From f23a877cd8ad8d583b74c312c7e9baa842b5a86a Mon Sep 17 00:00:00 2001 From: James Walker Date: Fri, 26 Feb 2010 15:38:48 -0500 Subject: [PATCH 01/19] Discovery::lookup now throws an exception --- plugins/OStatus/classes/Ostatus_profile.php | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/plugins/OStatus/classes/Ostatus_profile.php b/plugins/OStatus/classes/Ostatus_profile.php index 35539bff77..7b1aec76ba 100644 --- a/plugins/OStatus/classes/Ostatus_profile.php +++ b/plugins/OStatus/classes/Ostatus_profile.php @@ -1288,9 +1288,9 @@ class Ostatus_profile extends Memcached_DataObject $disco = new Discovery(); - $result = $disco->lookup($addr); - - if (!$result) { + try { + $result = $disco->lookup($addr); + } catch (Exception $e) { self::cacheSet(sprintf('ostatus_profile:webfinger:%s', $addr), null); return null; } From e4c462570f8010f751caf214f329617c08bf7105 Mon Sep 17 00:00:00 2001 From: James Walker Date: Fri, 26 Feb 2010 15:39:30 -0500 Subject: [PATCH 02/19] move salmon posting to send application/magic-envelope+xml per http://salmon-protocol.googlecode.com/svn/trunk/draft-panzer-salmon-00.html#RPF --- plugins/OStatus/lib/magicenvelope.php | 22 ++++++++++++++++++++++ plugins/OStatus/lib/salmon.php | 18 +++++++++++------- plugins/OStatus/lib/salmonaction.php | 26 ++++++++++++++------------ 3 files changed, 47 insertions(+), 19 deletions(-) diff --git a/plugins/OStatus/lib/magicenvelope.php b/plugins/OStatus/lib/magicenvelope.php index f33119b8f7..230d81ba1f 100644 --- a/plugins/OStatus/lib/magicenvelope.php +++ b/plugins/OStatus/lib/magicenvelope.php @@ -83,6 +83,28 @@ class MagicEnvelope } + public function toXML($env) { + $dom = new DOMDocument(); + + $envelope = $dom->createElementNS(MagicEnvelope::NS, 'me:env'); + $envelope->setAttribute('xmlns:me', MagicEnvelope::NS); + $data = $dom->createElementNS(MagicEnvelope::NS, 'me:data', $env['data']); + $data->setAttribute('type', $env['data_type']); + $envelope->appendChild($data); + $enc = $dom->createElementNS(MagicEnvelope::NS, 'me:encoding', $env['encoding']); + $envelope->appendChild($enc); + $alg = $dom->createElementNS(MagicEnvelope::NS, 'me:alg', $env['alg']); + $envelope->appendChild($alg); + $sig = $dom->createElementNS(MagicEnvelope::NS, 'me:sig', $env['sig']); + $envelope->appendChild($sig); + + $dom->appendChild($envelope); + + + return $dom->saveXML(); + } + + public function unfold($env) { $dom = new DOMDocument(); diff --git a/plugins/OStatus/lib/salmon.php b/plugins/OStatus/lib/salmon.php index 6e24595441..68883a410f 100644 --- a/plugins/OStatus/lib/salmon.php +++ b/plugins/OStatus/lib/salmon.php @@ -48,12 +48,17 @@ class Salmon return false; } - if (!common_config('ostatus', 'skip_signatures')) { + try { $xml = $this->createMagicEnv($xml, $actor); + } catch (Exception $e) { + common_log(LOG_ERR, "Salmon unable to sign: " . $e->getMessage()); + return false; } - $headers = array('Content-Type: application/atom+xml'); + $headers = array('Content-Type: application/magic-envelope+xml'); + common_log(LOG_DEBUG, "Salmon: going to post " . $xml); + try { $client = new HTTPClient(); $client->setBody($xml); @@ -72,7 +77,6 @@ class Salmon public function createMagicEnv($text, $actor) { - common_log(LOG_DEBUG, "Got actor as : ". print_r($actor, true)); $magic_env = new MagicEnvelope(); $user = User::staticGet('id', $actor->id); @@ -84,7 +88,6 @@ class Salmon $magickey = new Magicsig(); $magickey->generate($user->id); } - common_log(LOG_DEBUG, "Salmon: Loaded key for ". $user->id); } else { throw new Exception("Salmon invalid actor for signing"); } @@ -95,15 +98,16 @@ class Salmon common_log(LOG_ERR, "Salmon signing failed: ". $e->getMessage()); return $text; } - return $magic_env->unfold($env); + return $magic_env->toXML($env); } - public function verifyMagicEnv($dom) + public function verifyMagicEnv($text) { + common_log(LOG_DEBUG, "Going to verify ". $text); $magic_env = new MagicEnvelope(); - $env = $magic_env->fromDom($dom); + $env = $magic_env->parse($text); return $magic_env->verify($env); } diff --git a/plugins/OStatus/lib/salmonaction.php b/plugins/OStatus/lib/salmonaction.php index a03169101b..9ca350e671 100644 --- a/plugins/OStatus/lib/salmonaction.php +++ b/plugins/OStatus/lib/salmonaction.php @@ -41,29 +41,31 @@ class SalmonAction extends Action $this->clientError(_m('This method requires a POST.')); } - if (empty($_SERVER['CONTENT_TYPE']) || $_SERVER['CONTENT_TYPE'] != 'application/atom+xml') { - $this->clientError(_m('Salmon requires application/atom+xml')); + if (empty($_SERVER['CONTENT_TYPE']) || $_SERVER['CONTENT_TYPE'] != 'application/magic-envelope+xml') { + $this->clientError(_m('Salmon requires application/magic-envelope+xml')); } $xml = file_get_contents('php://input'); - $dom = DOMDocument::loadXML($xml); + // Check the signature + $salmon = new Salmon; + if (!$salmon->verifyMagicEnv($xml)) { + common_log(LOG_DEBUG, "Salmon signature verification failed."); + $this->clientError(_m('Salmon signature verification failed.')); + } else { + $env = MagicEnvelope::parse($xml); + $xml = MagicEnvelope::unfold($env); + } + + + $dom = DOMDocument::loadXML($xml); if ($dom->documentElement->namespaceURI != Activity::ATOM || $dom->documentElement->localName != 'entry') { common_log(LOG_DEBUG, "Got invalid Salmon post: $xml"); $this->clientError(_m('Salmon post must be an Atom entry.')); } - // Check the signature - $salmon = new Salmon; - if (!common_config('ostatus', 'skip_signatures')) { - if (!$salmon->verifyMagicEnv($dom)) { - common_log(LOG_DEBUG, "Salmon signature verification failed."); - $this->clientError(_m('Salmon signature verification failed.')); - } - } - $this->act = new Activity($dom->documentElement); return true; } From b0acaeafe345e925a9a5bf44f4ad86567eee14c2 Mon Sep 17 00:00:00 2001 From: Zach Copley Date: Fri, 26 Feb 2010 13:06:06 -0800 Subject: [PATCH 03/19] Check for conversation with unique conversation ID --- lib/noticelist.php | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/lib/noticelist.php b/lib/noticelist.php index 28a563d875..7d1d2828fc 100644 --- a/lib/noticelist.php +++ b/lib/noticelist.php @@ -540,16 +540,13 @@ class NoticeListItem extends Widget function showContext() { $hasConversation = false; - if( !empty($this->notice->conversation) - && $this->notice->conversation != $this->notice->id){ - $hasConversation = true; - }else{ - $conversation = Notice::conversationStream($this->notice->id, 1, 1); - if($conversation->N > 0){ + if (!empty($this->notice->conversation)) { + $conversation = Notice::conversationStream($this->notice->conversation, 1, 1); + if ($conversation->N > 0) { $hasConversation = true; } } - if ($hasConversation){ + if ($hasConversation) { $this->out->text(' '); $convurl = common_local_url('conversation', array('id' => $this->notice->conversation)); From c82cee18769763d105304f09de9b6b4079e48aae Mon Sep 17 00:00:00 2001 From: James Walker Date: Fri, 26 Feb 2010 16:25:47 -0500 Subject: [PATCH 04/19] removing some extraneous debug logging --- plugins/OStatus/lib/salmon.php | 4 ---- 1 file changed, 4 deletions(-) diff --git a/plugins/OStatus/lib/salmon.php b/plugins/OStatus/lib/salmon.php index 68883a410f..3d3341bc63 100644 --- a/plugins/OStatus/lib/salmon.php +++ b/plugins/OStatus/lib/salmon.php @@ -57,8 +57,6 @@ class Salmon $headers = array('Content-Type: application/magic-envelope+xml'); - common_log(LOG_DEBUG, "Salmon: going to post " . $xml); - try { $client = new HTTPClient(); $client->setBody($xml); @@ -95,7 +93,6 @@ class Salmon try { $env = $magic_env->signMessage($text, 'application/atom+xml', $magickey->toString()); } catch (Exception $e) { - common_log(LOG_ERR, "Salmon signing failed: ". $e->getMessage()); return $text; } return $magic_env->toXML($env); @@ -104,7 +101,6 @@ class Salmon public function verifyMagicEnv($text) { - common_log(LOG_DEBUG, "Going to verify ". $text); $magic_env = new MagicEnvelope(); $env = $magic_env->parse($text); From 0ecf435dc5df3d6424fc7bd0438d2856aa07c1da Mon Sep 17 00:00:00 2001 From: James Walker Date: Fri, 26 Feb 2010 16:50:00 -0500 Subject: [PATCH 05/19] adding sequenceKeys() to magicsig --- plugins/OStatus/classes/Magicsig.php | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/plugins/OStatus/classes/Magicsig.php b/plugins/OStatus/classes/Magicsig.php index 751527c819..dee193cd5a 100644 --- a/plugins/OStatus/classes/Magicsig.php +++ b/plugins/OStatus/classes/Magicsig.php @@ -84,6 +84,10 @@ class Magicsig extends Memcached_DataObject return array('user_id' => 'K'); } + function sequenceKeys() { + return array(false, false, false); + } + function insert() { $this->keypair = $this->toString(); From 6ee7660a585faf290dc1650a714d280b40ac3a2d Mon Sep 17 00:00:00 2001 From: James Walker Date: Fri, 26 Feb 2010 16:51:50 -0500 Subject: [PATCH 06/19] should be sequenceKey (singular) --- plugins/OStatus/classes/HubSub.php | 2 +- plugins/OStatus/classes/Magicsig.php | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/plugins/OStatus/classes/HubSub.php b/plugins/OStatus/classes/HubSub.php index 1ac181feeb..e599d83a96 100644 --- a/plugins/OStatus/classes/HubSub.php +++ b/plugins/OStatus/classes/HubSub.php @@ -99,7 +99,7 @@ class HubSub extends Memcached_DataObject return array_keys($this->keyTypes()); } - function sequenceKeys() + function sequenceKey() { return array(false, false, false); } diff --git a/plugins/OStatus/classes/Magicsig.php b/plugins/OStatus/classes/Magicsig.php index dee193cd5a..d47dcf1434 100644 --- a/plugins/OStatus/classes/Magicsig.php +++ b/plugins/OStatus/classes/Magicsig.php @@ -84,7 +84,7 @@ class Magicsig extends Memcached_DataObject return array('user_id' => 'K'); } - function sequenceKeys() { + function sequenceKey() { return array(false, false, false); } From 1cf08c7ad7704cd92d59f319573e831d1115e996 Mon Sep 17 00:00:00 2001 From: James Walker Date: Fri, 26 Feb 2010 17:09:50 -0500 Subject: [PATCH 07/19] MagicEnvelope::parse shouldn't be called statically --- plugins/OStatus/lib/salmonaction.php | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/plugins/OStatus/lib/salmonaction.php b/plugins/OStatus/lib/salmonaction.php index 9ca350e671..fa9dc3b1da 100644 --- a/plugins/OStatus/lib/salmonaction.php +++ b/plugins/OStatus/lib/salmonaction.php @@ -54,8 +54,9 @@ class SalmonAction extends Action common_log(LOG_DEBUG, "Salmon signature verification failed."); $this->clientError(_m('Salmon signature verification failed.')); } else { - $env = MagicEnvelope::parse($xml); - $xml = MagicEnvelope::unfold($env); + $magic_env = new MagicEnvelope(); + $env = $magic_env->parse($xml); + $xml = $magic_env->unfold($env); } From 4b696cf51f39cd2e1cec4fddaec4f82e675df8d3 Mon Sep 17 00:00:00 2001 From: Evan Prodromou Date: Fri, 26 Feb 2010 17:28:44 -0500 Subject: [PATCH 08/19] add a flag to impede adding sessions to URLs (for permanent stuff) --- lib/util.php | 22 +++++++++++++--------- 1 file changed, 13 insertions(+), 9 deletions(-) diff --git a/lib/util.php b/lib/util.php index 8381bc63c0..32061ec04c 100644 --- a/lib/util.php +++ b/lib/util.php @@ -856,7 +856,7 @@ function common_relative_profile($sender, $nickname, $dt=null) return null; } -function common_local_url($action, $args=null, $params=null, $fragment=null) +function common_local_url($action, $args=null, $params=null, $fragment=null, $addSession=true) { $r = Router::get(); $path = $r->build($action, $args, $params, $fragment); @@ -864,12 +864,12 @@ function common_local_url($action, $args=null, $params=null, $fragment=null) $ssl = common_is_sensitive($action); if (common_config('site','fancy')) { - $url = common_path(mb_substr($path, 1), $ssl); + $url = common_path(mb_substr($path, 1), $ssl, $addSession); } else { if (mb_strpos($path, '/index.php') === 0) { - $url = common_path(mb_substr($path, 1), $ssl); + $url = common_path(mb_substr($path, 1), $ssl, $addSession); } else { - $url = common_path('index.php'.$path, $ssl); + $url = common_path('index.php'.$path, $ssl, $addSession); } } return $url; @@ -888,7 +888,7 @@ function common_is_sensitive($action) return $ssl; } -function common_path($relative, $ssl=false) +function common_path($relative, $ssl=false, $addSession=true) { $pathpart = (common_config('site', 'path')) ? common_config('site', 'path')."/" : ''; @@ -912,7 +912,9 @@ function common_path($relative, $ssl=false) } } - $relative = common_inject_session($relative, $serverpart); + if ($addSession) { + $relative = common_inject_session($relative, $serverpart); + } return $proto.'://'.$serverpart.'/'.$pathpart.$relative; } @@ -1134,14 +1136,15 @@ function common_broadcast_profile(Profile $profile) function common_profile_url($nickname) { - return common_local_url('showstream', array('nickname' => $nickname)); + return common_local_url('showstream', array('nickname' => $nickname), + null, null, false); } // Should make up a reasonable root URL function common_root_url($ssl=false) { - $url = common_path('', $ssl); + $url = common_path('', $ssl, false); $i = strpos($url, '?'); if ($i !== false) { $url = substr($url, 0, $i); @@ -1426,7 +1429,8 @@ function common_remove_magic_from_request() function common_user_uri(&$user) { - return common_local_url('userbyid', array('id' => $user->id)); + return common_local_url('userbyid', array('id' => $user->id), + null, null, false); } function common_notice_uri(&$notice) From d3fc8e22193a86fc71ba21462db89c30fa2abc4b Mon Sep 17 00:00:00 2001 From: Zach Copley Date: Fri, 26 Feb 2010 14:47:38 -0800 Subject: [PATCH 09/19] Pull conversation URL from Conversation instead of assuming it's local --- lib/noticelist.php | 35 ++++++++++++++++++++++++++++------- 1 file changed, 28 insertions(+), 7 deletions(-) diff --git a/lib/noticelist.php b/lib/noticelist.php index 7d1d2828fc..88a9252414 100644 --- a/lib/noticelist.php +++ b/lib/noticelist.php @@ -541,18 +541,39 @@ class NoticeListItem extends Widget { $hasConversation = false; if (!empty($this->notice->conversation)) { - $conversation = Notice::conversationStream($this->notice->conversation, 1, 1); + $conversation = Notice::conversationStream( + $this->notice->conversation, + 1, + 1 + ); if ($conversation->N > 0) { $hasConversation = true; } } if ($hasConversation) { - $this->out->text(' '); - $convurl = common_local_url('conversation', - array('id' => $this->notice->conversation)); - $this->out->element('a', array('href' => $convurl.'#notice-'.$this->notice->id, - 'class' => 'response'), - _('in context')); + $conv = Conversation::staticGet( + 'id', + $this->notice->conversation + ); + $convurl = $conv->uri; + if (!empty($convurl)) { + $this->out->text(' '); + $this->out->element( + 'a', + array( + 'href' => $convurl.'#notice-'.$this->notice->id, + 'class' => 'response'), + _('in context') + ); + } else { + $msg = sprintf( + "Couldn't find Conversation ID %d to make 'in context'" + . "link for Notice ID %d", + $this->notice->conversation, + $this->notice->id + ); + common_log(LOG_WARNING, $msg); + } } } From a5cfda850537e5e55d61f381cfac7d5100aa3bea Mon Sep 17 00:00:00 2001 From: Evan Prodromou Date: Fri, 26 Feb 2010 17:47:39 -0500 Subject: [PATCH 10/19] blow cache on known replies --- classes/Notice.php | 2 ++ 1 file changed, 2 insertions(+) diff --git a/classes/Notice.php b/classes/Notice.php index ac4640534c..2d02a9a19f 100644 --- a/classes/Notice.php +++ b/classes/Notice.php @@ -944,6 +944,8 @@ class Notice extends Memcached_DataObject $reply->profile_id = $user->id; $id = $reply->insert(); + + self::blow('reply:stream:%d', $user->id); } } From ee7603b09f162188caaf1d319a70e7fd5d6aa385 Mon Sep 17 00:00:00 2001 From: James Walker Date: Fri, 26 Feb 2010 17:52:12 -0500 Subject: [PATCH 11/19] better return check in Magicsig::staticGet() --- plugins/OStatus/classes/Magicsig.php | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/plugins/OStatus/classes/Magicsig.php b/plugins/OStatus/classes/Magicsig.php index d47dcf1434..30da63c364 100644 --- a/plugins/OStatus/classes/Magicsig.php +++ b/plugins/OStatus/classes/Magicsig.php @@ -50,7 +50,11 @@ class Magicsig extends Memcached_DataObject public /*static*/ function staticGet($k, $v=null) { $obj = parent::staticGet(__CLASS__, $k, $v); - return Magicsig::fromString($obj->keypair); + if (!empty($obj)) { + return Magicsig::fromString($obj->keypair); + } + + return $obj; } From 21edb98a32cf67b9f754c9a74414f113cb71cb37 Mon Sep 17 00:00:00 2001 From: Evan Prodromou Date: Fri, 26 Feb 2010 18:26:52 -0500 Subject: [PATCH 12/19] change function name --- plugins/OStatus/classes/Magicsig.php | 27 ++++++++++++--------------- 1 file changed, 12 insertions(+), 15 deletions(-) diff --git a/plugins/OStatus/classes/Magicsig.php b/plugins/OStatus/classes/Magicsig.php index 30da63c364..7a804a47ae 100644 --- a/plugins/OStatus/classes/Magicsig.php +++ b/plugins/OStatus/classes/Magicsig.php @@ -33,20 +33,20 @@ class Magicsig extends Memcached_DataObject { const PUBLICKEYREL = 'magic-public-key'; - + public $__table = 'magicsig'; public $user_id; public $keypair; public $alg; - + private $_rsa; public function __construct($alg = 'RSA-SHA256') { $this->alg = $alg; } - + public /*static*/ function staticGet($k, $v=null) { $obj = parent::staticGet(__CLASS__, $k, $v); @@ -57,7 +57,6 @@ class Magicsig extends Memcached_DataObject return $obj; } - function table() { return array( @@ -77,7 +76,6 @@ class Magicsig extends Memcached_DataObject 64, false)); } - function keys() { return array_keys($this->keyTypes()); @@ -114,7 +112,6 @@ class Magicsig extends Memcached_DataObject $this->insert(); } - public function toString($full_pair = true) { $public_key = $this->_rsa->_public_key; @@ -127,15 +124,15 @@ class Magicsig extends Memcached_DataObject $private_exp = '.' . base64_url_encode($private_key->getExponent()); } - return 'RSA.' . $mod . '.' . $exp . $private_exp; + return 'RSA.' . $mod . '.' . $exp . $private_exp; } - + public static function fromString($text) { PEAR::pushErrorHandling(PEAR_ERROR_RETURN); $magic_sig = new Magicsig(); - + // remove whitespace $text = preg_replace('/\s+/', '', $text); @@ -143,7 +140,7 @@ class Magicsig extends Memcached_DataObject if (!preg_match('/RSA\.([^\.]+)\.([^\.]+)(.([^\.]+))?/', $text, $matches)) { return false; } - + $mod = base64_url_decode($matches[1]); $exp = base64_url_decode($matches[2]); if ($matches[4]) { @@ -185,10 +182,10 @@ class Magicsig extends Memcached_DataObject } } - + public function sign($bytes) { - $sig = $this->_rsa->createSign($bytes, null, 'sha256'); + $sig = $this->_rsa->createSign($bytes, null, 'magicsig_sha256'); if ($this->_rsa->isError()) { $error = $this->_rsa->getLastError(); common_log(LOG_DEBUG, 'RSA Error: '. $error->getMessage()); @@ -200,7 +197,7 @@ class Magicsig extends Memcached_DataObject public function verify($signed_bytes, $signature) { - $result = $this->_rsa->validateSign($signed_bytes, $signature, null, 'sha256'); + $result = $this->_rsa->validateSign($signed_bytes, $signature, null, 'magicsig_sha256'); if ($this->_rsa->isError()) { $error = $this->keypair->getLastError(); common_log(LOG_DEBUG, 'RSA Error: '. $error->getMessage()); @@ -208,12 +205,12 @@ class Magicsig extends Memcached_DataObject } return $result; } - + } // Define a sha256 function for hashing // (Crypt_RSA should really be updated to use hash() ) -function sha256($bytes) +function magicsig_sha256($bytes) { return hash('sha256', $bytes); } From 831eb0d2b6e35073992106a792f2878bb98e6aa4 Mon Sep 17 00:00:00 2001 From: James Walker Date: Fri, 26 Feb 2010 18:22:08 -0500 Subject: [PATCH 13/19] renaming sha256 to prevent conflict --- plugins/OStatus/classes/Magicsig.php | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/plugins/OStatus/classes/Magicsig.php b/plugins/OStatus/classes/Magicsig.php index 30da63c364..96900d8761 100644 --- a/plugins/OStatus/classes/Magicsig.php +++ b/plugins/OStatus/classes/Magicsig.php @@ -181,14 +181,15 @@ class Magicsig extends Memcached_DataObject switch ($this->alg) { case 'RSA-SHA256': - return 'sha256'; + return 'magicsig_sha256'; } } public function sign($bytes) { - $sig = $this->_rsa->createSign($bytes, null, 'sha256'); + $hash = $this->getHash(); + $sig = $this->_rsa->createSign($bytes, null, $hash); if ($this->_rsa->isError()) { $error = $this->_rsa->getLastError(); common_log(LOG_DEBUG, 'RSA Error: '. $error->getMessage()); @@ -200,7 +201,8 @@ class Magicsig extends Memcached_DataObject public function verify($signed_bytes, $signature) { - $result = $this->_rsa->validateSign($signed_bytes, $signature, null, 'sha256'); + $hash = $this->getHash(); + $result = $this->_rsa->validateSign($signed_bytes, $signature, null, $hash); if ($this->_rsa->isError()) { $error = $this->keypair->getLastError(); common_log(LOG_DEBUG, 'RSA Error: '. $error->getMessage()); @@ -213,7 +215,7 @@ class Magicsig extends Memcached_DataObject // Define a sha256 function for hashing // (Crypt_RSA should really be updated to use hash() ) -function sha256($bytes) +function magicsig_sha256($bytes) { return hash('sha256', $bytes); } From 2344db1ae5b061ee80b0793f70f072cbee3a18f3 Mon Sep 17 00:00:00 2001 From: Evan Prodromou Date: Fri, 26 Feb 2010 18:28:33 -0500 Subject: [PATCH 14/19] Revert "change function name" This reverts commit 21edb98a32cf67b9f754c9a74414f113cb71cb37. --- plugins/OStatus/classes/Magicsig.php | 27 +++++++++++++++------------ 1 file changed, 15 insertions(+), 12 deletions(-) diff --git a/plugins/OStatus/classes/Magicsig.php b/plugins/OStatus/classes/Magicsig.php index 7a804a47ae..30da63c364 100644 --- a/plugins/OStatus/classes/Magicsig.php +++ b/plugins/OStatus/classes/Magicsig.php @@ -33,20 +33,20 @@ class Magicsig extends Memcached_DataObject { const PUBLICKEYREL = 'magic-public-key'; - + public $__table = 'magicsig'; public $user_id; public $keypair; public $alg; - + private $_rsa; public function __construct($alg = 'RSA-SHA256') { $this->alg = $alg; } - + public /*static*/ function staticGet($k, $v=null) { $obj = parent::staticGet(__CLASS__, $k, $v); @@ -57,6 +57,7 @@ class Magicsig extends Memcached_DataObject return $obj; } + function table() { return array( @@ -76,6 +77,7 @@ class Magicsig extends Memcached_DataObject 64, false)); } + function keys() { return array_keys($this->keyTypes()); @@ -112,6 +114,7 @@ class Magicsig extends Memcached_DataObject $this->insert(); } + public function toString($full_pair = true) { $public_key = $this->_rsa->_public_key; @@ -124,15 +127,15 @@ class Magicsig extends Memcached_DataObject $private_exp = '.' . base64_url_encode($private_key->getExponent()); } - return 'RSA.' . $mod . '.' . $exp . $private_exp; + return 'RSA.' . $mod . '.' . $exp . $private_exp; } - + public static function fromString($text) { PEAR::pushErrorHandling(PEAR_ERROR_RETURN); $magic_sig = new Magicsig(); - + // remove whitespace $text = preg_replace('/\s+/', '', $text); @@ -140,7 +143,7 @@ class Magicsig extends Memcached_DataObject if (!preg_match('/RSA\.([^\.]+)\.([^\.]+)(.([^\.]+))?/', $text, $matches)) { return false; } - + $mod = base64_url_decode($matches[1]); $exp = base64_url_decode($matches[2]); if ($matches[4]) { @@ -182,10 +185,10 @@ class Magicsig extends Memcached_DataObject } } - + public function sign($bytes) { - $sig = $this->_rsa->createSign($bytes, null, 'magicsig_sha256'); + $sig = $this->_rsa->createSign($bytes, null, 'sha256'); if ($this->_rsa->isError()) { $error = $this->_rsa->getLastError(); common_log(LOG_DEBUG, 'RSA Error: '. $error->getMessage()); @@ -197,7 +200,7 @@ class Magicsig extends Memcached_DataObject public function verify($signed_bytes, $signature) { - $result = $this->_rsa->validateSign($signed_bytes, $signature, null, 'magicsig_sha256'); + $result = $this->_rsa->validateSign($signed_bytes, $signature, null, 'sha256'); if ($this->_rsa->isError()) { $error = $this->keypair->getLastError(); common_log(LOG_DEBUG, 'RSA Error: '. $error->getMessage()); @@ -205,12 +208,12 @@ class Magicsig extends Memcached_DataObject } return $result; } - + } // Define a sha256 function for hashing // (Crypt_RSA should really be updated to use hash() ) -function magicsig_sha256($bytes) +function sha256($bytes) { return hash('sha256', $bytes); } From 31ecc8619830746cadada92b5d7ab83c529bf3b3 Mon Sep 17 00:00:00 2001 From: Sarven Capadisli Date: Sat, 27 Feb 2010 16:59:33 +0100 Subject: [PATCH 15/19] Fixes entity_tags alignment --- theme/base/css/display.css | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/theme/base/css/display.css b/theme/base/css/display.css index 52f97f6b12..f32c57ea45 100644 --- a/theme/base/css/display.css +++ b/theme/base/css/display.css @@ -799,8 +799,8 @@ list-style-type:none; display:inline; } .entity_tags li { -float:left; -margin-right:11px; +display:inline; +margin-right:7px; } .aside .section { From babca69f67d6aa2f7d491f84a4982b772056ebcb Mon Sep 17 00:00:00 2001 From: Evan Prodromou Date: Sat, 27 Feb 2010 11:04:24 -0500 Subject: [PATCH 16/19] add bugfix to version number. --- lib/common.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/common.php b/lib/common.php index 2dbe3b3c53..546f6bbe4b 100644 --- a/lib/common.php +++ b/lib/common.php @@ -22,7 +22,7 @@ if (!defined('STATUSNET') && !defined('LACONICA')) { exit(1); } //exit with 200 response, if this is checking fancy from the installer if (isset($_REQUEST['p']) && $_REQUEST['p'] == 'check-fancy') { exit; } -define('STATUSNET_VERSION', '0.9.0beta6'); +define('STATUSNET_VERSION', '0.9.0beta6+bugfix1'); define('LACONICA_VERSION', STATUSNET_VERSION); // compatibility define('STATUSNET_CODENAME', 'Stand'); From 55f27feb78a8ae5c6a829623f89bf3f89016aa08 Mon Sep 17 00:00:00 2001 From: Evan Prodromou Date: Sat, 27 Feb 2010 15:03:17 -0500 Subject: [PATCH 17/19] Plugin to restrict too many registrations from one IP We throttle registrations by IP. We record IP address of each registration, and if too many registrations have been done by the same IP address in the time interval, we reject the registration. --- .../RegisterThrottlePlugin.php | 249 ++++++++++++++++++ plugins/RegisterThrottle/Registration_ip.php | 124 +++++++++ 2 files changed, 373 insertions(+) create mode 100644 plugins/RegisterThrottle/RegisterThrottlePlugin.php create mode 100644 plugins/RegisterThrottle/Registration_ip.php diff --git a/plugins/RegisterThrottle/RegisterThrottlePlugin.php b/plugins/RegisterThrottle/RegisterThrottlePlugin.php new file mode 100644 index 0000000000..05709b7807 --- /dev/null +++ b/plugins/RegisterThrottle/RegisterThrottlePlugin.php @@ -0,0 +1,249 @@ +. + * + * @category Spam + * @package StatusNet + * @author Evan Prodromou + * @copyright 2010 StatusNet, Inc. + * @license http://www.fsf.org/licensing/licenses/agpl-3.0.html AGPL 3.0 + * @link http://status.net/ + */ + +if (!defined('STATUSNET')) { + exit(1); +} + +/** + * Throttle registration by IP address + * + * We a) record IP address of registrants and b) throttle registrations. + * + * @category Spam + * @package StatusNet + * @author Evan Prodromou + * @copyright 2010 StatusNet, Inc. + * @license http://www.fsf.org/licensing/licenses/agpl-3.0.html AGPL 3.0 + * @link http://status.net/ + */ + +class RegisterThrottlePlugin extends Plugin +{ + /** + * Array of time spans in seconds to limits. + * + * Default is 3 registrations per hour, 5 per day, 10 per week. + */ + + public $regLimits = array(604800 => 10, // per week + 86400 => 5, // per day + 3600 => 3); // per hour + + /** + * Database schema setup + * + * We store user registrations in a table registration_ip. + * + * @return boolean hook value; true means continue processing, false means stop. + */ + + function onCheckSchema() + { + $schema = Schema::get(); + + // For storing user-submitted flags on profiles + + $schema->ensureTable('registration_ip', + array(new ColumnDef('user_id', 'integer', null, + false, 'PRI'), + new ColumnDef('ipaddress', 'varchar', 15, false, 'MUL'), + new ColumnDef('created', 'timestamp', null, false, 'MUL'))); + + return true; + } + + /** + * Load related modules when needed + * + * @param string $cls Name of the class to be loaded + * + * @return boolean hook value; true means continue processing, false means stop. + */ + + function onAutoload($cls) + { + $dir = dirname(__FILE__); + + switch ($cls) + { + case 'Registration_ip': + include_once $dir . '/'.$cls.'.php'; + return false; + default: + return true; + } + } + + /** + * Called when someone tries to register. + * + * We check the IP here to determine if it goes over any of our + * configured limits. + * + * @param Action $action Action that is being executed + * + * @return boolean hook value + * + */ + + function onStartRegistrationTry($action) + { + $ipaddress = $this->_getIpAddress(); + + if (empty($ipaddress)) { + throw new ServerException(_m('Cannot find IP address.')); + } + + foreach ($this->regLimits as $seconds => $limit) { + + $this->debug("Checking $seconds ($limit)"); + + $reg = $this->_getNthReg($ipaddress, $limit); + + if (!empty($reg)) { + $this->debug("Got a {$limit}th registration."); + $regtime = strtotime($reg->created); + $now = time(); + $this->debug("Comparing {$regtime} to {$now}"); + if ($now - $regtime < $seconds) { + throw new Exception(_("Too many registrations. Take a break and try again later.")); + } + } + } + + return true; + } + + /** + * Called after someone registers. + * + * We record the successful registration and IP address. + * + * @param Action $action Action that is being executed + * + * @return boolean hook value + * + */ + + function onEndRegistrationTry($action) + { + $ipaddress = $this->_getIpAddress(); + + if (empty($ipaddress)) { + throw new ServerException(_m('Cannot find IP address.')); + } + + $user = common_current_user(); + + if (empty($user)) { + throw new ServerException(_m('Cannot find user after successful registration.')); + } + + $reg = new Registration_ip(); + + $reg->user_id = $user->id; + $reg->ipaddress = $ipaddress; + + $result = $reg->insert(); + + if (!$result) { + common_log_db_error($reg, 'INSERT', __FILE__); + // @todo throw an exception? + } + + return true; + } + + /** + * Check the version of the plugin. + * + * @param array &$versions Version array. + * + * @return boolean hook value + */ + + function onPluginVersion(&$versions) + { + $versions[] = array('name' => 'RegisterThrottle', + 'version' => STATUSNET_VERSION, + 'author' => 'Evan Prodromou', + 'homepage' => 'http://status.net/wiki/Plugin:RegisterThrottle', + 'description' => + _m('Throttles excessive registration from a single IP.')); + return true; + } + + /** + * Gets the current IP address. + * + * @return string IP address or null if not found. + */ + + private function _getIpAddress() + { + $keys = array('HTTP_X_FORWARDED_FOR', + 'CLIENT-IP', + 'REMOTE_ADDR'); + + foreach ($keys as $k) { + if (!empty($_SERVER[$k])) { + return $_SERVER[$k]; + } + } + + return null; + } + + /** + * Gets the Nth registration with the given IP address. + * + * @param string $ipaddress Address to key on + * @param integer $n Nth address + * + * @return Registration_ip nth registration or null if not found. + */ + + private function _getNthReg($ipaddress, $n) + { + $reg = new Registration_ip(); + + $reg->ipaddress = $ipaddress; + + $reg->orderBy('created DESC'); + $reg->limit($n - 1, 1); + + if ($reg->find(true)) { + return $reg; + } else { + return null; + } + } +} diff --git a/plugins/RegisterThrottle/Registration_ip.php b/plugins/RegisterThrottle/Registration_ip.php new file mode 100644 index 0000000000..7e61d089e7 --- /dev/null +++ b/plugins/RegisterThrottle/Registration_ip.php @@ -0,0 +1,124 @@ + + * @license http://www.fsf.org/licensing/licenses/agpl.html AGPLv3 + * @link http://status.net/ + * + * StatusNet - the distributed open-source microblogging tool + * Copyright (C) 2010, StatusNet, Inc. + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * + * You should have received a copy of the GNU Affero General Public License + * along with this program. If not, see . + */ + +if (!defined('STATUSNET')) { + exit(1); +} + +require_once INSTALLDIR . '/classes/Memcached_DataObject.php'; + +/** + * Data class for storing IP addresses of new registrants. + * + * @category Spam + * @package StatusNet + * @author Evan Prodromou + * @license http://www.fsf.org/licensing/licenses/agpl.html AGPLv3 + * @link http://status.net/ + */ + +class Registration_ip extends Memcached_DataObject +{ + public $__table = 'registration_ip'; // table name + public $user_id; // int(4) primary_key not_null + public $ipaddress; // varchar(15) + public $created; // timestamp + + /** + * Get an instance by key + * + * @param string $k Key to use to lookup (usually 'user_id' for this class) + * @param mixed $v Value to lookup + * + * @return User_greeting_count object found, or null for no hits + * + */ + + function staticGet($k, $v=null) + { + return Memcached_DataObject::staticGet('Registration_ip', $k, $v); + } + + /** + * return table definition for DB_DataObject + * + * @return array array of column definitions + */ + + function table() + { + return array('user_id' => DB_DATAOBJECT_INT + DB_DATAOBJECT_NOTNULL, + 'ipaddress' => DB_DATAOBJECT_STR + DB_DATAOBJECT_NOTNULL, + 'created' => DB_DATAOBJECT_MYSQLTIMESTAMP + DB_DATAOBJECT_NOTNULL); + } + + /** + * return key definitions for DB_DataObject + * + * DB_DataObject needs to know about keys that the table has; this function + * defines them. + * + * @return array key definitions + */ + + function keys() + { + return array('user_id' => 'K'); + } + + /** + * return key definitions for Memcached_DataObject + * + * Our caching system uses the same key definitions, but uses a different + * method to get them. + * + * @return array key definitions + */ + + function keyTypes() + { + return $this->keys(); + } + + /** + * Magic formula for non-autoincrementing integer primary keys + * + * If a table has a single integer column as its primary key, DB_DataObject + * assumes that the column is auto-incrementing and makes a sequence table + * to do this incrementation. Since we don't need this for our class, we + * overload this method and return the magic formula that DB_DataObject needs. + * + * @return array magic three-false array that stops auto-incrementing. + */ + + function sequenceKey() + { + return array(false, false, false); + } +} From 4d9daf21493e75354190667e5c1ab3140b46dee1 Mon Sep 17 00:00:00 2001 From: Evan Prodromou Date: Sat, 27 Feb 2010 16:06:46 -0500 Subject: [PATCH 18/19] Use notice for context when deciding who @nickname refers to In a federated system, "@nickname" is insufficient to uniquely identify a user. However, it's a very convenient idiom. We need to guess from context who 'nickname' refers to. Previously, we were using the sender's profile (or what we knew about them) as the only context. So, we assumed that they'd be mentioning to someone they followed, or someone who followed them, or someone on their own server. Now, we include the notice information for context. We check to see if the notice is a reply to another notice, and if the author of the original notice has the nickname 'nickname', then the mention is probably for them. Alternately, if the original notice mentions someone with nickname 'nickname', then this notice is probably referring to _them_. Doing this kind of context sleuthing means we have to render the content very late in the notice-saving process. --- classes/Notice.php | 12 +++++------ lib/util.php | 51 ++++++++++++++++++++++++++++++++++++++++------ 2 files changed, 51 insertions(+), 12 deletions(-) diff --git a/classes/Notice.php b/classes/Notice.php index 2d02a9a19f..6614f3d558 100644 --- a/classes/Notice.php +++ b/classes/Notice.php @@ -282,12 +282,6 @@ class Notice extends Memcached_DataObject $notice->content = $final; - if (!empty($rendered)) { - $notice->rendered = $rendered; - } else { - $notice->rendered = common_render_content($final, $notice); - } - $notice->source = $source; $notice->uri = $uri; $notice->url = $url; @@ -315,6 +309,12 @@ class Notice extends Memcached_DataObject $notice->location_ns = $location_ns; } + if (!empty($rendered)) { + $notice->rendered = $rendered; + } else { + $notice->rendered = common_render_content($final, $notice); + } + if (Event::handle('StartNoticeSave', array(&$notice))) { // XXX: some of these functions write to the DB diff --git a/lib/util.php b/lib/util.php index 32061ec04c..d12a7920d2 100644 --- a/lib/util.php +++ b/lib/util.php @@ -426,14 +426,14 @@ function common_render_content($text, $notice) { $r = common_render_text($text); $id = $notice->profile_id; - $r = common_linkify_mentions($id, $r); + $r = common_linkify_mentions($r, $notice); $r = preg_replace('/(^|[\s\.\,\:\;]+)!([A-Za-z0-9]{1,64})/e', "'\\1!'.common_group_link($id, '\\2')", $r); return $r; } -function common_linkify_mentions($profile_id, $text) +function common_linkify_mentions($text, $notice) { - $mentions = common_find_mentions($profile_id, $text); + $mentions = common_find_mentions($text, $notice); // We need to go through in reverse order by position, // so our positions stay valid despite our fudging with the @@ -487,11 +487,11 @@ function common_linkify_mention($mention) return $output; } -function common_find_mentions($profile_id, $text) +function common_find_mentions($text, $notice) { $mentions = array(); - $sender = Profile::staticGet('id', $profile_id); + $sender = Profile::staticGet('id', $notice->profile_id); if (empty($sender)) { return $mentions; @@ -499,6 +499,30 @@ function common_find_mentions($profile_id, $text) if (Event::handle('StartFindMentions', array($sender, $text, &$mentions))) { + // Get the context of the original notice, if any + + $originalAuthor = null; + $originalNotice = null; + $originalMentions = array(); + + // Is it a reply? + + if (!empty($notice) && !empty($notice->reply_to)) { + $originalNotice = Notice::staticGet('id', $notice->reply_to); + if (!empty($originalNotice)) { + $originalAuthor = Profile::staticGet('id', $originalNotice->profile_id); + + $ids = $originalNotice->getReplies(); + + foreach ($ids as $id) { + $repliedTo = Profile::staticGet('id', $id); + if (!empty($repliedTo)) { + $originalMentions[$repliedTo->nickname] = $repliedTo; + } + } + } + } + preg_match_all('/^T ([A-Z0-9]{1,64}) /', $text, $tmatches, @@ -514,7 +538,22 @@ function common_find_mentions($profile_id, $text) foreach ($matches as $match) { $nickname = common_canonical_nickname($match[0]); - $mentioned = common_relative_profile($sender, $nickname); + + // Try to get a profile for this nickname. + // Start with conversation context, then go to + // sender context. + + if (!empty($originalAuthor) && $originalAuthor->nickname == $nickname) { + + $mentioned = $originalAuthor; + + } else if (!empty($originalMentions) && + array_key_exists($nickname, $originalMentions)) { + + $mention = $originalMentions[$nickname]; + } else { + $mentioned = common_relative_profile($sender, $nickname); + } if (!empty($mentioned)) { From 04c4facba9230f40726c5891dcac21d928fbb2ab Mon Sep 17 00:00:00 2001 From: Evan Prodromou Date: Sat, 27 Feb 2010 16:30:38 -0500 Subject: [PATCH 19/19] fix call of common_find_mentions() in Notice::saveReplies() --- classes/Notice.php | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/classes/Notice.php b/classes/Notice.php index 6614f3d558..3702dbcfa8 100644 --- a/classes/Notice.php +++ b/classes/Notice.php @@ -973,7 +973,10 @@ class Notice extends Memcached_DataObject $sender = Profile::staticGet($this->profile_id); - $mentions = common_find_mentions($this->profile_id, $this->content); + // @todo ideally this parser information would only + // be calculated once. + + $mentions = common_find_mentions($this->content, $this); $replied = array();