Commit Graph

1843 Commits

Author SHA1 Message Date
Joshua Wise
89ba820246 Escape argument to prevent SQL injection attack in
User::getTaggedSubscriptions()

This change escapes the $tag argument to prevent a SQL injection
attack in User::getTaggedSubscriptions(). The parameter was not
escaped higher up the stack, so this vulnerability could be exploited.
2013-07-16 10:47:29 -07:00
Joshua Wise
4a30da924a Escape argument to User::getTaggedSubscribers() to prevent SQL injection
This change escapes the argument to User::getTaggedSubscribers() to
prevent SQL injection attacks.

Both code paths up the stack fail to escape this parameter, so this is
a potential SQL injection attack.
2013-07-16 10:43:56 -07:00
Joshua Wise
e54cb6958a Escape query parameters in Profile_tag::getTagged()
This patch escapes query parameters in Profile_tag::getTagged(). This
is an extra security step; since these parameters come out of the
database, it's unlikely that they would have dangerous data in them.
2013-07-16 10:35:44 -07:00
Joshua Wise
5b118b3781 Escape SQL parameter in Profile_tag::moveTag()
This change adds additional escapes for arguments to
Profile_tag::moveTag(). The arguments are canonicalized in the API and
Web UI paths higher up the stack, but this change makes sure that no
other paths can introduce SQL injection errors.
2013-07-16 10:27:30 -07:00
Joshua Wise
c5a710e081 Escape $tag passed to Profile::getTaggedSubscribers()
This patch escapes the $tag parameter in
Profile::getTaggedSubscribers(). The parameter is not escaped either
in actions/subscriptions.php or in actions/apiuserfollowers.php. So
there is a potential for SQL injection here.
2013-07-16 10:14:38 -07:00
Joshua Wise
3fb2c06cba Potential SQL injection in Local_group::setNickname()
This change escapes a parameter in Local_group::setNickname(). Review
of the code paths that call this function sanitize the parameter
higher up the stack, but it's escaped here to prevent mistakes later.

Note that nickname parameters are normally alphanum strings, so
there's not much danger in double-escaping them.
2013-07-16 10:11:26 -07:00
Joshua Wise
783e400d94 Potential SQL injection in Local_group::setNickname()
This change escapes a parameter in Local_group::setNickname(). Review
of the code paths that call this function sanitize the parameter
higher up the stack, but it's escaped here to prevent mistakes later.

Note that nickname parameters are normally alphanum strings, so
there's not much danger in double-escaping them.
2013-07-16 10:09:16 -07:00
Evan Prodromou
e502bba259 Slightly more robust group-membership conversion 2013-06-30 12:07:55 -04:00
Evan Prodromou
8cc4660bd9 Better ID for notice activity 2013-06-15 12:07:52 -04:00
Evan Prodromou
7a5bd495c5 Better ID for notice activity 2013-06-15 12:07:34 -04:00
Evan Prodromou
bb0cf686df Pass null to Profile::profileInfo() 2013-06-08 21:12:29 -04:00
Evan Prodromou
806f7d439a Bad variable in Message::asActivity() 2013-06-08 21:07:51 -04:00
Evan Prodromou
f189d0b438 Bad variable in Message::asActivity() 2013-06-08 21:04:51 -04:00
Evan Prodromou
96d7b68c50 Store direct messages as an activity 2013-06-08 17:54:27 -04:00
Evan Prodromou
9fd2c3e1c9 Store direct messages as an activity 2013-06-08 17:45:49 -04:00
Evan Prodromou
14a111189d Merge remote-tracking branch 'origin/master' 2013-06-08 14:57:20 -04:00
Evan Prodromou
2252a9ffaf Throw exception if subscription is invalid 2013-06-08 14:56:57 -04:00
Evan Prodromou
08eca420ca Add generator to JSON output 2013-06-07 11:35:06 -04:00
Evan Prodromou
fe2c0a9687 Add generator to JSON output 2013-06-07 11:34:54 -04:00
Evan Prodromou
25823f6e5b Some better context for notices as arrays 2013-06-07 03:11:33 -04:00
Evan Prodromou
6164940e8c Some better context for notices as arrays 2013-06-07 03:11:23 -04:00
Evan Prodromou
7229533b0f Use real attachments for JSON output 2013-06-05 09:39:43 -04:00
Evan Prodromou
772383e84b Use real attachments for JSON output 2013-06-05 09:39:13 -04:00
Evan Prodromou
15d466ebe6 Don't add content as title for notes 2013-06-04 19:53:07 -04:00
Evan Prodromou
736bc9cc96 Don't add content as title for notes 2013-06-04 19:52:38 -04:00
Evan Prodromou
b493f3839c Use better type, title for service 2013-06-04 16:31:17 -04:00
Evan Prodromou
08c72a00e8 Use better type, title for service 2013-06-04 16:30:40 -04:00
Evan Prodromou
04f6e4ce7b Better registrationActivity 2013-06-04 15:21:33 -04:00
Evan Prodromou
d81b257290 Better registrationActivity 2013-06-04 15:20:00 -04:00
Evan Prodromou
fa1a1851db Add an ID to registered service 2013-06-03 09:11:29 -04:00
Evan Prodromou
9f94ed81ee Add an ID to registered service 2013-06-03 08:55:00 -04:00
Evan Prodromou
7ad5ed1db9 Merge branch 'master' of gitorious.org:statusnet/mainline 2013-06-02 15:24:57 -04:00
Evan Prodromou
49d265faa0 Add a registration activity to the end of every backup 2013-06-02 14:41:41 -04:00
Evan Prodromou
cbb5586ab7 Add a registration activity to the end of every backup 2013-06-02 14:38:00 -04:00
Evan Prodromou
ea8151688e Throw an exception converting fave to activity for non-existent notice or profile 2013-05-24 09:27:21 -04:00
Evan Prodromou
b359854150 Throw an exception converting fave to activity for non-existent notice or profile 2013-05-24 09:26:58 -04:00
Evan Prodromou
c5ef1e661e By default Notice::asActivity has a null argument 2013-04-14 12:02:52 -04:00
Evan Prodromou
6f424eb80f If there's an exception in notice distribution, continue 2012-11-25 10:39:49 -05:00
Evan Prodromou
1c3c269ab4 cache key for member_ids 2012-07-04 14:39:26 -04:00
Evan Prodromou
69fb79caae Cache IDs rather than profile objects 2012-07-04 14:38:06 -04:00
Evan Prodromou
642b1044cc Better user group member queries 2012-07-04 14:12:11 -04:00
Evan Prodromou
acf52a3041 Hide stuff if there's an exception getting the profile 2012-05-04 23:37:12 -04:00
Evan Prodromou
5f2b62927c let author see own spam 2012-04-23 21:25:53 -04:00
Evan Prodromou
4746016dd5 Don't convert deleted notices into repeats in Notice::asActivity() 2012-04-23 19:15:12 -04:00
Evan Prodromou
04ad0838be Add spam-training, spam-reviewing rights
Replaced the check for a moderator role in certain spam-training and
-reviewing points. Make sure modhelpers can check, too.
2012-03-25 13:18:16 -04:00
Evan Prodromou
3e46a9b164 Make blocks work for non-subscription deliveries 2012-03-23 12:55:51 -04:00
Evan Prodromou
3b09465fc4 flush anonymous scope when a profile is silenced 2012-03-22 11:37:59 -04:00
Evan Prodromou
d98a4be24e Merge branch '1.0.x' 2012-03-21 16:40:51 -04:00
Evan Prodromou
1c625bd040 show correct conversation notice count 2012-03-21 16:40:42 -04:00
Evan Prodromou
8706d8d351 double-check profile 2012-03-21 13:05:15 -04:00
Evan Prodromou
ad1649e4ba Pass profile down to spam-hiding function 2012-03-21 13:02:45 -04:00
Evan Prodromou
d942072a6c Optionally hide spam from timelines
For sites with a lot of spam, this will hide that spam from timelines for everyone but moderators.
2012-03-21 10:26:00 -04:00
Evan Prodromou
d2d75823a4 Use this for scope check 2012-03-20 21:13:35 -04:00
Evan Prodromou
b65db93d29 New events for overriding scope checks 2012-03-20 16:39:43 -04:00
Evan Prodromou
b4da5f3785 Merge branch 'master' into 1.0.x
Conflicts:
	plugins/Blacklist/BlacklistPlugin.php
2012-03-08 06:08:11 -06:00
Evan Prodromou
3117c38044 Revert "when silencing, blow scope for not-logged-in users"
This reverts commit 04f71a42d3.
2011-12-31 09:35:22 -08:00
Evan Prodromou
70f9d41c4c Revert "Hide posts by silenced users"
This reverts commit d22fc7423c.
2011-12-31 09:34:42 -08:00
Evan Prodromou
04f71a42d3 when silencing, blow scope for not-logged-in users 2011-12-31 09:15:32 -08:00
Evan Prodromou
d22fc7423c Hide posts by silenced users 2011-12-31 08:56:54 -08:00
Siebrand Mazeland
2624afbcd4 Crazy gettext way to support two plurals in one string. 2011-12-28 12:44:42 +01:00
Siebrand Mazeland
eb124c5a67 Add missing space between two sentences. 2011-12-28 12:35:03 +01:00
Michele macno Azzolari
ad2fd9abd4 Fix whitescreen on recoverpassword with unknown user 2011-12-02 15:48:29 -05:00
Evan Prodromou
499e7d7c41 Squashed commit of the following:
commit 74c5e4cce42ae601c07b447e100f097c15ebf9d2
Author: Evan Prodromou <evan@status.net>
Date:   Thu Oct 20 12:48:52 2011 -0400

    Add back in some optimization indices lost in schema conversion

commit ef5c2acfcd123b25910a1c8bb4ae01a3f9608e5e
Author: Evan Prodromou <evan@status.net>
Date:   Thu Oct 20 12:29:57 2011 -0400

    restore some of the lost optimized indices on notice table
2011-10-20 12:50:39 -04:00
Evan Prodromou
22fead1b46 Squashed commit of the following:
commit fb1dfa9e98ded23fb5bdebae6465424a8cb8acd6
Author: Evan Prodromou <evan@status.net>
Date:   Thu Oct 20 10:40:07 2011 -0400

    Use popular notice stream for favorited page

commit e1d409ff738e39061ad35589d546ce9bed456975
Author: Evan Prodromou <evan@status.net>
Date:   Thu Oct 20 10:32:23 2011 -0400

    Use a caching stream for popular notice section

    Instead of a big cached query, we now use a caching notice stream for
    the popular notice section. It uses a single-table query at the
    bottom, then scopes the notices and filters for silenced users. This
    should be much nicer to our database servers.

    Also clears the popular cache when someone favors or disfavors
    something. A nice optimization would be to save the last weights and
    re-calculate them at invalidation time, adding the new notice (or not)
    depending on its own score. That will have to wait for another day,
    though.

commit e9b7ab4c26c95e755adaff53c3957dcfca31c16b
Author: Evan Prodromou <evan@status.net>
Date:   Thu Oct 20 10:31:14 2011 -0400

    Let CachingNoticeStream users skip the ';last' optimization
2011-10-20 10:40:39 -04:00
Brion Vibber
69e95bb9c8 Merge branch 'compound-keys-fix' into 1.0.x 2011-09-30 11:55:36 -07:00
Evan Prodromou
e3c010a870 try to check whether file exists over and over and over 2011-09-30 13:03:42 -04:00
Evan Prodromou
cd3bc8f4ef correct groups from Profile::getGroups() 2011-09-30 11:38:06 -04:00
Zach Copley
ba4bda9beb Fix display of group admin avatars 2011-09-30 00:57:54 +00:00
Brion Vibber
1d15037d6a Further fixes to Managed_DataObject::_allCacheKeys(): now uses self::multicacheKey() to generate the (possibly compound) keys, which makes it match the order of the keys used when calling pkeyGet().
This should resolve the issues darkip was reporting with user_im_prefs entries returning null immediately after insertion (seen with memcached off, so it was happening even with the built-in in-process cache in the Cache base class).

What was happening was that the initial pkeyGet() would end up saving a negative cache entry under the form with the fields sorted in the key, as via multicacheKey():

    'statusnet:blaguette:user_im_prefs:screenname,transport:brionv,sms' => 'N;'

then we'd do an insert() on the new entry, saving cache entries for the non-sorted key names returned by _allCacheKeys():

    'statusnet:blaguette:user_im_prefs:transport,screenname:sms,brionv' => 'O...'
    'statusnet:blaguette:user_im_prefs:user_id,transport:1234,sms' => 'O...'

but the next query via pkeyGet() still saw the negative lookup cache from before, and came back with null.

Now, _allCacheKeys() sorts the fields in the keys by using the same key-builder function, and queries pick up the same thing you just inserted. :)
2011-09-29 15:21:52 -07:00
Evan Prodromou
699a90f11c Show Event attendees in mini-list 2011-09-29 15:12:30 -04:00
Brion Vibber
69765a0550 Fix for caching with compound keys: add Managed_DataObject::_allCacheKeys() to override the one in Memcached_DataObject.
Memcached_DataObject doesn't quite fully understand unique indexes, and can't properly build cache keys for compound unique or primary keys.
Managed_DataObject has more information in its schema data, so we can build a proper list.
2011-09-28 18:32:43 -07:00
Evan Prodromou
c70c7db1c5 Remove unique key on file_thumbnail.url
We're getting "DB error: already exists" on thumbnails coming from
embed.ly. We don't need this to be unique, so let's avoid that.
2011-09-28 15:48:20 -04:00
Evan Prodromou
9143d4f384 Merge branch '1.0.x' into testing 2011-09-27 11:33:13 -04:00
Evan Prodromou
5ccae1313c Query errors in Profile_tag 2011-09-27 11:32:05 -04:00
Evan Prodromou
88c00facc8 fix getOtherTags() to not use joinAdd() 2011-09-27 10:51:02 -04:00
Evan Prodromou
707f90d012 missed an AND 2011-09-27 10:47:13 -04:00
Evan Prodromou
ce044c40fb rewrite Profile_tag::getTagsArray() so it doesn't use joinAdd() 2011-09-27 09:42:34 -04:00
Zach Copley
ec53e68cf2 Merge branch 'testing' of gitorious.org:statusnet/mainline into testing 2011-09-27 04:33:00 +00:00
Zach Copley
3b28f226c7 Facebook bridge back in business with new JS-SDK and OAuth 2.0 flow.
Might be better to rewrite the login mechanism to use server side flow
now that Facebook provides it.
2011-09-27 04:09:47 +00:00
Evan Prodromou
8c710ad2c1 Merge commit 'refs/merge-requests/158' of git://gitorious.org/statusnet/mainline into merge-requests/158
Conflicts:
	classes/Profile_list.php
	lib/peopletagnoticestream.php
2011-09-26 17:11:49 -04:00
Evan Prodromou
ea1a11a087 site-wide option to enable old-school settings 2011-09-24 09:46:13 -04:00
Evan Prodromou
ddc121c085 New table for all old-school UI prefs 2011-09-24 07:12:34 -04:00
Evan Prodromou
02a30cf47c start using stream mode prefs instead of separate parameter 2011-09-23 17:50:38 -04:00
Evan Prodromou
8fa816c324 don't use potentially bad Profile values 2011-09-22 16:29:31 -04:00
Evan Prodromou
a28a6d2f72 fixup bad class constant in Notice 2011-09-19 16:11:43 -04:00
Evan Prodromou
2c1911bfae Short-circuit bugs by defining Profile::getProfile() 2011-09-18 19:29:23 -04:00
Evan Prodromou
48625da04b Automatically add or drop fulltext indexes 2011-09-18 18:28:44 -04:00
Zach Copley
3bf3b6686c Remove fulltext indexes from notice and profile tables. The default
for fulltext search is 'like' (MySQLLikeSearch) which doesn't require
them.
2011-09-18 14:17:41 -07:00
Evan Prodromou
8f78743198 correct the URI-generation for group memberships 2011-09-12 13:36:12 -04:00
Evan Prodromou
a740556e3f is_int() -> !is_null() 2011-09-08 13:05:17 -04:00
Evan Prodromou
5680eb74d0 default scope value is null, determined by site/private 2011-09-08 12:38:11 -04:00
Evan Prodromou
3056b109a2 Quietly skip trying to load config if there's an error in DB 2011-09-08 12:01:06 -04:00
Evan Prodromou
9948523c33 Merge branch 'master' into testing 2011-09-08 09:03:33 -04:00
Zach Copley
e59b30c14b Fix E_NOTICE from attempt to access undefined array key 2011-09-07 21:45:49 -07:00
Siebrand Mazeland
23eb49a017 Update translator documentation and i18n. 2011-08-30 11:43:27 +02:00
Siebrand Mazeland
5a37d0bdc6 Add translator documentation. 2011-08-30 11:04:54 +02:00
Siebrand Mazeland
c4fd560b32 Fix i18n issues
Remove trailing whitespace and convert leading tabs to spaces
2011-08-30 11:03:26 +02:00
Evan Prodromou
a2ea31bc80 Merge branch '1.0.x' of gitorious.org:statusnet/mainline into 1.0.x 2011-08-27 18:22:03 -04:00
Evan Prodromou
51764be5a1 For fave count, don't use distinct 2011-08-27 18:21:44 -04:00
Zach Copley
e26d3b0ede Merge branch '1.0.x' of gitorious.org:statusnet/mainline into 1.0.x
* '1.0.x' of gitorious.org:statusnet/mainline:
  Issue #546: enable case-insensitive searching in MySQL
  remove more groupnav
  remove group nav
  shorter title for tag cloud section on groups
  remove group nav
  move pending queue to sidebar
  Move group logo edit from object nav to block actions
  Show blocked users from group in section
2011-08-27 14:27:15 -07:00
Dan Scott
db9ac1a531 Issue #546: enable case-insensitive searching in MySQL
MySQL needs the collation utf8_general_ci to support case-insensitive
searching. lib/mysqlschema.php already supports a 'collate' attribute on
a per-column basis, so we just need to take advantage of that attribute
on the columns we want to search and Bob (and BOB, and bOB) is your
uncle.

Signed-off-by: Dan Scott <dan@coffeecode.net>
2011-08-27 16:36:58 -04:00
Evan Prodromou
804c343a9f move pending queue to sidebar 2011-08-27 16:05:58 -04:00
Evan Prodromou
330af9991f Show blocked users from group in section 2011-08-27 15:46:05 -04:00
Zach Copley
32fa6dd7a2 Fix logging level in log msg 2011-08-27 12:42:09 -07:00
Evan Prodromou
f81c1f7554 use an array of profiles rather than a looping cursor for profile lists 2011-08-27 12:53:15 -04:00
Evan Prodromou
4f86e05d03 wrap use of repeated element in existence check 2011-08-27 10:02:11 -04:00
Evan Prodromou
34a0525b67 Profile uses joinAdd() with explicit arguments 2011-08-26 11:48:40 -04:00
Evan Prodromou
a47c372ac4 explicit join for subscribers to a profile list 2011-08-26 11:39:06 -04:00
Evan Prodromou
b83af83b82 return links for foreign keys 2011-08-26 11:37:45 -04:00
Evan Prodromou
968cef0fc6 strtolower() the class name in cache keys for listGet() 2011-08-24 17:30:17 -04:00
Zach Copley
307a75e3a7 Fix deprecated call-time pass by references 2011-08-23 09:52:48 -07:00
Zach Copley
1507c32454 Fix warnings - function arguments should expect values instead of references 2011-08-23 09:49:32 -07:00
Evan Prodromou
b73eaa44de emit fewer notices for group joins 2011-08-23 11:49:45 -04:00
Evan Prodromou
5c3bc19968 Re-add lost verb column for Notice 2011-08-23 11:42:18 -04:00
Evan Prodromou
be4d9082f9 Merge branch '1.0.x' into activity 2011-08-23 00:41:03 -04:00
Evan Prodromou
2ea17b0749 use references for Notice::_setFaves() and Notice::_setRepeats() 2011-08-23 00:40:54 -04:00
Evan Prodromou
c712eefe14 Merge branch '1.0.x' into activity 2011-08-23 00:17:39 -04:00
Evan Prodromou
ce5b44158e Get primary key for default value in Memcached_DataObject::staticGet() 2011-08-23 00:14:20 -04:00
Evan Prodromou
01c2c31c1e Merge branch '1.0.x' into activity
Conflicts:
	db/core.php
2011-08-22 18:13:02 -04:00
Evan Prodromou
feb9030fb9 Remove sequenceKey() since we now use Managed_DataObject 2011-08-22 18:05:37 -04:00
Evan Prodromou
7c6399a51a Remove now-unused statusnet.ini 2011-08-22 18:03:05 -04:00
Evan Prodromou
6ed88dee94 forgot Group_member::schemaDef() 2011-08-22 18:02:29 -04:00
Evan Prodromou
9ca3c3d1c3 move core schema to class files 2011-08-22 17:52:02 -04:00
Evan Prodromou
34d0e1088d add URI members to social activity classes 2011-08-22 16:36:23 -04:00
Evan Prodromou
48bb784400 add a verb column to the notice table 2011-08-22 16:02:14 -04:00
Evan Prodromou
2f1751568a pre-fill repeats of notices 2011-08-22 12:39:37 -04:00
Evan Prodromou
d3399e93e8 use listGet() for ConversationNoticeStream 2011-08-22 12:25:04 -04:00
Evan Prodromou
0a17e7cf9f Merge remote-tracking branch 'gitorious/1.0.x' into 1.0.x
Conflicts:
	classes/Memcached_DataObject.php
2011-08-22 11:25:13 -04:00
Siebrand Mazeland
73806460ce Add translator documentation.
Fix incorrect i18n.
Whitespace updates.
2011-08-19 17:38:43 +02:00
Evan Prodromou
ac268773bf Pass correct notice id to Memcached_DataObject::listGet() in getFaves() 2011-08-08 12:01:39 -04:00
Evan Prodromou
f405ffa507 Corrected pkeys for listGet() 2011-08-08 12:01:15 -04:00
Evan Prodromou
ed31052d26 Store pkeys in cache for listGet()
I was storing the full objects in the cache for the listGet()
function. I've changed it to store only pkeys, and use pivotGet() to
get all the corresponding values.

This also required changing pivotGet() so it can get objects with
multi-column pkeys, which complicated the whole thing quite a bit. But
it seems to work OK.
2011-08-08 10:22:20 -04:00
Evan Prodromou
16042387a0 pre-fill the addressees of notices in a list 2011-08-03 00:59:09 -04:00
Evan Prodromou
ba6235a446 Get faves in Notice and pre-fill 2011-08-03 00:04:18 -04:00
Evan Prodromou
dfbdd481fa Pre-fill Notice attachments 2011-08-02 23:12:21 -04:00
Evan Prodromou
9a84907d17 Remove unused File::getAttachments() 2011-08-02 23:11:41 -04:00
Evan Prodromou
d918ee95f4 pre-fetch groups for notices 2011-08-02 18:13:56 -04:00
Evan Prodromou
447ae92eca only do a db call if need to fetch some in listGet() 2011-08-02 18:12:46 -04:00
Evan Prodromou
435c08a753 add listGet() method 2011-08-02 17:20:51 -04:00
Evan Prodromou
5081c56ea4 remove some debugging stuff in Profile::fillAvatars() 2011-08-02 13:14:11 -04:00
Evan Prodromou
af49545e95 reduce the number of calls to get profile groups 2011-08-02 12:14:55 -04:00
Evan Prodromou
06e2422517 pre-fill avatars for Profiles in a notice list 2011-08-02 11:54:27 -04:00
Evan Prodromou
e05f423bea properly cache nulls for pivotGet() 2011-08-02 11:54:10 -04:00
Evan Prodromou
14fe22e430 define Reply::pkeyGet() 2011-08-02 11:15:20 -04:00
Evan Prodromou
02880f5a8c use pkeyGet() instead of getReplies() checking addressee scope 2011-08-02 11:09:30 -04:00
Evan Prodromou
9a78d70441 remove debugging statement in Memcached_DataObject::multiGet() 2011-08-02 10:58:25 -04:00
Evan Prodromou
72ed297214 New method Memcached_DataObject::pivotGet()
This method lets you get all the objects with a given variable key and
another set of "fixed" keys. A good example is getting all the avatars
for a notice list; the avatar size stays the same, but the IDs change.

Since it's very similar to multiGet(), I refactored that function to
use pivotGet().

And, yes, I realize these are kind of hard to follow.
2011-08-02 10:46:29 -04:00
Evan Prodromou
200e18cd71 reduce the number of queries required to get a notice's groups 2011-08-01 16:59:43 -04:00
Evan Prodromou
a3ef80941e use multiGet() for a profile's groups 2011-08-01 15:18:29 -04:00
Evan Prodromou
874f1db389 Pre-fill profiles in notice streams 2011-08-01 14:51:59 -04:00