Merge pull request #2932 from Hypolite/issue/missing-private-image-src

Fix Friendica private image URL replacing
This commit is contained in:
Michael Vogel 2016-12-09 15:54:11 +01:00 committed by GitHub
commit af42e5e481
5 changed files with 109 additions and 87 deletions

View file

@ -16,77 +16,78 @@ Example: To set the directory value please add this line to your .htconfig.php:
$a->config['system']['directory'] = 'http://dir.friendi.ca'; $a->config['system']['directory'] = 'http://dir.friendi.ca';
## Jabber ## ## jabber ##
* debug (Boolean) - Enable debug level for the jabber account synchronisation. * **debug** (Boolean) - Enable debug level for the jabber account synchronisation.
* logfile - Logfile for the jabber account synchronisation. * **logfile** - Logfile for the jabber account synchronisation.
## System ## ## system ##
* birthday_input_format - Default value is "ymd". * **allowed_link_protocols** (Array) - Allowed protocols in links URLs, add at your own risk. http is always allowed.
* block_local_dir (Boolean) - Blocks the access to the directory of the local users. * **birthday_input_format** - Default value is "ymd".
* default_service_class - * **block_local_dir** (Boolean) - Blocks the access to the directory of the local users.
* delivery_batch_count - Number of deliveries per process. Default value is 1. (Disabled when using the worker) * **default_service_class** -
* diaspora_test (Boolean) - For development only. Disables the message transfer. * **delivery_batch_count** - Number of deliveries per process. Default value is 1. (Disabled when using the worker)
* directory - The path to global directory. If not set then "http://dir.friendi.ca" is used. * **diaspora_test** (Boolean) - For development only. Disables the message transfer.
* disable_email_validation (Boolean) - Disables the check if a mail address is in a valid format and can be resolved via DNS. * **directory** - The path to global directory. If not set then "http://dir.friendi.ca" is used.
* disable_url_validation (Boolean) - Disables the DNS lookup of an URL. * **disable_email_validation** (Boolean) - Disables the check if a mail address is in a valid format and can be resolved via DNS.
* event_input_format - Default value is "ymd". * **disable_url_validation** (Boolean) - Disables the DNS lookup of an URL.
* frontend_worker_timeout - Value in minutes after we think that a frontend task was killed by the webserver. Default value is 10. * **event_input_format** - Default value is "ymd".
* ignore_cache (Boolean) - For development only. Disables the item cache. * **frontend_worker_timeout** - Value in minutes after we think that a frontend task was killed by the webserver. Default value is 10.
* like_no_comment (Boolean) - Don't update the "commented" value of an item when it is liked. * **ignore_cache** (Boolean) - For development only. Disables the item cache.
* local_block (Boolean) - Used in conjunction with "block_public". * **like_no_comment** (Boolean) - Don't update the "commented" value of an item when it is liked.
* local_search (Boolean) - Blocks the search for not logged in users to prevent crawlers from blocking your system. * **local_block** (Boolean) - Used in conjunction with "block_public".
* max_connections - The poller process isn't started when the maximum level of the possible database connections are used. When the system can't detect the maximum numbers of connection then this value can be used. * **local_search** (Boolean) - Blocks the search for not logged in users to prevent crawlers from blocking your system.
* max_connections_level - The maximum level of connections that are allowed to let the poller start. It is a percentage value. Default value is 75. * **max_connections** - The poller process isn't started when the maximum level of the possible database connections are used. When the system can't detect the maximum numbers of connection then this value can be used.
* max_contact_queue - Default value is 500. * **max_connections_level** - The maximum level of connections that are allowed to let the poller start. It is a percentage value. Default value is 75.
* max_batch_queue - Default value is 1000. * **max_contact_queue** - Default value is 500.
* max_processes_backend - Maximum number of concurrent database processes for background tasks. Default value is 5. * **max_batch_queue** - Default value is 1000.
* max_processes_frontend - Maximum number of concurrent database processes for foreground tasks. Default value is 20. * **max_processes_backend** - Maximum number of concurrent database processes for background tasks. Default value is 5.
* memcache (Boolean) - Use memcache. To use memcache the PECL extension "memcache" has to be installed and activated. * **max_processes_frontend** - Maximum number of concurrent database processes for foreground tasks. Default value is 20.
* memcache_host - Hostname of the memcache daemon. Default is '127.0.0.1'. * **memcache** (Boolean) - Use memcache. To use memcache the PECL extension "memcache" has to be installed and activated.
* memcache_port- Portnumberof the memcache daemon. Default is 11211. * **memcache_host** - Hostname of the memcache daemon. Default is '127.0.0.1'.
* no_oembed (Boolean) - Don't use OEmbed to fetch more information about a link. * **memcache_port** - Portnumberof the memcache daemon. Default is 11211.
* no_oembed_rich_content (Boolean) - Don't show the rich content (e.g. embedded PDF). * **no_oembed** (Boolean) - Don't use OEmbed to fetch more information about a link.
* no_smilies (Boolean) - Don't show smilies. * **no_oembed_rich_content** (Boolean) - Don't show the rich content (e.g. embedded PDF).
* no_view_full_size (Boolean) - Don't add the link "View full size" under a resized image. * **no_smilies** (Boolean) - Don't show smilies.
* optimize_items (Boolean) - Triggers an SQL command to optimize the item table before expiring items. * **no_view_full_size** (Boolean) - Don't add the link "View full size" under a resized image.
* ostatus_poll_timeframe - Defines how old an item can be to try to complete the conversation with it. * **optimize_items** (Boolean) - Triggers an SQL command to optimize the item table before expiring items.
* paranoia (Boolean) - Log out users if their IP address changed. * **ostatus_poll_timeframe** - Defines how old an item can be to try to complete the conversation with it.
* permit_crawling (Boolean) - Restricts the search for not logged in users to one search per minute. * **paranoia** (Boolean) - Log out users if their IP address changed.
* profiler (Boolean) - Enable internal timings to help optimize code. Needed for "rendertime" addon. Default is false. * **permit_crawling** (Boolean) - Restricts the search for not logged in users to one search per minute.
* free_crawls - Number of "free" searches when "permit_crawling" is activated (Default value is 10) * **profiler** (Boolean) - Enable internal timings to help optimize code. Needed for "rendertime" addon. Default is false.
* crawl_permit_period - Period in seconds between allowed searches when the number of free searches is reached and "permit_crawling" is activated (Default value is 60) * **free_crawls** - Number of "free" searches when "permit_crawling" is activated (Default value is 10)
* png_quality - Default value is 8. * **crawl_permit_period** - Period in seconds between allowed searches when the number of free searches is reached and "permit_crawling" is activated (Default value is 60)
* proc_windows (Boolean) - Should be enabled if Friendica is running under Windows. * **png_quality** - Default value is 8.
* proxy_cache_time - Time after which the cache is cleared. Default value is one day. * **proc_windows** (Boolean) - Should be enabled if Friendica is running under Windows.
* pushpoll_frequency - * **proxy_cache_time** - Time after which the cache is cleared. Default value is one day.
* qsearch_limit - Default value is 100. * **pushpoll_frequency** -
* relay_server - Experimental Diaspora feature. Address of the relay server where public posts should be send to. For example https://podrelay.net * **qsearch_limit** - Default value is 100.
* relay_subscribe (Boolean) - Enables the receiving of public posts from the relay. They will be included in the search and on the community page when it is set up to show all public items. * **relay_server** - Experimental Diaspora feature. Address of the relay server where public posts should be send to. For example https://podrelay.net
* relay_scope - Can be "all" or "tags". "all" means that every public post should be received. "tags" means that only posts with selected tags should be received. * **relay_subscribe** (Boolean) - Enables the receiving of public posts from the relay. They will be included in the search and on the community page when it is set up to show all public items.
* relay_server_tags - Comma separated list of tags for the "tags" subscription (see "relay_scrope") * **relay_scope** - Can be "all" or "tags". "all" means that every public post should be received. "tags" means that only posts with selected tags should be received.
* relay_user_tags (Boolean) - If enabled, the tags from the saved searches will used for the "tags" subscription in addition to the "relay_server_tags". * **relay_server_tags** - Comma separated list of tags for the "tags" subscription (see "relay_scrope")
* remove_multiplicated_lines (Boolean) - If enabled, multiple linefeeds in items are stripped to a single one. * **relay_user_tags** (Boolean) - If enabled, the tags from the saved searches will used for the "tags" subscription in addition to the "relay_server_tags".
* show_unsupported_addons (Boolean) - Show all addons including the unsupported ones. * **remove_multiplicated_lines** (Boolean) - If enabled, multiple linefeeds in items are stripped to a single one.
* show_unsupported_themes (Boolean) - Show all themes including the unsupported ones. * **show_unsupported_addons** (Boolean) - Show all addons including the unsupported ones.
* throttle_limit_day - Maximum number of posts that a user can send per day with the API. * **show_unsupported_themes** (Boolean) - Show all themes including the unsupported ones.
* throttle_limit_week - Maximum number of posts that a user can send per week with the API. * **throttle_limit_day** - Maximum number of posts that a user can send per day with the API.
* throttle_limit_month - Maximum number of posts that a user can send per month with the API. * **throttle_limit_week** - Maximum number of posts that a user can send per week with the API.
* wall-to-wall_share (Boolean) - Displays forwarded posts like "wall-to-wall" posts. * **throttle_limit_month** - Maximum number of posts that a user can send per month with the API.
* worker_cooldown - Cooldown time after each worker function call. Default value is 0 seconds. * **wall-to-wall_share** (Boolean) - Displays forwarded posts like "wall-to-wall" posts.
* xrd_timeout - Timeout for fetching the XRD links. Default value is 20 seconds. * **worker_cooldown** - Cooldown time after each worker function call. Default value is 0 seconds.
* **xrd_timeout** - Timeout for fetching the XRD links. Default value is 20 seconds.
## service_class ## ## service_class ##
* upgrade_link - * **upgrade_link** -
## experimentals ## ## experimentals ##
* exp_themes (Boolean) - Show experimental themes as well. * **exp_themes** (Boolean) - Show experimental themes as well.
## theme ## ## theme ##
* hide_eventlist (Boolean) - Don't show the birthdays and events on the profile and network page * **hide_eventlist** (Boolean) - Don't show the birthdays and events on the profile and network page
# Administrator Options # # Administrator Options #

View file

@ -78,3 +78,6 @@ $a->config['system']['no_regfullname'] = true;
// Location of the global directory // Location of the global directory
$a->config['system']['directory'] = 'http://dir.friendi.ca'; $a->config['system']['directory'] = 'http://dir.friendi.ca';
// Allowed protocols in link URLs; HTTP protocols always are accepted
$a->config['system']['allowed_link_protocols'] = array('ftp', 'ftps', 'mailto', 'cid', 'gopher');

View file

@ -1,4 +1,6 @@
<?php <?php
use \Friendica\Core\Config;
require_once("include/oembed.php"); require_once("include/oembed.php");
require_once('include/event.php'); require_once('include/event.php');
require_once('include/map.php'); require_once('include/map.php');
@ -1161,11 +1163,24 @@ function bbcode($Text,$preserve_nl = false, $tryoembed = true, $simplehtml = fal
$Text = preg_replace('/\&quot\;/','"',$Text); $Text = preg_replace('/\&quot\;/','"',$Text);
// fix any escaped ampersands that may have been converted into links // fix any escaped ampersands that may have been converted into links
$Text = preg_replace("/\<([^>]*?)(src|href)=(.*?)\&amp\;(.*?)\>/ism",'<$1$2=$3&$4>',$Text); $Text = preg_replace('/\<([^>]*?)(src|href)=(.*?)\&amp\;(.*?)\>/ism', '<$1$2=$3&$4>', $Text);
$Text = preg_replace("/\<([^>]*?)(src|href)=\"(?!http|ftp|mailto|gopher|cid)(.*?)\>/ism",'<$1$2="">',$Text);
if($saved_image) // sanitizes src attributes (only relative redir URIs or http URLs)
$Text = preg_replace('#<([^>]*?)(src)="(?!http|redir)(.*?)"(.*?)>#ism', '<$1$2=""$4 class="invalid-src" title="' . t('Invalid source protocol') . '">', $Text);
// sanitize href attributes (only whitelisted protocols URLs)
// default value for backward compatibility
$allowed_link_protocols = Config::get('system', 'allowed_link_protocols', array('ftp', 'mailto', 'gopher', 'cid'));
// Always allowed protocol even if config isn't set or not including it
$allowed_link_protocols[] = 'http';
$regex = '#<([^>]*?)(href)="(?!' . implode('|', $allowed_link_protocols) . ')(.*?)"(.*?)>#ism';
$Text = preg_replace($regex, '<$1$2="javascript:void(0)"$4 class="invalid-href" title="' . t('Invalid link protocol') . '">', $Text);
if($saved_image) {
$Text = bb_replace_images($Text, $saved_image); $Text = bb_replace_images($Text, $saved_image);
}
// Clean up the HTML by loading and saving the HTML with the DOM. // Clean up the HTML by loading and saving the HTML with the DOM.
// Bad structured html can break a whole page. // Bad structured html can break a whole page.

View file

@ -1170,33 +1170,29 @@ function link_compare($a,$b) {
return false; return false;
}} }}
if(! function_exists('redir_private_images')) {
/** /**
* Find any non-embedded images in private items and add redir links to them * @brief Find any non-embedded images in private items and add redir links to them
* *
* @param App $a * @param App $a
* @param array $item * @param array &$item The field array of an item row
*/ */
function redir_private_images($a, &$item) { function redir_private_images($a, &$item)
{
$matches = false; $matches = false;
$cnt = preg_match_all('|\[img\](http[^\[]*?/photo/[a-fA-F0-9]+?(-[0-9]\.[\w]+?)?)\[\/img\]|', $item['body'], $matches, PREG_SET_ORDER); $cnt = preg_match_all('|\[img\](http[^\[]*?/photo/[a-fA-F0-9]+?(-[0-9]\.[\w]+?)?)\[\/img\]|', $item['body'], $matches, PREG_SET_ORDER);
if($cnt) { if ($cnt) {
//logger("redir_private_images: matches = " . print_r($matches, true)); foreach ($matches as $mtch) {
foreach($matches as $mtch) { if (strpos($mtch[1], '/redir') !== false) {
if(strpos($mtch[1], '/redir') !== false)
continue; continue;
if((local_user() == $item['uid']) && ($item['private'] != 0) && ($item['contact-id'] != $a->contact['id']) && ($item['network'] == NETWORK_DFRN)) {
//logger("redir_private_images: redir");
$img_url = 'redir?f=1&quiet=1&url=' . $mtch[1] . '&conurl=' . $item['author-link'];
$item['body'] = str_replace($mtch[0], "[img]".$img_url."[/img]", $item['body']);
}
}
} }
}} if ((local_user() == $item['uid']) && ($item['private'] != 0) && ($item['contact-id'] != $a->contact['id']) && ($item['network'] == NETWORK_DFRN)) {
$img_url = 'redir?f=1&quiet=1&url=' . urlencode($mtch[1]) . '&conurl=' . urlencode($item['author-link']);
$item['body'] = str_replace($mtch[0], '[img]' . $img_url . '[/img]', $item['body']);
}
}
}
}
function put_item_in_cache(&$item, $update = false) { function put_item_in_cache(&$item, $update = false) {

View file

@ -481,3 +481,10 @@ td.pendingnote > p > span {
border-left: 5px solid #f00; border-left: 5px solid #f00;
font-weight: bold; font-weight: bold;
} }
/* src/href attributes filter error display */
.invalid-src { border: 1px dotted red;}
.invalid-href { border-bottom: 1px dotted red;}
.invalid-src:after,
.invalid-href:after { content: '⚠️'}
img.invalid-src:after { vertical-align: top;}