From 37b0a323ad675b0787e998e322ab05297429ad1b Mon Sep 17 00:00:00 2001
From: Daniel Winzen <d@winzen4.de>
Date: Tue, 9 Aug 2016 21:06:25 +0200
Subject: [PATCH] Instruct browser not to send referrer. Enable image embedding
 without cookies as there is no more risk of session leakage.

---
 CHANGELOG      |  2 ++
 chat.php       | 52 +++++++++++---------------------------------------
 lang_de.php    |  2 +-
 lang_en.php    |  2 +-
 lang_es_AR.php |  2 +-
 lang_es_ES.php |  2 +-
 lang_fr.php    |  2 +-
 lang_id.php    |  2 +-
 lang_ru.php    |  2 +-
 9 files changed, 20 insertions(+), 48 deletions(-)

diff --git a/CHANGELOG b/CHANGELOG
index 5574a97..4d52b62 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -2,6 +2,8 @@ Don't display empty option for system messages in delete messages by name
 Don't show a kick button on your own session in the list of active sessions
 Allow ignoring incognito chatters
 Prevent posting the same message twice, if no other message was posted in-between
+Instruct browser not to send referrer.
+Enable image embedding without cookies as there is no more risk of session leakage.
 
 Version 1.20.6 - Jul. 23, 2016
 Simplify ignore logic + disallow ignoring chatters with higher status
diff --git a/chat.php b/chat.php
index 2bbb7b7..fc12477 100644
--- a/chat.php
+++ b/chat.php
@@ -1352,17 +1352,7 @@ function send_inbox(){
 	echo "<$H[form]>$H[commonform]".hidden('action', 'inbox').hidden('do', 'clean').submit($I['delselmes'], 'class="delbutton"').'<br><br>';
 	$dateformat=get_setting('dateformat');
 	$tz=3600*$U['tz'];
-	if(!isSet($_COOKIE[COOKIENAME]) && get_setting('forceredirect')==0){
-		$injectRedirect=true;
-		$redirect=get_setting('redirect');
-		if(empty($redirect)){
-			$redirect="$_SERVER[SCRIPT_NAME]?action=redirect&amp;url=";
-		}
-	}else{
-		$injectRedirect=false;
-		$redirect='';
-	}
-	if(get_setting('imgembed') && (!$U['embed'] || !isSet($_COOKIE[COOKIENAME]))){
+	if(!$U['embed'] && get_setting('imgembed')){
 		$removeEmbed=true;
 	}else{
 		$removeEmbed=false;
@@ -1380,7 +1370,7 @@ function send_inbox(){
 	$stmt=$db->prepare('SELECT id, postdate, text FROM ' . PREFIX . 'inbox WHERE recipient=? ORDER BY id DESC;');
 	$stmt->execute(array($U['nickname']));
 	while($message=$stmt->fetch(PDO::FETCH_ASSOC)){
-		prepare_message_print($message, $injectRedirect, $redirect, $removeEmbed);
+		prepare_message_print($message, $removeEmbed);
 		echo "<div class=\"msg\"><input type=\"checkbox\" name=\"mid[]\" id=\"$message[id]\" value=\"$message[id]\"><label for=\"$message[id]\">";
 		if($timestamps){
 			echo ' <small>'.date($dateformat, $message['postdate']+$tz).' - </small>';
@@ -1739,16 +1729,11 @@ function send_profile($arg=''){
 	echo "<tr><td><table class=\"left-table\"><tr><th>$I[refreshrate]</th><td class=\"right\">";
 	echo "<input type=\"number\" name=\"refresh\" size=\"3\" maxlength=\"3\" min=\"5\" max=\"150\" value=\"$U[refresh]\"></td></tr></table></td></tr>";
 	thr();
-	if(!isSet($_COOKIE[COOKIENAME])){
-		$param="&amp;session=$U[session]&amp;lang=$language";
-	}else{
-		$param='';
-	}
 	preg_match('/#([0-9a-f]{6})/i', $U['style'], $matches);
-	echo "<tr><td><table class=\"left-table\"><tr><td><b>$I[fontcolour]</b> (<a href=\"$_SERVER[SCRIPT_NAME]?action=colours$param\" target=\"view\">$I[viewexample]</a>)</td><td class=\"right\">";
+	echo "<tr><td><table class=\"left-table\"><tr><td><b>$I[fontcolour]</b> (<a href=\"$_SERVER[SCRIPT_NAME]?action=colours&amp;session=$U[session]&amp;lang=$language\" target=\"view\">$I[viewexample]</a>)</td><td class=\"right\">";
 	echo "<input type=\"text\" size=\"6\" maxlength=\"6\" pattern=\"[a-fA-F0-9]{6}\" value=\"$matches[1]\" name=\"colour\"></td></tr></table></td></tr>";
 	thr();
-	echo "<tr><td><table class=\"left-table\"><tr><td><b>$I[bgcolour]</b> (<a href=\"$_SERVER[SCRIPT_NAME]?action=colours$param\" target=\"view\">$I[viewexample]</a>)</td><td class=\"right\">";
+	echo "<tr><td><table class=\"left-table\"><tr><td><b>$I[bgcolour]</b> (<a href=\"$_SERVER[SCRIPT_NAME]?action=colours&amp;session=$U[session]&amp;lang=$language\" target=\"view\">$I[viewexample]</a>)</td><td class=\"right\">";
 	echo "<input type=\"text\" size=\"6\" maxlength=\"6\" pattern=\"[a-fA-F0-9]{6}\" value=\"$U[bgcolour]\" name=\"bgcolour\"></td></tr></table></td></tr>";
 	thr();
 	if($U['status']>=3){
@@ -3031,17 +3016,7 @@ function print_messages($delstatus=''){
 	global $I, $U, $db;
 	$dateformat=get_setting('dateformat');
 	$tz=3600*$U['tz'];
-	if(!isSet($_COOKIE[COOKIENAME]) && get_setting('forceredirect')==0){
-		$injectRedirect=true;
-		$redirect=get_setting('redirect');
-		if(empty($redirect)){
-			$redirect="$_SERVER[SCRIPT_NAME]?action=redirect&amp;url=";
-		}
-	}else{
-		$injectRedirect=false;
-		$redirect='';
-	}
-	if(get_setting('imgembed') && (!$U['embed'] || !isSet($_COOKIE[COOKIENAME]))){
+	if(!$U['embed'] && get_setting('imgembed')){
 		$removeEmbed=true;
 	}else{
 		$removeEmbed=false;
@@ -3064,7 +3039,7 @@ function print_messages($delstatus=''){
 		'(poststatus<? AND delstatus<?) OR poster=? OR recipient=? ORDER BY id DESC;');
 		$stmt->execute(array($U['status'], $delstatus, $U['nickname'], $U['nickname']));
 		while($message=$stmt->fetch(PDO::FETCH_ASSOC)){
-			prepare_message_print($message, $injectRedirect, $redirect, $removeEmbed);
+			prepare_message_print($message, $removeEmbed);
 			echo "<div class=\"msg\"><input type=\"checkbox\" name=\"mid[]\" id=\"$message[id]\" value=\"$message[id]\"><label for=\"$message[id]\">";
 			if($timestamps){
 				echo ' <small>'.date($dateformat, $message['postdate']+$tz).' - </small>';
@@ -3077,7 +3052,7 @@ function print_messages($delstatus=''){
 		') AND poster NOT IN (SELECT ign FROM ' . PREFIX . 'ignored WHERE ignby=?) ORDER BY id DESC;');
 		$stmt->execute(array($U['status'], $U['nickname'], $U['nickname'], $U['nickname'], $U['nickname']));
 		while($message=$stmt->fetch(PDO::FETCH_ASSOC)){
-			prepare_message_print($message, $injectRedirect, $redirect, $removeEmbed);
+			prepare_message_print($message, $removeEmbed);
 			echo '<div class="msg">';
 			if($timestamps){
 				echo '<small>'.date($dateformat, $message['postdate']+$tz).' - </small>';
@@ -3087,17 +3062,10 @@ function print_messages($delstatus=''){
 	}
 }
 
-function prepare_message_print(&$message, $injectRedirect, $redirect, $removeEmbed){
+function prepare_message_print(&$message, $removeEmbed){
 	if(MSGENCRYPTED){
 		$message['text']=openssl_decrypt($message['text'], 'aes-256-cbc', ENCRYPTKEY, 0, '1234567890123456');
 	}
-	if($injectRedirect){
-		$message['text']=preg_replace_callback('/<a href="([^"]+)" target="_blank">(.*?(?=<\/a>))<\/a>/',
-			function ($matched) use($redirect) {
-				return "<a href=\"$redirect".rawurlencode($matched[1])."\" target=\"_blank\">$matched[2]</a>";
-			}
-		, $message['text']);
-	}
 	if($removeEmbed){
 		$message['text']=preg_replace_callback('/<img src="([^"]+)"><\/a>/',
 			function ($matched){
@@ -3122,6 +3090,8 @@ function send_headers(){
 	header('Pragma: no-cache');
 	header('Cache-Control: no-cache');
 	header('Expires: 0');
+	header('Referrer-Policy: no-referrer');
+	header('Content-Security-Policy: referrer never');
 	if($_SERVER['REQUEST_METHOD']==='HEAD'){
 		exit; // headers sent, no further processing needed
 	}
@@ -3696,7 +3666,7 @@ function load_html(){
 	global $H, $I, $language;
 	$H=array(// default HTML
 		'form'		=>"form action=\"$_SERVER[SCRIPT_NAME]\" method=\"post\"",
-		'meta_html'	=>"<meta name=\"robots\" content=\"noindex,nofollow\"><meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\"><meta http-equiv=\"Pragma\" content=\"no-cache\"><meta http-equiv=\"Cache-Control\" content=\"no-cache\"><meta http-equiv=\"expires\" content=\"0\">",
+		'meta_html'	=>'<meta name="robots" content="noindex,nofollow"><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta http-equiv="Pragma" content="no-cache"><meta http-equiv="Cache-Control" content="no-cache"><meta http-equiv="expires" content="0"><meta name="referrer" content="no-referrer">',
 		'credit'	=>'<small><br><br><a target="_blank" href="https://github.com/DanWin/le-chat-php">LE CHAT-PHP - ' . VERSION . '</a></small>',
 		'commonform'	=>hidden('lang', $language).hidden('nc', substr(time(), -6))
 	);
diff --git a/lang_de.php b/lang_de.php
index 8182241..c0f50d8 100644
--- a/lang_de.php
+++ b/lang_de.php
@@ -153,7 +153,7 @@ $T=array(
 	'italic' => 'Kursiv',
 	'fontexample' => 'Beispiel für deine gewählte Schrift',
 	'timestamps' => 'Zeitstempel anzeigen',
-	'embed' => 'Bilder einbetten (Benötigt Cookies)',
+	'embed' => 'Bilder einbetten',
 	'incognito' => 'Inkognito Modus',
 	'pbsize' => 'Postboxgröße',
 	'nbsize' => 'Notizboxgröße',
diff --git a/lang_en.php b/lang_en.php
index daa9021..6d4a97c 100644
--- a/lang_en.php
+++ b/lang_en.php
@@ -153,7 +153,7 @@ $I=array(
 	'italic' => 'Italic',
 	'fontexample' => 'Example for your chosen font',
 	'timestamps' => 'Show Timestamps',
-	'embed' => 'Embed images (needs Cookies)',
+	'embed' => 'Embed images',
 	'incognito' => 'Incognito mode',
 	'pbsize' => 'Post box size',
 	'nbsize' => 'Notes box size',
diff --git a/lang_es_AR.php b/lang_es_AR.php
index 25f32f7..71fd04b 100644
--- a/lang_es_AR.php
+++ b/lang_es_AR.php
@@ -153,7 +153,7 @@ $T=array(
 	'italic' => 'Bastardilla',
 	'fontexample' => 'Ejemplo de la tipografía seleccionada',
 	'timestamps' => 'Mostrar fecha y hora',
-	'embed' => 'Habilitar imágenes (necesita cookies)',
+	'embed' => 'Habilitar imágenes',
 	'incognito' => 'Modo incógnito',
 	'pbsize' => 'Tamaño de la caja de publicación',
 	'nbsize' => 'Tamaño de la caja de notas',
diff --git a/lang_es_ES.php b/lang_es_ES.php
index ff43832..1dc5964 100644
--- a/lang_es_ES.php
+++ b/lang_es_ES.php
@@ -153,7 +153,7 @@ $T=array(
 	'italic' => 'Bastardilla',
 	'fontexample' => 'Ejemplo de la tipografía seleccionada',
 	'timestamps' => 'Mostrar fecha y hora',
-	'embed' => 'Habilitar imágenes (necesita cookies)',
+	'embed' => 'Habilitar imágenes',
 	'incognito' => 'Modo incógnito',
 	'pbsize' => 'Tamaño de la caja de publicación',
 	'nbsize' => 'Tamaño de la caja de notas',
diff --git a/lang_fr.php b/lang_fr.php
index 46979fa..c12c900 100644
--- a/lang_fr.php
+++ b/lang_fr.php
@@ -153,7 +153,7 @@ $T=array(
 	'italic' => 'Italique',
 	'fontexample' => 'Exemple de choix de polices',
 	'timestamps' => 'Afficher l\'horodatage',
-	'embed' => 'Images imbriquées (besoin des Cookies)',
+	'embed' => 'Images imbriquées',
 	'incognito' => 'Mode incognito',
 	'pbsize' => 'Dimension de la boite du texte',
 	'nbsize' => 'Dimension de la boite du chat',
diff --git a/lang_id.php b/lang_id.php
index 674cacb..a969a06 100644
--- a/lang_id.php
+++ b/lang_id.php
@@ -153,7 +153,7 @@ $T=array(
 	'italic' => 'Miring',
 	'fontexample' => 'Contoh untuk font yang anda pilih',
 	'timestamps' => 'Tunjukkan penanda waktu',
-	'embed' => 'Tanamkan gambar (Membutuhkan kuki)',
+	'embed' => 'Tanamkan gambar',
 	'incognito' => 'Mode penyamaran',
 	'pbsize' => 'Ukuran kotak pos',
 	'nbsize' => 'Ukuran otak catatan',
diff --git a/lang_ru.php b/lang_ru.php
index 49db1e0..be73a37 100644
--- a/lang_ru.php
+++ b/lang_ru.php
@@ -153,7 +153,7 @@ $T=array(
 	'italic' => 'Курсив',
 	'fontexample' => 'Пример выбранного вами шрифта',
 	'timestamps' => 'Показать отметки времени',
-	'embed' => 'Вставить изображения (использует Cookies)',
+	'embed' => 'Вставить изображения',
 	'incognito' => 'Режим инкогнито',
 	'pbsize' => 'Размер окна сообщений',
 	'nbsize' => 'Размер окна заметок',