fix CSRF hole in API
This commit is contained in:
Leberwurscht
parent
daa56a94d3
commit
945afec656
1 changed files with 44 additions and 33 deletions
|
|
@ -12,6 +12,17 @@
|
||||||
$API = Array();
|
$API = Array();
|
||||||
$called_api = Null;
|
$called_api = Null;
|
||||||
|
|
||||||
|
function api_user() {
|
||||||
|
// It is not sufficient to use local_user() to check whether someone is allowed to use the API,
|
||||||
|
// because this will open CSRF holes (just embed an image with src=friendicasite.com/api/statuses/update?status=CSRF
|
||||||
|
// into a page, and visitors will post something without noticing it).
|
||||||
|
// Instead, use this function.
|
||||||
|
if ($_SESSION["allow_api"])
|
||||||
|
return local_user();
|
||||||
|
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
function api_date($str){
|
function api_date($str){
|
||||||
//Wed May 23 06:01:13 +0000 2007
|
//Wed May 23 06:01:13 +0000 2007
|
||||||
return datetime_convert('UTC', 'UTC', $str, "D M d H:i:s +0000 Y" );
|
return datetime_convert('UTC', 'UTC', $str, "D M d H:i:s +0000 Y" );
|
||||||
|
|
@ -89,7 +100,7 @@
|
||||||
}
|
}
|
||||||
|
|
||||||
require_once('include/security.php');
|
require_once('include/security.php');
|
||||||
authenticate_success($record);
|
authenticate_success($record); $_SESSION["allow_api"] = true;
|
||||||
|
|
||||||
call_hooks('logged_in', $a->user);
|
call_hooks('logged_in', $a->user);
|
||||||
|
|
||||||
|
|
@ -108,11 +119,11 @@
|
||||||
if (strpos($a->query_string, $p)===0){
|
if (strpos($a->query_string, $p)===0){
|
||||||
$called_api= explode("/",$p);
|
$called_api= explode("/",$p);
|
||||||
//unset($_SERVER['PHP_AUTH_USER']);
|
//unset($_SERVER['PHP_AUTH_USER']);
|
||||||
if ($info['auth']===true && local_user()===false) {
|
if ($info['auth']===true && api_user()===false) {
|
||||||
api_login($a);
|
api_login($a);
|
||||||
}
|
}
|
||||||
|
|
||||||
load_contact_links(local_user());
|
load_contact_links(api_user());
|
||||||
|
|
||||||
logger('API call for ' . $a->user['username'] . ': ' . $a->query_string);
|
logger('API call for ' . $a->user['username'] . ': ' . $a->query_string);
|
||||||
logger('API parameters: ' . print_r($_REQUEST,true));
|
logger('API parameters: ' . print_r($_REQUEST,true));
|
||||||
|
|
@ -219,7 +230,7 @@
|
||||||
if(is_null($user) && x($_GET, 'screen_name')) {
|
if(is_null($user) && x($_GET, 'screen_name')) {
|
||||||
$user = dbesc($_GET['screen_name']);
|
$user = dbesc($_GET['screen_name']);
|
||||||
$extra_query = "AND `contact`.`nick` = '%s' ";
|
$extra_query = "AND `contact`.`nick` = '%s' ";
|
||||||
if (local_user()!==false) $extra_query .= "AND `contact`.`uid`=".intval(local_user());
|
if (api_user()!==false) $extra_query .= "AND `contact`.`uid`=".intval(api_user());
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -232,12 +243,12 @@
|
||||||
} else {
|
} else {
|
||||||
$user = dbesc($user);
|
$user = dbesc($user);
|
||||||
$extra_query = "AND `contact`.`nick` = '%s' ";
|
$extra_query = "AND `contact`.`nick` = '%s' ";
|
||||||
if (local_user()!==false) $extra_query .= "AND `contact`.`uid`=".intval(local_user());
|
if (api_user()!==false) $extra_query .= "AND `contact`.`uid`=".intval(api_user());
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if (! $user) {
|
if (! $user) {
|
||||||
if (local_user()===false) {
|
if (api_user()===false) {
|
||||||
api_login($a); return False;
|
api_login($a); return False;
|
||||||
} else {
|
} else {
|
||||||
$user = $_SESSION['uid'];
|
$user = $_SESSION['uid'];
|
||||||
|
|
@ -259,10 +270,10 @@
|
||||||
|
|
||||||
if($uinfo[0]['self']) {
|
if($uinfo[0]['self']) {
|
||||||
$usr = q("select * from user where uid = %d limit 1",
|
$usr = q("select * from user where uid = %d limit 1",
|
||||||
intval(local_user())
|
intval(api_user())
|
||||||
);
|
);
|
||||||
$profile = q("select * from profile where uid = %d and `is-default` = 1 limit 1",
|
$profile = q("select * from profile where uid = %d and `is-default` = 1 limit 1",
|
||||||
intval(local_user())
|
intval(api_user())
|
||||||
);
|
);
|
||||||
|
|
||||||
// count public wall messages
|
// count public wall messages
|
||||||
|
|
@ -458,7 +469,7 @@
|
||||||
* http://developer.twitter.com/doc/get/account/verify_credentials
|
* http://developer.twitter.com/doc/get/account/verify_credentials
|
||||||
*/
|
*/
|
||||||
function api_account_verify_credentials(&$a, $type){
|
function api_account_verify_credentials(&$a, $type){
|
||||||
if (local_user()===false) return false;
|
if (api_user()===false) return false;
|
||||||
$user_info = api_get_user($a);
|
$user_info = api_get_user($a);
|
||||||
|
|
||||||
return api_apply_template("user", $type, array('$user' => $user_info));
|
return api_apply_template("user", $type, array('$user' => $user_info));
|
||||||
|
|
@ -482,14 +493,14 @@
|
||||||
|
|
||||||
/*Waitman Gobble Mod*/
|
/*Waitman Gobble Mod*/
|
||||||
function api_statuses_mediap(&$a, $type) {
|
function api_statuses_mediap(&$a, $type) {
|
||||||
if (local_user()===false) {
|
if (api_user()===false) {
|
||||||
logger('api_statuses_update: no user');
|
logger('api_statuses_update: no user');
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
$user_info = api_get_user($a);
|
$user_info = api_get_user($a);
|
||||||
|
|
||||||
$_REQUEST['type'] = 'wall';
|
$_REQUEST['type'] = 'wall';
|
||||||
$_REQUEST['profile_uid'] = local_user();
|
$_REQUEST['profile_uid'] = api_user();
|
||||||
$_REQUEST['api_source'] = true;
|
$_REQUEST['api_source'] = true;
|
||||||
$txt = requestdata('status');
|
$txt = requestdata('status');
|
||||||
//$txt = urldecode(requestdata('status'));
|
//$txt = urldecode(requestdata('status'));
|
||||||
|
|
@ -525,7 +536,7 @@
|
||||||
|
|
||||||
|
|
||||||
function api_statuses_update(&$a, $type) {
|
function api_statuses_update(&$a, $type) {
|
||||||
if (local_user()===false) {
|
if (api_user()===false) {
|
||||||
logger('api_statuses_update: no user');
|
logger('api_statuses_update: no user');
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
@ -569,7 +580,7 @@
|
||||||
|
|
||||||
if(requestdata('lat') && requestdata('long'))
|
if(requestdata('lat') && requestdata('long'))
|
||||||
$_REQUEST['coord'] = sprintf("%s %s",requestdata('lat'),requestdata('long'));
|
$_REQUEST['coord'] = sprintf("%s %s",requestdata('lat'),requestdata('long'));
|
||||||
$_REQUEST['profile_uid'] = local_user();
|
$_REQUEST['profile_uid'] = api_user();
|
||||||
|
|
||||||
if($parent)
|
if($parent)
|
||||||
$_REQUEST['type'] = 'net-comment';
|
$_REQUEST['type'] = 'net-comment';
|
||||||
|
|
@ -713,7 +724,7 @@
|
||||||
* TODO: Add reply info
|
* TODO: Add reply info
|
||||||
*/
|
*/
|
||||||
function api_statuses_home_timeline(&$a, $type){
|
function api_statuses_home_timeline(&$a, $type){
|
||||||
if (local_user()===false) return false;
|
if (api_user()===false) return false;
|
||||||
|
|
||||||
$user_info = api_get_user($a);
|
$user_info = api_get_user($a);
|
||||||
// get last newtork messages
|
// get last newtork messages
|
||||||
|
|
@ -787,7 +798,7 @@
|
||||||
api_register_func('api/statuses/friends_timeline','api_statuses_home_timeline', true);
|
api_register_func('api/statuses/friends_timeline','api_statuses_home_timeline', true);
|
||||||
|
|
||||||
function api_statuses_public_timeline(&$a, $type){
|
function api_statuses_public_timeline(&$a, $type){
|
||||||
if (local_user()===false) return false;
|
if (api_user()===false) return false;
|
||||||
|
|
||||||
$user_info = api_get_user($a);
|
$user_info = api_get_user($a);
|
||||||
// get last newtork messages
|
// get last newtork messages
|
||||||
|
|
@ -869,7 +880,7 @@
|
||||||
*
|
*
|
||||||
*/
|
*/
|
||||||
function api_statuses_show(&$a, $type){
|
function api_statuses_show(&$a, $type){
|
||||||
if (local_user()===false) return false;
|
if (api_user()===false) return false;
|
||||||
|
|
||||||
$user_info = api_get_user($a);
|
$user_info = api_get_user($a);
|
||||||
|
|
||||||
|
|
@ -921,7 +932,7 @@
|
||||||
*
|
*
|
||||||
*/
|
*/
|
||||||
function api_statuses_repeat(&$a, $type){
|
function api_statuses_repeat(&$a, $type){
|
||||||
if (local_user()===false) return false;
|
if (api_user()===false) return false;
|
||||||
|
|
||||||
$user_info = api_get_user($a);
|
$user_info = api_get_user($a);
|
||||||
|
|
||||||
|
|
@ -947,7 +958,7 @@
|
||||||
|
|
||||||
if ($r[0]['body'] != "") {
|
if ($r[0]['body'] != "") {
|
||||||
$_REQUEST['body'] = html_entity_decode("♲ ", ENT_QUOTES, 'UTF-8')."[url=".$r[0]['reply_url']."]".$r[0]['reply_author']."[/url] \n".$r[0]['body'];
|
$_REQUEST['body'] = html_entity_decode("♲ ", ENT_QUOTES, 'UTF-8')."[url=".$r[0]['reply_url']."]".$r[0]['reply_author']."[/url] \n".$r[0]['body'];
|
||||||
$_REQUEST['profile_uid'] = local_user();
|
$_REQUEST['profile_uid'] = api_user();
|
||||||
$_REQUEST['type'] = 'wall';
|
$_REQUEST['type'] = 'wall';
|
||||||
$_REQUEST['api_source'] = true;
|
$_REQUEST['api_source'] = true;
|
||||||
|
|
||||||
|
|
@ -968,7 +979,7 @@
|
||||||
*
|
*
|
||||||
*/
|
*/
|
||||||
function api_statuses_destroy(&$a, $type){
|
function api_statuses_destroy(&$a, $type){
|
||||||
if (local_user()===false) return false;
|
if (api_user()===false) return false;
|
||||||
|
|
||||||
$user_info = api_get_user($a);
|
$user_info = api_get_user($a);
|
||||||
|
|
||||||
|
|
@ -995,7 +1006,7 @@
|
||||||
*
|
*
|
||||||
*/
|
*/
|
||||||
function api_statuses_mentions(&$a, $type){
|
function api_statuses_mentions(&$a, $type){
|
||||||
if (local_user()===false) return false;
|
if (api_user()===false) return false;
|
||||||
|
|
||||||
$user_info = api_get_user($a);
|
$user_info = api_get_user($a);
|
||||||
// get last newtork messages
|
// get last newtork messages
|
||||||
|
|
@ -1075,13 +1086,13 @@
|
||||||
|
|
||||||
|
|
||||||
function api_statuses_user_timeline(&$a, $type){
|
function api_statuses_user_timeline(&$a, $type){
|
||||||
if (local_user()===false) return false;
|
if (api_user()===false) return false;
|
||||||
|
|
||||||
$user_info = api_get_user($a);
|
$user_info = api_get_user($a);
|
||||||
// get last newtork messages
|
// get last newtork messages
|
||||||
|
|
||||||
|
|
||||||
logger("api_statuses_user_timeline: local_user: ". local_user() .
|
logger("api_statuses_user_timeline: api_user: ". api_user() .
|
||||||
"\nuser_info: ".print_r($user_info, true) .
|
"\nuser_info: ".print_r($user_info, true) .
|
||||||
"\n_REQUEST: ".print_r($_REQUEST, true),
|
"\n_REQUEST: ".print_r($_REQUEST, true),
|
||||||
LOGGER_DEBUG);
|
LOGGER_DEBUG);
|
||||||
|
|
@ -1113,7 +1124,7 @@
|
||||||
$sql_extra
|
$sql_extra
|
||||||
AND `item`.`id`>%d
|
AND `item`.`id`>%d
|
||||||
ORDER BY `item`.`received` DESC LIMIT %d ,%d ",
|
ORDER BY `item`.`received` DESC LIMIT %d ,%d ",
|
||||||
intval(local_user()),
|
intval(api_user()),
|
||||||
intval($user_info['id']),
|
intval($user_info['id']),
|
||||||
intval($since_id),
|
intval($since_id),
|
||||||
intval($start), intval($count)
|
intval($start), intval($count)
|
||||||
|
|
@ -1136,7 +1147,7 @@
|
||||||
|
|
||||||
|
|
||||||
function api_favorites(&$a, $type){
|
function api_favorites(&$a, $type){
|
||||||
if (local_user()===false) return false;
|
if (api_user()===false) return false;
|
||||||
|
|
||||||
$user_info = api_get_user($a);
|
$user_info = api_get_user($a);
|
||||||
// in friendica starred item are private
|
// in friendica starred item are private
|
||||||
|
|
@ -1408,7 +1419,7 @@
|
||||||
* returns: json, xml
|
* returns: json, xml
|
||||||
**/
|
**/
|
||||||
function api_statuses_f(&$a, $type, $qtype) {
|
function api_statuses_f(&$a, $type, $qtype) {
|
||||||
if (local_user()===false) return false;
|
if (api_user()===false) return false;
|
||||||
$user_info = api_get_user($a);
|
$user_info = api_get_user($a);
|
||||||
|
|
||||||
|
|
||||||
|
|
@ -1434,7 +1445,7 @@
|
||||||
$sql_extra = sprintf(" AND ( `rel` = %d OR `rel` = %d ) ", intval(CONTACT_IS_FOLLOWER), intval(CONTACT_IS_FRIEND));
|
$sql_extra = sprintf(" AND ( `rel` = %d OR `rel` = %d ) ", intval(CONTACT_IS_FOLLOWER), intval(CONTACT_IS_FRIEND));
|
||||||
|
|
||||||
$r = q("SELECT id FROM `contact` WHERE `uid` = %d AND `self` = 0 AND `blocked` = 0 AND `pending` = 0 $sql_extra",
|
$r = q("SELECT id FROM `contact` WHERE `uid` = %d AND `self` = 0 AND `blocked` = 0 AND `pending` = 0 $sql_extra",
|
||||||
intval(local_user())
|
intval(api_user())
|
||||||
);
|
);
|
||||||
|
|
||||||
$ret = array();
|
$ret = array();
|
||||||
|
|
@ -1516,7 +1527,7 @@
|
||||||
|
|
||||||
|
|
||||||
function api_ff_ids(&$a,$type,$qtype) {
|
function api_ff_ids(&$a,$type,$qtype) {
|
||||||
if(! local_user())
|
if(! api_user())
|
||||||
return false;
|
return false;
|
||||||
|
|
||||||
if($qtype == 'friends')
|
if($qtype == 'friends')
|
||||||
|
|
@ -1526,7 +1537,7 @@
|
||||||
|
|
||||||
|
|
||||||
$r = q("SELECT id FROM `contact` WHERE `uid` = %d AND `self` = 0 AND `blocked` = 0 AND `pending` = 0 $sql_extra",
|
$r = q("SELECT id FROM `contact` WHERE `uid` = %d AND `self` = 0 AND `blocked` = 0 AND `pending` = 0 $sql_extra",
|
||||||
intval(local_user())
|
intval(api_user())
|
||||||
);
|
);
|
||||||
|
|
||||||
if(is_array($r)) {
|
if(is_array($r)) {
|
||||||
|
|
@ -1559,7 +1570,7 @@
|
||||||
|
|
||||||
|
|
||||||
function api_direct_messages_new(&$a, $type) {
|
function api_direct_messages_new(&$a, $type) {
|
||||||
if (local_user()===false) return false;
|
if (api_user()===false) return false;
|
||||||
|
|
||||||
if (!x($_POST, "text") || !x($_POST,"screen_name")) return;
|
if (!x($_POST, "text") || !x($_POST,"screen_name")) return;
|
||||||
|
|
||||||
|
|
@ -1568,7 +1579,7 @@
|
||||||
require_once("include/message.php");
|
require_once("include/message.php");
|
||||||
|
|
||||||
$r = q("SELECT `id` FROM `contact` WHERE `uid`=%d AND `nick`='%s'",
|
$r = q("SELECT `id` FROM `contact` WHERE `uid`=%d AND `nick`='%s'",
|
||||||
intval(local_user()),
|
intval(api_user()),
|
||||||
dbesc($_POST['screen_name']));
|
dbesc($_POST['screen_name']));
|
||||||
|
|
||||||
$recipient = api_get_user($a, $r[0]['id']);
|
$recipient = api_get_user($a, $r[0]['id']);
|
||||||
|
|
@ -1576,7 +1587,7 @@
|
||||||
$sub = '';
|
$sub = '';
|
||||||
if (x($_REQUEST,'replyto')) {
|
if (x($_REQUEST,'replyto')) {
|
||||||
$r = q('SELECT `parent-uri`, `title` FROM `mail` WHERE `uid`=%d AND `id`=%d',
|
$r = q('SELECT `parent-uri`, `title` FROM `mail` WHERE `uid`=%d AND `id`=%d',
|
||||||
intval(local_user()),
|
intval(api_user()),
|
||||||
intval($_REQUEST['replyto']));
|
intval($_REQUEST['replyto']));
|
||||||
$replyto = $r[0]['parent-uri'];
|
$replyto = $r[0]['parent-uri'];
|
||||||
$sub = $r[0]['title'];
|
$sub = $r[0]['title'];
|
||||||
|
|
@ -1614,7 +1625,7 @@
|
||||||
api_register_func('api/direct_messages/new','api_direct_messages_new',true);
|
api_register_func('api/direct_messages/new','api_direct_messages_new',true);
|
||||||
|
|
||||||
function api_direct_messages_box(&$a, $type, $box) {
|
function api_direct_messages_box(&$a, $type, $box) {
|
||||||
if (local_user()===false) return false;
|
if (api_user()===false) return false;
|
||||||
|
|
||||||
$user_info = api_get_user($a);
|
$user_info = api_get_user($a);
|
||||||
|
|
||||||
|
|
@ -1640,7 +1651,7 @@
|
||||||
}
|
}
|
||||||
|
|
||||||
$r = q("SELECT * FROM `mail` WHERE uid=%d AND $sql_extra ORDER BY created DESC LIMIT %d,%d",
|
$r = q("SELECT * FROM `mail` WHERE uid=%d AND $sql_extra ORDER BY created DESC LIMIT %d,%d",
|
||||||
intval(local_user()),
|
intval(api_user()),
|
||||||
intval($start), intval($count)
|
intval($start), intval($count)
|
||||||
);
|
);
|
||||||
|
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue