From b59dacb806c9246668db7a004b931513f4e4076b Mon Sep 17 00:00:00 2001
From: Mikael Nordfeldth
Date: Tue, 23 Feb 2016 14:00:59 +0100
Subject: [PATCH] getAliases for Profile and Notice Also move fancyurlfix into site-wide $config['fix']['fancyurls'] TODO: getByUri should make use of this directly I guess?
---
classes/Managed_DataObject.php | 49 ++++++++++++++++++++
lib/default.php | 3 ++
plugins/WebFinger/WebFingerPlugin.php | 4 +-
plugins/WebFinger/lib/webfingerresource.php | 51 ++++-----------------
4 files changed, 63 insertions(+), 44 deletions(-)
diff --git a/classes/Managed_DataObject.php b/classes/Managed_DataObject.php
index 31ae6614fb..cab7edd5c7 100644
--- a/classes/Managed_DataObject.php
+++ b/classes/Managed_DataObject.php
@@ -412,6 +412,55 @@ abstract class Managed_DataObject extends Memcached_DataObject return intval($this->id); } + /** + * WARNING: Only use this on Profile and Notice. We should probably do + * this with traits/"implements" or whatever, but that's over the top + * right now, I'm just throwing this in here to avoid code duplication + * in Profile and Notice classes. + */ + public function getAliases() + { + $aliases = array(); + $aliases[$this->getUri()] = $this->getID(); + + try { + $aliases[$this->getUrl()] = $this->getID(); + } catch (InvalidUrlException $e) { + // getUrl failed because no valid URL could be returned, just ignore it + } + + if (common_config('fix', 'fancyurls')) { + /** + * Here we add some hacky hotfixes for remote lookups that have been taught the + * (at least now) wrong URI but it's still obviously the same user. Such as: + * - https://site.example/user/1 even if the client requests https://site.example/index.php/user/1 + * - https://site.example/user/1 even if the client requests https://site.example//index.php/user/1 + * - https://site.example/index.php/user/1 even if the client requests https://site.example/user/1 + * - https://site.example/index.php/user/1 even if the client requests https://site.example///index.php/user/1 + */ + foreach ($aliases as $alias=>$id) { + try { + // get a "fancy url" version of the alias, even without index.php/ + $alt_url = common_fake_local_fancy_url($alias); + // store this as well so remote sites can be sure we really are the same profile + $aliases[$alt_url] = $id; + } catch (Exception $e) { + // Apparently we couldn't rewrite that, the $alias was as the function wanted it to be + } + + try { + // get a non-"fancy url" version of the alias, i.e. 
add index.php/ + $alt_url = common_fake_local_nonfancy_url($alias); + // store this as well so remote sites can be sure we really are the same profile + $aliases[$alt_url] = $id; + } catch (Exception $e) { + // Apparently we couldn't rewrite that, the $alias was as the function wanted it to be + } + } + } + return $aliases; + } + // 'update' won't write key columns, so we have to do it ourselves. // This also automatically calls "update" _before_ it sets the keys. // FIXME: This only works with single-column primary keys so far! Beware! diff --git a/lib/default.php b/lib/default.php index 1b420684b6..f8ce3bd4fe 100644 --- a/lib/default.php +++ b/lib/default.php @@ -81,6 +81,9 @@ $default = 'log_queries' => false, // true to log all DB queries 'log_slow_queries' => 0, // if set, log queries taking over N seconds 'mysql_foreign_keys' => false), // if set, enables experimental foreign key support on MySQL + 'fix' => + array('fancyurls' => true, // makes sure aliases in WebFinger etc. are not f'd by index.php/ URLs + ), 'syslog' => array('appname' => 'statusnet', # for syslog 'priority' => 'debug', # XXX: currently ignored diff --git a/plugins/WebFinger/WebFingerPlugin.php b/plugins/WebFinger/WebFingerPlugin.php index fd25482c7a..d902947d93 100644 --- a/plugins/WebFinger/WebFingerPlugin.php +++ b/plugins/WebFinger/WebFingerPlugin.php @@ -36,12 +36,10 @@ class WebFingerPlugin extends Plugin const OAUTH_AUTHORIZE_REL = 'http://apinamespace.org/oauth/authorize'; public $http_alias = false; - public $fancyurlfix = true; // adds + interprets some extra aliases related to 'index.php/' URLs public function initialize() { common_config_set('webfinger', 'http_alias', $this->http_alias); - common_config_set('webfinger', 'fancyurlfix', $this->fancyurlfix); } public function onRouterInitialized($m) 
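Review bot: The docblock on the new `getAliases()` carries only the scope warning and never says what the method returns, although each alias is stored with `$this->getID()` as its value here while the WebFingerResource code this commit removes stored `true`. I would add `@return array alias URI/URL as key, the object's getID() value as value` so callers know that only the keys are aliases. The method also sits on the abstract base class and calls `getUri()` and `getUrl()`, which this hunk does not show being defined there, so a call on a subclass other than Profile or Notice presumably fails at runtime; the interface the comment itself mentions would enforce the warning.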
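Review bot: The new `fix`/`fancyurls` default is `true`, and it replaces the plugin-level `webfinger`/`fancyurlfix` setting that this same commit deletes from WebFingerPlugin. A site that had turned the old option off would, as far as the visible lines show, get the extra index.php/ aliases published again without notice, because nothing reads the old key any more. Since these aliases tell remote sites which URLs count as the same identity, I would extend the inline comment to `// replaces the WebFinger plugin's 'fancyurlfix' attribute; set to false to stop publishing index.php/ alias variants` and mention the rename in the upgrade notes.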
@@ -106,7 +104,7 @@ class WebFingerPlugin extends Plugin $user = User::getByUri($resource); $profile = $user->getProfile(); } catch (NoResultException $e) { - if (common_config('webfinger', 'fancyurlfix')) { + if (common_config('fix', 'fancyurls')) { try { try { // if it's a /index.php/ url // common_fake_local_fancy_url can throw an exception diff --git a/plugins/WebFinger/lib/webfingerresource.php b/plugins/WebFinger/lib/webfingerresource.php index e04d3b407f..3afbd41713 100644 --- a/plugins/WebFinger/lib/webfingerresource.php +++ b/plugins/WebFinger/lib/webfingerresource.php 
@@ -31,49 +31,18 @@ abstract class WebFingerResource public function getAliases() { - $aliases = array(); + $aliases = $this->object->getAliases(); - // Add the URI as an identity, this is _not_ necessarily an HTTP url - $uri = $this->object->getUri(); - $aliases[$uri] = true; - if (common_config('webfinger', 'http_alias') - && strtolower(parse_url($uri, PHP_URL_SCHEME)) === 'https') { - $aliases[preg_replace('/^https:/', 'http:', $uri, 1)] = true; - } - - try { - $aliases[$this->object->getUrl()] = true; - } catch (InvalidUrlException $e) { - // getUrl failed because no valid URL could be returned, just ignore it - } - - if (common_config('webfinger', 'fancyurlfix')) { - /** - * Here we add some hacky hotfixes for remote lookups that have been taught the - * (at least now) wrong URI but it's still obviously the same user. Such as: - * - https://site.example/user/1 even if the client requests https://site.example/index.php/user/1 - * - https://site.example/user/1 even if the client requests https://site.example//index.php/user/1 - * - https://site.example/index.php/user/1 even if the client requests https://site.example/user/1 - * - https://site.example/index.php/user/1 even if the client requests https://site.example///index.php/user/1 - */ - foreach(array_keys($aliases) as $alias) { - try { - // get a "fancy url" version of the alias, even without index.php/ - $alt_url = common_fake_local_fancy_url($alias); - // store this as well so remote sites can be sure we really are the same profile - $aliases[$alt_url] = true; - } catch (Exception $e) { - // Apparently we couldn't rewrite that, the $alias was as the function wanted it to be - } - - try { - // get a non-"fancy url" version of the alias, i.e. 
add index.php/ - $alt_url = common_fake_local_nonfancy_url($alias); - // store this as well so remote sites can be sure we really are the same profile - $aliases[$alt_url] = true; - } catch (Exception $e) { - // Apparently we couldn't rewrite that, the $alias was as the function wanted it to be + // Some sites have changed from http to https and still want + // (because remote sites look for it) verify that they are still + // the same identity as they were on HTTP. Should NOT be used if + // you've run HTTPS all the time! + if (common_config('webfinger', 'http_alias')) { + foreach ($aliases as $alias=>$id) { + if (!strtolower(parse_url($alias, PHP_URL_SCHEME)) === 'https') { + continue; } + $aliases[preg_replace('/^https:/', 'http:', $alias, 1)] = $id; } }
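Review bot: The scheme guard `if (!strtolower(parse_url($alias, PHP_URL_SCHEME)) === 'https')` can never be true, because `!` binds tighter than `===` and a boolean is never identical to the string 'https', so the `continue` is dead code. The output is still right only because `preg_replace('/^https:/', ...)` returns a non-https alias unchanged and the assignment rewrites the existing key. The condition should read `if (strtolower((string) parse_url($alias, PHP_URL_SCHEME)) !== 'https') {`, with the cast covering aliases for which parse_url() yields no scheme. The http: twin is also now produced for every alias returned by `$this->object->getAliases()`, where the removed code produced it for the URI only, which widens the set of plaintext URLs asserted as the same identity when `http_alias` is on. The rest of getAliases() after the loop lies outside this hunk.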