Merge remote-tracking branch 'upstream/develop' into network-page

Michael 2017-09-15 06:42:33 +00:00
commit c12075a005
9 changed files with 201 additions and 235 deletions


@ -44,6 +44,7 @@ Example: To set the directory value please add this line to your .htconfig.php:
* **dlogfile - location of the developer log file
* **event_input_format** - Default value is "ymd".
* **frontend_worker_timeout** - Value in minutes after we think that a frontend task was killed by the webserver. Default value is 10.
* **hsts** (Boolean) - Enables the sending of HTTP Strict Transport Security headers
* **ignore_cache** (Boolean) - For development only. Disables the item cache.
* **like_no_comment** (Boolean) - Don't update the "commented" value of an item when it is liked.
* **local_block** (Boolean) - Used in conjunction with "block_public".


@ -2233,7 +2233,7 @@ $called_api = null;
//don't send title to regular StatusNET requests to avoid confusing these apps
if (x($_GET, 'getText')) {
$ret['title'] = $item['title'] ;
$ret['title'] = $item['title'];
if ($_GET['getText'] == 'html') {
$ret['text'] = bbcode($item['body'], false, false);
} elseif ($_GET['getText'] == 'plain') {
@ -2276,18 +2276,32 @@ $called_api = null;
$statushtml = trim(bbcode($body, false, false));
// Workaround for clients with limited HTML parser functionality
$search = array("<br>", "<blockquote>", "</blockquote>",
"<h1>", "</h1>", "<h2>", "</h2>",
"<h3>", "</h3>", "<h4>", "</h4>",
"<h5>", "</h5>", "<h6>", "</h6>");
$replace = array("<br>\n", "\n<blockquote>", "</blockquote>\n",
"\n<h1>", "</h1>\n", "\n<h2>", "</h2>\n",
"\n<h3>", "</h3>\n", "\n<h4>", "</h4>\n",
"\n<h5>", "</h5>\n", "\n<h6>", "</h6>\n");
$replace = array("<br>", "<br><blockquote>", "</blockquote><br>",
"<br><h1>", "</h1><br>", "<br><h2>", "</h2><br>",
"<br><h3>", "</h3><br>", "<br><h4>", "</h4><br>",
"<br><h5>", "</h5><br>", "<br><h6>", "</h6><br>");
$statushtml = str_replace($search, $replace, $statushtml);
if ($item['title'] != "") {
$statushtml = "<h4>" . bbcode($item['title']) . "</h4>\n" . $statushtml;
$statushtml = "<br><h4>" . bbcode($item['title']) . "</h4><br>" . $statushtml;
}
do {
$oldtext = $statushtml;
$statushtml = str_replace("<br><br>", "<br>", $statushtml);
} while ($oldtext != $statushtml);
if (substr($statushtml, 0, 4) == '<br>') {
$statushtml = substr($statushtml, 4);
}
if (substr($statushtml, 0, -4) == '<br>') {
$statushtml = substr($statushtml, -4);
}
// feeds without body should contain the link
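Review bot: The trailing-`<br>` strip at the end of this section has its substr() arguments swapped: `substr($statushtml, 0, -4) == '<br>'` compares everything except the last four bytes with `<br>`, and `substr($statushtml, -4)` then keeps only the last four bytes. As written the branch can fire only for an eight-byte string that begins with `<br>`, so a trailing break normally survives, and in the rare match the body is cut down to its tail. It should read `if (substr($statushtml, -4) == '<br>') { $statushtml = substr($statushtml, 0, -4); }`. The enclosing function starts and ends outside the hunk.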


@ -987,7 +987,8 @@ function bbcode($Text, $preserve_nl = false, $tryoembed = true, $simplehtml = fa
// Server independent link to posts and comments
// See issue: https://github.com/diaspora/diaspora_federation/issues/75
$Text = preg_replace("=diaspora://(.*?)/([^\s\]]*)=ism", System::baseUrl()."/display/$2", $Text);
$expression = "=diaspora://.*?/post/([0-9A-Za-z\-_@.:]{15,254}[0-9A-Za-z])=ism";
$Text = preg_replace($expression, System::baseUrl()."/display/$1", $Text);
// if the HTML is used to generate plain text, then don't do this search, but replace all URL of that kind to text
// if ($simplehtml != 7) {
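Review bot: The host part of the new expression is still `.*?` and the `s` modifier is kept, so now that a literal `/post/` is required the lazy match can run across slashes, spaces and line breaks until some later `/post/` appears, and everything in between is replaced by the link. Constrain the authority to a single token, e.g. `$expression = "=diaspora://[^\s/\]]+/post/([0-9A-Za-z\-_@.:]{15,254}[0-9A-Za-z])=ism";`. A one-line comment saying that only post-type URIs with a 16 to 255 character GUID are rewritten would also help, since the character class is the only validation the captured value gets before it is placed into the local /display/ URL. bbcode() continues outside the hunk.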


@ -214,171 +214,32 @@ class dba {
}
}
public function q($sql, $onlyquery = false) {
$a = get_app();
if (!$this->db || !$this->connected) {
return false;
}
$this->error = '';
$connstr = ($this->connected() ? "Connected" : "Disonnected");
$stamp1 = microtime(true);
$orig_sql = $sql;
if (x($a->config,'system') && x($a->config['system'], 'db_callstack')) {
$sql = "/*".System::callstack()." */ ".$sql;
}
$columns = 0;
switch ($this->driver) {
case 'pdo':
$result = @$this->db->query($sql);
// Is used to separate between queries that returning data - or not
if (!is_bool($result)) {
$columns = $result->columnCount();
}
break;
case 'mysqli':
$result = @$this->db->query($sql);
break;
case 'mysql':
$result = @mysql_query($sql,$this->db);
break;
}
$stamp2 = microtime(true);
$duration = (float)($stamp2 - $stamp1);
$a->save_timestamp($stamp1, "database");
if (strtolower(substr($orig_sql, 0, 6)) != "select") {
$a->save_timestamp($stamp1, "database_write");
}
if (x($a->config,'system') && x($a->config['system'],'db_log')) {
if (($duration > $a->config["system"]["db_loglimit"])) {
$duration = round($duration, 3);
$backtrace = debug_backtrace(DEBUG_BACKTRACE_IGNORE_ARGS);
@file_put_contents($a->config["system"]["db_log"], datetime_convert()."\t".$duration."\t".
basename($backtrace[1]["file"])."\t".
$backtrace[1]["line"]."\t".$backtrace[2]["function"]."\t".
substr($sql, 0, 2000)."\n", FILE_APPEND);
}
}
switch ($this->driver) {
case 'pdo':
$errorInfo = $this->db->errorInfo();
if ($errorInfo) {
$this->error = $errorInfo[2];
$this->errorno = $errorInfo[1];
}
break;
case 'mysqli':
if ($this->db->errno) {
$this->error = $this->db->error;
$this->errorno = $this->db->errno;
}
break;
case 'mysql':
if (mysql_errno($this->db)) {
$this->error = mysql_error($this->db);
$this->errorno = mysql_errno($this->db);
}
break;
}
if (strlen($this->error)) {
logger('DB Error ('.$connstr.') '.$this->errorno.': '.$this->error);
}
if ($this->debug) {
$mesg = '';
if ($result === false) {
$mesg = 'false';
} elseif ($result === true) {
$mesg = 'true';
} else {
switch ($this->driver) {
case 'pdo':
$mesg = $result->rowCount().' results'.EOL;
break;
case 'mysqli':
$mesg = $result->num_rows.' results'.EOL;
break;
case 'mysql':
$mesg = mysql_num_rows($result).' results'.EOL;
break;
}
}
$str = 'SQL = ' . printable($sql) . EOL . 'SQL returned ' . $mesg
. (($this->error) ? ' error: ' . $this->error : '')
. EOL;
logger('dba: ' . $str );
}
/**
* If dbfail.out exists, we will write any failed calls directly to it,
* regardless of any logging that may or may nor be in effect.
* These usually indicate SQL syntax errors that need to be resolved.
* @brief execute SQL query - deprecated
*
* Please use the dba:: functions instead:
* dba::select, dba::exists, dba::insert
* dba::delete, dba::update, dba::p, dba::e
*
* @param string $sql SQL query
* @return array Query array
*/
public function q($sql) {
$ret = self::p($sql);
if ($result === false) {
logger('dba: ' . printable($sql) . ' returned false.' . "\n" . $this->error);
if (file_exists('dbfail.out')) {
file_put_contents('dbfail.out', datetime_convert() . "\n" . printable($sql) . ' returned false' . "\n" . $this->error . "\n", FILE_APPEND);
}
if (is_bool($ret)) {
return $ret;
}
if (is_bool($result)) {
return $result;
}
if ($onlyquery) {
$this->result = $result;
$columns = self::columnCount($ret);
$data = self::inArray($ret);
if ((count($data) == 0) && ($columns == 0)) {
return true;
}
$r = array();
switch ($this->driver) {
case 'pdo':
while ($x = $result->fetch(PDO::FETCH_ASSOC)) {
$r[] = $x;
}
$result->closeCursor();
break;
case 'mysqli':
while ($x = $result->fetch_array(MYSQLI_ASSOC)) {
$r[] = $x;
}
$result->free_result();
break;
case 'mysql':
while ($x = mysql_fetch_array($result, MYSQL_ASSOC)) {
$r[] = $x;
}
mysql_free_result($result);
break;
}
// PDO doesn't return "true" on successful operations - like mysqli does
// Emulate this behaviour by checking if the query returned data and had columns
// This should be reliable enough
if (($this->driver == 'pdo') && (count($r) == 0) && ($columns == 0)) {
return true;
}
//$a->save_timestamp($stamp1, "database");
if ($this->debug) {
logger('dba: ' . printable(print_r($r, true)));
}
return($r);
return $data;
}
public function dbg($dbg) {
@ -515,6 +376,10 @@ class dba {
/**
* @brief Executes a prepared statement that returns data
* @usage Example: $r = p("SELECT * FROM `item` WHERE `guid` = ?", $guid);
*
* Please only use it with complicated queries.
* For all regular queries please use dba::select or dba::exists
*
* @param string $sql SQL statement
* @return object statement object
*/
@ -540,7 +405,7 @@ class dba {
return false;
}
if (substr_count($sql, '?') != count($args)) {
if ((substr_count($sql, '?') != count($args)) && (count($args) > 0)) {
// Question: Should we continue or stop the query here?
logger('Parameter mismatch. Query "'.$sql.'" - Parameters '.print_r($args, true), LOGGER_DEBUG);
}
@ -572,6 +437,19 @@ class dba {
switch (self::$dbo->driver) {
case 'pdo':
// If there are no arguments we use "query"
if (count($args) == 0) {
if (!$retval = self::$dbo->db->query($sql)) {
$errorInfo = self::$dbo->db->errorInfo();
self::$dbo->error = $errorInfo[2];
self::$dbo->errorno = $errorInfo[1];
$retval = false;
break;
}
self::$dbo->affected_rows = $retval->rowCount();
break;
}
if (!$stmt = self::$dbo->db->prepare($sql)) {
$errorInfo = self::$dbo->db->errorInfo();
self::$dbo->error = $errorInfo[2];
@ -600,8 +478,8 @@ class dba {
$command = strtolower($parts[0]);
$can_be_prepared = in_array($command, array('select', 'update', 'insert', 'delete'));
// The fallback routine currently only works with statements that doesn't return values
if (!$can_be_prepared && $called_from_e) {
// The fallback routine is called as well when there are no arguments
if (!$can_be_prepared || (count($args) == 0)) {
$retval = self::$dbo->db->query(self::replace_parameters($sql, $args));
if (self::$dbo->db->errno) {
self::$dbo->error = self::$dbo->db->error;
@ -710,6 +588,8 @@ class dba {
/**
* @brief Executes a prepared statement like UPDATE or INSERT that doesn't return data
*
* Please use dba::delete, dba::insert, dba::update, ... instead
*
* @param string $sql SQL statement
* @return boolean Was the query successfull? False is returned only if an error occurred
*/
@ -792,6 +672,8 @@ class dba {
/**
* @brief Fetches the first row
*
* Please use dba::select or dba::exists whenever this is possible.
*
* @param string $sql SQL statement
* @return array first row of query
*/
@ -820,6 +702,26 @@ class dba {
return self::$dbo->affected_rows;
}
/**
* @brief Returns the number of columns of a statement
*
* @param object Statement object
* @return int Number of columns
*/
public static function columnCount($stmt) {
if (!is_object($stmt)) {
return 0;
}
switch (self::$dbo->driver) {
case 'pdo':
return $stmt->columnCount();
case 'mysqli':
return $stmt->field_count;
case 'mysql':
return mysql_affected_rows($stmt);
}
return 0;
}
/**
* @brief Returns the number of rows of a statement
*
@ -856,6 +758,10 @@ class dba {
case 'pdo':
return $stmt->fetch(PDO::FETCH_ASSOC);
case 'mysqli':
if (get_class($stmt) == 'mysqli_result') {
return $stmt->fetch_assoc();
}
// This code works, but is slow
// Bind the result to a result array
@ -1271,7 +1177,11 @@ class dba {
* Example:
* $table = "item";
* $fields = array("id", "uri", "uid", "network");
*
* $condition = array("uid" => 1, "network" => 'dspr');
* or:
* $condition = array("`uid` = ? AND `network` IN (?, ?)", 1, 'dfrn', 'dspr');
*
* $params = array("order" => array("id", "received" => true), "limit" => 1);
*
* $data = dba::select($table, $fields, $condition, $params);
@ -1409,43 +1319,54 @@ function dbesc($str) {
}
}
// Function: q($sql,$args);
// Description: execute SQL query with printf style args.
// Example: $r = q("SELECT * FROM `%s` WHERE `uid` = %d",
// 'user', 1);
/**
* @brief execute SQL query with printf style args - deprecated
*
* Please use the dba:: functions instead:
* dba::select, dba::exists, dba::insert
* dba::delete, dba::update, dba::p, dba::e
*
* @param $args Query parameters (1 to N parameters of different types)
* @return array Query array
*/
function q($sql) {
global $db;
$args = func_get_args();
unset($args[0]);
if ($db && $db->connected) {
$sql = $db->clean_query($sql);
$sql = $db->any_value_fallback($sql);
$stmt = @vsprintf($sql,$args); // Disabled warnings
//logger("dba: q: $stmt", LOGGER_ALL);
if ($stmt === false)
logger('dba: vsprintf error: ' . print_r(debug_backtrace(),true), LOGGER_DEBUG);
$db->log_index($stmt);
return $db->q($stmt);
if (!$db || !$db->connected) {
return false;
}
/**
*
* This will happen occasionally trying to store the
* session data after abnormal program termination
*
*/
logger('dba: no database: ' . print_r($args,true));
return false;
$sql = $db->clean_query($sql);
$sql = $db->any_value_fallback($sql);
$stmt = @vsprintf($sql, $args);
$ret = dba::p($stmt);
if (is_bool($ret)) {
return $ret;
}
$columns = dba::columnCount($ret);
$data = dba::inArray($ret);
if ((count($data) == 0) && ($columns == 0)) {
return true;
}
return $data;
}
/**
* @brief Performs a query with "dirty reads"
* @brief Performs a query with "dirty reads" - deprecated
*
* By doing dirty reads (reading uncommitted data) no locks are performed
* This function can be used to fetch data that doesn't need to be reliable.
* Please use the dba:: functions instead:
* dba::select, dba::exists, dba::insert
* dba::delete, dba::update, dba::p, dba::e
*
* @param $args Query parameters (1 to N parameters of different types)
* @return array Query array
@ -1465,9 +1386,7 @@ function qu($sql) {
$db->log_index($stmt);
$db->q("SET SESSION TRANSACTION ISOLATION LEVEL READ UNCOMMITTED;");
$retval = $db->q($stmt);
$db->q("SET SESSION TRANSACTION ISOLATION LEVEL REPEATABLE READ;");
return $retval;
}
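Review bot: In the new `columnCount()` the `mysql` branch returns `mysql_affected_rows($stmt)`, which is a row count and takes a link identifier rather than a result resource; the column count of a result is `mysql_num_fields($stmt)`. Both rewritten q() wrappers in this section use `columnCount()` to decide whether an empty result is reported as `true`, so the legacy driver can mis-report statements. Separately, the global `q()` no longer tests `$stmt === false` after `@vsprintf($sql, $args)`, so a format/argument mismatch now reaches `dba::p()` without the log entry the old code wrote. Restoring that check and returning `false` there keeps a malformed statement from being sent on.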


@ -31,7 +31,7 @@ function convert_to_innodb() {
$sql = sprintf("ALTER TABLE `%s` engine=InnoDB;", dbesc($table['TABLE_NAME']));
echo $sql."\n";
$result = $db->q($sql);
$result = dba::e($sql);
if (!dbm::is_result($result)) {
print_update_error($db, $sql);
}
@ -442,9 +442,9 @@ function update_structure($verbose, $action, $tables=null, $definition=null) {
// Ensure index conversion to unique removes duplicates
if ($is_unique) {
if ($ignore != "") {
$db->q("SET session old_alter_table=1;");
dba::e("SET session old_alter_table=1;");
} else {
$r = $db->q("CREATE TABLE `".$temp_name."` LIKE `".$name."`;");
$r = dba::e("CREATE TABLE `".$temp_name."` LIKE `".$name."`;");
if (!dbm::is_result($r)) {
$errors .= print_update_error($db, $sql3);
return $errors;
@ -452,25 +452,25 @@ function update_structure($verbose, $action, $tables=null, $definition=null) {
}
}
$r = @$db->q($sql3);
$r = @dba::e($sql3);
if (!dbm::is_result($r)) {
$errors .= print_update_error($db, $sql3);
}
if ($is_unique) {
if ($ignore != "") {
$db->q("SET session old_alter_table=0;");
dba::e("SET session old_alter_table=0;");
} else {
$r = $db->q("INSERT INTO `".$temp_name."` SELECT ".$field_list." FROM `".$name."`".$group_by.";");
$r = dba::e("INSERT INTO `".$temp_name."` SELECT ".$field_list." FROM `".$name."`".$group_by.";");
if (!dbm::is_result($r)) {
$errors .= print_update_error($db, $sql3);
return $errors;
}
$r = $db->q("DROP TABLE `".$name."`;");
$r = dba::e("DROP TABLE `".$name."`;");
if (!dbm::is_result($r)) {
$errors .= print_update_error($db, $sql3);
return $errors;
}
$r = $db->q("RENAME TABLE `".$temp_name."` TO `".$name."`;");
$r = dba::e("RENAME TABLE `".$temp_name."` TO `".$name."`;");
if (!dbm::is_result($r)) {
$errors .= print_update_error($db, $sql3);
return $errors;
@ -551,7 +551,7 @@ function db_create_table($name, $fields, $verbose, $action, $indexes=null) {
echo $sql.";\n";
if ($action)
$r = @$db->q($sql);
$r = @dba::e($sql);
return $r;
}
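Review bot: The error branches after the converted calls in update_structure() still hand `$db` and `$sql3` to `print_update_error()`, although the statements now run through `dba::e()`. Whether `$db` carries the error that `dba::e()` recorded is not visible in these hunks and should be confirmed. Reporting `$sql3` for a failed CREATE, INSERT, DROP or RENAME names the wrong statement, which matters most when the DROP succeeded and the RENAME did not. Building each statement into a variable first, e.g. `$sql = "DROP TABLE `".$name."`;"; $r = dba::e($sql);`, and passing that variable to the error call would make the output match what failed.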


@ -373,7 +373,7 @@ class ostatus {
$item["verb"] = $xpath->query('activity:verb/text()', $entry)->item(0)->nodeValue;
/// Delete a message
if ($item["verb"] == "qvitter-delete-notice" || $item["verb"] == ACTIVITY_DELETE) {
if (in_array($item["verb"], array('qvitter-delete-notice', ACTIVITY_DELETE, 'delete'))) {
// ignore "Delete" messages (by now)
logger("Ignore delete message ".print_r($item, true));
continue;
@ -411,6 +411,8 @@ class ostatus {
}
// http://activitystrea.ms/schema/1.0/rsvp-yes
// http://activitystrea.ms/schema/1.0/unfavorite
// http://mastodon.social/schema/1.0/block
if (!in_array($item["verb"], array(ACTIVITY_POST, ACTIVITY_LIKE, ACTIVITY_SHARE))) {
logger("Unhandled verb ".$item["verb"]." ".print_r($item, true));
}
@ -418,18 +420,13 @@ class ostatus {
self::processPost($xpath, $entry, $item, $importer);
if ($initialize && (count(self::$itemlist) > 0)) {
if (self::$itemlist[0]['uri'] == self::$itemlist[0]['parent-uri']) {
// We will import it everytime, when it is started by our contacts
$valid = !empty(self::$itemlist[0]['contact-id']);
if (!$valid) {
// If not, then it depends on this setting
$valid = !Config::get('system','ostatus_full_threads');
}
if ($valid) {
// But we will only import complete threads
$valid = self::$itemlist[0]['uri'] == self::$itemlist[0]['parent-uri'];
}
if ($valid) {
// Never post a thread when the only interaction by our contact was a like
$valid = false;
@ -440,6 +437,10 @@ class ostatus {
}
}
}
} else {
// But we will only import complete threads
$valid = dba::exists('item', array('uid' => $importer["uid"], 'uri' => self::$itemlist[0]['parent-uri']));
}
if ($valid) {
$default_contact = 0;
@ -477,6 +478,12 @@ class ostatus {
*/
private static function processPost($xpath, $entry, &$item, $importer) {
$item["uri"] = $xpath->query('atom:id/text()', $entry)->item(0)->nodeValue;
if (dba::exists('item', array('uid' => $importer["uid"], 'uri' => $item["uri"]))) {
logger('Post with URI '.$item["uri"].' already existed for user '.$importer["uid"].'.');
return;
}
$item["body"] = html2bbcode($xpath->query('atom:content/text()', $entry)->item(0)->nodeValue);
$item["object-type"] = $xpath->query('activity:object-type/text()', $entry)->item(0)->nodeValue;
if (($item["object-type"] == ACTIVITY_OBJ_BOOKMARK) || ($item["object-type"] == ACTIVITY_OBJ_EVENT)) {
@ -591,7 +598,12 @@ class ostatus {
}
if (isset($item["parent-uri"]) && ($related != '')) {
if (!dba::exists('item', array('uid' => $importer["uid"], 'uri' => $item['parent-uri']))) {
self::fetchRelated($related, $item["parent-uri"], $importer);
} else {
logger('Reply with URI '.$item["uri"].' already existed for user '.$importer["uid"].'.');
}
$item["type"] = 'remote-comment';
$item["gravity"] = GRAVITY_COMMENT;
} else {
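Review bot: The `else` branch added around `fetchRelated()` logs `'Reply with URI '.$item["uri"].' already existed ...'`, but the `dba::exists()` check directly above tests `$item['parent-uri']`, so the message names the wrong item and reads like the duplicate check at the top of `processPost()`. Something like `logger('Parent '.$item['parent-uri'].' of '.$item["uri"].' already stored for user '.$importer["uid"].', not fetching related.');` says what was actually found. Both URIs come from the remote feed and are written to the log as received, so a debug log level may be more appropriate than the default. processPost() continues outside the hunk.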


@ -2,6 +2,8 @@
// Session management functions. These provide database storage of PHP
// session info.
use Friendica\Core\Config;
require_once('include/cache.php');
$session_exists = 0;
@ -114,6 +116,10 @@ ini_set('session.gc_probability', $gc_probability);
ini_set('session.use_only_cookies', 1);
ini_set('session.cookie_httponly', 1);
if (Config::get('system', 'ssl_policy') == SSL_POLICY_FULL) {
ini_set('session.cookie_secure', 1);
}
if (!get_config('system', 'disable_database_session')) {
session_set_save_handler('ref_session_open', 'ref_session_close',
'ref_session_read', 'ref_session_write',
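Review bot: `session.cookie_secure` is switched on only when `ssl_policy` equals `SSL_POLICY_FULL`, so a node reached over HTTPS under any other policy value keeps issuing the session cookie without the Secure attribute; the hunk does not say whether that is intended. If the reason is that other policies may still serve plain HTTP, state it in a comment, e.g. `// Secure flag only with SSL_POLICY_FULL: other policies can still serve HTTP, where a Secure cookie would never be sent back`. The added block reads its setting through `Config::get()` while the statement right after it still uses `get_config()`; using one accessor for both would be consistent.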


@ -489,6 +489,19 @@ $profile = $a->profile;
header("X-Friendica-Version: " . FRIENDICA_VERSION);
header("Content-type: text/html; charset=utf-8");
if (Config::get('system', 'hsts') && (Config::get('system', 'ssl_policy') == SSL_POLICY_FULL)) {
header("Strict-Transport-Security: max-age=31536000");
}
// Some security stuff
header('X-Content-Type-Options: nosniff');
header('X-XSS-Protection: 1; mode=block');
header('X-Permitted-Cross-Domain-Policies: none');
header('X-Frame-Options: sameorigin');
// Things like embedded OSM maps don't work, when this is enabled
// header("Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self'; img-src 'self' https: data:; media-src 'self' https:; child-src 'self' https:; object-src 'none'");
/*
* We use $_GET["mode"] for special page templates. So we will check if we have
* to load another page template than the default one.
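Review bot: The Content-Security-Policy header is added as commented-out code, so pages ship without a CSP and the only record of why is the remark about embedded OSM maps. Either drop the dead line and track the work elsewhere, or gate it on a system config value the way the HSTS header just above is gated, so admins who do not need the maps can turn it on. The drafted policy also allows `'unsafe-inline'` and `'unsafe-eval'` in `script-src`, so even when enabled it would restrict resource origins but not injected inline script; a comment noting that limitation would keep it from being read as XSS protection.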


@ -71,7 +71,7 @@ function directory_content(App $a) {
$publish = ((get_config('system','publish_all')) ? '' : " AND `publish` = 1 " );
$r = $db->q("SELECT COUNT(*) AS `total` FROM `profile`
$r = q("SELECT COUNT(*) AS `total` FROM `profile`
LEFT JOIN `user` ON `user`.`uid` = `profile`.`uid`
WHERE `is-default` = 1 $publish AND `user`.`blocked` = 0 $sql_extra ");
if (dbm::is_result($r))
@ -81,11 +81,11 @@ function directory_content(App $a) {
$limit = intval($a->pager['start']).",".intval($a->pager['itemspage']);
$r = $db->q("SELECT `profile`.*, `profile`.`uid` AS `profile_uid`, `user`.`nickname`, `user`.`timezone` , `user`.`page-flags`,
$r = q("SELECT `profile`.*, `profile`.`uid` AS `profile_uid`, `user`.`nickname`, `user`.`timezone` , `user`.`page-flags`,
`contact`.`addr`, `contact`.`url` AS profile_url FROM `profile`
LEFT JOIN `user` ON `user`.`uid` = `profile`.`uid`
LEFT JOIN `contact` ON `contact`.`uid` = `user`.`uid`
WHERE `is-default` = 1 $publish AND `user`.`blocked` = 0 AND `contact`.`self` $sql_extra $order LIMIT ".$limit);
WHERE `is-default` $publish AND `user`.`blocked` = 0 AND `contact`.`self` $sql_extra $order LIMIT ".$limit);
if (dbm::is_result($r)) {
if (in_array('small', $a->argv)) {
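Review bot: Replacing `$db->q(...)` with `q(...)` sends both directory queries through `vsprintf()`, because the global `q()` formats its first argument before executing it, and these calls pass no format arguments. Any literal `%` inside the interpolated `$publish`, `$sql_extra` or `$order` fragments (for example a LIKE pattern; they are built outside the hunk) would then be read as a conversion and make `vsprintf()` fail, and `q()` suppresses that with `@`. Either double the percent signs where the fragment is built, or call `dba::p()` with `?` placeholders so that no search value is part of the SQL text. directory_content() continues outside the hunk.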