TheRON/core
1
0
Fork 0
mirror of https://framagit.org/hubzilla/core.git synced 2026-06-21 00:52:33 -04:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'remove-direct-access-to-app-observer' into 'dev'

Browse Source 
Don't access App::$observer directly in core

See merge request hubzilla/core!2197
This commit is contained in:
Mario
2025-05-11 18:08:16 +00:00
parent 5655807337 8141ef9511
commit e511220022
5 changed files with 81 additions and 27 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
boot.php
View File

@@ -49,6 +49,7 @@ require_once('include/text.php');
require_once('include/datetime.php'); require_once('include/datetime.php');
require_once('include/language.php'); require_once('include/language.php');
require_once('include/nav.php'); require_once('include/nav.php');
require_once('include/observer.php');
require_once('include/permissions.php'); require_once('include/permissions.php');
require_once('include/features.php'); require_once('include/features.php');
require_once('include/taxonomy.php'); require_once('include/taxonomy.php');
@@ -2150,22 +2151,6 @@ function dba_timer() {
return microtime(true); return microtime(true);
} }
/**
* @brief Returns xchan_hash from the observer.
*
* Observer can be a local or remote channel.
*
* @return string xchan_hash from observer, otherwise empty string if no observer
*/
function get_observer_hash() {
$observer = App::get_observer();
if (is_array($observer)) {
return $observer['xchan_hash'];
}
return '';
}
/** /**
* @brief Returns the complete URL of the current page, e.g.: http(s)://something.com/network * @brief Returns the complete URL of the current page, e.g.: http(s)://something.com/network
* *

68
include/observer.php Normal file
View File

@@ -0,0 +1,68 @@
<?php
/**
* Helper functions for getting info about the observer.
*
* SPDX-FileCopyrightText: 2025 The Hubzilla Community
* SPDX-FileContributor: Harald Eilertsen <haraldei@anduin.net>
*
* SPDX-License-Identifier: MIT
*
* The _observer_ in Hubzilla is the channel visiting the site in the current
* session. This could be a local channel, or a remote channel logged in via
* OpenWebAuth.
*
* If the observer is not set, or empty, this indicates an unauthenticated
* visitor, which may mean a visitor from another site that don't support, or
* has not enabled OpenWebAuth.
*/
/**
* Get the unique hash identifying the current observer.
*
* Observer can be a local or remote channel.
*
* @return string Unique hash of observer, otherwise empty string if no
* observer
*/
function get_observer_hash() {
$observer = App::get_observer();
if (is_array($observer)) {
return $observer['xchan_hash'];
}
return '';
}
/**
* Get the guid of the current observer.
*
* Observer can be a local or remote channel.
*
* @return string The GUID of the observer, otherwise empty string if no
* observer
*/
function get_observer_guid() {
$observer = App::get_observer();
if (is_array($observer)) {
return $observer['xchan_guid'];
}
return '';
}
/**
* Get the name of the current observer.
*
* Observer can be a local or remote channel.
*
* @return string The name of the observer, otherwise empty string if no
* observer
*/
function get_observer_name() {
$observer = App::get_observer();
if (is_array($observer)) {
return $observer['xchan_name'];
}
return '';
}

8
include/security.php
View File

@@ -607,7 +607,7 @@ function public_permissions_sql($observer_hash) {
function get_form_security_token($typename = '') { function get_form_security_token($typename = '') {
$timestamp = time(); $timestamp = time();
$guid = App::$observer['xchan_guid'] ?? ''; $guid = get_observer_guid();
$sec_hash = hash('whirlpool', $guid . ((local_channel()) ? App::$channel['channel_prvkey'] : '') . session_id() . $timestamp . $typename); $sec_hash = hash('whirlpool', $guid . ((local_channel()) ? App::$channel['channel_prvkey'] : '') . session_id() . $timestamp . $typename);
return $timestamp . '.' . $sec_hash; return $timestamp . '.' . $sec_hash;
@@ -623,7 +623,7 @@ function check_form_security_token($typename = '', $formname = 'form_security_to
if (time() > (IntVal($x[0]) + $max_livetime)) if (time() > (IntVal($x[0]) + $max_livetime))
return false; return false;
$sec_hash = hash('whirlpool', App::$observer['xchan_guid'] . ((local_channel()) ? App::$channel['channel_prvkey'] : '') . session_id() . $x[0] . $typename); $sec_hash = hash('whirlpool', get_observer_guid() . ((local_channel()) ? App::$channel['channel_prvkey'] : '') . session_id() . $x[0] . $typename);
return ($sec_hash == $x[1]); return ($sec_hash == $x[1]);
} }
@@ -635,7 +635,7 @@ function check_form_security_std_err_msg() {
function check_form_security_token_redirectOnErr($err_redirect, $typename = '', $formname = 'form_security_token') { function check_form_security_token_redirectOnErr($err_redirect, $typename = '', $formname = 'form_security_token') {
if (!check_form_security_token($typename, $formname)) { if (!check_form_security_token($typename, $formname)) {
logger('check_form_security_token failed: user ' . App::$observer['xchan_name'] . ' - form element ' . $typename); logger('check_form_security_token failed: user ' . get_observer_name() . ' - form element ' . $typename);
logger('check_form_security_token failed: _REQUEST data: ' . print_r($_REQUEST, true), LOGGER_DATA); logger('check_form_security_token failed: _REQUEST data: ' . print_r($_REQUEST, true), LOGGER_DATA);
notice(check_form_security_std_err_msg()); notice(check_form_security_std_err_msg());
goaway(z_root() . $err_redirect); goaway(z_root() . $err_redirect);
@@ -644,7 +644,7 @@ function check_form_security_token_redirectOnErr($err_redirect, $typename = '',
function check_form_security_token_ForbiddenOnErr($typename = '', $formname = 'form_security_token') { function check_form_security_token_ForbiddenOnErr($typename = '', $formname = 'form_security_token') {
if (!check_form_security_token($typename, $formname)) { if (!check_form_security_token($typename, $formname)) {
logger('check_form_security_token failed: user ' . App::$observer['xchan_name'] . ' - form element ' . $typename); logger('check_form_security_token failed: user ' . get_observer_name() . ' - form element ' . $typename);
logger('check_form_security_token failed: _REQUEST data: ' . print_r($_REQUEST, true), LOGGER_DATA); logger('check_form_security_token failed: _REQUEST data: ' . print_r($_REQUEST, true), LOGGER_DATA);
header('HTTP/1.1 403 Forbidden'); header('HTTP/1.1 403 Forbidden');
killme(); killme();

8
tests/unit/Module/MagicTest.php
View File

@@ -46,9 +46,9 @@ class MagicTest extends TestCase {
App::set_baseurl($baseurl); App::set_baseurl($baseurl);
App::$observer = [ App::set_observer([
'xchan_hash' => 'the hash', 'xchan_hash' => 'the hash',
]; ]);
// We pass a local URL, and have a valid observer, but as the // We pass a local URL, and have a valid observer, but as the
// delegate param is not passed, nothing will be done except // delegate param is not passed, nothing will be done except
@@ -72,9 +72,9 @@ class MagicTest extends TestCase {
App::$timezone = 'UTC'; App::$timezone = 'UTC';
// Simulate a foreign (to this hub) observer, // Simulate a foreign (to this hub) observer,
App::$observer = [ App::set_observer([
'xchan_hash' => 'foreign hash', 'xchan_hash' => 'foreign hash',
]; ]);
// Create the channel the foreign observer wants to access // Create the channel the foreign observer wants to access
$result = create_identity([ $result = create_identity([

7
tests/unit/includes/BBCodeTest.php
View File

@@ -23,6 +23,7 @@
namespace Zotlabs\Tests\Unit\includes; namespace Zotlabs\Tests\Unit\includes;
use App;
use Zotlabs\Tests\Unit\UnitTestCase; use Zotlabs\Tests\Unit\UnitTestCase;
class BBCodeTest extends UnitTestCase { class BBCodeTest extends UnitTestCase {
@@ -42,7 +43,7 @@ class BBCodeTest extends UnitTestCase {
*/ */
public function test_bbcode_observer(string $src, bool $logged_in, string $lang, string $expected): void { public function test_bbcode_observer(string $src, bool $logged_in, string $lang, string $expected): void {
if ($logged_in) { if ($logged_in) {
\App::$observer = [ App::set_observer([
'xchan_addr' => '', 'xchan_addr' => '',
'xchan_name' => '', 'xchan_name' => '',
'xchan_connurl' => '', 'xchan_connurl' => '',
@@ -50,9 +51,9 @@ class BBCodeTest extends UnitTestCase {
// port required in xchan url due to bug in get_rpost_path // port required in xchan url due to bug in get_rpost_path
'xchan_url' => 'https://example.com:666', 'xchan_url' => 'https://example.com:666',
]; ]);
} else { } else {
\App::$observer = null; App::set_observer(null);
} }
\App::$language = $lang; \App::$language = $lang;