From d2e66641322a3297be6a3a6680d10ed7b6720c0e Mon Sep 17 00:00:00 2001
From: Brion Vibber
Date: Fri, 19 Mar 2010 10:15:00 -0700
Subject: Validate OStatus avatar URL before fetching.
---
 plugins/OStatus/classes/Ostatus_profile.php | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
(limited to 'plugins/OStatus')
diff --git a/plugins/OStatus/classes/Ostatus_profile.php b/plugins/OStatus/classes/Ostatus_profile.php
index 6ae8e4fd5..6145080fc 100644
--- a/plugins/OStatus/classes/Ostatus_profile.php
+++ b/plugins/OStatus/classes/Ostatus_profile.php
@@ -781,8 +781,8 @@ class Ostatus_profile extends Memcached_DataObject
 }
 /**
- *
 * Download and update given avatar image
+ *
 * @param string $url
 * @throws Exception in various failure cases
 */
@@ -792,6 +792,9 @@ class Ostatus_profile extends Memcached_DataObject
 // We've already got this one.
 return;
 }
+ if (!common_valid_http_url($url)) {
+ throw new ServerException(_m("Invalid avatar URL %s"), $url);
+ }
 if ($this->isGroup()) {
 $self = $this->localGroup();
-- cgit v1.2.3-54-g00ecf
From b97400bd6f49dfac71124a3243d1c27f49822f58 Mon Sep 17 00:00:00 2001
From: Brion Vibber
Date: Fri, 19 Mar 2010 11:17:56 -0700
Subject: clarify output on fixup-shadow.php
---
 plugins/OStatus/scripts/fixup-shadow.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'plugins/OStatus')
diff --git a/plugins/OStatus/scripts/fixup-shadow.php b/plugins/OStatus/scripts/fixup-shadow.php
index 0171b77bc..ec014c787 100644
--- a/plugins/OStatus/scripts/fixup-shadow.php
+++ b/plugins/OStatus/scripts/fixup-shadow.php
@@ -50,7 +50,7 @@ $encGroup = str_replace($marker, '%', $encGroup);
 $sql = "SELECT * FROM ostatus_profile WHERE uri LIKE '%s' OR uri LIKE '%s'";
 $oprofile->query(sprintf($sql, $encProfile, $encGroup));
-echo "Found $oprofile->N bogus ostatus_profile entries:\n";
+echo "Found $oprofile->N bogus ostatus_profile entries for local users and groups:\n";
 while ($oprofile->fetch()) {
 echo "$oprofile->uri";
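Review bot: In the `@@ -792,6 +792,9 @@` hunk of Ostatus_profile.php, the added `throw` closes `_m(...)` before `$url`, so the URL is handed to ServerException as its second constructor argument (presumably the status code) instead of being substituted into the message, which keeps a literal `%s`. Format the string first: `throw new ServerException(sprintf(_m("Invalid avatar URL %s"), $url));`. Separately, the avatar URL is presumably supplied by the remote profile and the server fetches it afterwards; whether `common_valid_http_url()` checks only the URL's form or also restricts the destination (loopback, private or link-local hosts) is not visible here, so that and the fetcher's redirect handling should be confirmed. The method body starts and ends outside the hunk.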
@@ -58,7 +58,7 @@ while ($oprofile->fetch()) {
 if ($dry) {
 echo " (unchanged)\n";
 } else {
- echo " deleting...";
+ echo " removing bogus ostatus_profile entry...";
 $evil = clone($oprofile);
 $evil->delete();
 echo " ok\n";
-- cgit v1.2.3-54-g00ecf