Remove "magic quotes" code and avoid wrong order implode

"Magic quotes" were removed in PHP 5.4, so there is no need to mitigate them anymore.

Avoid calling implode() with the join()-like argument order, which has been deprecated
since PHP 7.4 and implicitly since PHP 5.3.
Also avoid implode() with an implicit separator, for stylistic reasons.

mktime() with no arguments has been deprecated since PHP 5.1.
Alexei Sorokin 2020-09-15 14:59:27 +03:00
parent 2ef944d5c4
commit 8079a476b6
6 changed files with 95 additions and 156 deletions


@ -175,9 +175,9 @@ class DB_DataObject_Cast
$args = func_get_args(); $args = func_get_args();
switch (count($args)) { switch (count($args)) {
case 0: // no args = now! case 0: // no args = now!
$datetime = date('Y-m-d G:i:s', mktime()); $datetime = date('Y-m-d G:i:s', time());
// no break
// no break
case 1: case 1:
// continue on from 0 args. // continue on from 0 args.
if (!isset($datetime)) { if (!isset($datetime)) {
@ -300,9 +300,9 @@ class DB_DataObject_Cast
$args = func_get_args(); $args = func_get_args();
switch (count($args)) { switch (count($args)) {
case 0: // no args = now! case 0: // no args = now!
$time = date('G:i:s', mktime()); $time = date('G:i:s', time());
// no break
// no break
case 1: case 1:
// continue on from 0 args. // continue on from 0 args.
if (!isset($time)) { if (!isset($time)) {
@ -440,10 +440,10 @@ class DB_DataObject_Cast
case 'mssql': case 'mssql':
// copied from the old DB mssql code...?? not sure how safe this is. // copied from the old DB mssql code...?? not sure how safe this is.
return "'" . str_replace( return "'" . str_replace(
array("'", "\\\r\n", "\\\n"), array("'", "\\\r\n", "\\\n"),
array("''", "\\\\\r\n\r\n", "\\\\\n\n"), array("''", "\\\\\r\n\r\n", "\\\\\n\n"),
$this->value $this->value
) . "'"; ) . "'";
default: default:
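Review bot: `$datetime = date('Y-m-d G:i:s', time());` passes the default explicitly; `date()` already uses the current timestamp when its second argument is omitted, so `$datetime = date('Y-m-d G:i:s');` says the same thing with less noise, and the same applies to `$time = date('G:i:s', time());` in the hunk at line 300. The replacement of `mktime()` itself is correct. The enclosing methods start and end outside both hunks.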


@ -1,46 +1,41 @@
<?php <?php
// This file is part of GNU social - https://www.gnu.org/software/social
//
// GNU social is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// GNU social is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with GNU social. If not, see <http://www.gnu.org/licenses/>.
/** /**
* StatusNet, the distributed open-source microblogging tool
*
* Base action for OAuth API endpoints * Base action for OAuth API endpoints
* *
* PHP version 5
*
* LICENCE: This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
* @category API * @category API
* @package StatusNet * @package GNUsocial
* @author Zach Copley <zach@status.net> * @author Zach Copley <zach@status.net>
* @copyright 2010 StatusNet, Inc. * @copyright 2010 StatusNet, Inc.
* @license http://www.fsf.org/licensing/licenses/agpl-3.0.html GNU Affero General Public License version 3.0 * @license https://www.gnu.org/licenses/agpl.html GNU AGPL v3 or later
* @link http://status.net/
*/ */
if (!defined('STATUSNET')) { defined('GNUSOCIAL') || die();
exit(1);
}
require_once INSTALLDIR . '/lib/api/apiaction.php'; require_once INSTALLDIR . '/lib/api/apiaction.php';
/** /**
* Base action for API OAuth enpoints. Clean up the * Base action for API OAuth enpoints. Clean up the
* request. Some other common functions. * request. Some other common functions.
* *
* @category API * @category API
* @package StatusNet * @package GNUsocial
* @author Zach Copley <zach@status.net> * @author Zach Copley <zach@status.net>
* @license http://www.fsf.org/licensing/licenses/agpl-3.0.html GNU Affero General Public License version 3.0 * @license https://www.gnu.org/licenses/agpl.html GNU AGPL v3 or later
* @link http://status.net/
*/ */
class ApiOAuthAction extends ApiAction class ApiOAuthAction extends ApiAction
{ {
@ -49,7 +44,7 @@ class ApiOAuthAction extends ApiAction
* *
* @return boolean false * @return boolean false
*/ */
function isReadOnly($args) public function isReadOnly($args)
{ {
return false; return false;
} }
@ -66,14 +61,8 @@ class ApiOAuthAction extends ApiAction
* I'm looking at you, p parameter. * I'm looking at you, p parameter.
*/ */
static function cleanRequest() public static function cleanRequest()
{ {
// kill evil effects of magical slashing
if (get_magic_quotes_gpc() == 1) {
$_POST = array_map('stripslashes', $_POST);
$_GET = array_map('stripslashes', $_GET);
}
// strip out the p param added in index.php // strip out the p param added in index.php
unset($_GET['p']); unset($_GET['p']);
unset($_POST['p']); unset($_POST['p']);
@ -89,5 +78,4 @@ class ApiOAuthAction extends ApiAction
$_SERVER['QUERY_STRING'] = implode('&', $queryArray); $_SERVER['QUERY_STRING'] = implode('&', $queryArray);
} }
} }
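Review bot: `cleanRequest()` now only removes the `p` parameter and rebuilds `$_SERVER['QUERY_STRING']` from `$queryArray`, so its docblock (whose first lines are outside the hunk at line 61) should be checked for any remaining mention of magic quotes and state what the method still does, e.g. `Remove the 'p' routing parameter from $_GET/$_POST and rebuild QUERY_STRING so later request parsing sees the parameters the client actually sent.` The lines that assemble `$queryArray` are outside the hunk; if they do not encode keys and values the way the client did, the rebuilt query string can differ from the one an OAuth client signed, which would be worth a comment at that spot. In the hunk at line 44, `public function isReadOnly($args)` could also declare `: bool`, provided the parent declaration in ApiAction permits it.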


@ -36,7 +36,7 @@ try {
// TRANS: Error message displayed when no configuration file was found for a StatusNet installation. // TRANS: Error message displayed when no configuration file was found for a StatusNet installation.
// TRANS: Is followed by a list of directories (separated by HTML breaks). // TRANS: Is followed by a list of directories (separated by HTML breaks).
echo '<p>'. _('I looked for configuration files in the following places:') .'<br /> '; echo '<p>'. _('I looked for configuration files in the following places:') .'<br /> ';
echo implode($e->configFiles, '<br />'); echo implode('<br />', $e->configFiles);
// TRANS: Error message displayed when no configuration file was found for a StatusNet installation. // TRANS: Error message displayed when no configuration file was found for a StatusNet installation.
echo '<p>'. _('You may wish to run the installer to fix this.') .'</p>'; echo '<p>'. _('You may wish to run the installer to fix this.') .'</p>';
// @todo FIXME Link should be in a para? // @todo FIXME Link should be in a para?
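Review bot: `$e->configFiles` is echoed straight into HTML on the `implode('<br />', ...)` line without escaping. The values are server-side paths rather than request input, so this is output hygiene rather than an injection path, but `echo implode('<br />', array_map('htmlspecialchars', $e->configFiles));` keeps the markup well-formed if a path ever contains `<` or `&`, and matches how the surrounding text is emitted. The enclosing `try` block starts and ends outside the hunk.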


@ -1498,7 +1498,7 @@ function common_fake_local_nonfancy_url($url)
// remove the first element, which is the full matching string // remove the first element, which is the full matching string
array_shift($matches); array_shift($matches);
return implode($matches); return implode('', $matches);
} }
function common_inject_session($url, $serverpart = null) function common_inject_session($url, $serverpart = null)
@ -2178,42 +2178,19 @@ function common_config_append($main, $sub, $value)
} }
/** /**
* Pull arguments from a GET/POST/REQUEST array with first-level input checks: * Pull arguments from a GET/POST/REQUEST array and replace invalid in UTF-8
* strips "magic quotes" slashes if necessary, * sequences with question marks.
* and replaces invalid in UTF-8 sequences with question marks.
* *
* @param array $from * @param array $from
* @return array * @return array
*/ */
function common_copy_args(array $from): array function common_copy_args(array $from): array
{ {
$strip = get_magic_quotes_gpc(); return array_map(function ($v) {
return array_map(function ($v) use ($strip) { return is_array($v) ? common_copy_args($v) : mb_scrub($v);
if (is_array($v)) {
return common_copy_args($v);
} else {
if ($strip) {
$v = stripslashes($v);
}
return mb_scrub($v);
}
}, $from); }, $from);
} }
/**
* Neutralise the evil effects of magic_quotes_gpc in the current request.
* This is used before handing a request off to OAuthRequest::from_request.
* @fixme Doesn't consider vars other than _POST and _GET?
* @fixme Can't be undone and could corrupt data if run twice.
*/
function common_remove_magic_from_request()
{
if (get_magic_quotes_gpc()) {
$_POST=array_map('stripslashes', $_POST);
$_GET=array_map('stripslashes', $_GET);
}
}
function common_user_uri(&$user) function common_user_uri(&$user)
{ {
return common_local_url( return common_local_url(
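Review bot: `common_remove_magic_from_request()` is deleted outright rather than left as a deprecated no-op, so any plugin or out-of-tree code that still calls it will fail with an undefined-function error at runtime; grepping callers, or keeping a stub such as `function common_remove_magic_from_request() { /* no-op: magic quotes were removed in PHP 5.4 */ }` for one release, would make the removal safe. The new `common_copy_args()` body is correct; if the project floor is PHP 7.4, as the deprecation notes in the commit message suggest, the closure could become `return array_map(static fn ($v) => is_array($v) ? common_copy_args($v) : mb_scrub($v), $from);`. `common_user_uri()` continues outside the hunk.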


@ -1,50 +1,41 @@
<?php <?php
// This file is part of GNU social - https://www.gnu.org/software/social
//
// GNU social is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// GNU social is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with GNU social. If not, see <http://www.gnu.org/licenses/>.
/** /**
* StatusNet - the distributed open-source microblogging tool
* Copyright (C) 2011, StatusNet, Inc.
*
* Restrict the email addresses in a domain to a select whitelist * Restrict the email addresses in a domain to a select whitelist
* *
* PHP version 5
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
* @category Cache * @category Cache
* @package StatusNet * @package GNUsocial
* @author Evan Prodromou <evan@status.net> * @author Evan Prodromou <evan@status.net>
* @author Zach Copley <zach@status.net> * @author Zach Copley <zach@status.net>
* @copyright 2011 StatusNet, Inc. * @copyright 2011 StatusNet, Inc.
* @license http://www.fsf.org/licensing/licenses/agpl-3.0.html AGPL 3.0 * @license https://www.gnu.org/licenses/agpl.html GNU AGPL v3 or later
* @link http://status.net/
*/ */
if (!defined('STATUSNET')) { defined('GNUSOCIAL') || die();
// This check helps protect against security problems;
// your code file can't be executed directly from the web.
exit(1);
}
/** /**
* Restrict the email addresses to a domain whitelist * Restrict the email addresses to a domain whitelist
* *
* @category General * @category General
* @package StatusNet * @package GNUsocial
* @author Evan Prodromou <evan@status.net> * @author Evan Prodromou <evan@status.net>
* @author Zach Copley <zach@status.net> * @author Zach Copley <zach@status.net>
* @copyright 2011 StatusNet, Inc. * @copyright 2011 StatusNet, Inc.
* @license http://www.fsf.org/licensing/licenses/agpl-3.0.html AGPL 3.0 * @license https://www.gnu.org/licenses/agpl.html GNU AGPL v3 or later
* @link http://status.net/
*/ */
class DomainWhitelistPlugin extends Plugin class DomainWhitelistPlugin extends Plugin
{ {
@ -56,7 +47,8 @@ class DomainWhitelistPlugin extends Plugin
* *
* @return String the absolute path * @return String the absolute path
*/ */
protected function getPath() { protected function getPath()
{
return preg_replace('/^' . preg_quote(INSTALLDIR, '/') . '\//', '', dirname(__FILE__)); return preg_replace('/^' . preg_quote(INSTALLDIR, '/') . '\//', '', dirname(__FILE__));
} }
@ -67,7 +59,8 @@ class DomainWhitelistPlugin extends Plugin
* *
* @return boolean hook flag * @return boolean hook flag
*/ */
function onEndShowStatusNetScripts($action) { public function onEndShowStatusNetScripts($action)
{
$name = $action->arg('action'); $name = $action->arg('action');
if ($name == 'invite') { if ($name == 'invite') {
$action->script($this->getPath() . '/js/whitelistinvite.js'); $action->script($this->getPath() . '/js/whitelistinvite.js');
@ -75,13 +68,13 @@ class DomainWhitelistPlugin extends Plugin
return true; return true;
} }
function onRequireValidatedEmailPlugin_Override($user, &$knownGood) public function onRequireValidatedEmailPlugin_Override($user, &$knownGood)
{ {
$knownGood = (!empty($user->email) && $this->matchesWhitelist($user->email)); $knownGood = (!empty($user->email) && $this->matchesWhitelist($user->email));
return true; return true;
} }
function onEndValidateUserEmail($user, $email, &$valid) public function onEndValidateUserEmail($user, $email, &$valid)
{ {
if ($valid) { // it's otherwise valid if ($valid) { // it's otherwise valid
if (!$this->matchesWhitelist($email)) { if (!$this->matchesWhitelist($email)) {
@ -89,14 +82,18 @@ class DomainWhitelistPlugin extends Plugin
if (count($whitelist) == 1) { if (count($whitelist) == 1) {
// TRANS: Client exception thrown when a given e-mailaddress is not in the domain whitelist. // TRANS: Client exception thrown when a given e-mailaddress is not in the domain whitelist.
// TRANS: %s is a whitelisted e-mail domain. // TRANS: %s is a whitelisted e-mail domain.
$message = sprintf(_m('Email address must be in this domain: %s.'), $message = sprintf(
$whitelist[0]); _m('Email address must be in this domain: %s.'),
$whitelist[0]
);
} else { } else {
// TRANS: Client exception thrown when a given e-mailaddress is not in the domain whitelist. // TRANS: Client exception thrown when a given e-mailaddress is not in the domain whitelist.
// TRANS: %s are whitelisted e-mail domains separated by comma's (localisable). // TRANS: %s are whitelisted e-mail domains separated by comma's (localisable).
$message = sprintf(_m('Email address must be in one of these domains: %s.'), $message = sprintf(
// TRANS: Separator for whitelisted domains. _m('Email address must be in one of these domains: %s.'),
implode(_m('SEPARATOR',', '), $whitelist)); // TRANS: Separator for whitelisted domains.
implode(_m('SEPARATOR', ', '), $whitelist)
);
} }
throw new ClientException($message); throw new ClientException($message);
} }
@ -104,7 +101,7 @@ class DomainWhitelistPlugin extends Plugin
return true; return true;
} }
function onStartAddEmailAddress($user, $email) public function onStartAddEmailAddress($user, $email)
{ {
if (!$this->matchesWhitelist($email)) { if (!$this->matchesWhitelist($email)) {
// TRANS: Exception thrown when an e-mail address does not match the site's domain whitelist. // TRANS: Exception thrown when an e-mail address does not match the site's domain whitelist.
@ -114,7 +111,7 @@ class DomainWhitelistPlugin extends Plugin
return true; return true;
} }
function onEndValidateEmailInvite($user, $email, &$valid) public function onEndValidateEmailInvite($user, $email, &$valid)
{ {
if ($valid) { if ($valid) {
$valid = $this->matchesWhitelist($email); $valid = $this->matchesWhitelist($email);
@ -123,7 +120,7 @@ class DomainWhitelistPlugin extends Plugin
return true; return true;
} }
function matchesWhitelist($email) public function matchesWhitelist($email)
{ {
$whitelist = $this->getWhitelist(); $whitelist = $this->getWhitelist();
@ -143,13 +140,13 @@ class DomainWhitelistPlugin extends Plugin
* @param string $email and email address * @param string $email and email address
* @return string the domain * @return string the domain
*/ */
function domainFromEmail($email) public function domainFromEmail($email)
{ {
$parts = explode('@', $email); $parts = explode('@', $email);
return strtolower(trim($parts[1])); return strtolower(trim($parts[1]));
} }
function getWhitelist() public function getWhitelist()
{ {
$whitelist = common_config('email', 'whitelist'); $whitelist = common_config('email', 'whitelist');
@ -169,7 +166,7 @@ class DomainWhitelistPlugin extends Plugin
* @param string $domain domain to check * @param string $domain domain to check
* @return boolean whether to include the domain * @return boolean whether to include the domain
*/ */
function userDomainFilter($domain) public function userDomainFilter($domain)
{ {
$user = common_current_user(); $user = common_current_user();
$userDomain = $this->domainFromEmail($user->email); $userDomain = $this->domainFromEmail($user->email);
@ -190,7 +187,7 @@ class DomainWhitelistPlugin extends Plugin
* @param array $whitelist whitelist of allowed email domains * @param array $whitelist whitelist of allowed email domains
* @return array an ordered or sorted version of the whitelist * @return array an ordered or sorted version of the whitelist
*/ */
function sortWhitelist($whitelist) public function sortWhitelist($whitelist)
{ {
$whitelist = array_unique($whitelist); $whitelist = array_unique($whitelist);
natcasesort($whitelist); natcasesort($whitelist);
@ -223,7 +220,7 @@ class DomainWhitelistPlugin extends Plugin
* @param action $action the invite action * @param action $action the invite action
* @return boolean hook value * @return boolean hook value
*/ */
function onStartShowInviteForm($action) public function onStartShowInviteForm($action)
{ {
$this->showConfirmDialog($action); $this->showConfirmDialog($action);
$form = new WhitelistInviteForm($action, $this->getWhitelist()); $form = new WhitelistInviteForm($action, $this->getWhitelist());
@ -231,7 +228,7 @@ class DomainWhitelistPlugin extends Plugin
return false; return false;
} }
function showConfirmDialog($action) public function showConfirmDialog($action)
{ {
// For JQuery UI modal dialog // For JQuery UI modal dialog
$action->elementStart( $action->elementStart(
@ -252,21 +249,21 @@ class DomainWhitelistPlugin extends Plugin
* @param action &$action the invite action * @param action &$action the invite action
* @return boolean hook value * @return boolean hook value
*/ */
function onStartSendInvitations(&$action) public function onStartSendInvitations(&$action)
{ {
$emails = array(); $emails = [];
$usernames = $action->arg('username'); $usernames = $action->arg('username');
$domains = $action->arg('domain'); $domains = $action->arg('domain');
for($i = 0; $i < count($usernames); $i++) { foreach ($usernames as $key => $username) {
if (!empty($usernames[$i])) { if (!empty($username)) {
$emails[] = $usernames[$i] . '@' . $domains[$i] . "\n"; $emails[] = $username . '@' . $domains[$key] . "\n";
} }
} }
$action->args['addresses'] = implode($emails); $action->args['addresses'] = implode('', $emails);
return true; return true;
} }
public function onPluginVersion(array &$versions): bool public function onPluginVersion(array &$versions): bool
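Review bot: In `onStartSendInvitations()`, `$domains[$key]` is read without checking that the key exists, so a submitted form whose `domain[]` array is shorter than `username[]` or has mismatched keys raises an undefined-index notice and yields an address like `user@` followed by a newline; both arrays come from the request, so their pairing cannot be assumed. Guarding the pair, `if (!empty($username) && !empty($domains[$key])) {`, keeps the loop well-defined, and `$action->arg('username')` may be null when the field is absent, which makes `foreach` emit a warning, so `foreach ((array) $action->arg('username') as $key => $username) {` is safer. `domainFromEmail()` in the hunk at line 140 has the same unchecked-index shape with `$parts[1]` for an address without `@`, though that hunk only changes visibility.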


@ -70,7 +70,6 @@ class Posted
/** /**
* The given POST parameter value, in its original form. * The given POST parameter value, in its original form.
* Magic quotes are stripped, if provided.
* Missing value will give null. * Missing value will give null.
* *
* @param string $name * @param string $name
@ -78,29 +77,7 @@ class Posted
*/ */
public function raw(string $name) public function raw(string $name)
{ {
if (isset($_POST[$name])) { return filter_input(INPUT_POST, $name);
return $this->dequote($_POST[$name]);
} else {
return null;
}
}
/**
* If necessary, strip magic quotes from the given value.
*
* @param mixed $val
* @return mixed
*/
public function dequote($val)
{
if (get_magic_quotes_gpc()) {
if (is_string($val)) {
return stripslashes($val);
} elseif (is_array($val)) {
return array_map([$this, 'dequote'], $val);
}
}
return $val;
} }
} }
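Review bot: `return filter_input(INPUT_POST, $name);` does not preserve the "original form" the docblock promises: for an array POST parameter it returns `false` rather than the array, which the removed `dequote()` path handled, and it reads the request as PHP received it, so any earlier modification of `$_POST`, such as `ApiOAuthAction::cleanRequest()` unsetting `p`, is invisible here. If the contract is the raw value with `null` for a missing key, `return $_POST[$name] ?? null;` matches the docblock exactly; if `filter_input()` is wanted, the array case needs explicit handling and the docblock should say which form callers get.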