From d51820adc52aef962542ecc6da0607ce0118fefc Mon Sep 17 00:00:00 2001 From: Zach Copley Date: Mon, 19 Jul 2010 13:43:17 -0700 Subject: Change the cache window on notices from 61 to 200, the max number of notices available at one time through the API. Note: this will require a memcache restart. --- classes/Notice.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/classes/Notice.php b/classes/Notice.php index ae7e2e540..8552248ba 100644 --- a/classes/Notice.php +++ b/classes/Notice.php @@ -42,10 +42,10 @@ if (!defined('STATUSNET') && !defined('LACONICA')) { */ require_once INSTALLDIR.'/classes/Memcached_DataObject.php'; -/* We keep the first three 20-notice pages, plus one for pagination check, +/* We keep 200 notices, the max number of notices available per API request, * in the memcached cache. */ -define('NOTICE_CACHE_WINDOW', 61); +define('NOTICE_CACHE_WINDOW', 200); define('MAX_BOXCARS', 128); -- cgit v1.2.3-54-g00ecf From f0620a74c8a1a25ceb957819e528ef5a7d044d6e Mon Sep 17 00:00:00 2001 From: Brion Vibber Date: Mon, 19 Jul 2010 16:47:49 -0700 Subject: Provisional OAuth, OpenID token check timing attack patches --- extlib/Auth/OpenID/Association.php | 37 ++++++++++++++++++++++++++++++++++++- extlib/OAuth.php | 18 ++++++++++++++++++ 2 files changed, 54 insertions(+), 1 deletion(-) diff --git a/extlib/Auth/OpenID/Association.php b/extlib/Auth/OpenID/Association.php index d1ac1ed9b..7fdf399a3 100644 --- a/extlib/Auth/OpenID/Association.php +++ b/extlib/Auth/OpenID/Association.php 
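Review bot: Raising NOTICE_CACHE_WINDOW from 61 to 200 changes how many ids an already-cached notice list is expected to hold, and the commit handles the transition only by the operational step named in the message ("this will require a memcache restart"). If the cache entries for these lists are keyed without the window size — not visible in this hunk — consider folding NOTICE_CACHE_WINDOW (or a version suffix) into the key so stale 61-entry lists are simply missed rather than served as if complete. The same point applies when the change is re-applied in 25e963769c866d6847064fd88172483a9c6b1964. The updated comment could also say why 200 was chosen beyond the API maximum, since it now bounds memcached memory per cached stream at a value several times the old one.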
@@ -374,7 +374,42 @@ class Auth_OpenID_Association { } $calculated_sig = $this->getMessageSignature($message); - return $calculated_sig == $sig; + + return $this->constantTimeCompare($calculated_sig, $sig); + } + + /** + * String comparison function which will complete in a constant time + * for strings of any given matching length, to help prevent an attacker + * from distinguishing how much of a signature token they have guessed + * correctly. + * + * For this usage, it's assumed that the length of the string is known, + * so we may safely short-circuit on mismatched lengths which will be known + * to be invalid by the attacker. + * + * http://lists.openid.net/pipermail/openid-security/2010-July/001156.html + * http://rdist.root.org/2010/01/07/timing-independent-array-comparison/ + */ + private function constantTimeCompare($a, $b) + { + $len = strlen($a); + if (strlen($b) !== $len) { + // Short-circuit on length mismatch; attackers will already know + // the correct target length so this is safe. + return false; + } + if ($len == 0) { + // 0-length valid input shouldn't really happen. :) + return true; + } + $result = 0; + for ($i = 0; $i < strlen($a); $i++) { + // We use scary bitwise operations to avoid logical short-circuits + // in lower-level code. + $result |= ord($a{$i}) ^ ord($b{$i}); + } + return ($result == 0); } } diff --git a/extlib/OAuth.php b/extlib/OAuth.php index 648627b57..04984d5fa 100644 --- a/extlib/OAuth.php +++ b/extlib/OAuth.php 
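Review bot: `constantTimeCompare` returns true when both strings are empty (`if ($len == 0) { return true; }`), whereas the extlib/OAuth.php hunk of this same commit rejects zero-length signatures; an empty signature should fail closed here as well, `if ($len == 0) { return false; }`. The loop also re-evaluates `strlen($a)` on each iteration although `$len` is already computed — `for ($i = 0; $i < $len; $i++)`. The `$a{$i}` curly-brace string offset syntax is deprecated in PHP 7.4 and removed in 8.0, so `$a[$i]` is the portable form, and on PHP 5.6+ the whole helper body can be `return hash_equals($a, $b);`, which already handles the length check without custom code. The docblock should state the failure case explicitly, e.g. `@return bool true only when both strings have identical length and content`.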
@@ -54,6 +54,24 @@ class OAuthSignatureMethod {/*{{{*/ public function check_signature(&$request, $consumer, $token, $signature) { $built = $this->build_signature($request, $consumer, $token); return $built == $signature; + + // Check for zero length, although unlikely here + if (strlen($built) == 0 || strlen($signature) == 0) { + return false; + } + + if (strlen($built) != strlen($signature)) { + return false; + } + + $result = 0; + + // Avoid a timing leak with a (hopefully) time insensitive compare + for ($i = 0; $i < strlen($signature); $i++) { + $result |= ord($built{$i}) ^ ord($signature{$i}); + } + + return $result == 0; } }/*}}}*/ -- cgit v1.2.3-54-g00ecf From a65b3f171c4d23af8ca844439ad08959eb760b86 Mon Sep 17 00:00:00 2001 From: Zach Copley Date: Mon, 19 Jul 2010 17:38:11 -0700 Subject: Revert "Change the cache window on notices from 61 to 200, the max number" This reverts commit d51820adc52aef962542ecc6da0607ce0118fefc. --- classes/Notice.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/classes/Notice.php b/classes/Notice.php index 8552248ba..ae7e2e540 100644 --- a/classes/Notice.php +++ b/classes/Notice.php @@ -42,10 +42,10 @@ if (!defined('STATUSNET') && !defined('LACONICA')) { */ require_once INSTALLDIR.'/classes/Memcached_DataObject.php'; -/* We keep 200 notices, the max number of notices available per API request, +/* We keep the first three 20-notice pages, plus one for pagination check, * in the memcached cache. */ -define('NOTICE_CACHE_WINDOW', 200); +define('NOTICE_CACHE_WINDOW', 61); define('MAX_BOXCARS', 128); -- cgit v1.2.3-54-g00ecf From 9b899eea750fd54c75fbb58e48526a5cab169f6c Mon Sep 17 00:00:00 2001 
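Review bot: The constant-time comparison added to `check_signature` is unreachable: the original `return $built == $signature;` is kept as a context line directly before the new block, so the method still returns the result of the loose `==` comparison and never executes the added loop (the hunk's 18 insertions and 0 deletions confirm nothing was removed). The fix is to delete that `return` line so control reaches the length checks and the XOR loop. The loose `==` that remains is itself a concern on signature strings, since PHP can compare numeric-looking strings numerically rather than byte-wise. On PHP 5.6+ the body after `$built = ...` can simply be `return hash_equals($built, $signature);`; if the hand-rolled loop is kept, `$built{$i}` and `$signature{$i}` should become `$built[$i]` and `$signature[$i]`, as the curly-brace offset syntax is deprecated in 7.4 and removed in 8.0.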
From: Eric Helgeson Date: Mon, 19 Jul 2010 21:09:09 -0500 Subject: Make some messages gender neutral. --- actions/all.php | 4 ++-- actions/favor.php | 2 +- actions/finishremotesubscribe.php | 2 +- actions/nudge.php | 2 +- actions/replies.php | 6 +++--- actions/showfavorites.php | 6 +++--- actions/showstream.php | 4 ++-- classes/User.php | 2 +- 8 files changed, 14 insertions(+), 14 deletions(-) diff --git a/actions/all.php b/actions/all.php index 9c01b6393..ac4e321d0 100644 --- a/actions/all.php +++ b/actions/all.php @@ -143,10 +143,10 @@ class AllAction extends ProfileAction $message .= _('Try subscribing to more people, [join a group](%%action.groups%%) or post something yourself.'); } else { // TRANS: %1$s is user nickname, %2$s is user nickname, %2$s is user nickname prefixed with "@" - $message .= sprintf(_('You can try to [nudge %1$s](../%2$s) from his profile or [post something to his or her attention](%%%%action.newnotice%%%%?status_textarea=%3$s).'), $this->user->nickname, $this->user->nickname, '@' . $this->user->nickname); + $message .= sprintf(_('You can try to [nudge %1$s](../%2$s) from their profile or [post something to their attention](%%%%action.newnotice%%%%?status_textarea=%3$s).'), $this->user->nickname, $this->user->nickname, '@' . $this->user->nickname); } } else { - $message .= sprintf(_('Why not [register an account](%%%%action.register%%%%) and then nudge %s or post a notice to his or her attention.'), $this->user->nickname); + $message .= sprintf(_('Why not [register an account](%%%%action.register%%%%) and then nudge %s or post a notice to their attention.'), $this->user->nickname); } $this->elementStart('div', 'guide'); diff --git a/actions/favor.php b/actions/favor.php index 475912fd0..01976a38f 100644 --- a/actions/favor.php +++ b/actions/favor.php 
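Review bot: The translator hint above the changed message in actions/all.php reads `// TRANS: %1$s is user nickname, %2$s is user nickname, %2$s is user nickname prefixed with "@"`, but the format string's third placeholder is `%3$s`, so the hint should end with `%3$s is user nickname prefixed with "@"`. Since this commit already edits that message, it is the natural place to correct the hint so translators are not misled about which argument carries the "@" prefix.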
@@ -104,7 +104,7 @@ class FavorAction extends Action } /** - * Notifies a user when his notice is favorited. + * Notifies a user when their notice is favorited. * * @param class $notice favorited notice * @param class $user user declaring a favorite diff --git a/actions/finishremotesubscribe.php b/actions/finishremotesubscribe.php index ac51ddec3..0325f6adb 100644 --- a/actions/finishremotesubscribe.php +++ b/actions/finishremotesubscribe.php @@ -37,7 +37,7 @@ require_once INSTALLDIR.'/lib/omb.php'; * Handler for remote subscription finish callback * * When a remote user subscribes a local user, a redirect to this action is - * issued after the remote user authorized his service to subscribe. + * issued after the remote user authorized their service to subscribe. * * @category Action * @package Laconica diff --git a/actions/nudge.php b/actions/nudge.php index cf5f773e7..32ae8587c 100644 --- a/actions/nudge.php +++ b/actions/nudge.php @@ -82,7 +82,7 @@ class NudgeAction extends Action } if (!$other->email || !$other->emailnotifynudge) { - $this->clientError(_('This user doesn\'t allow nudges or hasn\'t confirmed or set his email yet.')); + $this->clientError(_('This user doesn\'t allow nudges or hasn\'t confirmed or set their email yet.')); return; } diff --git a/actions/replies.php b/actions/replies.php index 608f71d6e..0474a6de0 100644 --- a/actions/replies.php +++ b/actions/replies.php 
@@ -196,18 +196,18 @@ class RepliesAction extends OwnerDesignAction function showEmptyListMessage() { - $message = sprintf(_('This is the timeline showing replies to %1$s but %2$s hasn\'t received a notice to his attention yet.'), $this->user->nickname, $this->user->nickname) . ' '; + $message = sprintf(_('This is the timeline showing replies to %1$s but %2$s hasn\'t received a notice to their attention yet.'), $this->user->nickname, $this->user->nickname) . ' '; if (common_logged_in()) { $current_user = common_current_user(); if ($this->user->id === $current_user->id) { $message .= _('You can engage other users in a conversation, subscribe to more people or [join groups](%%action.groups%%).'); } else { - $message .= sprintf(_('You can try to [nudge %1$s](../%2$s) or [post something to his or her attention](%%%%action.newnotice%%%%?status_textarea=%3$s).'), $this->user->nickname, $this->user->nickname, '@' . $this->user->nickname); + $message .= sprintf(_('You can try to [nudge %1$s](../%2$s) or [post something to their attention](%%%%action.newnotice%%%%?status_textarea=%3$s).'), $this->user->nickname, $this->user->nickname, '@' . $this->user->nickname); } } else { - $message .= sprintf(_('Why not [register an account](%%%%action.register%%%%) and then nudge %s or post a notice to his or her attention.'), $this->user->nickname); + $message .= sprintf(_('Why not [register an account](%%%%action.register%%%%) and then nudge %s or post a notice to their attention.'), $this->user->nickname); } $this->elementStart('div', 'guide'); diff --git a/actions/showfavorites.php b/actions/showfavorites.php index 7f3c77ee2..d8042e91c 100644 --- a/actions/showfavorites.php +++ b/actions/showfavorites.php 
@@ -119,7 +119,7 @@ class ShowfavoritesAction extends OwnerDesignAction if (!empty($cur) && $cur->id == $this->user->id) { // Show imported/gateway notices as well as local if - // the user is looking at his own favorites + // the user is looking at their own favorites $this->notice = $this->user->favoriteNotices(true, ($this->page-1)*NOTICES_PER_PAGE, NOTICES_PER_PAGE + 1); @@ -205,11 +205,11 @@ class ShowfavoritesAction extends OwnerDesignAction if ($this->user->id === $current_user->id) { $message = _('You haven\'t chosen any favorite notices yet. Click the fave button on notices you like to bookmark them for later or shed a spotlight on them.'); } else { - $message = sprintf(_('%s hasn\'t added any notices to his favorites yet. Post something interesting they would add to their favorites :)'), $this->user->nickname); + $message = sprintf(_('%s hasn\'t added any favorite notices yet. Post something interesting they would add to their favorites :)'), $this->user->nickname); } } else { - $message = sprintf(_('%s hasn\'t added any notices to his favorites yet. Why not [register an account](%%%%action.register%%%%) and then post something interesting they would add to their favorites :)'), $this->user->nickname); + $message = sprintf(_('%s hasn\'t added any favorite notices yet. Why not [register an account](%%%%action.register%%%%) and then post something interesting they would add to their favorites :)'), $this->user->nickname); } $this->elementStart('div', 'guide'); diff --git a/actions/showstream.php b/actions/showstream.php index f9407e35a..956c05741 100644 --- a/actions/showstream.php +++ b/actions/showstream.php 
@@ -204,11 +204,11 @@ class ShowstreamAction extends ProfileAction if ($this->user->id === $current_user->id) { $message .= _('Seen anything interesting recently? You haven\'t posted any notices yet, now would be a good time to start :)'); } else { - $message .= sprintf(_('You can try to nudge %1$s or [post something to his or her attention](%%%%action.newnotice%%%%?status_textarea=%2$s).'), $this->user->nickname, '@' . $this->user->nickname); + $message .= sprintf(_('You can try to nudge %1$s or [post something to their attention](%%%%action.newnotice%%%%?status_textarea=%2$s).'), $this->user->nickname, '@' . $this->user->nickname); } } else { - $message .= sprintf(_('Why not [register an account](%%%%action.register%%%%) and then nudge %s or post a notice to his or her attention.'), $this->user->nickname); + $message .= sprintf(_('Why not [register an account](%%%%action.register%%%%) and then nudge %s or post a notice to their attention.'), $this->user->nickname); } $this->elementStart('div', 'guide'); diff --git a/classes/User.php b/classes/User.php index 2abb7eeb6..cf8d4527b 100644 --- a/classes/User.php +++ b/classes/User.php @@ -524,7 +524,7 @@ class User extends Memcached_DataObject if ($this->id == $other->id) { common_log(LOG_WARNING, sprintf( - "Profile ID %d (%s) tried to block his or herself.", + "Profile ID %d (%s) tried to block themself.", $this->id, $this->nickname ) -- cgit v1.2.3-54-g00ecf From 25e963769c866d6847064fd88172483a9c6b1964 Mon Sep 17 00:00:00 2001 From: Zach Copley Date: Wed, 21 Jul 2010 12:29:47 -0700 Subject: Revert "Revert "Change the cache window on notices from 61 to 200, the max number"" This reverts commit a65b3f171c4d23af8ca844439ad08959eb760b86. --- classes/Notice.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/classes/Notice.php b/classes/Notice.php index ae7e2e540..8552248ba 100644 --- a/classes/Notice.php +++ b/classes/Notice.php 
@@ -42,10 +42,10 @@ if (!defined('STATUSNET') && !defined('LACONICA')) { */ require_once INSTALLDIR.'/classes/Memcached_DataObject.php'; -/* We keep the first three 20-notice pages, plus one for pagination check, +/* We keep 200 notices, the max number of notices available per API request, * in the memcached cache. */ -define('NOTICE_CACHE_WINDOW', 61); +define('NOTICE_CACHE_WINDOW', 200); define('MAX_BOXCARS', 128); -- cgit v1.2.3-54-g00ecf From 3040a5ff858c88651f9ef01a9822d2c567f86467 Mon Sep 17 00:00:00 2001 From: Brion Vibber Date: Thu, 22 Jul 2010 05:22:09 +0000 Subject: Quick fix for IE7 via sammy: remove redundant media specifiers from base style @import in main themes. The s already specify screen/etc media, so all it was doing was breaking. There are still some issues, but most things seem to work-ish as long as Realtime plugins are off. --- theme/biz/css/display.css | 2 +- theme/default/css/display.css | 2 +- theme/identica/css/display.css | 2 +- theme/pigeonthoughts/css/display.css | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/theme/biz/css/display.css b/theme/biz/css/display.css index ea09ef4c0..e735d8683 100644 --- a/theme/biz/css/display.css +++ b/theme/biz/css/display.css @@ -7,7 +7,7 @@ * @link http://status.net/ */ -@import url(base.css) screen, projection, tv, print; +@import url(base.css); @media screen, projection, tv { html { diff --git a/theme/default/css/display.css b/theme/default/css/display.css index 5e3748cb7..9a1dabb51 100644 --- a/theme/default/css/display.css +++ b/theme/default/css/display.css @@ -7,7 +7,7 @@ * @link http://status.net/ */ -@import url(../../base/css/display.css) screen, projection, tv, print; +@import url(../../base/css/display.css); @media screen, projection, tv { body, diff --git a/theme/identica/css/display.css b/theme/identica/css/display.css index 440dd8be2..d7f150bcb 100644 --- a/theme/identica/css/display.css +++ b/theme/identica/css/display.css 
@@ -7,7 +7,7 @@ * @link http://status.net/ */ -@import url(../../base/css/display.css) screen, projection, tv, print; +@import url(../../base/css/display.css); @media screen, projection, tv { body, diff --git a/theme/pigeonthoughts/css/display.css b/theme/pigeonthoughts/css/display.css index e584683fc..3d6db00e1 100644 --- a/theme/pigeonthoughts/css/display.css +++ b/theme/pigeonthoughts/css/display.css @@ -7,7 +7,7 @@ * @link http://status.net/ */ -@import url(base.css) screen, projection, tv, print; +@import url(base.css); @media screen, projection, tv { html { -- cgit v1.2.3-54-g00ecf From dbb5e9e1914c9dc67019a4abb1948d40171df0d4 Mon Sep 17 00:00:00 2001 From: Evan Prodromou Date: Thu, 22 Jul 2010 16:00:26 -0700 Subject: accept mailto: URIs as OStatus identifiers --- lib/activityutils.php | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/lib/activityutils.php b/lib/activityutils.php index 401fd7fc2..dd38d4e14 100644 --- a/lib/activityutils.php +++ b/lib/activityutils.php @@ -257,6 +257,12 @@ class ActivityUtils */ static function validateUri($uri) { + // Check mailto: URIs first + + if (preg_match('/^mailto:(.*)$/', $uri, $match)) { + return Validate::email($match[1], common_config('email', 'check_domain')); + } + if (Validate::uri($uri)) { return true; } -- cgit v1.2.3-54-g00ecf
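Review bot: In `validateUri`, the pattern `'/^mailto:(.*)$/'` lets `$` match before a trailing newline, so a value such as `"mailto:user@example.com\n"` takes the new branch with the newline left outside the capture while `$uri` as a whole still carries it for whatever the caller does next; anchoring with `\z` or the `D` modifier, `preg_match('/^mailto:(.*)\z/', $uri, $match)`, closes that gap. URI schemes are case-insensitive per RFC 3986, so `Mailto:` currently falls through to `Validate::uri()` instead of the email check — whether to add the `i` modifier depends on how the scheme is compared elsewhere, which is not visible here. The comment `// Check mailto: URIs first` would be more useful as `// mailto: URIs are validated as e-mail addresses (optionally with a domain check) rather than as generic URIs`. The rest of `validateUri` continues past the end of the hunk.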