
Commit 66518df4 authored by Brion Vibber's avatar Brion Vibber

OStatus: reject attempts to create a remote profile for a local user or group.

Some stray shadow entries were ending up getting created, which would steal group posts from remote users.
Run plugins/OStatus/scripts/fixup-shadow.php for each site to remove any existing ones.
parent 5cd020bf
......@@ -929,4 +929,41 @@ class OStatusPlugin extends Plugin
return true;
}
/**
* Utility function to check if the given URL is a canonical group profile
* page, and if so return the ID number.
*
* @param string $url
* @return mixed int or false
*/
public static function localGroupFromUrl($url)
{
$template = common_local_url('groupbyid', array('id' => '31337'));
$template = preg_quote($template, '/');
$template = str_replace('31337', '(\d+)', $template);
if (preg_match("/$template/", $url, $matches)) {
return intval($matches[1]);
}
return false;
}
/**
* Utility function to check if the given URL is a canonical user profile
* page, and if so return the ID number.
*
* @param string $url
* @return mixed int or false
*/
public static function localProfileFromUrl($url)
{
$template = common_local_url('userbyid', array('id' => '31337'));
$template = preg_quote($template, '/');
$template = str_replace('31337', '(\d+)', $template);
if (preg_match("/$template/", $url, $matches)) {
return intval($matches[1]);
}
return false;
}
}
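Review bot: The pattern built in localGroupFromUrl and localProfileFromUrl is unanchored, so `preg_match("/$template/", $url, $matches)` accepts any URL that merely contains the local group or profile URL as a substring, while both docblocks promise a match only for the canonical page. Anchoring both ends, `if (preg_match("/^$template\$/", $url, $matches)) {`, makes the check agree with its documentation; since the two bodies differ only in 'groupbyid' versus 'userbyid', the three template-building lines could also move into one private static helper taking the route name. The Ostatus_profile hunks below use these helpers for the local-recipient and local-actor rejections, so the over-broad match reaches them as well. If common_local_url can produce either an http or an https URL for the same site depending on configuration, the template will only ever match one scheme — worth confirming against that function.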
......@@ -675,13 +675,10 @@ class Ostatus_profile extends Memcached_DataObject
}
// Is the recipient a local group?
// @fixme we need a uri on user_group
// @fixme uri on user_group isn't reliable yet
// $group = User_group::staticGet('uri', $recipient);
$template = common_local_url('groupbyid', array('id' => '31337'));
$template = preg_quote($template, '/');
$template = str_replace('31337', '(\d+)', $template);
if (preg_match("/$template/", $recipient, $matches)) {
$id = $matches[1];
$id = OStatusPlugin::localGroupFromUrl($recipient);
if ($id) {
$group = User_group::staticGet('id', $id);
if ($group) {
// Deliver to all members of this local group if allowed.
......@@ -992,7 +989,15 @@ class Ostatus_profile extends Memcached_DataObject
if (!$homeuri) {
common_log(LOG_DEBUG, __METHOD__ . " empty actor profile URI: " . var_export($activity, true));
throw new ServerException("No profile URI");
throw new Exception("No profile URI");
}
if (OStatusPlugin::localProfileFromUrl($homeuri)) {
throw new Exception("Local user can't be referenced as remote.");
}
if (OStatusPlugin::localGroupFromUrl($homeuri)) {
throw new Exception("Local group can't be referenced as remote.");
}
if (array_key_exists('feedurl', $hints)) {
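Review bot: The two new rejections, `throw new Exception("Local user can't be referenced as remote.")` and its group counterpart, leave no trace for the operator: unlike the empty-URI branch just above, which logs the offending activity before throwing, nothing records which URI was refused, and that is exactly the evidence needed to find where the stray shadow entries named in the commit message originate. Adding `common_log(LOG_WARNING, __METHOD__ . " refusing local URI referenced as remote: $homeuri");` before each throw keeps that audit trail. Both checks also test the helper's return by truthiness rather than `!== false`, so they depend on the numeric id never being 0; comparing against false is the precise form. The enclosing method begins before this hunk and continues past it.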
#!/usr/bin/env php
<?php
/*
* StatusNet - a distributed open-source microblogging tool
* Copyright (C) 2010 StatusNet, Inc.
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
define('INSTALLDIR', realpath(dirname(__FILE__) . '/../../..'));
$longoptions = array('dry-run');
$helptext = <<<END_OF_USERROLE_HELP
fixup_shadow.php [options]
Patches up stray ostatus_profile entries with corrupted shadow entries
for local users and groups.
--dry-run look but don't touch
END_OF_USERROLE_HELP;
require_once INSTALLDIR.'/scripts/commandline.inc';
$dry = have_option('dry-run');
$oprofile = new Ostatus_profile();
$marker = mt_rand(31337, 31337000);
$profileTemplate = common_local_url('userbyid', array('id' => $marker));
$encProfile = $oprofile->escape($profileTemplate, true);
$encProfile = str_replace($marker, '%', $encProfile);
$groupTemplate = common_local_url('groupbyid', array('id' => $marker));
$encGroup = $oprofile->escape($groupTemplate, true);
$encGroup = str_replace($marker, '%', $encGroup);
$sql = "SELECT * FROM ostatus_profile WHERE uri LIKE '%s' OR uri LIKE '%s'";
$oprofile->query(sprintf($sql, $encProfile, $encGroup));
echo "Found $oprofile->N bogus ostatus_profile entries:\n";
while ($oprofile->fetch()) {
echo "$oprofile->uri";
if ($dry) {
echo " (unchanged)\n";
} else {
echo " deleting...";
$evil = clone($oprofile);
$evil->delete();
echo " ok\n";
}
}
echo "done.\n";
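Review bot: The usage line in the heredoc reads `fixup_shadow.php [options]` while the commit message tells operators to run `plugins/OStatus/scripts/fixup-shadow.php`; the help text and the commit message should name the same file. Because the random `$marker` is replaced with `str_replace($marker, '%', ...)`, the resulting `LIKE` pattern matches every URI under the local user and group URL prefixes, not only the numeric-id form that the plugin's helpers match — if that broader sweep is intended, a comment stating so would help, and a fixed sentinel like the helpers' 31337 would avoid the theoretical case of the marker digits also occurring elsewhere in the template. Whether `escape($profileTemplate, true)` escapes `%` and `_` inside the template itself is not visible here; if it does not, a site URL containing an underscore widens the match further. Printing the matched row's id alongside `$oprofile->uri` before `$evil->delete()` would make each removal auditable after the fact.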