version 5.4.3

(cherry picked from commit 5dfe4ef6f8)

CHANGELOG

@@ -1,3 +1,13 @@
+Hubzilla 5.4.3 (2021-04-20)
+	- Fix regression in mod notifications (only the last was visible)
+	- Set Permissions-Policy: interest-cohort=() header by default
+	- Fix xchans containing a % breaking get_forum_channels()
+	- Fix webfinger if using a reverse proxy
+	- Fix regression finding bookmarks
+	- Fix zot6 hublocs import on channel import
+	- Fix revision not checked in import_items()
+
+
 Hubzilla 5.4.2 (2021-03-15)
 	- Fix translation plural variable
 	- Fix issue with following/unfollowing a thread

Zotlabs/Module/Import.php

@@ -209,12 +209,6 @@ class Import extends \Zotlabs\Web\Controller {
 
 		logger('import step 3');
 
-		if(is_array($data['hubloc'])) {
-			import_hublocs($channel,$data['hubloc'],$seize,$moving);
-		}
-
-		logger('import step 4');
-
 		// create new hubloc for the new channel at this site
 
 		if(array_key_exists('channel',$data)) {
@@ -277,7 +271,7 @@ class Import extends \Zotlabs\Web\Controller {
 
 		}
 
-		logger('import step 5');
+		logger('import step 4');
 
 
 		// import xchans and contact photos
@@ -335,7 +329,7 @@ class Import extends \Zotlabs\Web\Controller {
 
 		}
 
-		logger('import step 6');
+		logger('import step 5');
 
 		// import xchans
 		$xchans = $data['xchan'];
@@ -404,7 +398,14 @@ class Import extends \Zotlabs\Web\Controller {
 				}
 			}
 
-			logger('import step 7');
+			logger('import step 6');
+		}
+
+		logger('import step 7');
+
+		// this must happen after xchans got imported!
+		if(is_array($data['hubloc'])) {
+			import_hublocs($channel,$data['hubloc'],$seize,$moving);
 		}
 
 		$friends = 0;

Zotlabs/Module/Notifications.php

@@ -6,15 +6,17 @@ require_once('include/bbcode.php');
 class Notifications extends \Zotlabs\Web\Controller {
 
 	function get() {
-	
+
 		if(! local_channel()) {
 			notice( t('Permission denied.') . EOL);
 			return;
 		}
-	
+
 		nav_set_selected('Notifications');
-	
+
 		$o = '';
+		$notif_content = '';
+		$notifications_available = false;
 
 		$r = q("select count(*) as total from notify where uid = %d and seen = 0",
 			intval(local_channel())
@@ -24,7 +26,8 @@ class Notifications extends \Zotlabs\Web\Controller {
 				and seen = 0 order by created desc limit 50",
 				intval(local_channel())
 			);
-		} else {
+		}
+		else {
 			$r1 = q("select * from notify where uid = %d
 				and seen = 0 order by created desc limit 50",
 				intval(local_channel())
@@ -36,12 +39,12 @@ class Notifications extends \Zotlabs\Web\Controller {
 			);
 			$r = array_merge($r1,$r2);
 		}
-			
+
 		if($r) {
-			$notifications_available = 1;
+			$notifications_available = true;
 			foreach ($r as $rr) {
 				$x = strip_tags(bbcode($rr['msg']));
-				$notif_content = replace_macros(get_markup_template('notify.tpl'),array(
+				$notif_content .= replace_macros(get_markup_template('notify.tpl'),array(
 					'$item_link' => z_root().'/notify/view/'. $rr['id'],
 					'$item_image' => $rr['photo'],
 					'$item_text' => $x,
@@ -54,15 +57,15 @@ class Notifications extends \Zotlabs\Web\Controller {
 		else {
 			$notif_content = t('No more system notifications.');
 		}
-			
+
 		$o .= replace_macros(get_markup_template('notifications.tpl'),array(
 			'$notif_header' => t('System Notifications'),
 			'$notif_link_mark_seen' => t('Mark all seen'),
 			'$notif_content' => $notif_content,
 			'$notifications_available' => $notifications_available,
 		));
-	
+
 		return $o;
 	}
-	
+
 }

Zotlabs/Module/Wfinger.php

@@ -20,6 +20,8 @@ class Wfinger extends \Zotlabs\Web\Controller {
 			$scheme = 'https';
 		elseif(x($_SERVER,'SERVER_PORT') && (intval($_SERVER['SERVER_PORT']) == 443))
 			$scheme = 'https';
+		elseif(x($_SERVER,'HTTP_X_FORWARDED_PROTO') && ($_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https'))
+			$scheme = 'https';			
 
 		$zot = intval($_REQUEST['zot']);
 

boot.php

@@ -52,7 +52,7 @@ require_once('include/attach.php');
 require_once('include/bbcode.php');
 
 define ( 'PLATFORM_NAME',           'hubzilla' );
-define ( 'STD_VERSION',             '5.4.2' );
+define ( 'STD_VERSION',             '5.4.3' );
 define ( 'ZOT_REVISION',            '6.0' );
 
 define ( 'DB_UPDATE_VERSION',       1243 );
@@ -2460,6 +2460,14 @@ function construct_page() {
 		header("X-Content-Type-Options: nosniff");
 	}
 
+	if (isset(App::$config['system']['perm_policy_header']) && App::$config['system']['perm_policy_header']) {
+		header("Permissions-Policy: " . App::$config['system']['perm_policy_header']);
+	}
+	else {
+		// opt-out this site from federated browser surveillance
+		header("Permissions-Policy: interest-cohort=()");
+	}
+
 	if(isset(App::$config['system']['public_key_pins'])) {
 		header("Public-Key-Pins: " . App::$config['system']['public_key_pins']);
 	}

include/channel.php

@@ -922,7 +922,7 @@ function identity_basic_export($channel_id, $sections = null, $zap_compat = fals
 			$ret['photo'] = [
 				'type' => $r[0]['mimetype'],
 				'data' => (($r[0]['os_storage'])
-					? base64url_encode(file_get_contents($r[0]['content'])) : base64url_encode(dbunescbin($r[0]['content'])))
+					? base64url_encode(file_get_contents(dbunescbin($r[0]['content']))) : base64url_encode(dbunescbin($r[0]['content'])))
 			];
 		}
 	}
@@ -991,11 +991,11 @@ function identity_basic_export($channel_id, $sections = null, $zap_compat = fals
 		}
 
 		if($xchans) {
-			$r = q("select * from xchan where xchan_hash in ( " . implode(',',$xchans) . " ) ");
+			$r = dbq("select * from xchan where xchan_hash in ( " . implode(',',$xchans) . " ) ");
 			if($r)
 				$ret['xchan'] = $r;
 
-			$r = q("select * from hubloc where hubloc_hash in ( " . implode(',',$xchans) . " ) ");
+			$r = dbq("select * from hubloc where hubloc_hash in ( " . implode(',',$xchans) . " ) ");
 			if($r)
 				$ret['hubloc'] = $r;
 		}

include/import.php

@@ -708,12 +708,12 @@ function import_items($channel, $items, $sync = false, $relocate = null) {
 		$allow_code = channel_codeallowed($channel['channel_id']);
 
 		$deliver = false; // Don't deliver any messages or notifications when importing
-
 		foreach($items as $i) {
 			$item_result = false;
 			$item = get_item_elements($i,$allow_code);
-			if(! $item)
+			if(! $item) {
 				continue;
+			}
 
 			// deprecated
 
@@ -724,9 +724,10 @@ function import_items($channel, $items, $sync = false, $relocate = null) {
 				item_url_replace($channel,$item,$relocate['url'],z_root(),$relocate['channel_address']);
 			}
 
-			$r = q("select id, edited from item where mid = '%s' and uid = %d limit 1",
+			$r = q("select id, edited from item where mid = '%s' and uid = %d and revision = %d limit 1",
 				dbesc($item['mid']),
-				intval($channel['channel_id'])
+				intval($channel['channel_id']),
+				intval($item['revision'])
 			);
 			if($r) {
 
@@ -734,7 +735,7 @@ function import_items($channel, $items, $sync = false, $relocate = null) {
 				// so force an update even if we have the same timestamp
 
 				if($item['edited'] >= $r[0]['edited']) {
-					$item['id'] = $r[0]['id'];
+					$item['id']  = $r[0]['id'];
 					$item['uid'] = $channel['channel_id'];
 					$item_result = item_store_update($item,$allow_code,$deliver);
 				}

include/text.php

@@ -874,11 +874,7 @@ function get_tags($s) {
 	// ignore anything in [color= ], because it may contain color codes which are mistaken for tags
 	$s = preg_replace('/\[color=(.*?)\]/sm','',$s);
 
-	// skip anchors in URL
-	$s = preg_replace('/\[url=(.*?)\]/sm','',$s);
-
 	// match any double quoted tags
-
 	if(preg_match_all('/([@#\!]\&quot\;.*?\&quot\;)/',$s,$match)) {
 		foreach($match[1] as $mtch) {
 			$ret[] = $mtch;
@@ -891,7 +887,6 @@ function get_tags($s) {
 	}
 
 	// match bracket mentions
-
 	if(preg_match_all('/([@!]\!?\{.*?\})/',$s,$match)) {
 		foreach($match[1] as $mtch) {
 			$ret[] = $mtch;
@@ -900,7 +895,6 @@ function get_tags($s) {
 
 	// Pull out single word tags. These can be @nickname, @first_last
 	// and #hash tags.
-
 	if(preg_match_all('/(?<![a-zA-Z0-9=\pL\/\?\;])([@#\!]\!?[^ \x0D\x0A,;:\?\[\{\&]+)/u',$s,$match)) {
 		foreach($match[1] as $mtch) {
 
@@ -924,7 +918,6 @@ function get_tags($s) {
 	}
 
 	// bookmarks
-
 	if(preg_match_all('/#\^\[(url|zrl)(.*?)\](.*?)\[\/(url|zrl)\]/',$s,$match,PREG_SET_ORDER)) {
 		foreach($match as $mtch) {
 			$ret[] = $mtch[0];
@@ -3700,7 +3693,7 @@ function get_forum_channels($uid) {
 
 		$xc = ids_to_querystr($x1,'xchan',true);
 
-		$x2 = q("select xchan from abconfig where chan = %d and cat = 'their_perms' and k = 'tag_deliver' and v = '1' and xchan in (" . $xc . ") ",
+		$x2 = q("select xchan from abconfig where chan = %d and cat = 'their_perms' and k = 'tag_deliver' and v = '1' and xchan in (" . protect_sprintf($xc) . ") ",
 			intval($uid)
 		);
 
@@ -3708,7 +3701,7 @@ function get_forum_channels($uid) {
 		$sql_extra = (($xf) ? ' and not xchan in (' . $xf . ')' : '');
 
 		// private forums
-		$x3 = q("select xchan from abconfig where chan = %d and cat = 'their_perms' and k = 'post_wall' and v = '1' and xchan in (" . $xc . ") $sql_extra ",
+		$x3 = q("select xchan from abconfig where chan = %d and cat = 'their_perms' and k = 'post_wall' and v = '1' and xchan in (" . protect_sprintf($xc) . ") $sql_extra ",
 			intval(local_channel())
 		);
 		if($x3) {
@@ -3716,7 +3709,7 @@ function get_forum_channels($uid) {
 		}
 
 		// public forums with no permission to post
-		$x4 = q("select xchan from abconfig left join xchan on xchan = xchan_hash where chan = %d and cat = 'their_perms' and k in ('post_wall', 'tag_deliver') and v = '0' and xchan in (" . $xc . ") and xchan_pubforum = 1 $sql_extra ",
+		$x4 = q("select xchan from abconfig left join xchan on xchan = xchan_hash where chan = %d and cat = 'their_perms' and k in ('post_wall', 'tag_deliver') and v = '0' and xchan in (" . protect_sprintf($xc) . ") and xchan_pubforum = 1 $sql_extra ",
 			intval(local_channel())
 		);
 		if($x4) {
@@ -3725,7 +3718,7 @@ function get_forum_channels($uid) {
 
 	}
 
-	$sql_extra_1 = (($xf) ? " and ( xchan_hash in (" . $xf . ") or xchan_pubforum = 1 ) " : " and xchan_pubforum = 1 ");
+	$sql_extra_1 = (($xf) ? " and ( xchan_hash in (" . protect_sprintf($xf) . ") or xchan_pubforum = 1 ) " : " and xchan_pubforum = 1 ");
 
 	$r = q("select abook_id, xchan_hash, xchan_name, xchan_url, xchan_addr, xchan_photo_s from abook left join xchan on abook_xchan = xchan_hash where xchan_deleted = 0 and abook_channel = %d and abook_pending = 0 and abook_ignored = 0 and abook_blocked = 0 and abook_archived = 0 $sql_extra_1 order by xchan_name",
 		intval($uid)