
Fix a security issue regarding replied posts in Publish

Fix share url feature with publish
pull/987/head
Timothée Jaussoin 5 years ago
parent
commit
f629383502
  1. 48
      app/widgets/Publish/Publish.php
  2. 7
      app/widgets/Publish/publish.js
  3. 2
      app/widgets/Publish/publish.tpl
  4. 4
      app/widgets/PublishBrief/PublishBrief.php
  5. 2
      app/widgets/SendTo/_sendto_share.tpl
  6. 12
      app/widgets/Share/Share.php
  7. 2
      app/widgets/Share/share.js
  8. 196
      composer.lock
  9. 2
      src/Movim/Route.php

48
app/widgets/Publish/Publish.php

@ -5,6 +5,7 @@ use Moxl\Xec\Action\Microblog\CommentCreateNode;
use Moxl\Xec\Action\Pubsub\Subscribe;
use Movim\Widget\Base;
use Movim\Session;
use Michelf\MarkdownExtra;
use Respect\Validation\Validator;
@ -276,6 +277,17 @@ class Publish extends Base
}
}
public function ajaxTryResolveShareUrl($id)
{
$session = Session::start();
$shareUrl = $session->get('share_url');
if ($shareUrl) {
$this->ajaxAddEmbed($id, $shareUrl);
$session->remove('share_url');
}
}
public function ajaxHttpRemoveEmbed($id, $embedId)
{
$draft = $this->user->drafts()->find($id);
@ -305,6 +317,19 @@ class Publish extends Base
}
}
public function ajaxClearReply($id)
{
$draft = $this->user->drafts()->find($id);
if ($draft) {
$draft->reply_id = null;
$draft->save();
$this->rpc('MovimUtils.redirect', $this->route('publish', $draft->server, $draft->node, $draft->nodeid));
}
}
public function prepareEmbed(DraftEmbed $embed)
{
$view = $this->tpl();
@ -352,7 +377,9 @@ class Publish extends Base
$server = $this->get('s') ?? $this->user->id;
$node = $this->get('n') ?? $microblog;
$nodeId = $this->get('i') ?? '';
$replyId = $this->get('r');
$replyServer = $this->get('rs');
$replyNode = $this->get('rn');
$replyNodeId = $this->get('ri');
if ($node == $microblog) {
$this->view->assign('icon', App\Contact::firstOrNew(['id' => $server]));
@ -380,15 +407,20 @@ class Publish extends Base
$draft->tryFillPost();
}
$replyId = $draft->reply_id ?? $replyId;
// Reply
$reply = null;
if ($replyId) {
// Todo protect ?
$reply = Post::find($replyId);
if ($replyServer && $replyNode && $replyNodeId) {
$reply = Post::where('server', $replyServer)
->where('node', $replyNode)
->where('nodeid', $replyNodeId)
->first();
} elseif ($draft->reply_id) {
$reply = Post::find($draft->reply_id);
}
if ($reply) {
$draft->reply_id = $reply->id;
}
if ($reply) {
$draft->reply_id = $reply->id;
} else {
$draft->reply_id = null;
}
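Review bot: The new lookup by the `rs`/`rn`/`ri` triple in the reply-resolution hunk removes the enumerable numeric `r` id, but it still assigns `$draft->reply_id` to whatever post exists for that triple without checking that the current user is allowed to read it; the removed `// Todo protect ?` suggests this was the open question. If the project already has a per-post visibility or subscription check, apply it before `$draft->reply_id = $reply->id;`, otherwise document on that line why a post's coordinates are considered sufficient. The guard `if ($replyServer && $replyNode && $replyNodeId)` relies on truthiness, so a node id of `'0'` would silently fall through to the draft's stored reply; `isset()` or `!== null` would be stricter. The enclosing method starts and ends outside the hunk.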

7
app/widgets/Publish/publish.js

@ -5,6 +5,8 @@ var Publish = {
init: function() {
let id = document.querySelector('#publish input[name=id]').value;
Publish_ajaxTryResolveShareUrl(id);
document.querySelector('#publish textarea[name=title]').addEventListener('keyup', function(event) {
if (Publish.titleTimeout) clearTimeout(Publish.titleTimeout);
document.querySelector('#publish textarea[name=title] + label span.save').classList.remove('saved');
@ -47,6 +49,11 @@ var Publish = {
Publish_ajaxPublish(id);
},
clearReply: function() {
let id = document.querySelector('#publish input[name=id]').value;
Publish_ajaxClearReply(id);
},
addUrl: function() {
let id = document.querySelector('#publish input[name=id]').value;
var url = document.querySelector('#url').value;
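Review bot: `Publish_ajaxTryResolveShareUrl(id)` in `init` issues an RPC on every widget initialisation, including the common case where nothing is pending; the PHP side then does nothing, so the cost is small, but the intent deserves a comment such as `// Attach a URL stored in the session by the Share widget, if any` above the call. The line `let id = document.querySelector('#publish input[name=id]').value;` is now repeated in `init`, `clearReply` and `addUrl`; a small helper returning the draft id would remove the duplication. `init`'s body continues outside the hunk.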

2
app/widgets/Publish/publish.tpl

@ -70,7 +70,7 @@
{if="isset($replyblock)"}
<li>
<span class="control icon gray active"
onclick="MovimUtils.redirect('{$c->route('publish', [$draft->server, $draft->node, $draft->nodeid])}')">
onclick="Publish.clearReply()">
<i class="material-icons">close</i>
</span>
<div>

4
app/widgets/PublishBrief/PublishBrief.php

@ -289,8 +289,8 @@ class PublishBrief extends Base
public function ajaxClearEmbed()
{
$session = Session::start();
$session->remove('share_url');
//$session = Session::start();
//$session->remove('share_url');
$p = Cache::c('draft');
if ($p && $p->link) {
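Review bot: The two commented-out lines in `ajaxClearEmbed` should be deleted rather than kept as dead code; since the `share_url` session entry is now consumed and removed in `Publish::ajaxTryResolveShareUrl`, a one-line comment stating that, e.g. `// share_url is consumed by Publish::ajaxTryResolveShareUrl`, records the intent better. With the removal, `$session` is no longer assigned in this method, so check that nothing further down still uses it and that the `Session` import is still needed. The method continues outside the hunk.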

2
app/widgets/SendTo/_sendto_share.tpl

@ -12,7 +12,7 @@
{if="$c->getUser()->hasPubsub()"}
<li>
<span class="control icon active gray"
onclick="MovimUtils.redirect('{$c->route('publish', [$c->getUser()->id, 'urn:xmpp:microblog:0', '', $post->id])}')">
onclick="MovimUtils.redirect('{$c->route('publish', [$c->getUser()->id, 'urn:xmpp:microblog:0', '', $post->server, $post->node, $post->nodeid])}')">
<i class="material-icons">share</i>
</span>
<div>
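Review bot: The new `route('publish', ...)` call embeds `$post->server`, `$post->node` and `$post->nodeid` — values that originate from remote pubsub data — inside an `onclick` attribute, where the old call only passed the numeric `$post->id`. Confirm that `route()` percent-encodes its parameters, or escape its result for the attribute and JavaScript-string context, so a node id containing a quote cannot break out of the string. If `route()` already encodes, a short template comment saying so would save the next reader the check.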

12
app/widgets/Share/Share.php

@ -12,15 +12,19 @@ class Share extends Base
$this->addjs('share.js');
}
public function ajaxHttpGet($link)
public function ajaxGet($link)
{
$validate_url = Validator::url();
$validateUrl = Validator::url();
if ($validate_url->validate($link)
if ($validateUrl->validate($link)
&& substr($link, 0, 4) == 'http') {
// Pre-resolve the link
(new \App\Url)->resolve($link);
$session = Session::start();
$session->set('share_url', $link);
$this->rpc('Share.redirect', $this->route('news'));
$this->rpc('Share.redirect', $this->route('publish'));
} else {
$uri = \explodeXMPPURI($link);
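Review bot: The scheme check `substr($link, 0, 4) == 'http'` in `ajaxGet` is a loose byte-prefix comparison; a strict test such as `in_array(parse_url($link, PHP_URL_SCHEME), ['http', 'https'], true)` states the intent and avoids `==`. The rename from `ajaxHttpGet` to `ajaxGet` may change how the method is exposed if the `ajaxHttp` prefix carries meaning in this framework — worth a sentence in the commit description if it does. `(new \App\Url)->resolve($link)` fetches a user-supplied URL server-side before the redirect; that is pre-existing behaviour, but this validation is its only guard, so a docblock on the method noting it would help. The `else` branch continues outside the hunk.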

2
app/widgets/Share/share.js

@ -3,7 +3,7 @@ var Share = {
var parts = MovimUtils.urlParts();
if (parts.params[0]) {
document.querySelector('h4').innerHTML = parts.params[0];
Share_ajaxHttpGet(parts.params[0]);
Share_ajaxGet(parts.params[0]);
}
},
redirect: function(url) {

196
composer.lock

@ -674,32 +674,32 @@
},
{
"name": "doctrine/dbal",
"version": "2.12.1",
"version": "2.13.0",
"source": {
"type": "git",
"url": "https://github.com/doctrine/dbal.git",
"reference": "adce7a954a1c2f14f85e94aed90c8489af204086"
"reference": "67d56d3203b33db29834e6b2fcdbfdc50535d796"
},
"dist": {
"type": "zip",
"url": "https://api.github.com/repos/doctrine/dbal/zipball/adce7a954a1c2f14f85e94aed90c8489af204086",
"reference": "adce7a954a1c2f14f85e94aed90c8489af204086",
"url": "https://api.github.com/repos/doctrine/dbal/zipball/67d56d3203b33db29834e6b2fcdbfdc50535d796",
"reference": "67d56d3203b33db29834e6b2fcdbfdc50535d796",
"shasum": ""
},
"require": {
"doctrine/cache": "^1.0",
"doctrine/deprecations": "^0.5.3",
"doctrine/event-manager": "^1.0",
"ext-pdo": "*",
"php": "^7.3 || ^8"
"php": "^7.1 || ^8"
},
"require-dev": {
"doctrine/coding-standard": "^8.1",
"jetbrains/phpstorm-stubs": "^2019.1",
"phpstan/phpstan": "^0.12.40",
"phpunit/phpunit": "^9.4",
"psalm/plugin-phpunit": "^0.10.0",
"doctrine/coding-standard": "8.2.0",
"jetbrains/phpstorm-stubs": "2020.2",
"phpstan/phpstan": "0.12.81",
"phpunit/phpunit": "^7.5.20|^8.5|9.5.0",
"symfony/console": "^2.0.5|^3.0|^4.0|^5.0",
"vimeo/psalm": "^3.17.2"
"vimeo/psalm": "4.6.4"
},
"suggest": {
"symfony/console": "For helpful console commands such as SQL execution and import of files."
@ -708,11 +708,6 @@
"bin/doctrine-dbal"
],
"type": "library",
"extra": {
"branch-alias": {
"dev-master": "4.0.x-dev"
}
},
"autoload": {
"psr-4": {
"Doctrine\\DBAL\\": "lib/Doctrine/DBAL"
@ -765,7 +760,7 @@
],
"support": {
"issues": "https://github.com/doctrine/dbal/issues",
"source": "https://github.com/doctrine/dbal/tree/2.12.1"
"source": "https://github.com/doctrine/dbal/tree/2.13.0"
},
"funding": [
{
@ -781,7 +776,50 @@
"type": "tidelift"
}
],
"time": "2020-11-14T20:26:58+00:00"
"time": "2021-03-28T18:10:53+00:00"
},
{
"name": "doctrine/deprecations",
"version": "v0.5.3",
"source": {
"type": "git",
"url": "https://github.com/doctrine/deprecations.git",
"reference": "9504165960a1f83cc1480e2be1dd0a0478561314"
},
"dist": {
"type": "zip",
"url": "https://api.github.com/repos/doctrine/deprecations/zipball/9504165960a1f83cc1480e2be1dd0a0478561314",
"reference": "9504165960a1f83cc1480e2be1dd0a0478561314",
"shasum": ""
},
"require": {
"php": "^7.1|^8.0"
},
"require-dev": {
"doctrine/coding-standard": "^6.0|^7.0|^8.0",
"phpunit/phpunit": "^7.0|^8.0|^9.0",
"psr/log": "^1.0"
},
"suggest": {
"psr/log": "Allows logging deprecations via PSR-3 logger implementation"
},
"type": "library",
"autoload": {
"psr-4": {
"Doctrine\\Deprecations\\": "lib/Doctrine/Deprecations"
}
},
"notification-url": "https://packagist.org/downloads/",
"license": [
"MIT"
],
"description": "A small layer on top of trigger_error(E_USER_DEPRECATED) or PSR-3 logging with options to disable all deprecations or selectively for packages.",
"homepage": "https://www.doctrine-project.org/",
"support": {
"issues": "https://github.com/doctrine/deprecations/issues",
"source": "https://github.com/doctrine/deprecations/tree/v0.5.3"
},
"time": "2021-03-21T12:59:47+00:00"
},
{
"name": "doctrine/event-manager",
@ -974,16 +1012,16 @@
},
{
"name": "embed/embed",
"version": "v3.4.13",
"version": "v3.4.14",
"source": {
"type": "git",
"url": "https://github.com/oscarotero/Embed.git",
"reference": "99f6d95aebd94251573e4f4febf14bc6aba28697"
"reference": "f944eef58227af79d217b48c763ae931cf417828"
},
"dist": {
"type": "zip",
"url": "https://api.github.com/repos/oscarotero/Embed/zipball/99f6d95aebd94251573e4f4febf14bc6aba28697",
"reference": "99f6d95aebd94251573e4f4febf14bc6aba28697",
"url": "https://api.github.com/repos/oscarotero/Embed/zipball/f944eef58227af79d217b48c763ae931cf417828",
"reference": "f944eef58227af79d217b48c763ae931cf417828",
"shasum": ""
},
"require": {
@ -1027,9 +1065,9 @@
"support": {
"email": "oom@oscarotero.com",
"issues": "https://github.com/oscarotero/Embed/issues",
"source": "https://github.com/oscarotero/Embed/tree/v3.4.13"
"source": "https://github.com/oscarotero/Embed/tree/v3.4.14"
},
"time": "2020-12-24T09:42:20+00:00"
"time": "2021-04-01T15:13:19+00:00"
},
{
"name": "evenement/evenement",
@ -1275,7 +1313,7 @@
},
{
"name": "illuminate/bus",
"version": "v8.33.1",
"version": "v8.35.1",
"source": {
"type": "git",
"url": "https://github.com/illuminate/bus.git",
@ -1328,16 +1366,16 @@
},
{
"name": "illuminate/collections",
"version": "v8.33.1",
"version": "v8.35.1",
"source": {
"type": "git",
"url": "https://github.com/illuminate/collections.git",
"reference": "d7cc717a00064b40fa63a8ad522042005e1de1ed"
"reference": "0a7a96520928b61df1750b4e1909588f10ae2abe"
},
"dist": {
"type": "zip",
"url": "https://api.github.com/repos/illuminate/collections/zipball/d7cc717a00064b40fa63a8ad522042005e1de1ed",
"reference": "d7cc717a00064b40fa63a8ad522042005e1de1ed",
"url": "https://api.github.com/repos/illuminate/collections/zipball/0a7a96520928b61df1750b4e1909588f10ae2abe",
"reference": "0a7a96520928b61df1750b4e1909588f10ae2abe",
"shasum": ""
},
"require": {
@ -1378,11 +1416,11 @@
"issues": "https://github.com/laravel/framework/issues",
"source": "https://github.com/laravel/framework"
},
"time": "2021-03-08T17:22:22+00:00"
"time": "2021-03-25T14:54:04+00:00"
},
{
"name": "illuminate/container",
"version": "v8.33.1",
"version": "v8.35.1",
"source": {
"type": "git",
"url": "https://github.com/illuminate/container.git",
@ -1433,7 +1471,7 @@
},
{
"name": "illuminate/contracts",
"version": "v8.33.1",
"version": "v8.35.1",
"source": {
"type": "git",
"url": "https://github.com/illuminate/contracts.git",
@ -1481,16 +1519,16 @@
},
{
"name": "illuminate/database",
"version": "v8.33.1",
"version": "v8.35.1",
"source": {
"type": "git",
"url": "https://github.com/illuminate/database.git",
"reference": "5f5eda38a5a8080be666453e2f44f037afd82471"
"reference": "dc8033979aea3d471d2a37694b6ade00a299a0f1"
},
"dist": {
"type": "zip",
"url": "https://api.github.com/repos/illuminate/database/zipball/5f5eda38a5a8080be666453e2f44f037afd82471",
"reference": "5f5eda38a5a8080be666453e2f44f037afd82471",
"url": "https://api.github.com/repos/illuminate/database/zipball/dc8033979aea3d471d2a37694b6ade00a299a0f1",
"reference": "dc8033979aea3d471d2a37694b6ade00a299a0f1",
"shasum": ""
},
"require": {
@ -1545,11 +1583,11 @@
"issues": "https://github.com/laravel/framework/issues",
"source": "https://github.com/laravel/framework"
},
"time": "2021-03-16T17:05:22+00:00"
"time": "2021-03-30T13:58:56+00:00"
},
{
"name": "illuminate/events",
"version": "v8.33.1",
"version": "v8.35.1",
"source": {
"type": "git",
"url": "https://github.com/illuminate/events.git",
@ -1604,7 +1642,7 @@
},
{
"name": "illuminate/macroable",
"version": "v8.33.1",
"version": "v8.35.1",
"source": {
"type": "git",
"url": "https://github.com/illuminate/macroable.git",
@ -1650,16 +1688,16 @@
},
{
"name": "illuminate/pipeline",
"version": "v8.33.1",
"version": "v8.35.1",
"source": {
"type": "git",
"url": "https://github.com/illuminate/pipeline.git",
"reference": "d406237ea39f6c655569551a8bfb2d00ace6e43d"
"reference": "23aeff5b26ae4aee3f370835c76bd0f4e93f71d2"
},
"dist": {
"type": "zip",
"url": "https://api.github.com/repos/illuminate/pipeline/zipball/d406237ea39f6c655569551a8bfb2d00ace6e43d",
"reference": "d406237ea39f6c655569551a8bfb2d00ace6e43d",
"url": "https://api.github.com/repos/illuminate/pipeline/zipball/23aeff5b26ae4aee3f370835c76bd0f4e93f71d2",
"reference": "23aeff5b26ae4aee3f370835c76bd0f4e93f71d2",
"shasum": ""
},
"require": {
@ -1694,20 +1732,20 @@
"issues": "https://github.com/laravel/framework/issues",
"source": "https://github.com/laravel/framework"
},
"time": "2020-10-27T15:20:30+00:00"
"time": "2021-03-26T18:39:16+00:00"
},
{
"name": "illuminate/support",
"version": "v8.33.1",
"version": "v8.35.1",
"source": {
"type": "git",
"url": "https://github.com/illuminate/support.git",
"reference": "cd8f6b6622b97cb63bfbe4d78a268b6956c82a22"
"reference": "8eee1bc181c87cfdac32b4d876ab44da9894771c"
},
"dist": {
"type": "zip",
"url": "https://api.github.com/repos/illuminate/support/zipball/cd8f6b6622b97cb63bfbe4d78a268b6956c82a22",
"reference": "cd8f6b6622b97cb63bfbe4d78a268b6956c82a22",
"url": "https://api.github.com/repos/illuminate/support/zipball/8eee1bc181c87cfdac32b4d876ab44da9894771c",
"reference": "8eee1bc181c87cfdac32b4d876ab44da9894771c",
"shasum": ""
},
"require": {
@ -1762,7 +1800,7 @@
"issues": "https://github.com/laravel/framework/issues",
"source": "https://github.com/laravel/framework"
},
"time": "2021-03-16T14:21:03+00:00"
"time": "2021-03-30T13:39:44+00:00"
},
{
"name": "michelf/php-markdown",
@ -3486,16 +3524,16 @@
},
{
"name": "symfony/console",
"version": "v5.2.5",
"version": "v5.2.6",
"source": {
"type": "git",
"url": "https://github.com/symfony/console.git",
"reference": "938ebbadae1b0a9c9d1ec313f87f9708609f1b79"
"reference": "35f039df40a3b335ebf310f244cb242b3a83ac8d"
},
"dist": {
"type": "zip",
"url": "https://api.github.com/repos/symfony/console/zipball/938ebbadae1b0a9c9d1ec313f87f9708609f1b79",
"reference": "938ebbadae1b0a9c9d1ec313f87f9708609f1b79",
"url": "https://api.github.com/repos/symfony/console/zipball/35f039df40a3b335ebf310f244cb242b3a83ac8d",
"reference": "35f039df40a3b335ebf310f244cb242b3a83ac8d",
"shasum": ""
},
"require": {
@ -3563,7 +3601,7 @@
"terminal"
],
"support": {
"source": "https://github.com/symfony/console/tree/v5.2.5"
"source": "https://github.com/symfony/console/tree/v5.2.6"
},
"funding": [
{
@ -3579,7 +3617,7 @@
"type": "tidelift"
}
],
"time": "2021-03-06T13:42:15+00:00"
"time": "2021-03-28T09:42:18+00:00"
},
{
"name": "symfony/deprecation-contracts",
@ -3650,16 +3688,16 @@
},
{
"name": "symfony/filesystem",
"version": "v5.2.4",
"version": "v5.2.6",
"source": {
"type": "git",
"url": "https://github.com/symfony/filesystem.git",
"reference": "710d364200997a5afde34d9fe57bd52f3cc1e108"
"reference": "8c86a82f51658188119e62cff0a050a12d09836f"
},
"dist": {
"type": "zip",
"url": "https://api.github.com/repos/symfony/filesystem/zipball/710d364200997a5afde34d9fe57bd52f3cc1e108",
"reference": "710d364200997a5afde34d9fe57bd52f3cc1e108",
"url": "https://api.github.com/repos/symfony/filesystem/zipball/8c86a82f51658188119e62cff0a050a12d09836f",
"reference": "8c86a82f51658188119e62cff0a050a12d09836f",
"shasum": ""
},
"require": {
@ -3692,7 +3730,7 @@
"description": "Provides basic utilities for the filesystem",
"homepage": "https://symfony.com",
"support": {
"source": "https://github.com/symfony/filesystem/tree/v5.2.4"
"source": "https://github.com/symfony/filesystem/tree/v5.2.6"
},
"funding": [
{
@ -3708,7 +3746,7 @@
"type": "tidelift"
}
],
"time": "2021-02-12T10:38:38+00:00"
"time": "2021-03-28T14:30:26+00:00"
},
{
"name": "symfony/http-foundation",
@ -4271,16 +4309,16 @@
},
{
"name": "symfony/routing",
"version": "v5.2.4",
"version": "v5.2.6",
"source": {
"type": "git",
"url": "https://github.com/symfony/routing.git",
"reference": "cafa138128dfd6ab6be1abf6279169957b34f662"
"reference": "31fba555f178afd04d54fd26953501b2c3f0c6e6"
},
"dist": {
"type": "zip",
"url": "https://api.github.com/repos/symfony/routing/zipball/cafa138128dfd6ab6be1abf6279169957b34f662",
"reference": "cafa138128dfd6ab6be1abf6279169957b34f662",
"url": "https://api.github.com/repos/symfony/routing/zipball/31fba555f178afd04d54fd26953501b2c3f0c6e6",
"reference": "31fba555f178afd04d54fd26953501b2c3f0c6e6",
"shasum": ""
},
"require": {
@ -4341,7 +4379,7 @@
"url"
],
"support": {
"source": "https://github.com/symfony/routing/tree/v5.2.4"
"source": "https://github.com/symfony/routing/tree/v5.2.6"
},
"funding": [
{
@ -4357,7 +4395,7 @@
"type": "tidelift"
}
],
"time": "2021-02-22T15:48:39+00:00"
"time": "2021-03-14T13:53:33+00:00"
},
{
"name": "symfony/service-contracts",
@ -4440,16 +4478,16 @@
},
{
"name": "symfony/string",
"version": "v5.2.4",
"version": "v5.2.6",
"source": {
"type": "git",
"url": "https://github.com/symfony/string.git",
"reference": "4e78d7d47061fa183639927ec40d607973699609"
"reference": "ad0bd91bce2054103f5eaa18ebeba8d3bc2a0572"
},
"dist": {
"type": "zip",
"url": "https://api.github.com/repos/symfony/string/zipball/4e78d7d47061fa183639927ec40d607973699609",
"reference": "4e78d7d47061fa183639927ec40d607973699609",
"url": "https://api.github.com/repos/symfony/string/zipball/ad0bd91bce2054103f5eaa18ebeba8d3bc2a0572",
"reference": "ad0bd91bce2054103f5eaa18ebeba8d3bc2a0572",
"shasum": ""
},
"require": {
@ -4503,7 +4541,7 @@
"utf8"
],
"support": {
"source": "https://github.com/symfony/string/tree/v5.2.4"
"source": "https://github.com/symfony/string/tree/v5.2.6"
},
"funding": [
{
@ -4519,20 +4557,20 @@
"type": "tidelift"
}
],
"time": "2021-02-16T10:20:28+00:00"
"time": "2021-03-17T17:12:15+00:00"
},
{
"name": "symfony/translation",
"version": "v5.2.5",
"version": "v5.2.6",
"source": {
"type": "git",
"url": "https://github.com/symfony/translation.git",
"reference": "0947ab1e3aabd22a6bef393874b2555d2bb976da"
"reference": "2cc7f45d96db9adfcf89adf4401d9dfed509f4e1"
},
"dist": {
"type": "zip",
"url": "https://api.github.com/repos/symfony/translation/zipball/0947ab1e3aabd22a6bef393874b2555d2bb976da",
"reference": "0947ab1e3aabd22a6bef393874b2555d2bb976da",
"url": "https://api.github.com/repos/symfony/translation/zipball/2cc7f45d96db9adfcf89adf4401d9dfed509f4e1",
"reference": "2cc7f45d96db9adfcf89adf4401d9dfed509f4e1",
"shasum": ""
},
"require": {
@ -4596,7 +4634,7 @@
"description": "Provides tools to internationalize your application",
"homepage": "https://symfony.com",
"support": {
"source": "https://github.com/symfony/translation/tree/v5.2.5"
"source": "https://github.com/symfony/translation/tree/v5.2.6"
},
"funding": [
{
@ -4612,7 +4650,7 @@
"type": "tidelift"
}
],
"time": "2021-03-06T07:59:01+00:00"
"time": "2021-03-23T19:33:48+00:00"
},
{
"name": "symfony/translation-contracts",

2
src/Movim/Route.php

@ -40,7 +40,7 @@ class Route extends Base
'post' => ['s', 'n', 'i'],
'picture' => ['url'],
'popuptest' => false,
'publish' => ['s', 'n', 'i', 'r'],
'publish' => ['s', 'n', 'i', 'rs', 'rn', 'ri'],
'room' => ['r'],
'share' => ['url'],
'subscriptions' => false,
