function dfrn_poll_init(&$a) { $dfrn_id = ''; if (x($_GET, 'dfrn_id')) { $dfrn_id = $a->config['dfrn_poll_dfrn_id'] = $_GET['dfrn_id']; } if (x($_GET, 'type')) { $type = $a->config['dfrn_poll_type'] = $_GET['type']; } if (x($_GET, 'last_update')) { $last_update = $a->config['dfrn_poll_last_update'] = $_GET['last_update']; } $dfrn_version = x($_GET, 'dfrn_version') ? $_GET['dfrn_version'] : '1.0'; $destination_url = x($_GET, 'destination_url') ? $_GET['destination_url'] : ''; if ($dfrn_id == '' && !x($_POST, 'dfrn_id') && $a->argc > 1) { $o = get_feed_for($a, '*', $a->argv[1], $last_update); echo $o; killme(); } if (x($type) && $type == 'profile') { $r = q("SELECT `contact`.*, `user`.`nickname` \n\t\t\tFROM `contact` LEFT JOIN `user` ON `user`.`uid` = 1\n\t\t\tWHERE ( `dfrn-id` = '%s' OR ( `issued-id` = '%s' AND `duplex` = 1 )) LIMIT 1", dbesc($dfrn_id), dbesc($dfrn_id)); if (count($r)) { $s = fetch_url($r[0]['poll'] . '?dfrn_id=' . $dfrn_id . '&type=profile-check'); if (strlen($s)) { $xml = simplexml_load_string($s); if ((int) $xml->status == 1) { $_SESSION['authenticated'] = 1; $_SESSION['visitor_id'] = $r[0]['id']; notice(t('Hi ') . $r[0]['name'] . EOL); // Visitors get 1 day session. $session_id = session_id(); $expire = time() + 86400; q("UPDATE `session` SET `expire` = '%s' WHERE `sid` = '%s' LIMIT 1", dbesc($expire), dbesc($session_id)); } } $profile = $r[0]['nickname']; goaway(strlen($destination_url) ? $destination_url : $a->get_baseurl() . '/profile/' . $profile); } goaway($a->get_baseurl()); } if (x($type) && $type == 'profile-check') { q("DELETE FROM `profile_check` WHERE `expire` < " . intval(time())); $r = q("SELECT * FROM `profile_check` WHERE `dfrn_id` = '%s' ORDER BY `expire` DESC", dbesc($dfrn_id)); if (count($r)) { xml_status(1); return; // NOTREACHED } xml_status(0); return; // NOTREACHED } }
function ping_init(&$a) { if (!local_user()) { xml_status(0); } $r = q("SELECT COUNT(*) AS `total` FROM `item` \n\t\tWHERE `unseen` = 1 AND `visible` = 1 AND `deleted` = 0 "); $network = $r[0]['total']; $r = q("SELECT COUNT(*) AS `total` FROM `item` \n\t\tWHERE `unseen` = 1 AND `visible` = 1 AND `deleted` = 0 AND `type` != 'remote' "); $home = $r[0]['total']; $r = q("SELECT COUNT(*) AS `total` FROM `intro` \n\t\tWHERE `blocked` = 0 AND `ignore` = 0 "); $intro = $r[0]['total']; $myurl = $a->get_baseurl() . '/profile/' . $user['nickname']; $r = q("SELECT COUNT(*) AS `total` FROM `mail`\n\t\tWHERE `seen` = 0 AND `from-url` != '%s' ", dbesc($myurl)); $mail = $r[0]['total']; header("Content-type: text/xml"); echo "<?xml version=\"1.0\" encoding=\"UTF-8\" ?>\r\n<result><intro>{$intro}</intro><mail>{$mail}</mail><net>{$network}</net><home>{$home}</home></result>\r\n"; killme(); }
function dfrn_poll_post(&$a) { $dfrn_id = x($_POST, 'dfrn_id') ? $_POST['dfrn_id'] : ''; $challenge = x($_POST, 'challenge') ? $_POST['challenge'] : ''; $url = x($_POST, 'url') ? $_POST['url'] : ''; $sec = x($_POST, 'sec') ? $_POST['sec'] : ''; $ptype = x($_POST, 'type') ? $_POST['type'] : ''; $dfrn_version = x($_POST, 'dfrn_version') ? (double) $_POST['dfrn_version'] : 2.0; $perm = x($_POST, 'perm') ? $_POST['perm'] : 'r'; if ($ptype === 'profile-check') { if (strlen($challenge) && strlen($sec)) { logger('dfrn_poll: POST: profile-check'); q("DELETE FROM `profile_check` WHERE `expire` < " . intval(time())); $r = q("SELECT * FROM `profile_check` WHERE `sec` = '%s' ORDER BY `expire` DESC LIMIT 1", dbesc($sec)); if (!count($r)) { xml_status(3, 'No ticket'); // NOTREACHED } $orig_id = $r[0]['dfrn_id']; if (strpos($orig_id, ':')) { $orig_id = substr($orig_id, 2); } $c = q("SELECT * FROM `contact` WHERE `id` = %d LIMIT 1", intval($r[0]['cid'])); if (!count($c)) { xml_status(3, 'No profile'); } $contact = $c[0]; $sent_dfrn_id = hex2bin($dfrn_id); $challenge = hex2bin($challenge); $final_dfrn_id = ''; if ($contact['duplex'] && strlen($contact['prvkey'])) { openssl_private_decrypt($sent_dfrn_id, $final_dfrn_id, $contact['prvkey']); openssl_private_decrypt($challenge, $decoded_challenge, $contact['prvkey']); } else { openssl_public_decrypt($sent_dfrn_id, $final_dfrn_id, $contact['pubkey']); openssl_public_decrypt($challenge, $decoded_challenge, $contact['pubkey']); } $final_dfrn_id = substr($final_dfrn_id, 0, strpos($final_dfrn_id, '.')); if (strpos($final_dfrn_id, ':') == 1) { $final_dfrn_id = substr($final_dfrn_id, 2); } if ($final_dfrn_id != $orig_id) { logger('profile_check: ' . $final_dfrn_id . ' != ' . $orig_id, LOGGER_DEBUG); // did not decode properly - cannot trust this site xml_status(3, 'Bad decryption'); } header("Content-type: text/xml"); echo "<?xml version=\"1.0\" encoding=\"UTF-8\"?><dfrn_poll><status>0</status><challenge>{$decoded_challenge}</challenge><sec>{$sec}</sec></dfrn_poll>"; killme(); // NOTREACHED } } $direction = -1; if (strpos($dfrn_id, ':') == 1) { $direction = intval(substr($dfrn_id, 0, 1)); $dfrn_id = substr($dfrn_id, 2); } $r = q("SELECT * FROM `challenge` WHERE `dfrn-id` = '%s' AND `challenge` = '%s' LIMIT 1", dbesc($dfrn_id), dbesc($challenge)); if (!count($r)) { killme(); } $type = $r[0]['type']; $last_update = $r[0]['last_update']; $r = q("DELETE FROM `challenge` WHERE `dfrn-id` = '%s' AND `challenge` = '%s' LIMIT 1", dbesc($dfrn_id), dbesc($challenge)); $sql_extra = ''; switch ($direction) { case -1: $sql_extra = sprintf(" AND `issued-id` = '%s' ", dbesc($dfrn_id)); $my_id = $dfrn_id; break; case 0: $sql_extra = sprintf(" AND `issued-id` = '%s' AND `duplex` = 1 ", dbesc($dfrn_id)); $my_id = '1:' . $dfrn_id; break; case 1: $sql_extra = sprintf(" AND `dfrn-id` = '%s' AND `duplex` = 1 ", dbesc($dfrn_id)); $my_id = '0:' . $dfrn_id; break; default: goaway(z_root()); break; // NOTREACHED } $r = q("SELECT * FROM `contact` WHERE `blocked` = 0 AND `pending` = 0 {$sql_extra} LIMIT 1"); if (!count($r)) { killme(); } $contact = $r[0]; $owner_uid = $r[0]['uid']; $contact_id = $r[0]['id']; if ($type === 'reputation' && strlen($url)) { $r = q("SELECT * FROM `contact` WHERE `url` = '%s' AND `uid` = %d LIMIT 1", dbesc($url), intval($owner_uid)); $reputation = 0; $text = ''; if (count($r)) { $reputation = $r[0]['rating']; $text = $r[0]['reason']; if ($r[0]['id'] == $contact_id) { // inquiring about own reputation not allowed $reputation = 0; $text = ''; } } echo "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n\t\t<reputation>\n\t\t\t<url>{$url}</url>\n\t\t\t<rating>{$reputation}</rating>\n\t\t\t<description>{$text}</description>\n\t\t</reputation>\n\t\t"; killme(); // NOTREACHED } else { // Update the writable flag if it changed logger('dfrn_poll: post request feed: ' . print_r($_POST, true), LOGGER_DATA); if ($dfrn_version >= 2.21) { if ($perm === 'rw') { $writable = 1; } else { $writable = 0; } if ($writable != $contact['writable']) { q("UPDATE `contact` SET `writable` = %d WHERE `id` = %d LIMIT 1", intval($writable), intval($contact_id)); } } header("Content-type: application/atom+xml"); $o = get_feed_for($a, $dfrn_id, $a->argv[1], $last_update, $direction); echo $o; killme(); } }
function dfrn_notify_post(&$a) { $dfrn_id = x($_POST, 'dfrn_id') ? notags(trim($_POST['dfrn_id'])) : ''; $dfrn_version = x($_POST, 'dfrn_version') ? (double) $_POST['dfrn_version'] : 2.0; $challenge = x($_POST, 'challenge') ? notags(trim($_POST['challenge'])) : ''; $data = x($_POST, 'data') ? $_POST['data'] : ''; $key = x($_POST, 'key') ? $_POST['key'] : ''; $dissolve = x($_POST, 'dissolve') ? intval($_POST['dissolve']) : 0; $perm = x($_POST, 'perm') ? notags(trim($_POST['perm'])) : 'r'; $ssl_policy = x($_POST, 'ssl_policy') ? notags(trim($_POST['ssl_policy'])) : 'none'; $page = x($_POST, 'page') ? intval($_POST['page']) : 0; $forum = $page == 1 ? 1 : 0; $prv = $page == 2 ? 1 : 0; $writable = -1; if ($dfrn_version >= 2.21) { $writable = $perm === 'rw' ? 1 : 0; } $direction = -1; if (strpos($dfrn_id, ':') == 1) { $direction = intval(substr($dfrn_id, 0, 1)); $dfrn_id = substr($dfrn_id, 2); } $r = q("SELECT * FROM `challenge` WHERE `dfrn-id` = '%s' AND `challenge` = '%s' LIMIT 1", dbesc($dfrn_id), dbesc($challenge)); if (!count($r)) { logger('dfrn_notify: could not match challenge to dfrn_id ' . $dfrn_id . ' challenge=' . $challenge); xml_status(3); } $r = q("DELETE FROM `challenge` WHERE `dfrn-id` = '%s' AND `challenge` = '%s' LIMIT 1", dbesc($dfrn_id), dbesc($challenge)); // find the local user who owns this relationship. $sql_extra = ''; switch ($direction) { case -1: $sql_extra = sprintf(" AND ( `issued-id` = '%s' OR `dfrn-id` = '%s' ) ", dbesc($dfrn_id), dbesc($dfrn_id)); break; case 0: $sql_extra = sprintf(" AND `issued-id` = '%s' AND `duplex` = 1 ", dbesc($dfrn_id)); break; case 1: $sql_extra = sprintf(" AND `dfrn-id` = '%s' AND `duplex` = 1 ", dbesc($dfrn_id)); break; default: xml_status(3); break; // NOTREACHED } // be careful - $importer will contain both the contact information for the contact // sending us the post, and also the user information for the person receiving it. // since they are mixed together, it is easy to get them confused. $r = q("SELECT\t`contact`.*, `contact`.`uid` AS `importer_uid`, \n\t\t\t\t\t`contact`.`pubkey` AS `cpubkey`, \n\t\t\t\t\t`contact`.`prvkey` AS `cprvkey`, \n\t\t\t\t\t`contact`.`thumb` AS `thumb`, \n\t\t\t\t\t`contact`.`url` as `url`,\n\t\t\t\t\t`contact`.`name` as `senderName`,\n\t\t\t\t\t`user`.* \n\t\t\tFROM `contact` \n\t\t\tLEFT JOIN `user` ON `contact`.`uid` = `user`.`uid` \n\t\t\tWHERE `contact`.`blocked` = 0 AND `contact`.`pending` = 0 \n\t\t\t\tAND `user`.`nickname` = '%s' AND `user`.`account_expired` = 0 {$sql_extra} LIMIT 1", dbesc($a->argv[1])); if (!count($r)) { logger('dfrn_notify: contact not found for dfrn_id ' . $dfrn_id); xml_status(3); //NOTREACHED } // $importer in this case contains the contact record for the remote contact joined with the user record of our user. $importer = $r[0]; if ($writable != -1 && $writable != $importer['writable'] || $importer['forum'] != $forum || $importer['prv'] != $prv) { q("UPDATE `contact` SET `writable` = %d, forum = %d, prv = %d WHERE `id` = %d LIMIT 1", intval($writable == -1 ? $importer['writable'] : $writable), intval($forum), intval($prv), intval($importer['id'])); if ($writable != -1) { $importer['writable'] = $writable; } $importer['forum'] = $page; } // if contact's ssl policy changed, update our links fix_contact_ssl_policy($importer, $ssl_policy); logger('dfrn_notify: received notify from ' . $importer['name'] . ' for ' . $importer['username']); logger('dfrn_notify: data: ' . $data, LOGGER_DATA); if ($dissolve == 1) { /** * Relationship is dissolved permanently */ require_once 'include/Contact.php'; contact_remove($importer['id']); logger('relationship dissolved : ' . $importer['name'] . ' dissolved ' . $importer['username']); xml_status(0); } // If we are setup as a soapbox we aren't accepting input from this person if ($importer['page-flags'] == PAGE_SOAPBOX) { xml_status(0); } if (strlen($key)) { $rawkey = hex2bin(trim($key)); logger('rino: md5 raw key: ' . md5($rawkey)); $final_key = ''; if ($dfrn_version >= 2.1) { if ($importer['duplex'] && strlen($importer['cprvkey']) || !strlen($importer['cpubkey'])) { openssl_private_decrypt($rawkey, $final_key, $importer['cprvkey']); } else { openssl_public_decrypt($rawkey, $final_key, $importer['cpubkey']); } } else { if ($importer['duplex'] && strlen($importer['cpubkey']) || !strlen($importer['cprvkey'])) { openssl_public_decrypt($rawkey, $final_key, $importer['cpubkey']); } else { openssl_private_decrypt($rawkey, $final_key, $importer['cprvkey']); } } logger('rino: received key : ' . $final_key); $data = aes_decrypt(hex2bin($data), $final_key); logger('rino: decrypted data: ' . $data, LOGGER_DATA); } $ret = local_delivery($importer, $data); xml_status($ret); // NOTREACHED }
function dfrn_notify_post(&$a) { $dfrn_id = notags(trim($_POST['dfrn_id'])); $challenge = notags(trim($_POST['challenge'])); $data = $_POST['data']; $r = q("SELECT * FROM `challenge` WHERE `dfrn-id` = '%s' AND `challenge` = '%s' LIMIT 1", dbesc($dfrn_id), dbesc($challenge)); if (!count($r)) { xml_status(3); } $r = q("DELETE FROM `challenge` WHERE `dfrn-id` = '%s' AND `challenge` = '%s' LIMIT 1", dbesc($dfrn_id), dbesc($challenge)); // find the local user who owns this relationship. $r = q("SELECT `contact`.*, `user`.* FROM `contact` LEFT JOIN `user` on `user`.`uid` = 1 \n\t\tWHERE ( `issued-id` = '%s' OR ( `duplex` = 1 AND `dfrn-id` = '%s' )) LIMIT 1", dbesc($dfrn_id), dbesc($dfrn_id)); if (!count($r)) { xml_status(3); return; //NOTREACHED } $importer = $r[0]; $feed = new SimplePie(); $feed->set_raw_data($data); $feed->enable_order_by_date(false); $feed->init(); $ismail = false; $rawmail = $feed->get_feed_tags(NAMESPACE_DFRN, 'mail'); if (isset($rawmail[0]['child'][NAMESPACE_DFRN])) { if ($importer['readonly']) { // We aren't receiving email from this person. But we will quietly ignore them // rather than a blatant "go away" message. xml_status(0); return; //NOTREACHED } $ismail = true; $base = $rawmail[0]['child'][NAMESPACE_DFRN]; $msg = array(); $msg['from-name'] = notags(unxmlify($base['sender'][0]['child'][NAMESPACE_DFRN]['name'][0]['data'])); $msg['from-photo'] = notags(unxmlify($base['sender'][0]['child'][NAMESPACE_DFRN]['avatar'][0]['data'])); $msg['from-url'] = notags(unxmlify($base['sender'][0]['child'][NAMESPACE_DFRN]['uri'][0]['data'])); $msg['contact-id'] = $importer['id']; $msg['title'] = notags(unxmlify($base['subject'][0]['data'])); $msg['body'] = escape_tags(unxmlify($base['content'][0]['data'])); $msg['delivered'] = 1; $msg['seen'] = 0; $msg['replied'] = 0; $msg['uri'] = notags(unxmlify($base['id'][0]['data'])); $msg['parent-uri'] = notags(unxmlify($base['in-reply-to'][0]['data'])); $msg['created'] = datetime_convert(notags(unxmlify('UTC', 'UTC', $base['sentdate'][0]['data']))); dbesc_array($msg); $r = q("INSERT INTO `mail` (`" . implode("`, `", array_keys($msg)) . "`) VALUES ('" . implode("', '", array_values($msg)) . "')"); require_once 'bbcode.php'; if ($importer['notify-flags'] & NOTIFY_MAIL) { $tpl = file_get_contents('view/mail_received_eml.tpl'); $email_tpl = replace_macros($tpl, array('$sitename' => $a->config['sitename'], '$siteurl' => $a->get_baseurl(), '$username' => $importer['username'], '$email' => $importer['email'], '$from' => $msg['from-name'], '$title' => $msg['title'], '$body' => strip_tags(bbcode($msg['body'])))); $res = mail($importer['email'], t("New mail received at ") . $a->config['sitename'], $email_tpl, t("From: Administrator@") . $a->get_hostname()); } xml_status(0); return; // NOTREACHED } if ($importer['readonly'] && !x($a->config['rockstar'])) { // This contact is readonly and we're going to ignore him/her, except if we're in // RockStar configuration. Us rockstars wan't people to talk about us. We just don't // want to have to deal with them individually. So our "readonly" fans can post to // our wall and comment, but they can't send us email. xml_status(0); return; // NOTREACHED } foreach ($feed->get_items() as $item) { $deleted = false; $rawdelete = $item->get_item_tags("http://purl.org/atompub/tombstones/1.0", 'deleted-entry'); if (isset($rawdelete[0]['attribs']['']['ref'])) { $uri = $rawthread[0]['attribs']['']['ref']; $deleted = true; if (isset($rawdelete[0]['attribs']['']['when'])) { $when = $rawthread[0]['attribs']['']['when']; $when = datetime_convert('UTC', 'UTC', $when, 'Y-m-d H:i:s'); } else { $when = datetime_convert('UTC', 'UTC', 'now', 'Y-m-d H:i:s'); } } if ($deleted) { $r = q("SELECT * FROM `item` WHERE `uri` = '%s' LIMIT 1", dbesc($uri)); if (count($r)) { $item = $r[0]; if ($item['uri'] == $item['parent-uri']) { $r = q("UPDATE `item` SET `deleted` = 1, `edited` = '%s' , `changed` = '%s'\n\t\t\t\t\t\tWHERE `parent-uri` = '%s'", dbesc($when), dbesc(datetime_convert()), dbesc($item['uri'])); } else { $r = q("UPDATE `item` SET `deleted` = 1, `edited` = '%s' , `changed` = '%s' \n\t\t\t\t\t\tWHERE `uri` = '%s' LIMIT 1", dbesc($when), dbesc(datetime_convert()), dbesc($uri)); } if ($item['last-child']) { // ensure that last-child is set in case the comment that had it just got wiped. $q("UPDATE `item` SET `last-child` = 0, `changed` = '%s' WHERE `parent-uri` = '%s' ", dbesc(datetime_convert()), dbesc($item['parent-uri'])); // who is the last child now? $r = q("SELECT `id` FROM `item` WHERE `parent-uri` = '%s' AND `type` != 'activity' AND `deleted` = 0 \n\t\t\t\t\t\tORDER BY `edited` DESC LIMIT 1", dbesc($item['parent-uri'])); if (count($r)) { q("UPDATE `item` SET `last-child` = 1 WHERE `id` = %d LIMIT 1", intval($r[0]['id'])); } } } continue; } $is_reply = false; $item_id = $item->get_id(); $rawthread = $item->get_item_tags("http://purl.org/syndication/thread/1.0", 'in-reply-to'); if (isset($rawthread[0]['attribs']['']['ref'])) { $is_reply = true; $parent_uri = $rawthread[0]['attribs']['']['ref']; } if ($is_reply) { if ($feed->get_item_quantity() == 1) { // remote reply to our post. Import and then notify everybody else. $datarray = get_atom_elements($item); $datarray['wall'] = 1; $datarray['type'] = 'remote-comment'; $datarray['parent-uri'] = $parent_uri; $datarray['contact-id'] = $importer['id']; $posted_id = post_remote($a, $datarray); if ($posted_id) { $r = q("SELECT `parent` FROM `item` WHERE `id` = %d LIMIT 1", intval($posted_id)); if (count($r)) { $r1 = q("UPDATE `item` SET `last-child` = 0, `changed` = '%s' WHERE `parent` = %d", dbesc(datetime_convert()), intval($r[0]['parent'])); } $r2 = q("UPDATE `item` SET `last-child` = 1, `changed` = '%s' WHERE `id` = %d LIMIT 1", dbesc(datetime_convert()), intval($posted_id)); $php_path = strlen($a->config['php_path']) ? $a->config['php_path'] : 'php'; proc_close(proc_open("\"{$php_path}\" \"include/notifier.php\" \"comment-import\" \"{$posted_id}\" &", array(), $foo)); if ($importer['notify-flags'] & NOTIFY_COMMENT && !$importer['self']) { require_once 'bbcode.php'; $from = stripslashes($datarray['author-name']); $tpl = file_get_contents('view/cmnt_received_eml.tpl'); $email_tpl = replace_macros($tpl, array('$sitename' => $a->config['sitename'], '$siteurl' => $a->get_baseurl(), '$username' => $importer['username'], '$email' => $importer['email'], '$from' => $from, '$body' => strip_tags(bbcode(stripslashes($datarray['body']))))); $res = mail($importer['email'], $from . t(" commented on your item at ") . $a->config['sitename'], $email_tpl, t("From: Administrator@") . $a->get_hostname()); } } xml_status(0); return; } else { // regular comment that is part of this total conversation. Have we seen it? If not, import it. $item_id = $item->get_id(); $r = q("SELECT `last-child`, `edited` FROM `item` WHERE `uri` = '%s' LIMIT 1", dbesc($item_id)); // FIXME update content if 'updated' changes if (count($r)) { $allow = $item->get_item_tags(NAMESPACE_DFRN, 'comment-allow'); if ($allow && $allow[0]['data'] != $r[0]['last-child']) { $r = q("UPDATE `item` SET `last-child` = %d, `changed` = '%s' WHERE `uri` = '%s' LIMIT 1", intval($allow[0]['data']), dbesc(datetime_convert()), dbesc($item_id)); } continue; } $datarray = get_atom_elements($item); $datarray['parent-uri'] = $parent_uri; $datarray['contact-id'] = $importer['id']; $r = post_remote($a, $datarray); // find out if our user is involved in this conversation and wants to be notified. if ($importer['notify-flags'] & NOTIFY_COMMENT) { $myconv = q("SELECT `author-link` FROM `item` WHERE `parent-uri` = '%s'", dbesc($parent_uri)); if (count($myconv)) { foreach ($myconv as $conv) { if ($conv['author-link'] != $importer['url']) { continue; } require_once 'bbcode.php'; $from = stripslashes($datarray['author-name']); $tpl = file_get_contents('view/cmnt_received_eml.tpl'); $email_tpl = replace_macros($tpl, array('$sitename' => $a->config['sitename'], '$siteurl' => $a->get_baseurl(), '$username' => $importer['username'], '$email' => $importer['email'], '$from' => $from, '$body' => strip_tags(bbcode(stripslashes($datarray['body']))))); $res = mail($importer['email'], $from . t(" commented on an item at ") . $a->config['sitename'], $email_tpl, t("From: Administrator@") . $a->get_hostname()); break; } } } continue; } } else { // Head post of a conversation. Have we seen it? If not, import it. $item_id = $item->get_id(); $r = q("SELECT `last-child`, `edited` FROM `item` WHERE `uri` = '%s' LIMIT 1", dbesc($item_id)); if (count($r)) { $allow = $item->get_item_tags(NAMESPACE_DFRN, 'comment-allow'); if ($allow && $allow[0]['data'] != $r[0]['last-child']) { $r = q("UPDATE `item` SET `last-child` = %d, `changed` = '%s' WHERE `uri` = '%s' LIMIT 1", intval($allow[0]['data']), dbesc(datetime_convert()), dbesc($item_id)); } continue; } $datarray = get_atom_elements($item); $datarray['parent-uri'] = $item_id; $datarray['contact-id'] = $importer['id']; $r = post_remote($a, $datarray); continue; } } xml_status(0); killme(); }
function dfrn_confirm_post(&$a, $handsfree = null) { if (is_array($handsfree)) { /** * We were called directly from dfrn_request due to automatic friend acceptance. * Any $_POST parameters we may require are supplied in the $handsfree array. * */ $node = $handsfree['node']; $a->interactive = false; // notice() becomes a no-op since nobody is there to see it } else { if ($a->argc > 1) { $node = $a->argv[1]; } } /** * * Main entry point. Scenario 1. Our user received a friend request notification (perhaps * from another site) and clicked 'Approve'. * $POST['source_url'] is not set. If it is, it indicates Scenario 2. * * We may also have been called directly from dfrn_request ($handsfree != null) due to * this being a page type which supports automatic friend acceptance. That is also Scenario 1 * since we are operating on behalf of our registered user to approve a friendship. * */ if (!x($_POST, 'source_url')) { $uid = is_array($handsfree) ? $handsfree['uid'] : local_user(); if (!$uid) { notice(t('Permission denied.') . EOL); return; } $user = q("SELECT * FROM `user` WHERE `uid` = %d LIMIT 1", intval($uid)); if (!$user) { notice(t('Profile not found.') . EOL); return; } // These data elements may come from either the friend request notification form or $handsfree array. if (is_array($handsfree)) { logger('Confirm in handsfree mode'); $dfrn_id = $handsfree['dfrn_id']; $intro_id = $handsfree['intro_id']; $duplex = $handsfree['duplex']; $hidden = array_key_exists('hidden', $handsfree) ? intval($handsfree['hidden']) : 0; $activity = array_key_exists('activity', $handsfree) ? intval($handsfree['activity']) : 0; } else { $dfrn_id = x($_POST, 'dfrn_id') ? notags(trim($_POST['dfrn_id'])) : ""; $intro_id = x($_POST, 'intro_id') ? intval($_POST['intro_id']) : 0; $duplex = x($_POST, 'duplex') ? intval($_POST['duplex']) : 0; $cid = x($_POST, 'contact_id') ? intval($_POST['contact_id']) : 0; $hidden = x($_POST, 'hidden') ? intval($_POST['hidden']) : 0; $activity = x($_POST, 'activity') ? intval($_POST['activity']) : 0; } /** * * Ensure that dfrn_id has precedence when we go to find the contact record. * We only want to search based on contact id if there is no dfrn_id, * e.g. for OStatus network followers. * */ if (strlen($dfrn_id)) { $cid = 0; } logger('Confirming request for dfrn_id (issued) ' . $dfrn_id); if ($cid) { logger('Confirming follower with contact_id: ' . $cid); } /** * * The other person will have been issued an ID when they first requested friendship. * Locate their record. At this time, their record will have both pending and blocked set to 1. * There won't be any dfrn_id if this is a network follower, so use the contact_id instead. * */ $r = q("SELECT * FROM `contact` WHERE ( ( `issued-id` != '' AND `issued-id` = '%s' ) OR ( `id` = %d AND `id` != 0 ) ) AND `uid` = %d AND `duplex` = 0 LIMIT 1", dbesc($dfrn_id), intval($cid), intval($uid)); if (!count($r)) { logger('Contact not found in DB.'); notice(t('Contact not found.') . EOL); notice(t('This may occasionally happen if contact was requested by both persons and it has already been approved.') . EOL); return; } $contact = $r[0]; $contact_id = $contact['id']; $relation = $contact['rel']; $site_pubkey = $contact['site-pubkey']; $dfrn_confirm = $contact['confirm']; $aes_allow = $contact['aes_allow']; $network = strlen($contact['issued-id']) ? NETWORK_DFRN : NETWORK_OSTATUS; if ($contact['network']) { $network = $contact['network']; } if ($network === NETWORK_DFRN) { /** * * Generate a key pair for all further communications with this person. * We have a keypair for every contact, and a site key for unknown people. * This provides a means to carry on relationships with other people if * any single key is compromised. It is a robust key. We're much more * worried about key leakage than anybody cracking it. * */ require_once 'include/crypto.php'; $res = new_keypair(4096); $private_key = $res['prvkey']; $public_key = $res['pubkey']; // Save the private key. Send them the public key. $r = q("UPDATE `contact` SET `prvkey` = '%s' WHERE `id` = %d AND `uid` = %d", dbesc($private_key), intval($contact_id), intval($uid)); $params = array(); /** * * Per the DFRN protocol, we will verify both ends by encrypting the dfrn_id with our * site private key (person on the other end can decrypt it with our site public key). * Then encrypt our profile URL with the other person's site public key. They can decrypt * it with their site private key. If the decryption on the other end fails for either * item, it indicates tampering or key failure on at least one site and we will not be * able to provide a secure communication pathway. * * If other site is willing to accept full encryption, (aes_allow is 1 AND we have php5.3 * or later) then we encrypt the personal public key we send them using AES-256-CBC and a * random key which is encrypted with their site public key. * */ $src_aes_key = random_string(); $result = ''; openssl_private_encrypt($dfrn_id, $result, $user[0]['prvkey']); $params['dfrn_id'] = bin2hex($result); $params['public_key'] = $public_key; $my_url = $a->get_baseurl() . '/profile/' . $user[0]['nickname']; openssl_public_encrypt($my_url, $params['source_url'], $site_pubkey); $params['source_url'] = bin2hex($params['source_url']); if ($aes_allow && function_exists('openssl_encrypt')) { openssl_public_encrypt($src_aes_key, $params['aes_key'], $site_pubkey); $params['aes_key'] = bin2hex($params['aes_key']); $params['public_key'] = bin2hex(openssl_encrypt($public_key, 'AES-256-CBC', $src_aes_key)); } $params['dfrn_version'] = DFRN_PROTOCOL_VERSION; if ($duplex == 1) { $params['duplex'] = 1; } if ($user[0]['page-flags'] == PAGE_COMMUNITY) { $params['page'] = 1; } if ($user[0]['page-flags'] == PAGE_PRVGROUP) { $params['page'] = 2; } logger('Confirm: posting data to ' . $dfrn_confirm . ': ' . print_r($params, true), LOGGER_DATA); /** * * POST all this stuff to the other site. * Temporarily raise the network timeout to 120 seconds because the default 60 * doesn't always give the other side quite enough time to decrypt everything. * */ $a->config['system']['curl_timeout'] = 120; $res = post_url($dfrn_confirm, $params); logger(' Confirm: received data: ' . $res, LOGGER_DATA); // Now figure out what they responded. Try to be robust if the remote site is // having difficulty and throwing up errors of some kind. $leading_junk = substr($res, 0, strpos($res, '<?xml')); $res = substr($res, strpos($res, '<?xml')); if (!strlen($res)) { // No XML at all, this exchange is messed up really bad. // We shouldn't proceed, because the xml parser might choke, // and $status is going to be zero, which indicates success. // We can hardly call this a success. notice(t('Response from remote site was not understood.') . EOL); return; } if (strlen($leading_junk) && get_config('system', 'debugging')) { // This might be more common. Mixed error text and some XML. // If we're configured for debugging, show the text. Proceed in either case. notice(t('Unexpected response from remote site: ') . EOL . $leading_junk . EOL); } if (stristr($res, "<status") === false) { // wrong xml! stop here! notice(t('Unexpected response from remote site: ') . EOL . htmlspecialchars($res) . EOL); return; } $xml = parse_xml_string($res); $status = (int) $xml->status; $message = unxmlify($xml->message); // human readable text of what may have gone wrong. switch ($status) { case 0: info(t("Confirmation completed successfully.") . EOL); if (strlen($message)) { notice(t('Remote site reported: ') . $message . EOL); } break; case 1: // birthday paradox - generate new dfrn-id and fall through. $new_dfrn_id = random_string(); $r = q("UPDATE contact SET `issued-id` = '%s' WHERE `id` = %d AND `uid` = %d", dbesc($new_dfrn_id), intval($contact_id), intval($uid)); case 2: notice(t("Temporary failure. Please wait and try again.") . EOL); if (strlen($message)) { notice(t('Remote site reported: ') . $message . EOL); } break; case 3: notice(t("Introduction failed or was revoked.") . EOL); if (strlen($message)) { notice(t('Remote site reported: ') . $message . EOL); } break; } if ($status == 0 && $intro_id) { // Success. Delete the notification. $r = q("DELETE FROM `intro` WHERE `id` = %d AND `uid` = %d", intval($intro_id), intval($uid)); } if ($status != 0) { return; } } /* * * We have now established a relationship with the other site. * Let's make our own personal copy of their profile photo so we don't have * to always load it from their site. * * We will also update the contact record with the nature and scope of the relationship. * */ require_once 'include/Photo.php'; $photos = import_profile_photo($contact['photo'], $uid, $contact_id); logger('dfrn_confirm: confirm - imported photos'); if ($network === NETWORK_DFRN) { $new_relation = CONTACT_IS_FOLLOWER; if ($relation == CONTACT_IS_SHARING || $duplex) { $new_relation = CONTACT_IS_FRIEND; } if ($relation == CONTACT_IS_SHARING && $duplex) { $duplex = 0; } $r = q("UPDATE `contact` SET\n\t\t\t\t`photo` = '%s',\n\t\t\t\t`thumb` = '%s',\n\t\t\t\t`micro` = '%s',\n\t\t\t\t`rel` = %d,\n\t\t\t\t`name-date` = '%s',\n\t\t\t\t`uri-date` = '%s',\n\t\t\t\t`avatar-date` = '%s',\n\t\t\t\t`blocked` = 0,\n\t\t\t\t`pending` = 0,\n\t\t\t\t`duplex` = %d,\n\t\t\t\t`hidden` = %d,\n\t\t\t\t`network` = '%s' WHERE `id` = %d\n\t\t\t", dbesc($photos[0]), dbesc($photos[1]), dbesc($photos[2]), intval($new_relation), dbesc(datetime_convert()), dbesc(datetime_convert()), dbesc(datetime_convert()), intval($duplex), intval($hidden), dbesc(NETWORK_DFRN), intval($contact_id)); } else { // $network !== NETWORK_DFRN $network = $contact['network'] ? $contact['network'] : NETWORK_OSTATUS; $notify = $contact['notify'] ? $contact['notify'] : ''; $poll = $contact['poll'] ? $contact['poll'] : ''; if (!$contact['notify'] || !$contact['poll']) { $arr = lrdd($contact['url']); if (count($arr)) { foreach ($arr as $link) { if ($link['@attributes']['rel'] === 'salmon') { $notify = $link['@attributes']['href']; } if ($link['@attributes']['rel'] === NAMESPACE_FEED) { $poll = $link['@attributes']['href']; } } } } $new_relation = $contact['rel']; $writable = $contact['writable']; if ($network === NETWORK_DIASPORA) { if ($duplex) { $new_relation = CONTACT_IS_FRIEND; } else { $new_relation = CONTACT_IS_FOLLOWER; } if ($new_relation != CONTACT_IS_FOLLOWER) { $writable = 1; } } $r = q("DELETE FROM `intro` WHERE `id` = %d AND `uid` = %d", intval($intro_id), intval($uid)); $r = q("UPDATE `contact` SET `photo` = '%s',\n\t\t\t\t`thumb` = '%s',\n\t\t\t\t`micro` = '%s',\n\t\t\t\t`name-date` = '%s',\n\t\t\t\t`uri-date` = '%s',\n\t\t\t\t`avatar-date` = '%s',\n\t\t\t\t`notify` = '%s',\n\t\t\t\t`poll` = '%s',\n\t\t\t\t`blocked` = 0,\n\t\t\t\t`pending` = 0,\n\t\t\t\t`network` = '%s',\n\t\t\t\t`writable` = %d,\n\t\t\t\t`hidden` = %d,\n\t\t\t\t`rel` = %d\n\t\t\t\tWHERE `id` = %d\n\t\t\t", dbesc($photos[0]), dbesc($photos[1]), dbesc($photos[2]), dbesc(datetime_convert()), dbesc(datetime_convert()), dbesc(datetime_convert()), dbesc($notify), dbesc($poll), dbesc($network), intval($writable), intval($hidden), intval($new_relation), intval($contact_id)); } if ($r === false) { notice(t('Unable to set contact photo.') . EOL); } // reload contact info $r = q("SELECT * FROM `contact` WHERE `id` = %d LIMIT 1", intval($contact_id)); if (count($r)) { $contact = $r[0]; } else { $contact = null; } if (isset($new_relation) && $new_relation == CONTACT_IS_FRIEND) { if ($contact && $contact['network'] === NETWORK_DIASPORA) { require_once 'include/diaspora.php'; $ret = diaspora_share($user[0], $r[0]); logger('mod_follow: diaspora_share returns: ' . $ret); } // Send a new friend post if we are allowed to... $r = q("SELECT `hide-friends` FROM `profile` WHERE `uid` = %d AND `is-default` = 1 LIMIT 1", intval($uid)); if (count($r) && $r[0]['hide-friends'] == 0 && $activity && !$hidden) { require_once 'include/items.php'; $self = q("SELECT * FROM `contact` WHERE `self` = 1 AND `uid` = %d LIMIT 1", intval($uid)); if (count($self)) { $arr = array(); $arr['uri'] = $arr['parent-uri'] = item_new_uri($a->get_hostname(), $uid); $arr['uid'] = $uid; $arr['contact-id'] = $self[0]['id']; $arr['wall'] = 1; $arr['type'] = 'wall'; $arr['gravity'] = 0; $arr['origin'] = 1; $arr['author-name'] = $arr['owner-name'] = $self[0]['name']; $arr['author-link'] = $arr['owner-link'] = $self[0]['url']; $arr['author-avatar'] = $arr['owner-avatar'] = $self[0]['thumb']; $A = '[url=' . $self[0]['url'] . ']' . $self[0]['name'] . '[/url]'; $APhoto = '[url=' . $self[0]['url'] . ']' . '[img]' . $self[0]['thumb'] . '[/img][/url]'; $B = '[url=' . $contact['url'] . ']' . $contact['name'] . '[/url]'; $BPhoto = '[url=' . $contact['url'] . ']' . '[img]' . $contact['thumb'] . '[/img][/url]'; $arr['verb'] = ACTIVITY_FRIEND; $arr['object-type'] = ACTIVITY_OBJ_PERSON; $arr['body'] = sprintf(t('%1$s is now friends with %2$s'), $A, $B) . "\n\n\n" . $BPhoto; $arr['object'] = '<object><type>' . ACTIVITY_OBJ_PERSON . '</type><title>' . $contact['name'] . '</title>' . '<id>' . $contact['url'] . '/' . $contact['name'] . '</id>'; $arr['object'] .= '<link>' . xmlify('<link rel="alternate" type="text/html" href="' . $contact['url'] . '" />' . "\n"); $arr['object'] .= xmlify('<link rel="photo" type="image/jpeg" href="' . $contact['thumb'] . '" />' . "\n"); $arr['object'] .= '</link></object>' . "\n"; $arr['last-child'] = 1; $arr['allow_cid'] = $user[0]['allow_cid']; $arr['allow_gid'] = $user[0]['allow_gid']; $arr['deny_cid'] = $user[0]['deny_cid']; $arr['deny_gid'] = $user[0]['deny_gid']; $i = item_store($arr); if ($i) { proc_run('php', "include/notifier.php", "activity", "{$i}"); } } } } $g = q("select def_gid from user where uid = %d limit 1", intval($uid)); if ($contact && $g && intval($g[0]['def_gid'])) { require_once 'include/group.php'; group_add_member($uid, '', $contact['id'], $g[0]['def_gid']); } // Let's send our user to the contact editor in case they want to // do anything special with this new friend. if ($handsfree === null) { goaway($a->get_baseurl() . '/contacts/' . intval($contact_id)); } else { return; } //NOTREACHED } /** * * * End of Scenario 1. [Local confirmation of remote friend request]. * * Begin Scenario 2. This is the remote response to the above scenario. * This will take place on the site that originally initiated the friend request. * In the section above where the confirming party makes a POST and * retrieves xml status information, they are communicating with the following code. * */ if (x($_POST, 'source_url')) { // We are processing an external confirmation to an introduction created by our user. $public_key = x($_POST, 'public_key') ? $_POST['public_key'] : ''; $dfrn_id = x($_POST, 'dfrn_id') ? hex2bin($_POST['dfrn_id']) : ''; $source_url = x($_POST, 'source_url') ? hex2bin($_POST['source_url']) : ''; $aes_key = x($_POST, 'aes_key') ? $_POST['aes_key'] : ''; $duplex = x($_POST, 'duplex') ? intval($_POST['duplex']) : 0; $page = x($_POST, 'page') ? intval($_POST['page']) : 0; $version_id = x($_POST, 'dfrn_version') ? (double) $_POST['dfrn_version'] : 2.0; $forum = $page == 1 ? 1 : 0; $prv = $page == 2 ? 1 : 0; logger('dfrn_confirm: requestee contacted: ' . $node); logger('dfrn_confirm: request: POST=' . print_r($_POST, true), LOGGER_DATA); // If $aes_key is set, both of these items require unpacking from the hex transport encoding. if (x($aes_key)) { $aes_key = hex2bin($aes_key); $public_key = hex2bin($public_key); } // Find our user's account $r = q("SELECT * FROM `user` WHERE `nickname` = '%s' LIMIT 1", dbesc($node)); if (!count($r)) { $message = sprintf(t('No user record found for \'%s\' '), $node); xml_status(3, $message); // failure // NOTREACHED } $my_prvkey = $r[0]['prvkey']; $local_uid = $r[0]['uid']; if (!strstr($my_prvkey, 'PRIVATE KEY')) { $message = t('Our site encryption key is apparently messed up.'); xml_status(3, $message); } // verify everything $decrypted_source_url = ""; openssl_private_decrypt($source_url, $decrypted_source_url, $my_prvkey); if (!strlen($decrypted_source_url)) { $message = t('Empty site URL was provided or URL could not be decrypted by us.'); xml_status(3, $message); // NOTREACHED } $ret = q("SELECT * FROM `contact` WHERE `url` = '%s' AND `uid` = %d LIMIT 1", dbesc($decrypted_source_url), intval($local_uid)); if (!count($ret)) { if (strstr($decrypted_source_url, 'http:')) { $newurl = str_replace('http:', 'https:', $decrypted_source_url); } else { $newurl = str_replace('https:', 'http:', $decrypted_source_url); } $ret = q("SELECT * FROM `contact` WHERE `url` = '%s' AND `uid` = %d LIMIT 1", dbesc($newurl), intval($local_uid)); if (!count($ret)) { // this is either a bogus confirmation (?) or we deleted the original introduction. $message = t('Contact record was not found for you on our site.'); xml_status(3, $message); return; // NOTREACHED } } $relation = $ret[0]['rel']; // Decrypt all this stuff we just received $foreign_pubkey = $ret[0]['site-pubkey']; $dfrn_record = $ret[0]['id']; if (!$foreign_pubkey) { $message = sprintf(t('Site public key not available in contact record for URL %s.'), $newurl); xml_status(3, $message); } $decrypted_dfrn_id = ""; openssl_public_decrypt($dfrn_id, $decrypted_dfrn_id, $foreign_pubkey); if (strlen($aes_key)) { $decrypted_aes_key = ""; openssl_private_decrypt($aes_key, $decrypted_aes_key, $my_prvkey); $dfrn_pubkey = openssl_decrypt($public_key, 'AES-256-CBC', $decrypted_aes_key); } else { $dfrn_pubkey = $public_key; } $r = q("SELECT * FROM `contact` WHERE `dfrn-id` = '%s' LIMIT 1", dbesc($decrypted_dfrn_id)); if (count($r)) { $message = t('The ID provided by your system is a duplicate on our system. It should work if you try again.'); xml_status(1, $message); // Birthday paradox - duplicate dfrn-id // NOTREACHED } $r = q("UPDATE `contact` SET `dfrn-id` = '%s', `pubkey` = '%s' WHERE `id` = %d", dbesc($decrypted_dfrn_id), dbesc($dfrn_pubkey), intval($dfrn_record)); if (!count($r)) { $message = t('Unable to set your contact credentials on our system.'); xml_status(3, $message); } // It's possible that the other person also requested friendship. // If it is a duplex relationship, ditch the issued-id if one exists. if ($duplex) { $r = q("UPDATE `contact` SET `issued-id` = '' WHERE `id` = %d", intval($dfrn_record)); } // We're good but now we have to scrape the profile photo and send notifications. $r = q("SELECT `photo` FROM `contact` WHERE `id` = %d LIMIT 1", intval($dfrn_record)); if (count($r)) { $photo = $r[0]['photo']; } else { $photo = $a->get_baseurl() . '/images/person-175.jpg'; } require_once "include/Photo.php"; $photos = import_profile_photo($photo, $local_uid, $dfrn_record); logger('dfrn_confirm: request - photos imported'); $new_relation = CONTACT_IS_SHARING; if ($relation == CONTACT_IS_FOLLOWER || $duplex) { $new_relation = CONTACT_IS_FRIEND; } if ($relation == CONTACT_IS_FOLLOWER && $duplex) { $duplex = 0; } $r = q("UPDATE `contact` SET\n\t\t\t`photo` = '%s',\n\t\t\t`thumb` = '%s',\n\t\t\t`micro` = '%s',\n\t\t\t`rel` = %d,\n\t\t\t`name-date` = '%s',\n\t\t\t`uri-date` = '%s',\n\t\t\t`avatar-date` = '%s',\n\t\t\t`blocked` = 0,\n\t\t\t`pending` = 0,\n\t\t\t`duplex` = %d,\n\t\t\t`forum` = %d,\n\t\t\t`prv` = %d,\n\t\t\t`network` = '%s' WHERE `id` = %d\n\t\t", dbesc($photos[0]), dbesc($photos[1]), dbesc($photos[2]), intval($new_relation), dbesc(datetime_convert()), dbesc(datetime_convert()), dbesc(datetime_convert()), intval($duplex), intval($forum), intval($prv), dbesc(NETWORK_DFRN), intval($dfrn_record)); if ($r === false) { // indicates schema is messed up or total db failure $message = t('Unable to update your contact profile details on our system'); xml_status(3, $message); } // Otherwise everything seems to have worked and we are almost done. Yay! // Send an email notification logger('dfrn_confirm: request: info updated'); $r = q("SELECT `contact`.*, `user`.* FROM `contact` LEFT JOIN `user` ON `contact`.`uid` = `user`.`uid`\n\t\t\tWHERE `contact`.`id` = %d LIMIT 1", intval($dfrn_record)); if (count($r)) { $combined = $r[0]; } if (count($r) && $r[0]['notify-flags'] & NOTIFY_CONFIRM) { $mutual = $new_relation == CONTACT_IS_FRIEND; notification(array('type' => NOTIFY_CONFIRM, 'notify_flags' => $r[0]['notify-flags'], 'language' => $r[0]['language'], 'to_name' => $r[0]['username'], 'to_email' => $r[0]['email'], 'uid' => $r[0]['uid'], 'link' => $a->get_baseurl() . '/contacts/' . $dfrn_record, 'source_name' => strlen(stripslashes($r[0]['name'])) ? stripslashes($r[0]['name']) : t('[Name Withheld]'), 'source_link' => $r[0]['url'], 'source_photo' => $r[0]['photo'], 'verb' => $mutual ? ACTIVITY_FRIEND : ACTIVITY_FOLLOW, 'otype' => 'intro')); } // Send a new friend post if we are allowed to... if ($page && intval(get_pconfig($local_uid, 'system', 'post_joingroup'))) { $r = q("SELECT `hide-friends` FROM `profile` WHERE `uid` = %d AND `is-default` = 1 LIMIT 1", intval($local_uid)); if (count($r) && $r[0]['hide-friends'] == 0) { require_once 'include/items.php'; $self = q("SELECT * FROM `contact` WHERE `self` = 1 AND `uid` = %d LIMIT 1", intval($local_uid)); if (count($self)) { $arr = array(); $arr['uri'] = $arr['parent-uri'] = item_new_uri($a->get_hostname(), $local_uid); $arr['uid'] = $local_uid; $arr['contact-id'] = $self[0]['id']; $arr['wall'] = 1; $arr['type'] = 'wall'; $arr['gravity'] = 0; $arr['origin'] = 1; $arr['author-name'] = $arr['owner-name'] = $self[0]['name']; $arr['author-link'] = $arr['owner-link'] = $self[0]['url']; $arr['author-avatar'] = $arr['owner-avatar'] = $self[0]['thumb']; $A = '[url=' . $self[0]['url'] . ']' . $self[0]['name'] . '[/url]'; $APhoto = '[url=' . $self[0]['url'] . ']' . '[img]' . $self[0]['thumb'] . '[/img][/url]'; $B = '[url=' . $combined['url'] . ']' . $combined['name'] . '[/url]'; $BPhoto = '[url=' . $combined['url'] . ']' . '[img]' . $combined['thumb'] . '[/img][/url]'; $arr['verb'] = ACTIVITY_JOIN; $arr['object-type'] = ACTIVITY_OBJ_GROUP; $arr['body'] = sprintf(t('%1$s has joined %2$s'), $A, $B) . "\n\n\n" . $BPhoto; $arr['object'] = '<object><type>' . ACTIVITY_OBJ_GROUP . '</type><title>' . $combined['name'] . '</title>' . '<id>' . $combined['url'] . '/' . $combined['name'] . '</id>'; $arr['object'] .= '<link>' . xmlify('<link rel="alternate" type="text/html" href="' . $combined['url'] . '" />' . "\n"); $arr['object'] .= xmlify('<link rel="photo" type="image/jpeg" href="' . $combined['thumb'] . '" />' . "\n"); $arr['object'] .= '</link></object>' . "\n"; $arr['last-child'] = 1; $arr['allow_cid'] = $user[0]['allow_cid']; $arr['allow_gid'] = $user[0]['allow_gid']; $arr['deny_cid'] = $user[0]['deny_cid']; $arr['deny_gid'] = $user[0]['deny_gid']; $i = item_store($arr); if ($i) { proc_run('php', "include/notifier.php", "activity", "{$i}"); } } } } xml_status(0); // Success return; // NOTREACHED ////////////////////// End of this scenario /////////////////////////////////////////////// } // somebody arrived here by mistake or they are fishing. Send them to the homepage. goaway(z_root()); // NOTREACHED }
function dfrn_confirm_post(&$a) { if ($a->argc > 1) { $node = $a->argv[1]; } if (x($_POST, 'source_url')) { // We are processing an external confirmation to an introduction created by our user. $public_key = $_POST['public_key']; $dfrn_id = $_POST['dfrn_id']; $source_url = $_POST['source_url']; $aes_key = $_POST['aes_key']; $duplex = $_POST['duplex']; $version_id = $_POST['dfrn_version']; // Find our user's account $r = q("SELECT * FROM `user` WHERE `nickname` = '%s' LIMIT 1", dbesc($node)); if (!count($r)) { xml_status(3); // failure return; // NOTREACHED } $my_prvkey = $r[0]['prvkey']; $local_uid = $r[0]['uid']; // verify everything $decrypted_source_url = ""; openssl_private_decrypt($source_url, $decrypted_source_url, $my_prvkey); $ret = q("SELECT * FROM `contact` WHERE `url` = '%s' LIMIT 1", dbesc($decrypted_source_url)); if (!count($ret)) { // this is either a bogus confirmation or we deleted the original introduction. xml_status(3); return; // NOTREACHED } $relation = $ret[0]['rel']; // Decrypt all this stuff we just received $foreign_pubkey = $ret[0]['site-pubkey']; $dfrn_record = $ret[0]['id']; $decrypted_dfrn_id = ""; openssl_public_decrypt($dfrn_id, $decrypted_dfrn_id, $foreign_pubkey); if (strlen($aes_key)) { $decrypted_aes_key = ""; openssl_private_decrypt($aes_key, $decrypted_aes_key, $my_prvkey); $dfrn_pubkey = openssl_decrypt($public_key, 'AES-256-CBC', $decrypted_aes_key); } else { $dfrn_pubkey = $public_key; } $r = q("SELECT * FROM `contact` WHERE `dfrn-id` = '%s' LIMIT 1", dbesc($decrypted_dfrn_id), intval($local_uid)); if (count($r)) { xml_status(1); // Birthday paradox - duplicate dfrn-id return; // NOTREACHED } $r = q("UPDATE `contact` SET `dfrn-id` = '%s', `pubkey` = '%s' WHERE `id` = %d LIMIT 1", dbesc($decrypted_dfrn_id), dbesc($dfrn_pubkey), intval($dfrn_record)); if ($r) { // We're good but now we have to scrape the profile photo and send notifications. require_once "Photo.php"; $photo_failure = false; $r = q("SELECT `photo` FROM `contact` WHERE `id` = %d LIMIT 1", intval($dfrn_record)); if (count($r)) { $filename = basename($r[0]['photo']); $img_str = fetch_url($r[0]['photo'], true); $img = new Photo($img_str); if ($img) { $img->scaleImageSquare(175); $hash = hash('md5', uniqid(mt_rand(), true)); $r = $img->store($dfrn_record, $hash, $filename, t('Contact Photos'), 4); if ($r === false) { $photo_failure = true; } $img->scaleImage(80); $r = $img->store($dfrn_record, $hash, $filename, t('Contact Photos'), 5); if ($r === false) { $photo_failure = true; } $photo = $a->get_baseurl() . '/photo/' . $hash . '-4.jpg'; $thumb = $a->get_baseurl() . '/photo/' . $hash . '-5.jpg'; } else { $photo_failure = true; } } else { $photo_failure = true; } if ($photo_failure) { $photo = $a->get_baseurl() . '/images/default-profile.jpg'; $thumb = $a->get_baseurl() . '/images/default-profile-sm.jpg'; } $new_relation = DIRECTION_OUT; if ($relation == DIRECTION_IN || $duplex) { $new_relation = DIRECTION_BOTH; } $r = q("UPDATE `contact` SET \n\t\t\t\t`photo` = '%s',\n\t\t\t\t`thumb` = '%s',\n\t\t\t\t`rel` = %d,\n\t\t\t\t`name-date` = '%s',\n\t\t\t\t`uri-date` = '%s',\n\t\t\t\t`avatar-date` = '%s',\n\t\t\t\t`blocked` = 0,\n\t\t\t\t`pending` = 0,\n\t\t\t\t`duplex` = %d\n\t\t\t\t`network` = 'dfrn' WHERE `id` = %d LIMIT 1\n\t\t\t", dbesc($photo), dbesc($thumb), intval($newrelation), dbesc(datetime_convert()), dbesc(datetime_convert()), dbesc(datetime_convert()), intval($duplex), intval($dfrn_record)); if ($r === false) { notice(t("Unable to set contact photo info.") . EOL); } // Otherwise everything seems to have worked and we are almost done. Yay! // Send an email notification $r = q("SELECT * FROM `contact` LEFT JOIN `user` ON `user`.`uid` = 1\n\t\t\t\tWHERE `contact`.`id` = %d LIMIT 1", intval($dfrn_record)); if (count($r) && $r[0]['notify-flags'] & NOTIFY_CONFIRM) { $tpl = file_get_contents('view/intro_complete_eml.tpl'); $email_tpl = replace_macros($tpl, array('$sitename' => $a->config['sitename'], '$siteurl' => $a->get_baseurl(), '$username' => $r[0]['username'], '$email' => $r[0]['email'], '$fn' => $r[0]['name'], '$dfrn_url' => $r[0]['url'])); $res = mail($r[0]['email'], t("Introduction accepted at ") . $a->config['sitename'], $email_tpl, 'From: ' . t('Administrator') . '@' . $_SERVER[SERVER_NAME]); if (!$res) { notice(t("Email notification failed.") . EOL); } } xml_status(0); // Success return; // NOTREACHED } else { xml_status(2); // Hopefully temporary problem that can be retried. } return; // NOTREACHED ////////////////////// End of this scenario /////////////////////////////////////////////// } else { // We are processing a local confirmation initiated on this system by our user to an external introduction. $uid = get_uid(); if (!$uid) { notice(t("Permission denied.") . EOL); return; } $dfrn_id = x($_POST, 'dfrn_id') ? notags(trim($_POST['dfrn_id'])) : ""; $intro_id = intval($_POST['intro_id']); $duplex = intval($_POST['duplex']); $r = q("SELECT * FROM `contact` WHERE `issued-id` = '%s' LIMIT 1", dbesc($dfrn_id)); if (!count($r)) { notice(t('Node does not exist.') . EOL); return; } $contact_id = $r[0]['id']; $relation = $r[0]['rel']; $site_pubkey = $r[0]['site-pubkey']; $dfrn_confirm = $r[0]['confirm']; $aes_allow = $r[0]['aes_allow']; $res = openssl_pkey_new(array('digest_alg' => 'whirlpool', 'private_key_bits' => 4096, 'encrypt_key' => false)); $private_key = ''; openssl_pkey_export($res, $private_key); $pubkey = openssl_pkey_get_details($res); $public_key = $pubkey["key"]; $r = q("UPDATE `contact` SET `issued-pubkey` = '%s', `prvkey` = '%s' WHERE `id` = %d LIMIT 1", dbesc($public_key), dbesc($private_key), intval($contact_id)); $params = array(); $src_aes_key = random_string(); $result = ''; openssl_private_encrypt($dfrn_id, $result, $a->user['prvkey']); $params['dfrn_id'] = $result; $params['public_key'] = $public_key; openssl_public_encrypt($_SESSION['my_url'], $params['source_url'], $site_pubkey); if ($aes_allow && function_exists('openssl_encrypt')) { openssl_public_encrypt($src_aes_key, $params['aes_key'], $site_pubkey); $params['public_key'] = openssl_encrypt($public_key, 'AES-256-CBC', $src_aes_key); } $params['dfrn_version'] = '2.0'; if ($duplex == 1) { $params['duplex'] = 1; } $res = post_url($dfrn_confirm, $params); // uncomment the following two lines and comment the following xml/status lines // to debug the remote confirmation section (when both confirmations // and responses originate on this system) // echo $res; // $status = 0; $xml = simplexml_load_string($res); $status = (int) $xml->status; switch ($status) { case 0: notice(t("Confirmation completed successfully") . EOL); break; case 1: // birthday paradox - generate new dfrn-id and fall through. $new_dfrn_id = random_string(); $r = q("UPDATE contact SET `issued-id` = '%s' WHERE `id` = %d LIMIT 1", dbesc($new_dfrn_id), intval($contact_id)); case 2: notice(t("Temporary failure. Please wait and try again.") . EOL); break; case 3: notice(t("Introduction failed or was revoked. Cannot complete.") . EOL); break; } if (($status == 0 || $status == 3) && $intro_id) { //delete the notification $r = q("DELETE FROM `intro` WHERE `id` = %d LIMIT 1", intval($intro_id)); } if ($status != 0) { return; } require_once "Photo.php"; $photo_failure = false; $r = q("SELECT `photo` FROM `contact` WHERE `id` = %d LIMIT 1", intval($contact_id)); if (count($r)) { $filename = basename($r[0]['photo']); $img_str = fetch_url($r[0]['photo'], true); $img = new Photo($img_str); if ($img) { $img->scaleImageSquare(175); $hash = hash('md5', uniqid(mt_rand(), true)); $r = $img->store($contact_id, $hash, $filename, t('Contact Photos'), 4); if ($r === false) { $photo_failure = true; } $img->scaleImage(80); $r = $img->store($contact_id, $hash, $filename, t('Contact Photos'), 5); if ($r === false) { $photo_failure = true; } $photo = $a->get_baseurl() . '/photo/' . $hash . '-4.jpg'; $thumb = $a->get_baseurl() . '/photo/' . $hash . '-5.jpg'; } else { $photo_failure = true; } } else { $photo_failure = true; } if ($photo_failure) { $photo = $a->get_baseurl() . '/images/default-profile.jpg'; $thumb = $a->get_baseurl() . '/images/default-profile-sm.jpg'; } $new_relation = DIRECTION_IN; if ($relation == DIRECTION_OUT || $duplex) { $new_relation = DIRECTION_BOTH; } $r = q("UPDATE `contact` SET \n\t\t\t`photo` = '%s', \n\t\t\t`thumb` = '%s', \n\t\t\t`rel` = %d, \n\t\t\t`name-date` = '%s', \n\t\t\t`uri-date` = '%s', \n\t\t\t`avatar-date` = '%s', \n\t\t\t`blocked` = 0, \n\t\t\t`pending` = 0, \n\t\t\t`duplex` = %d,\n\t\t\t`network` = 'dfrn' WHERE `id` = %d LIMIT 1\n\t\t", dbesc($photo), dbesc($thumb), intval($newrelation), dbesc(datetime_convert()), dbesc(datetime_convert()), dbesc(datetime_convert()), intval($duplex), intval($contact_id)); if ($r === false) { notice(t('Unable to set contact photo.') . EOL); } goaway($a->get_baseurl() . '/contacts/' . intval($contact_id)); return; //NOTREACHED } return; }
function dfrn_notify_post(&$a) { logger(__FUNCTION__, LOGGER_TRACE); $dfrn_id = x($_POST, 'dfrn_id') ? notags(trim($_POST['dfrn_id'])) : ''; $dfrn_version = x($_POST, 'dfrn_version') ? (double) $_POST['dfrn_version'] : 2.0; $challenge = x($_POST, 'challenge') ? notags(trim($_POST['challenge'])) : ''; $data = x($_POST, 'data') ? $_POST['data'] : ''; $key = x($_POST, 'key') ? $_POST['key'] : ''; $rino_remote = x($_POST, 'rino') ? intval($_POST['rino']) : 0; $dissolve = x($_POST, 'dissolve') ? intval($_POST['dissolve']) : 0; $perm = x($_POST, 'perm') ? notags(trim($_POST['perm'])) : 'r'; $ssl_policy = x($_POST, 'ssl_policy') ? notags(trim($_POST['ssl_policy'])) : 'none'; $page = x($_POST, 'page') ? intval($_POST['page']) : 0; $forum = $page == 1 ? 1 : 0; $prv = $page == 2 ? 1 : 0; $writable = -1; if ($dfrn_version >= 2.21) { $writable = $perm === 'rw' ? 1 : 0; } $direction = -1; if (strpos($dfrn_id, ':') == 1) { $direction = intval(substr($dfrn_id, 0, 1)); $dfrn_id = substr($dfrn_id, 2); } $r = q("SELECT * FROM `challenge` WHERE `dfrn-id` = '%s' AND `challenge` = '%s' LIMIT 1", dbesc($dfrn_id), dbesc($challenge)); if (!count($r)) { logger('dfrn_notify: could not match challenge to dfrn_id ' . $dfrn_id . ' challenge=' . $challenge); xml_status(3); } $r = q("DELETE FROM `challenge` WHERE `dfrn-id` = '%s' AND `challenge` = '%s'", dbesc($dfrn_id), dbesc($challenge)); // find the local user who owns this relationship. $sql_extra = ''; switch ($direction) { case -1: $sql_extra = sprintf(" AND ( `issued-id` = '%s' OR `dfrn-id` = '%s' ) ", dbesc($dfrn_id), dbesc($dfrn_id)); break; case 0: $sql_extra = sprintf(" AND `issued-id` = '%s' AND `duplex` = 1 ", dbesc($dfrn_id)); break; case 1: $sql_extra = sprintf(" AND `dfrn-id` = '%s' AND `duplex` = 1 ", dbesc($dfrn_id)); break; default: xml_status(3); break; // NOTREACHED } // be careful - $importer will contain both the contact information for the contact // sending us the post, and also the user information for the person receiving it. // since they are mixed together, it is easy to get them confused. $r = q("SELECT\t`contact`.*, `contact`.`uid` AS `importer_uid`,\n\t\t\t\t\t`contact`.`pubkey` AS `cpubkey`,\n\t\t\t\t\t`contact`.`prvkey` AS `cprvkey`,\n\t\t\t\t\t`contact`.`thumb` AS `thumb`,\n\t\t\t\t\t`contact`.`url` as `url`,\n\t\t\t\t\t`contact`.`name` as `senderName`,\n\t\t\t\t\t`user`.*\n\t\t\tFROM `contact`\n\t\t\tLEFT JOIN `user` ON `contact`.`uid` = `user`.`uid`\n\t\t\tWHERE `contact`.`blocked` = 0 AND `contact`.`pending` = 0\n\t\t\t\tAND `user`.`nickname` = '%s' AND `user`.`account_expired` = 0 AND `user`.`account_removed` = 0 {$sql_extra} LIMIT 1", dbesc($a->argv[1])); if (!count($r)) { logger('dfrn_notify: contact not found for dfrn_id ' . $dfrn_id); xml_status(3); //NOTREACHED } // $importer in this case contains the contact record for the remote contact joined with the user record of our user. $importer = $r[0]; logger("Remote rino version: " . $rino_remote . " for " . $importer["url"], LOGGER_DEBUG); if ($writable != -1 && $writable != $importer['writable'] || $importer['forum'] != $forum || $importer['prv'] != $prv) { q("UPDATE `contact` SET `writable` = %d, forum = %d, prv = %d WHERE `id` = %d", intval($writable == -1 ? $importer['writable'] : $writable), intval($forum), intval($prv), intval($importer['id'])); if ($writable != -1) { $importer['writable'] = $writable; } $importer['forum'] = $page; } // if contact's ssl policy changed, update our links fix_contact_ssl_policy($importer, $ssl_policy); logger('dfrn_notify: received notify from ' . $importer['name'] . ' for ' . $importer['username']); logger('dfrn_notify: data: ' . $data, LOGGER_DATA); if ($dissolve == 1) { /** * Relationship is dissolved permanently */ require_once 'include/Contact.php'; contact_remove($importer['id']); logger('relationship dissolved : ' . $importer['name'] . ' dissolved ' . $importer['username']); xml_status(0); } // If we are setup as a soapbox we aren't accepting input from this person // This behaviour is deactivated since it really doesn't make sense to even disallow comments // The check if someone is a friend or simply a follower is done in a later place so it needn't to be done here //if($importer['page-flags'] == PAGE_SOAPBOX) // xml_status(0); $rino = get_config('system', 'rino_encrypt'); $rino = intval($rino); // use RINO1 if mcrypt isn't installed and RINO2 was selected if ($rino == 2 and !function_exists('mcrypt_create_iv')) { $rino = 1; } logger("Local rino version: " . $rino, LOGGER_DEBUG); if (strlen($key)) { // if local rino is lower than remote rino, abort: should not happen! // but only for $remote_rino > 1, because old code did't send rino version if ($rino_remote_version > 1 && $rino < $rino_remote) { logger("rino version '{$rino_remote}' is lower than supported '{$rino}'"); xml_status(0, "rino version '{$rino_remote}' is lower than supported '{$rino}'"); } $rawkey = hex2bin(trim($key)); logger('rino: md5 raw key: ' . md5($rawkey)); $final_key = ''; if ($dfrn_version >= 2.1) { if ($importer['duplex'] && strlen($importer['cprvkey']) || !strlen($importer['cpubkey'])) { openssl_private_decrypt($rawkey, $final_key, $importer['cprvkey']); } else { openssl_public_decrypt($rawkey, $final_key, $importer['cpubkey']); } } else { if ($importer['duplex'] && strlen($importer['cpubkey']) || !strlen($importer['cprvkey'])) { openssl_public_decrypt($rawkey, $final_key, $importer['cpubkey']); } else { openssl_private_decrypt($rawkey, $final_key, $importer['cprvkey']); } } #logger('rino: received key : ' . $final_key); switch ($rino_remote) { case 0: case 1: // we got a key. old code send only the key, without RINO version. // we assume RINO 1 if key and no RINO version $data = aes_decrypt(hex2bin($data), $final_key); break; case 2: try { $data = Crypto::decrypt(hex2bin($data), $final_key); } catch (InvalidCiphertext $ex) { // VERY IMPORTANT // Either: // 1. The ciphertext was modified by the attacker, // 2. The key is wrong, or // 3. $ciphertext is not a valid ciphertext or was corrupted. // Assume the worst. logger('The ciphertext has been tampered with!'); xml_status(0, 'The ciphertext has been tampered with!'); } catch (Ex\CryptoTestFailed $ex) { logger('Cannot safely perform dencryption'); xml_status(0, 'CryptoTestFailed'); } catch (Ex\CannotPerformOperation $ex) { logger('Cannot safely perform decryption'); xml_status(0, 'Cannot safely perform decryption'); } break; default: logger("rino: invalid sent verision '{$rino_remote}'"); xml_status(0); } logger('rino: decrypted data: ' . $data, LOGGER_DATA); } $ret = local_delivery($importer, $data); xml_status($ret); // NOTREACHED }