From 4d5f8e7876e291bd309963e9a56dc1a8ad5a5f89 Mon Sep 17 00:00:00 2001 From: Brion Vibber Date: Wed, 9 Mar 2011 15:46:24 -0800 Subject: [PATCH 1/3] Ticket #3076: fix regression in password recovery when email address given that doesn't match Was triggering errors due to use of common_canonical_nickname() on arbitrary input without checking for exceptions about invalid nicknames (which didn't exist long ago in the before time) --- actions/recoverpassword.php | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/actions/recoverpassword.php b/actions/recoverpassword.php index 9019d6fb22..a73872bfdb 100644 --- a/actions/recoverpassword.php +++ b/actions/recoverpassword.php @@ -282,7 +282,11 @@ class RecoverpasswordAction extends Action $user = User::staticGet('email', common_canonical_email($nore)); if (!$user) { - $user = User::staticGet('nickname', common_canonical_nickname($nore)); + try { + $user = User::staticGet('nickname', common_canonical_nickname($nore)); + } catch (NicknameException $e) { + // invalid + } } # See if it's an unconfirmed email address From b7548fb9e2236c20271a40a39b721e314478c431 Mon Sep 17 00:00:00 2001 From: Zach Copley Date: Thu, 10 Mar 2011 18:08:14 +0000 Subject: [PATCH 2/3] Show a reasonable error message when an image is bad, instead of letting the exception continue bubbling up. --- actions/newapplication.php | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/actions/newapplication.php b/actions/newapplication.php index eb13593536..657c7bcb71 100644 --- a/actions/newapplication.php +++ b/actions/newapplication.php @@ -22,7 +22,7 @@ * @category Applications * @package StatusNet * @author Zach Copley - * @copyright 2008-2009 StatusNet, Inc. + * @copyright 2008-2011 StatusNet, Inc. * @license http://www.fsf.org/licensing/licenses/agpl-3.0.html GNU Affero General Public License version 3.0 * @link http://status.net/ */ @@ -290,7 +290,13 @@ class NewApplicationAction extends OwnerDesignAction $app->query('ROLLBACK'); } - $app->uploadLogo(); + try { + $app->uploadLogo(); + } catch (Exception $e) { + $app->query('ROLLBACK'); + $this->showForm(_('Invalid image.')); + return; + } $app->query('COMMIT'); From e985a41a7ee56a81bbc3150cbb2abb9cf69b0d8a Mon Sep 17 00:00:00 2001 From: Brion Vibber Date: Tue, 15 Mar 2011 10:09:20 -0700 Subject: [PATCH 3/3] Suppress PHP warnings/notices during AtomPub XML parsing to avoid HTTP header problems when given bad input. If display_errors is on, typical settings would cause PHP error messages to spew to output before the HTTP headers for setting a 400 error go through. Also switched from deprecated static DOMDocument::loadXML() to non-static call. --- actions/apitimelineuser.php | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/actions/apitimelineuser.php b/actions/apitimelineuser.php index 66984b5abd..3fe73c691c 100644 --- a/actions/apitimelineuser.php +++ b/actions/apitimelineuser.php @@ -322,8 +322,11 @@ class ApiTimelineUserAction extends ApiBareAuthAction $this->clientError(_('Atom post must not be empty.')); } - $dom = DOMDocument::loadXML($xml); - if (!$dom) { + $old = error_reporting(error_reporting() & ~(E_WARNING | E_NOTICE)); + $dom = new DOMDocument(); + $ok = $dom->loadXML($xml); + error_reporting($old); + if (!$ok) { // TRANS: Client error displayed attempting to post an API that is not well-formed XML. $this->clientError(_('Atom post must be well-formed XML.')); }