]> git.mxchange.org Git - quix0rs-gnu-social.git/blob - lib/rss10action.php
projects / quix0rs-gnu-social.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
XSS vulnerability when remote-subscribing
[quix0rs-gnu-social.git] / lib / rss10action.php
1 <?php
2 /**
3  * StatusNet, the distributed open-source microblogging tool
4  *
5  * Base class for RSS 1.0 feed actions
6  *
7  * PHP version 5
8  *
9  * LICENCE: This program is free software: you can redistribute it and/or modify
10  * it under the terms of the GNU Affero General Public License as published by
11  * the Free Software Foundation, either version 3 of the License, or
12  * (at your option) any later version.
13  *
14  * This program is distributed in the hope that it will be useful,
15  * but WITHOUT ANY WARRANTY; without even the implied warranty of
16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
17  * GNU Affero General Public License for more details.
18  *
19  * You should have received a copy of the GNU Affero General Public License
20  * along with this program.  If not, see <http://www.gnu.org/licenses/>.
21  *
22  * @category  Mail
23  * @package   StatusNet
24  * @author    Evan Prodromou <evan@status.net>
25  * @author    Earle Martin <earle@downlode.org>
26  * @copyright 2008-9 StatusNet, Inc.
27  * @license   http://www.fsf.org/licensing/licenses/agpl-3.0.html GNU Affero General Public License version 3.0
28  * @link      http://status.net/
29  */
30
31 if (!defined('GNUSOCIAL')) { exit(1); }
32
33 define('DEFAULT_RSS_LIMIT', 48);
34
35 class Rss10Action extends ManagedAction
36 {
37     // This will contain the details of each feed item's author and be used to generate SIOC data.
38
39     var $creators = array();
40     var $limit = DEFAULT_RSS_LIMIT;
41     var $notices = null;
42     var $tags_already_output = array();
43
44     public function isReadOnly($args)
45     {
46         return true;
47     }
48
49     protected function doPreparation()
50     {
51         $this->limit = $this->int('limit');
52
53         if (empty($this->limit)) {
54             $this->limit = DEFAULT_RSS_LIMIT;
55         }
56
57         if (common_config('site', 'private')) {
58             if (!isset($_SERVER['PHP_AUTH_USER'])) {
59
60                 // This header makes basic auth go
61                 header('WWW-Authenticate: Basic realm="GNU social RSS"');
62
63                 // If the user hits cancel -- bam!
64                 $this->show_basic_auth_error();
65                 // the above calls 'exit'
66             } else {
67                 $nickname = $_SERVER['PHP_AUTH_USER'];
68                 $password = $_SERVER['PHP_AUTH_PW'];
69
70                 if (!common_check_user($nickname, $password)) {
71                     // basic authentication failed
72                     list($proxy, $ip) = common_client_ip();
73
74                     common_log(LOG_WARNING, "Failed RSS auth attempt, nickname = $nickname, proxy = $proxy, ip = $ip.");
75                     $this->show_basic_auth_error();
76                     // the above calls 'exit'
77                 }
78             }
79         }
80
81         $this->doStreamPreparation();
82
83         $this->notices = $this->getNotices($this->limit);
84     }
85
86     protected function doStreamPreparation()
87     {
88         // for example if we need to set $this->target or something
89     }
90
91     function show_basic_auth_error()
92     {
93         header('HTTP/1.1 401 Unauthorized');
94         header('Content-Type: application/xml; charset=utf-8');
95         $this->startXML();
96         $this->elementStart('hash');
97         $this->element('error', null, 'Could not authenticate you.');
98         $this->element('request', null, $_SERVER['REQUEST_URI']);
99         $this->elementEnd('hash');
100         $this->endXML();
101         exit;
102     }
103
104     /**
105      * Get the notices to output in this stream.
106      *
107      * @return array an array of Notice objects sorted in reverse chron
108      */
109
110     protected function getNotices()
111     {
112         return array();
113     }
114
115     /**
116      * Get a description of the channel
117      *
118      * Returns an array with the following
119      * @return array
120      */
121
122     function getChannel()
123     {
124         return array('url' => '',
125                      'title' => '',
126                      'link' => '',
127                      'description' => '');
128     }
129
130     function getImage()
131     {
132         return null;
133     }
134
135     function showPage()
136     {
137         $this->initRss();
138         $this->showChannel();
139         $this->showImage();
140
141         if (count($this->notices)) {
142             foreach ($this->notices as $n) {
143                 try {
144                     $this->showItem($n);
145                 } catch (Exception $e) {
146                     // log exceptions and continue
147                     common_log(LOG_ERR, $e->getMessage());
148                     continue;
149                 }
150             }
151         }
152
153         $this->showCreators();
154         $this->endRss();
155     }
156
157     function showChannel()
158     {
159
160         $channel = $this->getChannel();
161         $image = $this->getImage();
162
163         $this->elementStart('channel', array('rdf:about' => $channel['url']));
164         $this->element('title', null, $channel['title']);
165         $this->element('link', null, $channel['link']);
166         $this->element('description', null, $channel['description']);
167         $this->element('cc:licence', array('rdf:resource' => common_config('license','url')));
168
169         if ($image) {
170             $this->element('image', array('rdf:resource' => $image));
171         }
172
173         $this->elementStart('items');
174         $this->elementStart('rdf:Seq');
175
176         if (count($this->notices)) {
177             foreach ($this->notices as $notice) {
178                 $this->element('rdf:li', array('rdf:resource' => $notice->uri));
179             }
180         }
181
182         $this->elementEnd('rdf:Seq');
183         $this->elementEnd('items');
184
185         $this->elementEnd('channel');
186     }
187
188     function showImage()
189     {
190         $image = $this->getImage();
191         if ($image) {
192             $channel = $this->getChannel();
193             $this->elementStart('image', array('rdf:about' => $image));
194             $this->element('title', null, $channel['title']);
195             $this->element('link', null, $channel['link']);
196             $this->element('url', null, $image);
197             $this->elementEnd('image');
198         }
199     }
200
201     function showItem($notice)
202     {
203         $profile = $notice->getProfile();
204         $nurl = common_local_url('shownotice', array('notice' => $notice->id));
205         $creator_uri = common_profile_uri($profile);
206         $this->elementStart('item', array('rdf:about' => $notice->uri,
207                             'rdf:type' => 'http://rdfs.org/sioc/types#MicroblogPost'));
208         $title = $profile->nickname . ': ' . common_xml_safe_str(trim($notice->content));
209         $this->element('title', null, $title);
210         $this->element('link', null, $nurl);
211         $this->element('description', null, $profile->nickname."'s status on ".common_exact_date($notice->created));
212         if ($notice->rendered) {
213             $this->element('content:encoded', null, common_xml_safe_str($notice->rendered));
214         }
215         $this->element('dc:date', null, common_date_w3dtf($notice->created));
216         $this->element('dc:creator', null, ($profile->fullname) ? $profile->fullname : $profile->nickname);
217         $this->element('foaf:maker', array('rdf:resource' => $creator_uri));
218         $this->element('sioc:has_creator', array('rdf:resource' => $creator_uri.'#acct'));
219         try {
220             $location = Notice_location::locFromStored($notice);
221             if (isset($location->lat) && isset($location->lon)) {
222                 $location_uri = $location->getRdfURL();
223                 $attrs = array('geo:lat' => $location->lat,
224                                'geo:long' => $location->lon);
225                 if (strlen($location_uri)) {
226                     $attrs['rdf:resource'] = $location_uri;
227                 }
228                 $this->element('statusnet:origin', $attrs);
229             }
230         } catch (ServerException $e) {
231             // No result, so no location data
232         }
233         $this->element('statusnet:postIcon', array('rdf:resource' => $profile->avatarUrl()));
234         $this->element('cc:licence', array('rdf:resource' => common_config('license', 'url')));
235         if ($notice->reply_to) {
236             $replyurl = common_local_url('shownotice', array('notice' => $notice->reply_to));
237             $this->element('sioc:reply_of', array('rdf:resource' => $replyurl));
238         }
239         if (!empty($notice->conversation)) {
240             $conversationurl = common_local_url('conversation',
241                                          array('id' => $notice->conversation));
242             $this->element('sioc:has_discussion', array('rdf:resource' => $conversationurl));
243         }
244         $attachments = $notice->attachments();
245         if($attachments){
246             foreach($attachments as $attachment){
247                 try {
248                     $enclosure = $attachment->getEnclosure();
249                     $attribs = array('rdf:resource' => $enclosure->url);
250                     if ($enclosure->title) {
251                         $attribs['dc:title'] = $enclosure->title;
252                     }
253                     if ($enclosure->modified) {
254                         $attribs['dc:date'] = common_date_w3dtf($enclosure->modified);
255                     }
256                     if ($enclosure->size) {
257                         $attribs['enc:length'] = $enclosure->size;
258                     }
259                     if ($enclosure->mimetype) {
260                         $attribs['enc:type'] = $enclosure->mimetype;
261                     }
262                     $this->element('enc:enclosure', $attribs);
263                 } catch (ServerException $e) {
264                     // There was not enough metadata available
265                 }
266                 $this->element('sioc:links_to', array('rdf:resource'=>$attachment->url));
267             }
268         }
269
270         $tag = new Notice_tag();
271         $tag->notice_id = $notice->id;
272         if ($tag->find()) {
273             $entry['tags']=array();
274             while ($tag->fetch()) {
275                 $tagpage = common_local_url('tag', array('tag' => $tag->tag));
276
277                 if ( in_array($tag, $this->tags_already_output) ) {
278                     $this->element('ctag:tagged', array('rdf:resource'=>$tagpage.'#concept'));
279                     continue;
280                 }
281
282                 $tagrss  = common_local_url('tagrss', array('tag' => $tag->tag));
283                 $this->elementStart('ctag:tagged');
284                 $this->elementStart('ctag:Tag', array('rdf:about'=>$tagpage.'#concept', 'ctag:label'=>$tag->tag));
285                 $this->element('foaf:page', array('rdf:resource'=>$tagpage));
286                 $this->element('rdfs:seeAlso', array('rdf:resource'=>$tagrss));
287                 $this->elementEnd('ctag:Tag');
288                 $this->elementEnd('ctag:tagged');
289
290                 $this->tags_already_output[] = $tag->tag;
291             }
292         }
293         $this->elementEnd('item');
294         $this->creators[$creator_uri] = $profile;
295     }
296
297     function showCreators()
298     {
299         foreach ($this->creators as $uri => $profile) {
300             $id = $profile->id;
301             $nickname = $profile->nickname;
302             $this->elementStart('foaf:Agent', array('rdf:about' => $uri));
303             $this->element('foaf:nick', null, $nickname);
304             if ($profile->fullname) {
305                 $this->element('foaf:name', null, $profile->fullname);
306             }
307             $this->element('foaf:holdsAccount', array('rdf:resource' => $uri.'#acct'));
308             $avatar = $profile->avatarUrl();
309             $this->element('foaf:depiction', array('rdf:resource' => $avatar));
310             $this->elementEnd('foaf:Agent');
311         }
312     }
313
314     function initRss()
315     {
316         $channel = $this->getChannel();
317         header('Content-Type: application/rdf+xml');
318
319         $this->startXml();
320         $this->elementStart('rdf:RDF', array('xmlns:rdf' =>
321                                               'http://www.w3.org/1999/02/22-rdf-syntax-ns#',
322                                               'xmlns:dc' =>
323                                               'http://purl.org/dc/elements/1.1/',
324                                               'xmlns:cc' =>
325                                               'http://creativecommons.org/ns#',
326                                               'xmlns:content' =>
327                                               'http://purl.org/rss/1.0/modules/content/',
328                                               'xmlns:ctag' =>
329                                               'http://commontag.org/ns#',
330                                               'xmlns:foaf' =>
331                                               'http://xmlns.com/foaf/0.1/',
332                                               'xmlns:enc' =>
333                                               'http://purl.oclc.org/net/rss_2.0/enc#',
334                                               'xmlns:sioc' =>
335                                               'http://rdfs.org/sioc/ns#',
336                                               'xmlns:sioct' =>
337                                               'http://rdfs.org/sioc/types#',
338                                               'xmlns:rdfs' =>
339                                               'http://www.w3.org/2000/01/rdf-schema#',
340                                               'xmlns:geo' =>
341                                               'http://www.w3.org/2003/01/geo/wgs84_pos#',
342                                               'xmlns:statusnet' =>
343                                               'http://status.net/ont/',
344                                               'xmlns' => 'http://purl.org/rss/1.0/'));
345         $this->elementStart('sioc:Site', array('rdf:about' => common_root_url()));
346         $this->element('sioc:name', null, common_config('site', 'name'));
347         $this->elementStart('sioc:space_of');
348         $this->element('sioc:Container', array('rdf:about' =>
349                                                $channel['url']));
350         $this->elementEnd('sioc:space_of');
351         $this->elementEnd('sioc:Site');
352     }
353
354     function endRss()
355     {
356         $this->elementEnd('rdf:RDF');
357     }
358
359     /**
360      * When was this page last modified?
361      *
362      */
363
364     function lastModified()
365     {
366         if (empty($this->notices)) {
367             return null;
368         }
369
370         if (count($this->notices) == 0) {
371             return null;
372         }
373
374         // FIXME: doesn't handle modified profiles, avatars, deleted notices
375
376         return strtotime($this->notices[0]->created);
377     }
378 }
379
This is my personal clone from the wonderful software GNUSocial. I may fix or break things here, so use it on your own risk. :-)