Merge branch 'master' into configurable-privacy2

This commit is contained in:
Christian Weiske 2011-05-12 19:25:03 +02:00
commit 88d7b9631b
15 changed files with 269 additions and 31 deletions

View file

@ -469,6 +469,21 @@ $filetypes = array(
'video' => array('avi', 'mov', 'mp4', 'mpeg', 'mpg', 'wmv') 'video' => array('avi', 'mov', 'mp4', 'mpeg', 'mpg', 'wmv')
); );
/**
* Link protocols that are allowed for newly added bookmarks.
* This prevents i.e. adding javascript: links.
*
* @link http://en.wikipedia.org/wiki/URI_scheme
*
* @var array
*/
$allowedProtocols = array(
'ftp', 'ftps',
'http', 'https',
'mailto', 'nntp',
'xmpp'
);
/** /**
* Enable the "common bookmark description" functionality * Enable the "common bookmark description" functionality
* *

4
data/schema/6.sql Normal file
View file

@ -0,0 +1,4 @@
CREATE TABLE `sc_version` (
`schema_version` int(11) NOT NULL
) DEFAULT CHARSET=utf8;
INSERT INTO `sc_version` (`schema_version`) VALUES ('6');

View file

@ -183,3 +183,9 @@ CREATE TABLE `sc_votes` (
KEY `bid` (`bId`), KEY `bid` (`bId`),
KEY `uid` (`uId`) KEY `uid` (`uId`)
) CHARACTER SET utf8 COLLATE utf8_general_ci ; ) CHARACTER SET utf8 COLLATE utf8_general_ci ;
CREATE TABLE `sc_version` (
`schema_version` int(11) NOT NULL
) DEFAULT CHARSET=utf8;
INSERT INTO `sc_version` (`schema_version`) VALUES ('6');

View file

@ -7,12 +7,16 @@ ChangeLog for SemantiScuttle
- Fix bug #3187177: Wrong URL / Export XML Bookmarks - Fix bug #3187177: Wrong URL / Export XML Bookmarks
- Fix bug in getTagsForBookmarks() that fetched all tags - Fix bug in getTagsForBookmarks() that fetched all tags
- Fix bug #3097187: Using opensearch with two tags does not work in Firefox - Fix bug #3097187: Using opensearch with two tags does not work in Firefox
- Fix bug #3251877: French translation JavaScript Bug when editing bookmarks
- Implement request #3054906: Show user's full name instead of nickname - Implement request #3054906: Show user's full name instead of nickname
- Implement patch #3059829: update FR_CA translation - Implement patch #3059829: update FR_CA translation
- Show error message on mysqli connection errors - Show error message on mysqli connection errors
- Update php-gettext library to 1.0.10 - Update php-gettext library to 1.0.10
- api/posts/add respects the "replace" parameter now - api/posts/add respects the "replace" parameter now
- Fix privacy issue when fetching tags of several users - Fix privacy issue when fetching tags of several users
- Only URLs with an allowed protocol may be added to the database
- Support HTTPS connections when $root is not configured
- SQL schema version table to ease future database upgrades
0.97.2 - 2011-02-17 0.97.2 - 2011-02-17

View file

@ -2,6 +2,17 @@ Upgrading SemanticScuttle from a previous version
================================================= =================================================
From version 0.97 to 0.98
-------------------------
Database updates: Apply data/schema/6.sql or do the following:
CREATE TABLE `sc_version` (
`schema_version` int(11) NOT NULL
) DEFAULT CHARSET=utf8;
INSERT INTO `sc_version` (`schema_version`) VALUES ('6');
From version 0.96 to 0.97 From version 0.96 to 0.97
------------------------- -------------------------
No database changes necessary. No database changes necessary.

View file

@ -0,0 +1,46 @@
<?php
/**
* SemanticScuttle - your social bookmark manager.
*
* PHP version 5.
*
* @category Bookmarking
* @package SemanticScuttle
* @author Christian Weiske <cweiske@cweiske.de>
* @license GPL http://www.gnu.org/licenses/gpl.html
* @link http://sourceforge.net/projects/semanticscuttle
*/
/**
* Bookmark model class, keeping the data of a single bookmark.
* It will slowly replace the old array style format.
*
* @category Bookmarking
* @package SemanticScuttle
* @author Christian Weiske <cweiske@cweiske.de>
* @license GPL http://www.gnu.org/licenses/gpl.html
* @link http://sourceforge.net/projects/semanticscuttle
*/
class SemanticScuttle_Model_Bookmark
{
/**
* Checks if the given URL is valid and may be used with this
* SemanticScuttle installation.
*
* @param string $url URL to verify.
*
* @return boolean True if the URL is allowed, false if not
*/
public static function isValidUrl($url)
{
$scheme = parse_url($url, PHP_URL_SCHEME);
if (array_search($scheme, $GLOBALS['allowedProtocols']) === false) {
return false;
}
return true;
}
}
?>

View file

@ -435,6 +435,10 @@ class SemanticScuttle_Service_Bookmark extends SemanticScuttle_DbService
/** /**
* Adds a bookmark to the database. * Adds a bookmark to the database.
* *
* Security checks are being made here, but no error reasons will be
* returned. It is the responsibility of the code that calls
* addBookmark() to verify the data.
*
* @param string $address Full URL of the bookmark * @param string $address Full URL of the bookmark
* @param string $title Bookmark title * @param string $title Bookmark title
* @param string $description Long bookmark description * @param string $description Long bookmark description
@ -453,7 +457,8 @@ class SemanticScuttle_Service_Bookmark extends SemanticScuttle_DbService
* @param boolean $fromImport True when the bookmark is from an import. * @param boolean $fromImport True when the bookmark is from an import.
* @param integer $sId ID of user who creates the bookmark. * @param integer $sId ID of user who creates the bookmark.
* *
* @return integer Bookmark ID * @return mixed Integer bookmark ID if saving succeeded, false in
* case of an error. Error reasons are not returned.
*/ */
public function addBookmark( public function addBookmark(
$address, $title, $description, $privateNote, $status, $tags, $address, $title, $description, $privateNote, $status, $tags,
@ -466,6 +471,9 @@ class SemanticScuttle_Service_Bookmark extends SemanticScuttle_DbService
} }
$address = $this->normalize($address); $address = $this->normalize($address);
if (!SemanticScuttle_Model_Bookmark::isValidUrl($address)) {
return false;
}
/* /*
* Note that if date is NULL, then it's added with a date and * Note that if date is NULL, then it's added with a date and

View file

@ -28,6 +28,14 @@ require_once 'SemanticScuttle/Model/User.php';
*/ */
class SemanticScuttle_Service_User extends SemanticScuttle_DbService class SemanticScuttle_Service_User extends SemanticScuttle_DbService
{ {
/**
* The ID of the currently logged on user.
* NULL when not logged in.
*
* @var integer
*/
protected $currentuserId = null;
/** /**
* Currently logged on user from database * Currently logged on user from database
* *
@ -363,10 +371,17 @@ class SemanticScuttle_Service_User extends SemanticScuttle_DbService
*/ */
public function getCurrentUserId() public function getCurrentUserId()
{ {
if (isset($_SESSION[$this->getSessionKey()])) { if ($this->currentuserId !== null) {
return (int)$_SESSION[$this->getSessionKey()]; return $this->currentuserId;
}
} else if (isset($_COOKIE[$this->getCookieKey()])) { if (isset($_SESSION[$this->getSessionKey()])) {
$this->currentuserId = (int)$_SESSION[$this->getSessionKey()];
return $this->currentuserId;
}
if (isset($_COOKIE[$this->getCookieKey()])) {
$cook = explode(':', $_COOKIE[$this->getCookieKey()]); $cook = explode(':', $_COOKIE[$this->getCookieKey()]);
//cookie looks like this: 'id:md5(username+password)' //cookie looks like this: 'id:md5(username+password)'
$query = 'SELECT * FROM '. $this->getTableName() . $query = 'SELECT * FROM '. $this->getTableName() .
@ -385,10 +400,10 @@ class SemanticScuttle_Service_User extends SemanticScuttle_DbService
if ($row = $this->db->sql_fetchrow($dbresult)) { if ($row = $this->db->sql_fetchrow($dbresult)) {
$this->setCurrentUserId( $this->setCurrentUserId(
(int)$row[$this->getFieldName('primary')] (int)$row[$this->getFieldName('primary')], true
); );
$this->db->sql_freeresult($dbresult); $this->db->sql_freeresult($dbresult);
return (int)$_SESSION[$this->getSessionKey()]; return $this->currentuserId;
} }
} }
return false; return false;
@ -402,16 +417,23 @@ class SemanticScuttle_Service_User extends SemanticScuttle_DbService
* @internal * @internal
* No ID verification is being done. * No ID verification is being done.
* *
* @param integer $user User ID or null to unset the user * @param integer $user User ID or null to unset the user
* @param boolean $storeInSession Store the user ID in the session
* *
* @return void * @return void
*/ */
public function setCurrentUserId($user) public function setCurrentUserId($user, $storeInSession = false)
{ {
if ($user === null) { if ($user === null) {
unset($_SESSION[$this->getSessionKey()]); $this->currentuserId = null;
if ($storeInSession) {
unset($_SESSION[$this->getSessionKey()]);
}
} else { } else {
$_SESSION[$this->getSessionKey()] = (int)$user; $this->currentuserId = (int)$user;
if ($storeInSession) {
$_SESSION[$this->getSessionKey()] = $this->currentuserId;
}
} }
//reload user object //reload user object
$this->getCurrentUser(true); $this->getCurrentUser(true);
@ -449,10 +471,9 @@ class SemanticScuttle_Service_User extends SemanticScuttle_DbService
$this->db->sql_freeresult($dbresult); $this->db->sql_freeresult($dbresult);
if ($row) { if ($row) {
$id = $_SESSION[$this->getSessionKey()] $this->setCurrentUserId($row[$this->getFieldName('primary')], true);
= $row[$this->getFieldName('primary')];
if ($remember) { if ($remember) {
$cookie = $id .':'. md5($username.$password); $cookie = $this->currentuserId . ':' . md5($username.$password);
setcookie( setcookie(
$this->cookiekey, $cookie, $this->cookiekey, $cookie,
time() + $this->cookietime, '/' time() + $this->cookietime, '/'
@ -464,7 +485,13 @@ class SemanticScuttle_Service_User extends SemanticScuttle_DbService
} }
} }
function logout() { /**
* Logs the user off
*
* @return void
*/
public function logout()
{
@setcookie($this->getCookiekey(), '', time() - 1, '/'); @setcookie($this->getCookiekey(), '', time() - 1, '/');
unset($_COOKIE[$this->getCookiekey()]); unset($_COOKIE[$this->getCookiekey()]);
session_unset(); session_unset();
@ -492,10 +519,18 @@ class SemanticScuttle_Service_User extends SemanticScuttle_DbService
return $arrWatch; return $arrWatch;
} }
function getWatchNames($uId, $watchedby = false) {
// Gets the list of user names being watched by the given user. /**
// - If $watchedby is false get the list of users that $uId watches * Gets the list of user names being watched by the given user.
// - If $watchedby is true get the list of users that watch $uId *
* @param integer $uId User ID
* @param boolean $watchedby if false: get the list of users that $uId watches
* if true: get the list of users that watch $uId
*
* @return array Array of user names
*/
public function getWatchNames($uId, $watchedby = false)
{
if ($watchedby) { if ($watchedby) {
$table1 = 'b'; $table1 = 'b';
$table2 = 'a'; $table2 = 'a';
@ -503,10 +538,22 @@ class SemanticScuttle_Service_User extends SemanticScuttle_DbService
$table1 = 'a'; $table1 = 'a';
$table2 = 'b'; $table2 = 'b';
} }
$query = 'SELECT '. $table1 .'.'. $this->getFieldName('username') .' FROM '. $GLOBALS['tableprefix'] .'watched AS W, '. $this->getTableName() .' AS a, '. $this->getTableName() .' AS b WHERE W.watched = a.'. $this->getFieldName('primary') .' AND W.uId = b.'. $this->getFieldName('primary') .' AND '. $table2 .'.'. $this->getFieldName('primary') .' = '. intval($uId) .' ORDER BY '. $table1 .'.'. $this->getFieldName('username'); $primary = $this->getFieldName('primary');
$userfield = $this->getFieldName('username');
$query = 'SELECT '. $table1 .'.'. $userfield
. ' FROM '. $GLOBALS['tableprefix'] . 'watched AS W,'
. ' ' . $this->getTableName() .' AS a,'
. ' ' . $this->getTableName() .' AS b'
. ' WHERE W.watched = a.' . $primary
. ' AND W.uId = b.' . $primary
. ' AND ' . $table2 . '.' . $primary . ' = '. intval($uId)
. ' ORDER BY '. $table1 . '.' . $userfield;
if (!($dbresult =& $this->db->sql_query($query))) { if (!($dbresult = $this->db->sql_query($query))) {
message_die(GENERAL_ERROR, 'Could not get watchlist', '', __LINE__, __FILE__, $query, $this->db); message_die(
GENERAL_ERROR, 'Could not get watchlist',
'', __LINE__, __FILE__, $query, $this->db
);
return false; return false;
} }
@ -515,13 +562,14 @@ class SemanticScuttle_Service_User extends SemanticScuttle_DbService
$this->db->sql_freeresult($dbresult); $this->db->sql_freeresult($dbresult);
return $arrWatch; return $arrWatch;
} }
while ($row =& $this->db->sql_fetchrow($dbresult)) { while ($row = $this->db->sql_fetchrow($dbresult)) {
$arrWatch[] = $row[$this->getFieldName('username')]; $arrWatch[] = $row[$this->getFieldName('username')];
} }
$this->db->sql_freeresult($dbresult); $this->db->sql_freeresult($dbresult);
return $arrWatch; return $arrWatch;
} }
function getWatchStatus($watcheduser, $currentuser) { function getWatchStatus($watcheduser, $currentuser) {
// Returns true if the current user is watching the given user, and false otherwise. // Returns true if the current user is watching the given user, and false otherwise.
$query = 'SELECT watched FROM '. $GLOBALS['tableprefix'] .'watched AS W INNER JOIN '. $this->getTableName() .' AS U ON U.'. $this->getFieldName('primary') .' = W.watched WHERE U.'. $this->getFieldName('primary') .' = '. intval($watcheduser) .' AND W.uId = '. intval($currentuser); $query = 'SELECT watched FROM '. $GLOBALS['tableprefix'] .'watched AS W INNER JOIN '. $this->getTableName() .' AS U ON U.'. $this->getFieldName('primary') .' = W.watched WHERE U.'. $this->getFieldName('primary') .' = '. intval($watcheduser) .' AND W.uId = '. intval($currentuser);

View file

@ -41,7 +41,10 @@ if (!isset($GLOBALS['root'])) {
$rootTmp .= '/'; $rootTmp .= '/';
} }
define('ROOT', 'http://'. $_SERVER['HTTP_HOST'] . $rootTmp); //we do not prepend http since we also want to support https connections
// "http" is not required; it's automatically determined by the browser
// depending on the current connection.
define('ROOT', '//'. $_SERVER['HTTP_HOST'] . $rootTmp);
} else { } else {
define('ROOT', $GLOBALS['root']); define('ROOT', $GLOBALS['root']);
} }

View file

@ -82,6 +82,7 @@ require_once 'SemanticScuttle/Service.php';
require_once 'SemanticScuttle/DbService.php'; require_once 'SemanticScuttle/DbService.php';
require_once 'SemanticScuttle/Service/Factory.php'; require_once 'SemanticScuttle/Service/Factory.php';
require_once 'SemanticScuttle/functions.php'; require_once 'SemanticScuttle/functions.php';
require_once 'SemanticScuttle/Model/Bookmark.php';
require_once 'SemanticScuttle/Model/UserArray.php'; require_once 'SemanticScuttle/Model/UserArray.php';
if (count($GLOBALS['serviceoverrides']) > 0 if (count($GLOBALS['serviceoverrides']) > 0

View file

@ -27,7 +27,7 @@ class Api_OpenSearchTest extends TestBaseApi
1, count($arElements), 1, count($arElements),
'OpenSearch link in HTML is missing' 'OpenSearch link in HTML is missing'
); );
$searchDescUrl = (string)$arElements[0]['href']; $searchDescUrl = $this->completeUrl((string)$arElements[0]['href']);
$this->assertNotNull($searchDescUrl, 'Search description URL is empty'); $this->assertNotNull($searchDescUrl, 'Search description URL is empty');
$req = new HTTP_Request2($searchDescUrl); $req = new HTTP_Request2($searchDescUrl);

View file

@ -50,8 +50,6 @@ class BookmarkTest extends TestBase
/** /**
* Tests if adding a bookmark with short url name * Tests if adding a bookmark with short url name
* saves it in the database. * saves it in the database.
*
* @return void
*/ */
public function testAddBookmarkShort() public function testAddBookmarkShort()
{ {
@ -65,7 +63,16 @@ class BookmarkTest extends TestBase
$this->assertEquals('myShortName', $bm['bShort']); $this->assertEquals('myShortName', $bm['bShort']);
} }
public function testHardCharactersInBookmarks() public function testAddBookmarkInvalidUrl()
{
$retval = $this->bs->addBookmark(
'javascript:alert(123)', 'title', 'desc', 'priv',
0, array()
);
$this->assertFalse($retval, 'Bookmark with invalid URL was accepted');
}
public function testAddBookmarkWithSpecialCharacters()
{ {
$bs = $this->bs; $bs = $this->bs;
$title = "title&é\"'(-è_çà)="; $title = "title&é\"'(-è_çà)=";
@ -95,7 +102,7 @@ class BookmarkTest extends TestBase
); );
} }
public function testUnificationOfBookmarks() public function testAddBookmarkUnification()
{ {
$bs = $this->bs; $bs = $this->bs;

View file

@ -0,0 +1,65 @@
<?php
/**
* SemanticScuttle - your social bookmark manager.
*
* PHP version 5.
*
* @category Bookmarking
* @package SemanticScuttle
* @author Christian Weiske <cweiske@cweiske.de>
* @license GPL http://www.gnu.org/licenses/gpl.html
* @link http://sourceforge.net/projects/semanticscuttle
*/
/**
* Unit tests for the SemanticScuttle Bookmark model
*
* @category Bookmarking
* @package SemanticScuttle
* @author Christian Weiske <cweiske@cweiske.de>
* @license GPL http://www.gnu.org/licenses/gpl.html
* @link http://sourceforge.net/projects/semanticscuttle
*/
class Model_BookmarkTest extends TestBase
{
public function testIsValidUrlValid()
{
$this->assertTrue(
SemanticScuttle_Model_Bookmark::isValidUrl(
'http://example.org/foo/bar?baz=foorina'
)
);
$this->assertTrue(
SemanticScuttle_Model_Bookmark::isValidUrl(
'https://example.org/'
)
);
$this->assertTrue(
SemanticScuttle_Model_Bookmark::isValidUrl(
'ftp://user:pass@example.org/'
)
);
$this->assertTrue(
SemanticScuttle_Model_Bookmark::isValidUrl(
'mailto:cweiske@example.org'
)
);
}
public function testIsValidUrlInvalid()
{
$this->assertFalse(
SemanticScuttle_Model_Bookmark::isValidUrl(
'javascript:alert("foo")'
)
);
$this->assertFalse(
SemanticScuttle_Model_Bookmark::isValidUrl(
'foo://example.org/foo/bar'
)
);
}
}
?>

View file

@ -85,6 +85,23 @@ class TestBaseApi extends TestBase
} }
/**
* Completes an URL that's missing the protocol.
* Useful when re-using URLs extracted from HTML
*
* @param string $url Potentially partial URL
*
* @return string Full URL
*/
protected function completeUrl($url)
{
if (substr($url, 0, 2) == '//') {
$url = 'http:' . $url;
}
return $url;
}
/** /**
* Creates a user and a HTTP GET request object and prepares * Creates a user and a HTTP GET request object and prepares

View file

@ -135,8 +135,11 @@ if ($userservice->isLoggedOn() && POST_SUBMITTED != '') {
$templatename = 'editbookmark.tpl'; $templatename = 'editbookmark.tpl';
} else { } else {
$address = trim(POST_ADDRESS); $address = trim(POST_ADDRESS);
// If the bookmark exists already, edit the original if (!SemanticScuttle_Model_Bookmark::isValidUrl($address)) {
if ($bookmarkservice->bookmarkExists($address, $currentUserID)) { $tplVars['error'] = T_('This bookmark URL may not be added');
$templatename = 'editbookmark.tpl';
} else if ($bookmarkservice->bookmarkExists($address, $currentUserID)) {
// If the bookmark exists already, edit the original
$bookmark = $bookmarkservice->getBookmarkByAddress($address); $bookmark = $bookmarkservice->getBookmarkByAddress($address);
header('Location: '. createURL('edit', $bookmark['bId'])); header('Location: '. createURL('edit', $bookmark['bId']));
exit(); exit();