From 2077464d464e485a978166604faf158b654fb0cb Mon Sep 17 00:00:00 2001 From: Christian Weiske Date: Tue, 3 May 2011 09:14:32 +0200 Subject: begin bookmark model class with URL validation method --- src/SemanticScuttle/Model/Bookmark.php | 38 ++++++++++++++++++++++++++++++++++ src/SemanticScuttle/header.php | 1 + 2 files changed, 39 insertions(+) create mode 100644 src/SemanticScuttle/Model/Bookmark.php (limited to 'src') diff --git a/src/SemanticScuttle/Model/Bookmark.php b/src/SemanticScuttle/Model/Bookmark.php new file mode 100644 index 0000000..2cbe38d --- /dev/null +++ b/src/SemanticScuttle/Model/Bookmark.php @@ -0,0 +1,38 @@ + + * @license GPL http://www.gnu.org/licenses/gpl.html + * @link http://sourceforge.net/projects/semanticscuttle + */ + +/** + * Bookmark model class, keeping the data of a single bookmark. + * It will slowly replace the old array style format. + * + * @category Bookmarking + * @package SemanticScuttle + * @author Christian Weiske + * @license GPL http://www.gnu.org/licenses/gpl.html + * @link http://sourceforge.net/projects/semanticscuttle + */ +class SemanticScuttle_Model_Bookmark +{ + public static function isValidUrl($url) + { + $scheme = parse_url($url, PHP_URL_SCHEME); + if (array_search($scheme, $GLOBALS['allowedProtocols']) === false) { + return false; + } + return true; + } + +} + + +?> \ No newline at end of file diff --git a/src/SemanticScuttle/header.php b/src/SemanticScuttle/header.php index 75e5204..d812124 100644 --- a/src/SemanticScuttle/header.php +++ b/src/SemanticScuttle/header.php @@ -82,6 +82,7 @@ require_once 'SemanticScuttle/Service.php'; require_once 'SemanticScuttle/DbService.php'; require_once 'SemanticScuttle/Service/Factory.php'; require_once 'SemanticScuttle/functions.php'; +require_once 'SemanticScuttle/Model/Bookmark.php'; require_once 'SemanticScuttle/Model/UserArray.php'; if (count($GLOBALS['serviceoverrides']) > 0 -- cgit v1.2.3 From 218ac05e712a85572afd0ed76ff969bcbe6c4b09 Mon Sep 17 00:00:00 2001 From: Christian Weiske Date: Tue, 3 May 2011 09:19:08 +0200 Subject: docblock for isValidUrl method --- src/SemanticScuttle/Model/Bookmark.php | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'src') diff --git a/src/SemanticScuttle/Model/Bookmark.php b/src/SemanticScuttle/Model/Bookmark.php index 2cbe38d..8bda0b3 100644 --- a/src/SemanticScuttle/Model/Bookmark.php +++ b/src/SemanticScuttle/Model/Bookmark.php @@ -23,6 +23,14 @@ */ class SemanticScuttle_Model_Bookmark { + /** + * Checks if the given URL is valid and may be used with this + * SemanticScuttle installation. + * + * @param string $url URL to verify. + * + * @return boolean True if the URL is allowed, false if not + */ public static function isValidUrl($url) { $scheme = parse_url($url, PHP_URL_SCHEME); -- cgit v1.2.3 From fb11021ed7eadf7443755e936cbad34fbfec7d4c Mon Sep 17 00:00:00 2001 From: Christian Weiske Date: Tue, 3 May 2011 19:10:12 +0200 Subject: do not add bookmarks with an invalid URL --- src/SemanticScuttle/Service/Bookmark.php | 10 +++++++++- tests/BookmarkTest.php | 11 ++++++++++- 2 files changed, 19 insertions(+), 2 deletions(-) (limited to 'src') diff --git a/src/SemanticScuttle/Service/Bookmark.php b/src/SemanticScuttle/Service/Bookmark.php index a30ad5f..919ca7a 100644 --- a/src/SemanticScuttle/Service/Bookmark.php +++ b/src/SemanticScuttle/Service/Bookmark.php @@ -435,6 +435,10 @@ class SemanticScuttle_Service_Bookmark extends SemanticScuttle_DbService /** * Adds a bookmark to the database. * + * Security checks are being made here, but no error reasons will be + * returned. It is the responsibility of the code that calls + * addBookmark() to verify the data. + * * @param string $address Full URL of the bookmark * @param string $title Bookmark title * @param string $description Long bookmark description @@ -453,7 +457,8 @@ class SemanticScuttle_Service_Bookmark extends SemanticScuttle_DbService * @param boolean $fromImport True when the bookmark is from an import. * @param integer $sId ID of user who creates the bookmark. * - * @return integer Bookmark ID + * @return mixed Integer bookmark ID if saving succeeded, false in + * case of an error. Error reasons are not returned. */ public function addBookmark( $address, $title, $description, $privateNote, $status, $tags, @@ -466,6 +471,9 @@ class SemanticScuttle_Service_Bookmark extends SemanticScuttle_DbService } $address = $this->normalize($address); + if (!SemanticScuttle_Model_Bookmark::isValidUrl($address)) { + return false; + } /* * Note that if date is NULL, then it's added with a date and diff --git a/tests/BookmarkTest.php b/tests/BookmarkTest.php index e7ce488..7533f3a 100644 --- a/tests/BookmarkTest.php +++ b/tests/BookmarkTest.php @@ -65,7 +65,16 @@ class BookmarkTest extends TestBase $this->assertEquals('myShortName', $bm['bShort']); } - public function testHardCharactersInBookmarks() + public function testAddBookmarkInvalidUrl() + { + $retval = $this->bs->addBookmark( + 'javascript:alert(123)', 'title', 'desc', 'priv', + 0, array() + ); + $this->assertFalse($retval, 'Bookmark with invalid URL was accepted'); + } + + public function testAddBookmarkWithSpecialCharacters() { $bs = $this->bs; $title = "title&é\"'(-è_çà)="; -- cgit v1.2.3 From 69e58d8632198cf3eb39317d9382007731a10141 Mon Sep 17 00:00:00 2001 From: Christian Weiske Date: Wed, 4 May 2011 07:24:52 +0200 Subject: Support HTTPS connections when $root is not configured --- doc/ChangeLog | 1 + src/SemanticScuttle/constants.php | 5 ++++- 2 files changed, 5 insertions(+), 1 deletion(-) (limited to 'src') diff --git a/doc/ChangeLog b/doc/ChangeLog index dacee5a..d9b6f57 100644 --- a/doc/ChangeLog +++ b/doc/ChangeLog @@ -15,6 +15,7 @@ ChangeLog for SemantiScuttle - api/posts/add respects the "replace" parameter now - Fix privacy issue when fetching tags of several users - Only URLs with an allowed protocol may be added to the database +- Support HTTPS connections when $root is not configured 0.97.2 - 2011-02-17 diff --git a/src/SemanticScuttle/constants.php b/src/SemanticScuttle/constants.php index b023840..f8567d9 100644 --- a/src/SemanticScuttle/constants.php +++ b/src/SemanticScuttle/constants.php @@ -41,7 +41,10 @@ if (!isset($GLOBALS['root'])) { $rootTmp .= '/'; } - define('ROOT', 'http://'. $_SERVER['HTTP_HOST'] . $rootTmp); + //we do not prepend http since we also want to support https connections + // "http" is not required; it's automatically determined by the browser + // depending on the current connection. + define('ROOT', '//'. $_SERVER['HTTP_HOST'] . $rootTmp); } else { define('ROOT', $GLOBALS['root']); } -- cgit v1.2.3 From f647c4847783101edd32d48eeec3131fe2e48bd8 Mon Sep 17 00:00:00 2001 From: Christian Weiske Date: Thu, 12 May 2011 09:22:04 +0200 Subject: reformat userservice::getWatchNames --- src/SemanticScuttle/Service/User.php | 37 ++++++++++++++++++++++++++++-------- 1 file changed, 29 insertions(+), 8 deletions(-) (limited to 'src') diff --git a/src/SemanticScuttle/Service/User.php b/src/SemanticScuttle/Service/User.php index 9ef8430..e8ee723 100644 --- a/src/SemanticScuttle/Service/User.php +++ b/src/SemanticScuttle/Service/User.php @@ -492,10 +492,18 @@ class SemanticScuttle_Service_User extends SemanticScuttle_DbService return $arrWatch; } - function getWatchNames($uId, $watchedby = false) { - // Gets the list of user names being watched by the given user. - // - If $watchedby is false get the list of users that $uId watches - // - If $watchedby is true get the list of users that watch $uId + + /** + * Gets the list of user names being watched by the given user. + * + * @param integer $uId User ID + * @param boolean $watchedby if false: get the list of users that $uId watches + * if true: get the list of users that watch $uId + * + * @return array Array of user names + */ + public function getWatchNames($uId, $watchedby = false) + { if ($watchedby) { $table1 = 'b'; $table2 = 'a'; @@ -503,10 +511,22 @@ class SemanticScuttle_Service_User extends SemanticScuttle_DbService $table1 = 'a'; $table2 = 'b'; } - $query = 'SELECT '. $table1 .'.'. $this->getFieldName('username') .' FROM '. $GLOBALS['tableprefix'] .'watched AS W, '. $this->getTableName() .' AS a, '. $this->getTableName() .' AS b WHERE W.watched = a.'. $this->getFieldName('primary') .' AND W.uId = b.'. $this->getFieldName('primary') .' AND '. $table2 .'.'. $this->getFieldName('primary') .' = '. intval($uId) .' ORDER BY '. $table1 .'.'. $this->getFieldName('username'); + $primary = $this->getFieldName('primary'); + $userfield = $this->getFieldName('username'); + $query = 'SELECT '. $table1 .'.'. $userfield + . ' FROM '. $GLOBALS['tableprefix'] . 'watched AS W,' + . ' ' . $this->getTableName() .' AS a,' + . ' ' . $this->getTableName() .' AS b' + . ' WHERE W.watched = a.' . $primary + . ' AND W.uId = b.' . $primary + . ' AND ' . $table2 . '.' . $primary . ' = '. intval($uId) + . ' ORDER BY '. $table1 . '.' . $userfield; - if (!($dbresult =& $this->db->sql_query($query))) { - message_die(GENERAL_ERROR, 'Could not get watchlist', '', __LINE__, __FILE__, $query, $this->db); + if (!($dbresult = $this->db->sql_query($query))) { + message_die( + GENERAL_ERROR, 'Could not get watchlist', + '', __LINE__, __FILE__, $query, $this->db + ); return false; } @@ -515,13 +535,14 @@ class SemanticScuttle_Service_User extends SemanticScuttle_DbService $this->db->sql_freeresult($dbresult); return $arrWatch; } - while ($row =& $this->db->sql_fetchrow($dbresult)) { + while ($row = $this->db->sql_fetchrow($dbresult)) { $arrWatch[] = $row[$this->getFieldName('username')]; } $this->db->sql_freeresult($dbresult); return $arrWatch; } + function getWatchStatus($watcheduser, $currentuser) { // Returns true if the current user is watching the given user, and false otherwise. $query = 'SELECT watched FROM '. $GLOBALS['tableprefix'] .'watched AS W INNER JOIN '. $this->getTableName() .' AS U ON U.'. $this->getFieldName('primary') .' = W.watched WHERE U.'. $this->getFieldName('primary') .' = '. intval($watcheduser) .' AND W.uId = '. intval($currentuser); -- cgit v1.2.3 From b57c8d4581b05cd70a363cacd37f9ffc7da785d8 Mon Sep 17 00:00:00 2001 From: Christian Weiske Date: Thu, 12 May 2011 19:23:53 +0200 Subject: do not automatically store user id in session --- src/SemanticScuttle/Service/User.php | 51 +++++++++++++++++++++++++++--------- 1 file changed, 39 insertions(+), 12 deletions(-) (limited to 'src') diff --git a/src/SemanticScuttle/Service/User.php b/src/SemanticScuttle/Service/User.php index e8ee723..072ce85 100644 --- a/src/SemanticScuttle/Service/User.php +++ b/src/SemanticScuttle/Service/User.php @@ -28,6 +28,14 @@ require_once 'SemanticScuttle/Model/User.php'; */ class SemanticScuttle_Service_User extends SemanticScuttle_DbService { + /** + * The ID of the currently logged on user. + * NULL when not logged in. + * + * @var integer + */ + protected $currentuserId = null; + /** * Currently logged on user from database * @@ -363,10 +371,17 @@ class SemanticScuttle_Service_User extends SemanticScuttle_DbService */ public function getCurrentUserId() { + if ($this->currentuserId !== null) { + return $this->currentuserId; + } + if (isset($_SESSION[$this->getSessionKey()])) { - return (int)$_SESSION[$this->getSessionKey()]; + $this->currentuserId = (int)$_SESSION[$this->getSessionKey()]; + return $this->currentuserId; + + } - } else if (isset($_COOKIE[$this->getCookieKey()])) { + if (isset($_COOKIE[$this->getCookieKey()])) { $cook = explode(':', $_COOKIE[$this->getCookieKey()]); //cookie looks like this: 'id:md5(username+password)' $query = 'SELECT * FROM '. $this->getTableName() . @@ -385,10 +400,10 @@ class SemanticScuttle_Service_User extends SemanticScuttle_DbService if ($row = $this->db->sql_fetchrow($dbresult)) { $this->setCurrentUserId( - (int)$row[$this->getFieldName('primary')] + (int)$row[$this->getFieldName('primary')], true ); $this->db->sql_freeresult($dbresult); - return (int)$_SESSION[$this->getSessionKey()]; + return $this->currentuserId; } } return false; @@ -402,16 +417,23 @@ class SemanticScuttle_Service_User extends SemanticScuttle_DbService * @internal * No ID verification is being done. * - * @param integer $user User ID or null to unset the user + * @param integer $user User ID or null to unset the user + * @param boolean $storeInSession Store the user ID in the session * * @return void */ - public function setCurrentUserId($user) + public function setCurrentUserId($user, $storeInSession = false) { if ($user === null) { - unset($_SESSION[$this->getSessionKey()]); + $this->currentuserId = null; + if ($storeInSession) { + unset($_SESSION[$this->getSessionKey()]); + } } else { - $_SESSION[$this->getSessionKey()] = (int)$user; + $this->currentuserId = (int)$user; + if ($storeInSession) { + $_SESSION[$this->getSessionKey()] = $this->currentuserId; + } } //reload user object $this->getCurrentUser(true); @@ -449,10 +471,9 @@ class SemanticScuttle_Service_User extends SemanticScuttle_DbService $this->db->sql_freeresult($dbresult); if ($row) { - $id = $_SESSION[$this->getSessionKey()] - = $row[$this->getFieldName('primary')]; + $this->setCurrentUserId($row[$this->getFieldName('primary')], true); if ($remember) { - $cookie = $id .':'. md5($username.$password); + $cookie = $this->currentuserId . ':' . md5($username.$password); setcookie( $this->cookiekey, $cookie, time() + $this->cookietime, '/' @@ -464,7 +485,13 @@ class SemanticScuttle_Service_User extends SemanticScuttle_DbService } } - function logout() { + /** + * Logs the user off + * + * @return void + */ + public function logout() + { @setcookie($this->getCookiekey(), '', time() - 1, '/'); unset($_COOKIE[$this->getCookiekey()]); session_unset(); -- cgit v1.2.3