $s = prepare_text($arr['body']);

diff --git a/include/tags.php b/include/tags.php
index fbb9e6ff776fdbe28850b683076c78555eb68bce..ea7eed84c3b137a3ba125a3bd20d101391f35be4 100644 (file)
--- a/include/tags.php
+++ b/include/tags.php
@@ -26,7 +26,7 @@ function create_tags_from_item($itemid) {
        if ($message["deleted"])
                return;
 
-       $cachefile = get_cachefile($message["guid"]."-".hash("md5", $message['body']));
+       $cachefile = get_cachefile(urlencode($message["guid"])."-".hash("md5", $message['body']));
 
        if (($cachefile != '') AND !file_exists($cachefile)) {
                $s = prepare_text($message['body']);

diff --git a/include/text.php b/include/text.php
index b20afd93360e771c3e51b3ec979d71b42f271ee8..9fef4aebb59f761ae4bd81aadd342f5d8eaefc86 100644 (file)
--- a/include/text.php
+++ b/include/text.php
@@ -1330,8 +1330,7 @@ function prepare_body(&$item,$attach = false, $preview = false) {
        $item['mentions'] = $mentions;
 
 
-       //$cachefile = get_cachefile($item["guid"]."-".strtotime($item["edited"])."-".hash("crc32", $item['body']));
-       $cachefile = get_cachefile($item["guid"]."-".hash("md5", $item['body']));
+       $cachefile = get_cachefile(urlencode($item["guid"])."-".hash("md5", $item['body']));
 
        if (($cachefile != '')) {
                if (file_exists($cachefile)) {

diff --git a/mod/item.php b/mod/item.php
index 0e2fce7bf79c750da6d3d16f5320a92b931fa6ce..cd23de60d56637013701cef4a2635d248566efa8 100644 (file)
--- a/mod/item.php
+++ b/mod/item.php
@@ -807,7 +807,7 @@ function item_post(&$a) {
                file_tag_update_pconfig($uid,$categories_old,$categories_new,'category');
 
                // Store the fresh generated item into the cache
-               $cachefile = get_cachefile($datarray["guid"]."-".hash("md5", $datarray['body']));
+               $cachefile = get_cachefile(urlencode($datarray["guid"])."-".hash("md5", $datarray['body']));
 
                if (($cachefile != '') AND !file_exists($cachefile)) {
                        $s = prepare_text($datarray['body']);

diff --git a/mod/parse_url.php b/mod/parse_url.php
index 4953b8f4cb23efc5a492e51858cd0168f4a830a6..c5f010ac117ad2fa7c1aea43a406639ba244c337 100644 (file)
--- a/mod/parse_url.php
+++ b/mod/parse_url.php
@@ -186,6 +186,9 @@ function parseurl_getsiteinfo($url, $no_guessing = false, $do_oembed = true, $co
                                case "twitter:image":
                                        $siteinfo["image"] = $attr["content"];
                                        break;
+                               case "twitter:image:src":
+                                       $siteinfo["image"] = $attr["content"];
+                                       break;
                                case "twitter:card":
                                        if (($siteinfo["type"] == "") OR ($attr["content"] == "photo"))
                                                $siteinfo["type"] = $attr["content"];