significantly enhanced profile security

diff --git a/include/dba.php b/include/dba.php
index 4e3f11f7befbfbfa15666dafc698a88912ef9c9c..fd403b56097c63908d0fab2abdc918ce0aeb153e 100644 (file)
--- a/include/dba.php
+++ b/include/dba.php
@@ -1,12 +1,15 @@
 <?php
 
-// MySQL database class
-//
-// For debugging, insert 'dbg(x);' anywhere in the program flow.
-// x = 1: display db success/failure following content
-// x = 2: display full queries following content
-// x = 3: display full queries using echo; which will mess up display
-//        really bad but will return output in stubborn cases.
+/**
+ *
+ * MySQL database class
+ *
+ * For debugging, insert 'dbg(1);' anywhere in the program flow.
+ * dbg(0); will turn it off. Logging is performed at LOGGER_DATA level.
+ * When logging, all binary info is converted to text and html entities are escaped so that 
+ * the debugging stream is safe to view within both terminals and web pages.
+ *
+ */
  
 if(! class_exists('dba')) { 
 class dba {
@@ -51,6 +54,13 @@ class dba {
                        logger('dba: ' . $str );
                }
                else {
+
+                       /*
+                        * If dbfail.out exists, we will write any failed calls directly to it,
+                        * regardless of any logging that may or may nor be in effect.
+                        * These usually indicate SQL syntax errors that need to be resolved.
+                        */
+
                        if($result === false) {
                                logger('dba: ' . printable($sql) . ' returned false.');
                                if(file_exists('dbfail.out'))

diff --git a/mod/dfrn_poll.php b/mod/dfrn_poll.php
index de3d00aea04a28d6e23f2704bf53ea66bbb1fd35..20fdc8f79c0159ea79759ed206e025961c8347e9 100644 (file)
--- a/mod/dfrn_poll.php
+++ b/mod/dfrn_poll.php
@@ -7,12 +7,12 @@ require_once('include/auth.php');
 function dfrn_poll_init(&$a) {
 
        $dfrn_id         = ((x($_GET,'dfrn_id'))         ? $_GET['dfrn_id']              : '');
-       $type            = ((x($_GET,'type'))            ? $_GET['type']                 : '');
+       $type            = ((x($_GET,'type'))            ? $_GET['type']                 : 'data');
        $last_update     = ((x($_GET,'last_update'))     ? $_GET['last_update']          : '');
        $destination_url = ((x($_GET,'destination_url')) ? $_GET['destination_url']      : '');
-       $sec             = ((x($_GET,'sec'))             ? intval($_GET['sec'])          : 0);
-       $dfrn_version    = ((x($_GET,'dfrn_version'))    ? (float) $_GET['dfrn_version'] : 0);
-
+       $challenge       = ((x($_GET,'challenge'))       ? $_GET['challenge']            : '');
+       $sec             = ((x($_GET,'sec'))             ? $_GET['sec']                  : '');
+       $dfrn_version    = ((x($_GET,'dfrn_version'))    ? (float) $_GET['dfrn_version'] : 2.0);
 
        $direction = (-1);
 
@@ -29,7 +29,7 @@ function dfrn_poll_init(&$a) {
                killme();
        }
 
-       if((isset($type)) && ($type === 'profile')) {
+       if(($type === 'profile') && (! strlen($sec))) {
 
                $sql_extra = '';
                switch($direction) {
@@ -61,6 +61,8 @@ function dfrn_poll_init(&$a) {
 
                        $s = fetch_url($r[0]['poll'] . '?dfrn_id=' . $my_id . '&type=profile-check');
 
+                       logger("dfrn_poll: old profile returns " . $s, LOGGER_DATA);
+
                        if(strlen($s)) {
 
                                $xml = simplexml_load_string($s);
@@ -85,30 +87,87 @@ function dfrn_poll_init(&$a) {
 
        }
 
-       if((isset($type)) && ($type === 'profile-check')) {
+       if($type === 'profile-check') {
 
-               switch($direction) {
-                       case 1:
-                               $dfrn_id = '0:' . $dfrn_id;
-                               break;
-                       case 0:
-                               $dfrn_id = '1:' . $dfrn_id;
-                               break;
-                       default:
-                               break;
+               if((strlen($challenge)) && (strlen($sec))) {
+
+                       q("DELETE FROM `profile_check` WHERE `expire` < " . intval(time()));
+                       $r = q("SELECT * FROM `profile_check` WHERE `sec` = '%s' ORDER BY `expire` DESC LIMIT 1",
+                               dbesc($sec)
+                       );
+                       if(! count($r)) {
+                               xml_status(3);
+                               // NOTREACHED
+                       }
+                       $orig_id = $r[0]['dfrn_id'];
+                       if(strpos(':',$orig_id))
+                               $orig_id = substr($orig_id,2);
+
+                       $c = q("SELECT * FROM `contact` WHERE `id` = %d LIMIT 1",
+                               intval($r[0]['cid'])
+                       );
+                       if(! count($c)) {
+                               xml_status(3);
+                       }
+                       $contact = $c[0];
+
+                       $sent_dfrn_id = hex2bin($dfrn_id);
+                       $challenge    = hex2bin($challenge);
+
+                       $final_dfrn_id = '';
+
+                       if(($contact['duplex']) && strlen($contact['prvkey'])) {
+                               openssl_private_decrypt($sent_dfrn_id,$final_dfrn_id,$contact['prvkey']);
+                               openssl_private_decrypt($challenge,$decoded_challenge,$contact['prvkey']);
+                       }
+                       else {
+                               openssl_public_decrypt($sent_dfrn_id,$final_dfrn_id,$contact['pubkey']);
+                               openssl_public_decrypt($challenge,$decoded_challenge,$contact['pubkey']);
+                       }
+
+                       $final_dfrn_id = substr($final_dfrn_id, 0, strpos($final_dfrn_id, '.'));
+
+                       if(strpos($final_dfrn_id,':') == 1)
+                               $final_dfrn_id = substr($final_dfrn_id,2);
+
+                       if($final_dfrn_id != $orig_id) {
+
+                               // did not decode properly - cannot trust this site 
+                               xml_status(3);
+                       }
+
+                       header("Content-type: text/xml");
+                       echo "<?xml version=\"1.0\" encoding=\"UTF-8\"?><dfrn_poll><status>0</status><challenge>$decoded_challenge</challenge><sec>$sec</sec></dfrn_poll>";
+                       killme();
+                       // NOTREACHED
                }
-               q("DELETE FROM `profile_check` WHERE `expire` < " . intval(time()));
-               $r = q("SELECT * FROM `profile_check` WHERE `dfrn_id` = '%s' ORDER BY `expire` DESC",
-                       dbesc($dfrn_id));
-               if(count($r)) {
-                       xml_status(1);
+               else {
+                               // old protocol
+
+                       switch($direction) {
+                               case 1:
+                                       $dfrn_id = '0:' . $dfrn_id;
+                                       break;
+                               case 0:
+                                       $dfrn_id = '1:' . $dfrn_id;
+                                       break;
+                               default:
+                                       break;
+                       }
+
+
+                       q("DELETE FROM `profile_check` WHERE `expire` < " . intval(time()));
+                       $r = q("SELECT * FROM `profile_check` WHERE `dfrn_id` = '%s' ORDER BY `expire` DESC",
+                               dbesc($dfrn_id));
+                       if(count($r)) {
+                               xml_status(1);
+                               return; // NOTREACHED
+                       }
+                       xml_status(0);
                        return; // NOTREACHED
                }
-               xml_status(0);
-               return; // NOTREACHED
        }
 
-
 }
 
 
@@ -118,7 +177,7 @@ function dfrn_poll_post(&$a) {
        $dfrn_id      = ((x($_POST,'dfrn_id'))      ? $_POST['dfrn_id']              : '');
        $challenge    = ((x($_POST,'challenge'))    ? $_POST['challenge']            : '');
        $url          = ((x($_POST,'url'))          ? $_POST['url']                  : '');
-       $dfrn_version = ((x($_POST,'dfrn_version')) ? (float) $_POST['dfrn_version'] : 0);
+       $dfrn_version = ((x($_POST,'dfrn_version')) ? (float) $_POST['dfrn_version'] : 2.0);
 
        $direction    = (-1);
        if(strpos($dfrn_id,':') == 1) {
@@ -213,11 +272,12 @@ function dfrn_poll_post(&$a) {
 
 function dfrn_poll_content(&$a) {
 
-       $dfrn_id      = ((x($_GET,'dfrn_id'))      ? $_GET['dfrn_id']              : '');
-       $type         = ((x($_GET,'type'))         ? $_GET['type']                 : 'data');
-       $last_update  = ((x($_GET,'last_update'))  ? $_GET['last_update']          : '');
-       $dfrn_version = ((x($_GET,'dfrn_version')) ? (float) $_GET['dfrn_version'] : 2.0);
-       $sec          = ((x($_GET,'sec'))          ? intval($_GET['sec'])          : 0);
+       $dfrn_id         = ((x($_GET,'dfrn_id'))         ? $_GET['dfrn_id']              : '');
+       $type            = ((x($_GET,'type'))            ? $_GET['type']                 : 'data');
+       $last_update     = ((x($_GET,'last_update'))     ? $_GET['last_update']          : '');
+       $destination_url = ((x($_GET,'destination_url')) ? $_GET['destination_url']      : '');
+       $sec             = ((x($_GET,'sec'))             ? $_GET['sec']                  : '');
+       $dfrn_version    = ((x($_GET,'dfrn_version'))    ? (float) $_GET['dfrn_version'] : 2.0);
 
        $direction = (-1);
        if(strpos($dfrn_id,':') == 1) {
@@ -234,19 +294,23 @@ function dfrn_poll_content(&$a) {
 
                $r = q("DELETE FROM `challenge` WHERE `expire` < " . intval(time()));
 
-               $r = q("INSERT INTO `challenge` ( `challenge`, `dfrn-id`, `expire` , `type`, `last_update` )
-                       VALUES( '%s', '%s', '%s', '%s', '%s' ) ",
-                       dbesc($hash),
-                       dbesc($dfrn_id),
-                       intval(time() + 60 ),
-                       dbesc($type),
-                       dbesc($last_update)
-               );
-
+               if($type !== 'profile') {
+                       $r = q("INSERT INTO `challenge` ( `challenge`, `dfrn-id`, `expire` , `type`, `last_update` )
+                               VALUES( '%s', '%s', '%s', '%s', '%s' ) ",
+                               dbesc($hash),
+                               dbesc($dfrn_id),
+                               intval(time() + 60 ),
+                               dbesc($type),
+                               dbesc($last_update)
+                       );
+               }
                $sql_extra = '';
                switch($direction) {
                        case (-1):
-                               $sql_extra = sprintf(" AND `issued-id` = '%s' ", dbesc($dfrn_id));
+                               if($type === 'profile')
+                                       $sql_extra = sprintf(" AND ( `dfrn-id` = '%s' OR `issued-id` = '%s' ) ", dbesc($dfrn_id),dbesc($dfrn_id));
+                               else
+                                       $sql_extra = sprintf(" AND `issued-id` = '%s' ", dbesc($dfrn_id));
                                $my_id = $dfrn_id;
                                break;
                        case 0:
@@ -262,7 +326,12 @@ function dfrn_poll_content(&$a) {
                                break; // NOTREACHED
                }
 
-               $r = q("SELECT * FROM `contact` WHERE `blocked` = 0 AND `pending` = 0 $sql_extra LIMIT 1");
+               $r = q("SELECT `contact`.*, `user`.`username`, `user`.`nickname` 
+                       FROM `contact` LEFT JOIN `user` ON `contact`.`uid` = `user`.`uid`
+                       WHERE `contact`.`blocked` = 0 AND `contact`.`pending` = 0 
+                       AND `user`.`nickname` = '%s' $sql_extra LIMIT 1",
+                       dbesc($a->argv[1])
+               );
 
                if(count($r)) {
 
@@ -270,7 +339,6 @@ function dfrn_poll_content(&$a) {
                        $encrypted_id = '';
                        $id_str = $my_id . '.' . mt_rand(1000,9999);
 
-
                        if($r[0]['duplex'] && strlen($r[0]['pubkey'])) {
                                openssl_public_encrypt($hash,$challenge,$r[0]['pubkey']);
                                openssl_public_encrypt($id_str,$encrypted_id,$r[0]['pubkey']);
@@ -287,15 +355,61 @@ function dfrn_poll_content(&$a) {
                        $status = 1;
                }
 
-               header("Content-type: text/xml");
-               echo '<?xml version="1.0" encoding="UTF-8"?>' . "\r\n"
-                       . '<dfrn_poll>' . "\r\n"
-                       . "\t" . '<status>' . $status . '</status>' . "\r\n"
-                       . "\t" . '<dfrn_version>' . DFRN_PROTOCOL_VERSION . '</dfrn_version>' . "\r\n"
-                       . "\t" . '<dfrn_id>' . $encrypted_id . '</dfrn_id>' . "\r\n"
-                       . "\t" . '<challenge>' . $challenge . '</challenge>' . "\r\n"
-                       . '</dfrn_poll>' . "\r\n" ;
-               killme();
+               if(($type === 'profile') && (strlen($sec))) {
+                       // URL reply
+
+                       $s = fetch_url($r[0]['poll'] 
+                               . '?dfrn_id=' . $encrypted_id 
+                               . '&type=profile-check'
+                               . '&dfrn_version=' . DFRN_PROTOCOL_VERSION
+                               . '&challenge=' . $challenge
+                               . '&sec=' . $sec
+                       );
+
+                       logger("dfrn_poll: sec profile: " . $s, LOGGER_DATA);
+
+                       if(strlen($s) && strstr($s,'<?xml')) {
+
+                               $xml = simplexml_load_string($s);
+
+                               logger('dfrn_poll: profile: parsed xml: ' . print_r($xml,true), LOGGER_DATA);
+
+                               logger('dfrn_poll: secure profile: challenge: ' . $xml->challenge . ' expecting ' . $hash);
+                               logger('dfrn_poll: secure profile: sec: ' . $xml->sec . ' expecting ' . $sec);
+ 
+                               
+                               if(((int) $xml->status == 0) && ($xml->challenge == $hash)  && ($xml->sec == $sec)) {
+                                       $_SESSION['authenticated'] = 1;
+                                       $_SESSION['visitor_id'] = $r[0]['id'];
+                                       notice( $r[0]['username'] . t(' welcomes ') . $r[0]['name'] . EOL);
+                                       // Visitors get 1 day session.
+                                       $session_id = session_id();
+                                       $expire = time() + 86400;
+                                       q("UPDATE `session` SET `expire` = '%s' WHERE `sid` = '%s' LIMIT 1",
+                                               dbesc($expire),
+                                               dbesc($session_id)
+                                       ); 
+                               }
+                               $profile = $r[0]['nickname'];
+                               goaway((strlen($destination_url)) ? $destination_url : $a->get_baseurl() . '/profile/' . $profile);
+                       }
+                       goaway($a->get_baseurl());
+                       // NOTREACHED
+
+               }
+               else {
+                       // XML reply
+                       header("Content-type: text/xml");
+                       echo '<?xml version="1.0" encoding="UTF-8"?>' . "\r\n"
+                               . '<dfrn_poll>' . "\r\n"
+                               . "\t" . '<status>' . $status . '</status>' . "\r\n"
+                               . "\t" . '<dfrn_version>' . DFRN_PROTOCOL_VERSION . '</dfrn_version>' . "\r\n"
+                               . "\t" . '<dfrn_id>' . $encrypted_id . '</dfrn_id>' . "\r\n"
+                               . "\t" . '<challenge>' . $challenge . '</challenge>' . "\r\n"
+                               . '</dfrn_poll>' . "\r\n" ;
+                       killme();
+                       // NOTREACHED
+               }
        }
 }
 

diff --git a/mod/redir.php b/mod/redir.php
index f95c52c96e50a09e9cd9f70184b28b21ba569ac6..cc58b9cd126ed73d10679564b7d1beb6856fa5b0 100644 (file)
--- a/mod/redir.php
+++ b/mod/redir.php
@@ -4,10 +4,13 @@ function redir_init(&$a) {
 
        if((! local_user()) || (! ($a->argc == 2)) || (! intval($a->argv[1])))
                goaway($a->get_baseurl());
+       $cid = $a->argv[1];
+
        $r = q("SELECT `network`, `issued-id`, `dfrn-id`, `duplex`, `poll` FROM `contact` WHERE `id` = %d AND `uid` = %d LIMIT 1",
-               intval($a->argv[1]),
+               intval($cid),
                intval(local_user())
        );
+
        if((! count($r)) || ($r[0]['network'] !== 'dfrn'))
                goaway($a->get_baseurl());
 
@@ -21,12 +24,20 @@ function redir_init(&$a) {
                $orig_id = $r[0]['dfrn-id'];
                $dfrn_id = '0:' . $orig_id;
        }
-       q("INSERT INTO `profile_check` ( `uid`, `dfrn_id`, `expire`)
-               VALUES( %d, '%s', %d )",
-               intval($_SESSION['uid']),
+
+       $sec = random_string();
+
+       q("INSERT INTO `profile_check` ( `uid`, `cid`, `dfrn_id`, `sec`, `expire`)
+               VALUES( %d, %s, '%s', '%s', %d )",
+               intval(local_user()),
+               intval($cid),
                dbesc($dfrn_id),
-               intval(time() + 45));
+               dbesc($sec),
+               intval(time() + 45)
+       );
+
        goaway ($r[0]['poll'] . '?dfrn_id=' . $dfrn_id 
-               . '&dfrn_version=' . DFRN_PROTOCOL_VERSION . '&type=profile&sec=1');
+//             . '&dfrn_version=' . DFRN_PROTOCOL_VERSION . '&type=profile');
+               . '&dfrn_version=' . DFRN_PROTOCOL_VERSION . '&type=profile&sec=' . $sec);
        
 }