wamo
/
gnu-social
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Remove "magic quotes" code and avoid wrong order implode

Browse Source 
"Magic quotes" were removed in PHP 5.4, no need to mitigate it anymore.

Avoid implode() with the join()-like order of arguments which was deprecated
since PHP 7.4 and implicitly since PHP 5.3.
Also avoid implode() with an implicit separator for stylistic reasons.

mktime() with no arguments has been deprecated since PHP 5.1.
master
Alexei Sorokin 3 years ago committed by Diogo Peralta Cordeiro
parent 22f6d3ce14
commit ae4f3176b1
6 changed files with 95 additions and 156 deletions
Show Stats Download Patch File Download Diff File

16
extlib/DB/DataObject/Cast.php
Unescape Escape View File

@ -175,9 +175,9 @@ class DB_DataObject_Cast
$args = func_get_args();
switch (count($args)) {
case 0: // no args = now!
$datetime = date('Y-m-d G:i:s', mktime());
$datetime = date('Y-m-d G:i:s', time());
// no break
// no break
case 1:
// continue on from 0 args.
if (!isset($datetime)) {
@ -300,9 +300,9 @@ class DB_DataObject_Cast
$args = func_get_args();
switch (count($args)) {
case 0: // no args = now!
$time = date('G:i:s', mktime());
$time = date('G:i:s', time());
// no break
// no break
case 1:
// continue on from 0 args.
if (!isset($time)) {
@ -440,10 +440,10 @@ class DB_DataObject_Cast
case 'mssql':
// copied from the old DB mssql code...?? not sure how safe this is.
return "'" . str_replace(
array("'", "\\\r\n", "\\\n"),
array("''", "\\\\\r\n\r\n", "\\\\\n\n"),
$this->value
) . "'";
array("'", "\\\r\n", "\\\n"),
array("''", "\\\\\r\n\r\n", "\\\\\n\n"),
$this->value
) . "'";
default:

62
lib/api/apioauthaction.php
Unescape Escape View File

@ -1,46 +1,41 @@
<?php
// This file is part of GNU social - https://www.gnu.org/software/social
//
// GNU social is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// GNU social is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with GNU social. If not, see <http://www.gnu.org/licenses/>.
/**
* StatusNet, the distributed open-source microblogging tool
*
* Base action for OAuth API endpoints
*
* PHP version 5
*
* LICENCE: This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
* @category API
* @package StatusNet
* @package GNUsocial
* @author Zach Copley <zach@status.net>
* @copyright 2010 StatusNet, Inc.
* @license http://www.fsf.org/licensing/licenses/agpl-3.0.html GNU Affero General Public License version 3.0
* @link http://status.net/
* @license https://www.gnu.org/licenses/agpl.html GNU AGPL v3 or later
*/
if (!defined('STATUSNET')) {
exit(1);
}
defined('GNUSOCIAL') || die();
require_once INSTALLDIR . '/lib/api/apiaction.php';
/**
* Base action for API OAuth enpoints. Clean up the
* request. Some other common functions.
*
* @category API
* @package StatusNet
* @author Zach Copley <zach@status.net>
* @license http://www.fsf.org/licensing/licenses/agpl-3.0.html GNU Affero General Public License version 3.0
* @link http://status.net/
* @category API
* @package GNUsocial
* @author Zach Copley <zach@status.net>
* @license https://www.gnu.org/licenses/agpl.html GNU AGPL v3 or later
*/
class ApiOAuthAction extends ApiAction
{
@ -49,7 +44,7 @@ class ApiOAuthAction extends ApiAction
*
* @return boolean false
*/
function isReadOnly($args)
public function isReadOnly($args)
{
return false;
}
@ -66,14 +61,8 @@ class ApiOAuthAction extends ApiAction
* I'm looking at you, p parameter.
*/
static function cleanRequest()
public static function cleanRequest()
{
// kill evil effects of magical slashing
if (get_magic_quotes_gpc() == 1) {
$_POST = array_map('stripslashes', $_POST);
$_GET = array_map('stripslashes', $_GET);
}
// strip out the p param added in index.php
unset($_GET['p']);
unset($_POST['p']);
@ -89,5 +78,4 @@ class ApiOAuthAction extends ApiAction
$_SERVER['QUERY_STRING'] = implode('&', $queryArray);
}
}

2
lib/util/common.php
Unescape Escape View File

@ -36,7 +36,7 @@ try {
// TRANS: Error message displayed when no configuration file was found for a StatusNet installation.
// TRANS: Is followed by a list of directories (separated by HTML breaks).
echo '<p>'. _('I looked for configuration files in the following places:') .'<br /> ';
echo implode($e->configFiles, '<br />');
echo implode('<br />', $e->configFiles);
// TRANS: Error message displayed when no configuration file was found for a StatusNet installation.
echo '<p>'. _('You may wish to run the installer to fix this.') .'</p>';
// @todo FIXME Link should be in a para?

33
lib/util/util.php
Unescape Escape View File

@ -1498,7 +1498,7 @@ function common_fake_local_nonfancy_url($url)
// remove the first element, which is the full matching string
array_shift($matches);
return implode($matches);
return implode('', $matches);
}
function common_inject_session($url, $serverpart = null)
@ -2178,42 +2178,19 @@ function common_config_append($main, $sub, $value)
}
/**
* Pull arguments from a GET/POST/REQUEST array with first-level input checks:
* strips "magic quotes" slashes if necessary,
* and replaces invalid in UTF-8 sequences with question marks.
* Pull arguments from a GET/POST/REQUEST array and replace invalid in UTF-8
* sequences with question marks.
*
* @param array $from
* @return array
*/
function common_copy_args(array $from): array
{
$strip = get_magic_quotes_gpc();
return array_map(function ($v) use ($strip) {
if (is_array($v)) {
return common_copy_args($v);
} else {
if ($strip) {
$v = stripslashes($v);
}
return mb_scrub($v);
}
return array_map(function ($v) {
return is_array($v) ? common_copy_args($v) : mb_scrub($v);
}, $from);
}
/**
* Neutralise the evil effects of magic_quotes_gpc in the current request.
* This is used before handing a request off to OAuthRequest::from_request.
* @fixme Doesn't consider vars other than _POST and _GET?
* @fixme Can't be undone and could corrupt data if run twice.
*/
function common_remove_magic_from_request()
{
if (get_magic_quotes_gpc()) {
$_POST=array_map('stripslashes', $_POST);
$_GET=array_map('stripslashes', $_GET);
}
}
function common_user_uri(&$user)
{
return common_local_url(

113
plugins/DomainWhitelist/DomainWhitelistPlugin.php
Unescape Escape View File

@ -1,50 +1,41 @@
<?php
// This file is part of GNU social - https://www.gnu.org/software/social
//
// GNU social is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// GNU social is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with GNU social. If not, see <http://www.gnu.org/licenses/>.
/**
* StatusNet - the distributed open-source microblogging tool
* Copyright (C) 2011, StatusNet, Inc.
*
* Restrict the email addresses in a domain to a select whitelist
*
* PHP version 5
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
* @category Cache
* @package StatusNet
* @package GNUsocial
* @author Evan Prodromou <evan@status.net>
* @author Zach Copley <zach@status.net>
* @copyright 2011 StatusNet, Inc.
* @license http://www.fsf.org/licensing/licenses/agpl-3.0.html AGPL 3.0
* @link http://status.net/
* @license https://www.gnu.org/licenses/agpl.html GNU AGPL v3 or later
*/
if (!defined('STATUSNET')) {
// This check helps protect against security problems;
// your code file can't be executed directly from the web.
exit(1);
}
defined('GNUSOCIAL') || die();
/**
* Restrict the email addresses to a domain whitelist
*
* @category General
* @package StatusNet
* @package GNUsocial
* @author Evan Prodromou <evan@status.net>
* @author Zach Copley <zach@status.net>
* @copyright 2011 StatusNet, Inc.
* @license http://www.fsf.org/licensing/licenses/agpl-3.0.html AGPL 3.0
* @link http://status.net/
* @license https://www.gnu.org/licenses/agpl.html GNU AGPL v3 or later
*/
class DomainWhitelistPlugin extends Plugin
{
@ -56,7 +47,8 @@ class DomainWhitelistPlugin extends Plugin
*
* @return String the absolute path
*/
protected function getPath() {
protected function getPath()
{
return preg_replace('/^' . preg_quote(INSTALLDIR, '/') . '\//', '', dirname(__FILE__));
}
@ -67,7 +59,8 @@ class DomainWhitelistPlugin extends Plugin
*
* @return boolean hook flag
*/
function onEndShowStatusNetScripts($action) {
public function onEndShowStatusNetScripts($action)
{
$name = $action->arg('action');
if ($name == 'invite') {
$action->script($this->getPath() . '/js/whitelistinvite.js');
@ -75,13 +68,13 @@ class DomainWhitelistPlugin extends Plugin
return true;
}
function onRequireValidatedEmailPlugin_Override($user, &$knownGood)
public function onRequireValidatedEmailPlugin_Override($user, &$knownGood)
{
$knownGood = (!empty($user->email) && $this->matchesWhitelist($user->email));
return true;
}
function onEndValidateUserEmail($user, $email, &$valid)
public function onEndValidateUserEmail($user, $email, &$valid)
{
if ($valid) { // it's otherwise valid
if (!$this->matchesWhitelist($email)) {
@ -89,14 +82,18 @@ class DomainWhitelistPlugin extends Plugin
if (count($whitelist) == 1) {
// TRANS: Client exception thrown when a given e-mailaddress is not in the domain whitelist.
// TRANS: %s is a whitelisted e-mail domain.
$message = sprintf(_m('Email address must be in this domain: %s.'),
$whitelist[0]);
$message = sprintf(
_m('Email address must be in this domain: %s.'),
$whitelist[0]
);
} else {
// TRANS: Client exception thrown when a given e-mailaddress is not in the domain whitelist.
// TRANS: %s are whitelisted e-mail domains separated by comma's (localisable).
$message = sprintf(_m('Email address must be in one of these domains: %s.'),
// TRANS: Separator for whitelisted domains.
implode(_m('SEPARATOR',', '), $whitelist));
$message = sprintf(
_m('Email address must be in one of these domains: %s.'),
// TRANS: Separator for whitelisted domains.
implode(_m('SEPARATOR', ', '), $whitelist)
);
}
throw new ClientException($message);
}
@ -104,7 +101,7 @@ class DomainWhitelistPlugin extends Plugin
return true;
}
function onStartAddEmailAddress($user, $email)
public function onStartAddEmailAddress($user, $email)
{
if (!$this->matchesWhitelist($email)) {
// TRANS: Exception thrown when an e-mail address does not match the site's domain whitelist.
@ -114,7 +111,7 @@ class DomainWhitelistPlugin extends Plugin
return true;
}
function onEndValidateEmailInvite($user, $email, &$valid)
public function onEndValidateEmailInvite($user, $email, &$valid)
{
if ($valid) {
$valid = $this->matchesWhitelist($email);
@ -123,7 +120,7 @@ class DomainWhitelistPlugin extends Plugin
return true;
}
function matchesWhitelist($email)
public function matchesWhitelist($email)
{
$whitelist = $this->getWhitelist();
@ -143,13 +140,13 @@ class DomainWhitelistPlugin extends Plugin
* @param string $email and email address
* @return string the domain
*/
function domainFromEmail($email)
public function domainFromEmail($email)
{
$parts = explode('@', $email);
return strtolower(trim($parts[1]));
}
function getWhitelist()
public function getWhitelist()
{
$whitelist = common_config('email', 'whitelist');
@ -169,7 +166,7 @@ class DomainWhitelistPlugin extends Plugin
* @param string $domain domain to check
* @return boolean whether to include the domain
*/
function userDomainFilter($domain)
public function userDomainFilter($domain)
{
$user = common_current_user();
$userDomain = $this->domainFromEmail($user->email);
@ -190,7 +187,7 @@ class DomainWhitelistPlugin extends Plugin
* @param array $whitelist whitelist of allowed email domains
* @return array an ordered or sorted version of the whitelist
*/
function sortWhitelist($whitelist)
public function sortWhitelist($whitelist)
{
$whitelist = array_unique($whitelist);
natcasesort($whitelist);
@ -223,7 +220,7 @@ class DomainWhitelistPlugin extends Plugin
* @param action $action the invite action
* @return boolean hook value
*/
function onStartShowInviteForm($action)
public function onStartShowInviteForm($action)
{
$this->showConfirmDialog($action);
$form = new WhitelistInviteForm($action, $this->getWhitelist());
@ -231,7 +228,7 @@ class DomainWhitelistPlugin extends Plugin
return false;
}
function showConfirmDialog($action)
public function showConfirmDialog($action)
{
// For JQuery UI modal dialog
$action->elementStart(
@ -252,21 +249,21 @@ class DomainWhitelistPlugin extends Plugin
* @param action &$action the invite action
* @return boolean hook value
*/
function onStartSendInvitations(&$action)
public function onStartSendInvitations(&$action)
{
$emails = array();
$usernames = $action->arg('username');
$domains = $action->arg('domain');
$emails = [];
$usernames = $action->arg('username');
$domains = $action->arg('domain');
for($i = 0; $i < count($usernames); $i++) {
if (!empty($usernames[$i])) {
$emails[] = $usernames[$i] . '@' . $domains[$i] . "\n";
}
}
foreach ($usernames as $key => $username) {
if (!empty($username)) {
$emails[] = $username . '@' . $domains[$key] . "\n";
}
}
$action->args['addresses'] = implode($emails);
$action->args['addresses'] = implode('', $emails);
return true;
return true;
}
public function onPluginVersion(array &$versions): bool

25
public/install.php
Unescape Escape View File

@ -70,7 +70,6 @@ class Posted
/**
* The given POST parameter value, in its original form.
* Magic quotes are stripped, if provided.
* Missing value will give null.
*
* @param string $name
@ -78,29 +77,7 @@ class Posted
*/
public function raw(string $name)
{
if (isset($_POST[$name])) {
return $this->dequote($_POST[$name]);
} else {
return null;
}
}
/**
* If necessary, strip magic quotes from the given value.
*
* @param mixed $val
* @return mixed
*/
public function dequote($val)
{
if (get_magic_quotes_gpc()) {
if (is_string($val)) {
return stripslashes($val);
} elseif (is_array($val)) {
return array_map([$this, 'dequote'], $val);
}
}
return $val;
return filter_input(INPUT_POST, $name);
}
}

Write Preview
Loading…
Cancel
Save