From 6a376c29d85cb3e3b5ccf99bc604da472a7191c7 Mon Sep 17 00:00:00 2001
From: Michael
Date: Wed, 25 Sep 2019 05:57:32 +0000
Subject: [PATCH 1/3] Fix session size problems
---
 mod/dfrn_poll.php | 4 ++--
 src/Core/Session.php | 4 +++-
 src/Model/Profile.php | 2 +-
 3 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/mod/dfrn_poll.php b/mod/dfrn_poll.php
index 6c849cb80..d805bcfd4 100644
--- a/mod/dfrn_poll.php
+++ b/mod/dfrn_poll.php
@@ -114,7 +114,7 @@ function dfrn_poll_init(App $a)
 $_SESSION['remote'] = [];
 }
- $_SESSION['remote'][] = ['cid' => $r[0]['id'], 'uid' => $r[0]['uid'], 'url' => $r[0]['url']];
+ $_SESSION['remote'][$r[0]['uid']] = ['cid' => $r[0]['id'], 'uid' => $r[0]['uid']];
 $_SESSION['visitor_id'] = $r[0]['id'];
 $_SESSION['visitor_home'] = $r[0]['url'];
@@ -521,7 +521,7 @@ function dfrn_poll_content(App $a)
 $_SESSION['remote'] = [];
 }
- $_SESSION['remote'][] = ['cid' => $r[0]['id'], 'uid' => $r[0]['uid'], 'url' => $r[0]['url']];
+ $_SESSION['remote'][$r[0]['uid']] = ['cid' => $r[0]['id'], 'uid' => $r[0]['uid']];
 $_SESSION['visitor_id'] = $r[0]['id'];
 $_SESSION['visitor_home'] = $r[0]['url'];
 $_SESSION['visitor_visiting'] = $r[0]['uid'];
diff --git a/src/Core/Session.php b/src/Core/Session.php
index 8186c4745..cccd6951d 100644
--- a/src/Core/Session.php
+++ b/src/Core/Session.php
@@ -128,7 +128,9 @@ class Session
 continue;
 }
- $_SESSION['remote'][] = ['cid' => $contact['id'], 'uid' => $contact['uid'], 'url' => $_SESSION['my_url']];
+ /// @todo Change it to this format to save space
+ // $_SESSION['remote'][$contact['uid']] = $contact['id'];
+ $_SESSION['remote'][$contact['uid']] = ['cid' => $contact['id'], 'uid' => $contact['uid']];
 }
 DBA::close($remote_contacts);
diff --git a/src/Model/Profile.php b/src/Model/Profile.php
index 37f7028a5..ab9b7fd00 100644
--- a/src/Model/Profile.php
+++ b/src/Model/Profile.php
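Review bot: The new per-uid entries drop the `'url'` element that the removed lines stored next to `cid` and `uid`, so any reader of `$_SESSION['remote'][...]['url']` now hits an undefined index; the same applies to the second dfrn_poll.php hunk, the Session.php hunk of this patch and the Profile.php hunk that follows it. The hunks do not show who reads the array, so this needs a grep before merging; the URL is still written to `$_SESSION['visitor_home']` in both dfrn_poll hunks, but that is a single value rather than one per uid. Both enclosing dfrn_poll functions continue outside their hunks.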
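Review bot: The `// $_SESSION['remote'][$contact['uid']] = $contact['id'];` line added under the `/// @todo` in the Session.php hunk is commented-out code, which tends to go stale once the todo is acted on; the sentence alone carries the intent, e.g. `/// @todo Store only the contact id per uid to save session space`. Keying by `$contact['uid']` also means that, if the query can return more than one row for the same uid, only the last one fetched survives; that looks intended (one contact per visited user) but deserves a one-line comment on the assignment. The enclosing method continues outside the hunk.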
@@ -1130,7 +1130,7 @@ class Profile
 continue;
 }
- $_SESSION['remote'][] = ['cid' => $contact['id'], 'uid' => $contact['uid'], 'url' => $visitor['url']];
+ $_SESSION['remote'][$contact['uid']] = ['cid' => $contact['id'], 'uid' => $contact['uid']];
 }
 $a->contact = $visitor;
From 1a1745c9fa20883e65948040a92866998d78e1ec Mon Sep 17 00:00:00 2001
From: Michael
Date: Wed, 25 Sep 2019 06:46:28 +0000
Subject: [PATCH 2/3] Security improvements
---
 boot.php | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/boot.php b/boot.php
index 4c9a1a5e8..224eba1f4 100644
--- a/boot.php
+++ b/boot.php
@@ -413,7 +413,7 @@ function public_contact()
 *
 * @return int|bool visitor_id or false
 */
-function remote_user($uid = 0)
+function remote_user($uid = null)
 {
 // You cannot be both local and remote.
 // Unncommented by rabuzarus because remote authentication to local
@@ -426,15 +426,15 @@ function remote_user($uid = 0)
 return false;
 }
- if (!empty($uid) && !empty($_SESSION['remote'])) {
+ if (!is_null($uid) && !empty($_SESSION['remote'])) {
+ /// @todo replace it with this:
+ // if (!empty($_SESSION['remote'][$uid])) ...
 foreach ($_SESSION['remote'] as $visitor) {
 if ($visitor['uid'] == $uid) {
 return $visitor['cid'];
 }
 }
- }
-
- if (!empty($_SESSION['visitor_id'])) {
+ } elseif (is_null($uid) && !empty($_SESSION['visitor_id'])) {
 return intval($_SESSION['visitor_id']);
 }
From d5c37001cde425968a2aa186db44e3f3bf1d2b0e Mon Sep 17 00:00:00 2001
From: Michael
Date: Wed, 25 Sep 2019 07:02:07 +0000
Subject: [PATCH 3/3] Empty the "remote" variable, avoid being remote to yourself
---
 src/Core/Session.php | 3 ++-
 src/Model/Profile.php | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/Core/Session.php b/src/Core/Session.php
index cccd6951d..9927fca18 100644
--- a/src/Core/Session.php
+++ b/src/Core/Session.php
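Review bot: `null` is now the meaningful default of `remote_user()` (fall back to the session visitor) while `0` no longer is, but the docblock visible in the first boot.php hunk documents only the return value; add `@param int|null $uid User id to look up the remote contact for, or null to return the session's visitor_id` (or update the existing @param if one sits above the hunk). The function body continues in the next hunk.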
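Review bot: The `!is_null($uid)` test in the second boot.php hunk changes the result for callers that still pass the old default `0` explicitly: they now enter the lookup loop, which presumably finds nothing because the session-filling loops skip contacts with uid 0, and the new `elseif` keeps them away from the `visitor_id` fallback, so `remote_user(0)` ends up returning false where it used to return the visitor id. If that tightening is intended, say so in the docblock and grep the callers; in either case the match inside the loop should not rely on `==`, since a loosely typed `$uid` can equal a different user's uid under PHP's loose comparison — `if ((int) $visitor['uid'] === (int) $uid) {` pins both sides to integers. The function continues outside the hunk.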
@@ -120,9 +120,10 @@ class Session
 'my_url' => $a->getBaseURL() . '/profile/' . $user_record['nickname'],
 'my_address' => $user_record['nickname'] . '@' . substr($a->getBaseURL(), strpos($a->getBaseURL(), '://') + 3),
 'addr' => defaults($_SERVER, 'REMOTE_ADDR', '0.0.0.0'),
+ 'remote' => []
 ]);
- $remote_contacts = DBA::select('contact', ['id', 'uid'], ['nurl' => Strings::normaliseLink($_SESSION['my_url']), 'rel' => [Contact::FOLLOWER, Contact::FRIEND]]);
+ $remote_contacts = DBA::select('contact', ['id', 'uid'], ['nurl' => Strings::normaliseLink($_SESSION['my_url']), 'rel' => [Contact::FOLLOWER, Contact::FRIEND], 'self' => false]);
 while ($contact = DBA::fetch($remote_contacts)) {
 if (($contact['uid'] == 0) || Contact::isBlockedByUser($contact['id'], $contact['uid'])) {
 continue;
diff --git a/src/Model/Profile.php b/src/Model/Profile.php
index ab9b7fd00..290b6d349 100644
--- a/src/Model/Profile.php
+++ b/src/Model/Profile.php
@@ -1124,7 +1124,7 @@ class Profile
 /// @todo replace this and the query for this variable with some cleaner functionality
 $_SESSION['remote'] = [];
- $remote_contacts = DBA::select('contact', ['id', 'uid'], ['nurl' => $visitor['nurl'], 'rel' => [Contact::FOLLOWER, Contact::FRIEND]]);
+ $remote_contacts = DBA::select('contact', ['id', 'uid'], ['nurl' => $visitor['nurl'], 'rel' => [Contact::FOLLOWER, Contact::FRIEND], 'self' => false]);
 while ($contact = DBA::fetch($remote_contacts)) {
 if (($contact['uid'] == 0) || Contact::isBlockedByUser($visitor['id'], $contact['uid'])) {
 continue;
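Review bot: The new `'remote' => []` element in the Session.php hunk lacks the trailing comma the preceding elements carry (`'addr' => ...,`), so the next addition to this array will touch this line again; write `'remote' => [],`. Separately, the block check that sits right below the new `'self' => false` filter passes `$contact['id']` here but `$visitor['id']` in the Profile.php hunk of this patch — if `Contact::isBlockedByUser` expects the same kind of id in both places, one of the two call sites is presumably checking the wrong contact, which matters because these loops decide which users' profiles the visitor is granted remote access to. Both loops continue outside their hunks.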