Merge pull request #7052 from MrPetovan/bug/atom-display-security

Move item feed display after permission checking in mod/display
2022.09-rc
Michael Vogel 2019-04-28 08:34:43 +02:00 zatwierdzone przez GitHub
commit 8f8730a39e
1 zmienionych plików z 10 dodań i 16 usunięć


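--- a/mod/display.php
+++ b/mod/display.php
@@ -36,20 +36,6 @@ function display_init(App $a)
 $nick = (($a->argc > 1) ? $a->argv[1] : '');
-if ($a->argc == 3) {
-if (substr($a->argv[2], -5) == '.atom') {
-$item_id = substr($a->argv[2], 0, -5);
-displayShowFeed($item_id, false);
-}
-}
-if ($a->argc == 4) {
-if ($a->argv[3] == 'conversation.atom') {
-$item_id = $a->argv[2];
-displayShowFeed($item_id, true);
-}
-}
 $item = null;
 $item_user = local_user();
@@ -81,14 +67,22 @@ function display_init(App $a)
 if (!DBA::isResult($item)) {
 $item = Item::selectFirstForUser(local_user(), $fields, ['guid' => $a->argv[1], 'private' => [0, 2], 'uid' => 0]);
 }
-} elseif (($a->argc == 3) && ($nick == 'feed-item')) {
-$item = Item::selectFirstForUser(local_user(), $fields, ['id' => $a->argv[2], 'private' => [0, 2], 'uid' => 0]);
+} elseif ($a->argc >= 3 && $nick == 'feed-item') {
+$item_id = $a->argv[2];
+if (substr($item_id, -5) == '.atom') {
+$item_id = substr($item_id, 0, -5);
+}
+$item = Item::selectFirstForUser(local_user(), $fields, ['id' => $item_id, 'private' => [0, 2], 'uid' => 0]);
 }
 if (!DBA::isResult($item)) {
 System::httpExit(404);
 }
+if ($a->argc >= 3 && $nick == 'feed-item') {
+displayShowFeed($item['id'], $a->argc > 3 && $a->argv[3] == 'conversation.atom');
+}
 if (!empty($_SERVER['HTTP_ACCEPT']) && strstr($_SERVER['HTTP_ACCEPT'], 'application/atom+xml')) {
 Logger::log('Directly serving XML for id '.$item["id"], Logger::DEBUG);
 displayShowFeed($item["id"], false);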
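Review bot: The new `if ($a->argc >= 3 && $nick == 'feed-item')` block is correctly placed after the `Item::selectFirstForUser(..., 'private' => [0, 2], 'uid' => 0)` lookup and the 404, but nothing in the code records that this ordering is the access control for anonymous `.atom` requests; I would add above that block `// Keep feed output below the selectFirstForUser() lookup and the 404: that query is the visibility check for unauthenticated .atom requests.` so a later refactor does not move it back up. If displayShowFeed() returns instead of terminating the request, execution continues into the HTTP_ACCEPT branch and the rest of display_init, which lies outside the hunk, so that cannot be confirmed from here. The `.atom` suffix test and the `conversation.atom` comparison use loose `==`; `===` avoids type juggling on path segments. Note also that the removed code required `$a->argc == 4` for the conversation feed while the new `$a->argc > 3` also accepts longer paths, which looks intentional but deserves a word in the commit message.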