1. 29 Aug, 2013 1 commit
  2. 21 Aug, 2013 2 commits
    • Woops, forgot auto_increment (comes with 'serial') · 40fe10e0
      mmn authored
      There are still some classes not ported (like Yammer import)
    • IMPORTANT: Making prev. Memcached_DataObject working again with schemaDef · 3a7261f7
      mmn authored
      Lots of the Memcached_DataObject classes stopped working when upgraded to
      Managed_DataObject because they lacked schemaDef().
      
      I have _hopefully_ made it so that all the references to the table use
      each class' schemaDef, rather than the more manual ColumnDef stuff. Not
      all plugins have been tested thoroughly yet.
      
      NOTE: This is applied with getKV calls instead of staticGet, as it was
      important for PHP Strict Standards compliance to avoid calling the non-
      static functions statically. (unfortunately DB and DB_DataObject still do
      this within themselves...)
  3. 20 Aug, 2013 1 commit
  4. 19 Aug, 2013 1 commit
    • Don't use DB_DataObject::factory (statically at least) · 0785cc24
      mmn authored
      Not all instances of this have been fixed, but at least the ones
      in the base class of Memcached_DataObject.
      
      Avatar fix (in classes/Profile.php) requires a pkeyGet function
      in the Avatar class (or as in this tree, the parent class of
      Managed_DataObject)
  5. 18 Aug, 2013 5 commits
    • Managed_DataObject now has listGet for all classes · 97ce71e5
      mmn authored
    • 3ce5631b
    • pkeyGet is now static and more similar to getKV · 861e838a
      mmn authored
      Memcached_DataObject now defines
         * pkeyGetClass to avoid collision with Managed_DataObject pkeyGet
         * getClassKV to avoid collision with Managed_DataObject getKV
    • The overloaded DB_DataObject function staticGet is now called getKV · 2a4dc77a
      mmn authored
      I used this hacky sed-command (run it from your GNU Social root, or change the first grep's path to where it actually lies) to do a rough fix on all ::staticGet calls and rename them to ::getKV
      
         sed -i -s -e '/DataObject::staticGet/I!s/::staticGet/::getKV/Ig' $(grep -R ::staticGet `pwd`/* | grep -v -e '^extlib' | grep -v DataObject:: |grep -v "function staticGet"|cut -d: -f1 |sort |uniq)
      
      If you're applying this, remember to change the Managed_DataObject and Memcached_DataObject function definitions of staticGet to getKV!
      
      This might of course take some getting used to, or modification of StatusNet plugins, but the result is that all the static calls (to staticGet) are now properly made without breaking PHP Strict Standards. Standards are there to be followed (and they caused some very bad confusion when used with get_called_class)
      
      Reasonably any plugin or code that tests for the definition of 'GNUSOCIAL' or similar will take this change into consideration.
    • Updating all Memcached_DataObject extended classes to Managed_DataObject · e95f77d3
      mmn authored
      In some brief tests, this causes no problems.
      
      In this state however, you would need to modify DB_DataObject to have a static declaration of staticGet (and probably pkeyGet). The next commit will change the staticGet overload to a unique function name (like getKV for getKeyValue), which means we can properly call the function by PHP Strict Standards.
  6. 12 Aug, 2013 7 commits
    • staticGet for sub-Managed_DataObject classes now calls parent · 1a9a8ea7
      mmn authored
      The parent class for our database objects, Managed_DataObject, has a
      dynamically assigned class in staticGet which objects get put into,
      leaving us with less code to do the same thing.
      
      We will probably have to move away from the DB_DataObject 'staticGet'
      call as it is nowadays deprecated.
    • Managed_DataObject gets dynamic class detection for staticGet · d115cddf
      mmn authored
      Compatibility: get_called_class is implemented in PHP >= 5.3.0
    • staticGet is a static function · 3394efca
      mmn authored
      We always call staticGet statically, so we define it statically. Next
      step is to remove a bunch of definitions of 'staticGet' from classes
      that can instead fall back to a parent class in Managed_DataObject.
      
      The ampersand is removed as we're returning a class anyway, which does
      not need a reference (and when we return false, it means nothing).
    • Default to NOT ask for current location for new users · 794163c3
      mmn authored
      It may be a bad experience for new users to be asked for their
      geographical position immediately when trying out the service. Instead,
      let them opt-in for this behaviour.
    • fix typo on provider_url · bd60ab2e
      mmn authored
    • 56cfd2bf
    • if parameters are not 0, null then limit will be PROFILES_PER_PAGE · f433f7ce
      mmn authored
      If you look at classes/User_group.php on line 412 in the current code, you can see that a call to $profile->getGroups() is made. This implies getGroups($offset=0, $limit=PROFILES_PER_PAGE) only giving a limited amount of groups.
      
      This means only the first 20 groups in an ascending numerical order by locally stored User_group->id will be addressable with the bangtag syntax.
      
      I solved this by making the getGroups() call to the same one made in Profile->isMember(), i.e. $profile->getGroups(0, null);
  7. 16 Jul, 2013 7 commits
    • Escape argument to prevent SQL injection attack in User::getTaggedSubscriptions() · 89ba8202
      Joshua Wise authored
      
      This change escapes the $tag argument to prevent a SQL injection
      attack in User::getTaggedSubscriptions(). The parameter was not
      escaped higher up the stack, so this vulnerability could be exploited.
    • Escape argument to User::getTaggedSubscribers() to prevent SQL injection · 4a30da92
      Joshua Wise authored
      This change escapes the argument to User::getTaggedSubscribers() to
      prevent SQL injection attacks.
      
      Both code paths up the stack fail to escape this parameter, so this is
      a potential SQL injection attack.
    • Escape query parameters in Profile_tag::getTagged() · e54cb695
      Joshua Wise authored
      This patch escapes query parameters in Profile_tag::getTagged(). This
      is an extra security step; since these parameters come out of the
      database, it's unlikely that they would have dangerous data in them.
    • Escape SQL parameter in Profile_tag::moveTag() · 5b118b37
      Joshua Wise authored
      This change adds additional escapes for arguments to
      Profile_tag::moveTag(). The arguments are canonicalized in the API and
      Web UI paths higher up the stack, but this change makes sure that no
      other paths can introduce SQL injection errors.
    • Escape $tag passed to Profile::getTaggedSubscribers() · c5a710e0
      Joshua Wise authored
      This patch escapes the $tag parameter in
      Profile::getTaggedSubscribers(). The parameter is not escaped either
      in actions/subscriptions.php or in actions/apiuserfollowers.php. So
      there is a potential for SQL injection here.
    • Potential SQL injection in Local_group::setNickname() · 3fb2c06c
      Joshua Wise authored
      This change escapes a parameter in Local_group::setNickname(). Review
      of the code paths that call this function sanitize the parameter
      higher up the stack, but it's escaped here to prevent mistakes later.
      
      Note that nickname parameters are normally alphanum strings, so
      there's not much danger in double-escaping them.
    • Potential SQL injection in Local_group::setNickname() · 783e400d
      Joshua Wise authored
      This change escapes a parameter in Local_group::setNickname(). Review
      of the code paths that call this function sanitize the parameter
      higher up the stack, but it's escaped here to prevent mistakes later.
      
      Note that nickname parameters are normally alphanum strings, so
      there's not much danger in double-escaping them.
  8. 30 Jun, 2013 1 commit
  9. 15 Jun, 2013 2 commits
  10. 09 Jun, 2013 3 commits
  11. 08 Jun, 2013 3 commits
  12. 07 Jun, 2013 4 commits
  13. 05 Jun, 2013 2 commits
  14. 04 Jun, 2013 1 commit