Instruct browser not to send referrer.

Enable image embedding without cookies as there is no more risk of session leakage.
This commit is contained in:
Daniel Winzen
2016-08-09 21:06:25 +02:00
parent 2b8faa735a
commit 37b0a323ad
9 changed files with 20 additions and 48 deletions


@ -2,6 +2,8 @@ Don't display empty option for system messages in delete messages by name
Don't show a kick button on your own session in the list of active sessions Don't show a kick button on your own session in the list of active sessions
Allow ignoring incognito chatters Allow ignoring incognito chatters
Prevent posting the same message twice, if no other message was posted in-between Prevent posting the same message twice, if no other message was posted in-between
Instruct browser not to send referrer.
Enable image embedding without cookies as there is no more risk of session leakage.
Version 1.20.6 - Jul. 23, 2016 Version 1.20.6 - Jul. 23, 2016
Simplify ignore logic + disallow ignoring chatters with higher status Simplify ignore logic + disallow ignoring chatters with higher status


@ -1352,17 +1352,7 @@ function send_inbox(){
echo "<$H[form]>$H[commonform]".hidden('action', 'inbox').hidden('do', 'clean').submit($I['delselmes'], 'class="delbutton"').'<br><br>'; echo "<$H[form]>$H[commonform]".hidden('action', 'inbox').hidden('do', 'clean').submit($I['delselmes'], 'class="delbutton"').'<br><br>';
$dateformat=get_setting('dateformat'); $dateformat=get_setting('dateformat');
$tz=3600*$U['tz']; $tz=3600*$U['tz'];
if(!isSet($_COOKIE[COOKIENAME]) && get_setting('forceredirect')==0){ if(!$U['embed'] && get_setting('imgembed')){
$injectRedirect=true;
$redirect=get_setting('redirect');
if(empty($redirect)){
$redirect="$_SERVER[SCRIPT_NAME]?action=redirect&amp;url=";
}
}else{
$injectRedirect=false;
$redirect='';
}
if(get_setting('imgembed') && (!$U['embed'] || !isSet($_COOKIE[COOKIENAME]))){
$removeEmbed=true; $removeEmbed=true;
}else{ }else{
$removeEmbed=false; $removeEmbed=false;
@ -1380,7 +1370,7 @@ function send_inbox(){
$stmt=$db->prepare('SELECT id, postdate, text FROM ' . PREFIX . 'inbox WHERE recipient=? ORDER BY id DESC;'); $stmt=$db->prepare('SELECT id, postdate, text FROM ' . PREFIX . 'inbox WHERE recipient=? ORDER BY id DESC;');
$stmt->execute(array($U['nickname'])); $stmt->execute(array($U['nickname']));
while($message=$stmt->fetch(PDO::FETCH_ASSOC)){ while($message=$stmt->fetch(PDO::FETCH_ASSOC)){
prepare_message_print($message, $injectRedirect, $redirect, $removeEmbed); prepare_message_print($message, $removeEmbed);
echo "<div class=\"msg\"><input type=\"checkbox\" name=\"mid[]\" id=\"$message[id]\" value=\"$message[id]\"><label for=\"$message[id]\">"; echo "<div class=\"msg\"><input type=\"checkbox\" name=\"mid[]\" id=\"$message[id]\" value=\"$message[id]\"><label for=\"$message[id]\">";
if($timestamps){ if($timestamps){
echo ' <small>'.date($dateformat, $message['postdate']+$tz).' - </small>'; echo ' <small>'.date($dateformat, $message['postdate']+$tz).' - </small>';
@ -1739,16 +1729,11 @@ function send_profile($arg=''){
echo "<tr><td><table class=\"left-table\"><tr><th>$I[refreshrate]</th><td class=\"right\">"; echo "<tr><td><table class=\"left-table\"><tr><th>$I[refreshrate]</th><td class=\"right\">";
echo "<input type=\"number\" name=\"refresh\" size=\"3\" maxlength=\"3\" min=\"5\" max=\"150\" value=\"$U[refresh]\"></td></tr></table></td></tr>"; echo "<input type=\"number\" name=\"refresh\" size=\"3\" maxlength=\"3\" min=\"5\" max=\"150\" value=\"$U[refresh]\"></td></tr></table></td></tr>";
thr(); thr();
if(!isSet($_COOKIE[COOKIENAME])){
$param="&amp;session=$U[session]&amp;lang=$language";
}else{
$param='';
}
preg_match('/#([0-9a-f]{6})/i', $U['style'], $matches); preg_match('/#([0-9a-f]{6})/i', $U['style'], $matches);
echo "<tr><td><table class=\"left-table\"><tr><td><b>$I[fontcolour]</b> (<a href=\"$_SERVER[SCRIPT_NAME]?action=colours$param\" target=\"view\">$I[viewexample]</a>)</td><td class=\"right\">"; echo "<tr><td><table class=\"left-table\"><tr><td><b>$I[fontcolour]</b> (<a href=\"$_SERVER[SCRIPT_NAME]?action=colours&amp;session=$U[session]&amp;lang=$language\" target=\"view\">$I[viewexample]</a>)</td><td class=\"right\">";
echo "<input type=\"text\" size=\"6\" maxlength=\"6\" pattern=\"[a-fA-F0-9]{6}\" value=\"$matches[1]\" name=\"colour\"></td></tr></table></td></tr>"; echo "<input type=\"text\" size=\"6\" maxlength=\"6\" pattern=\"[a-fA-F0-9]{6}\" value=\"$matches[1]\" name=\"colour\"></td></tr></table></td></tr>";
thr(); thr();
echo "<tr><td><table class=\"left-table\"><tr><td><b>$I[bgcolour]</b> (<a href=\"$_SERVER[SCRIPT_NAME]?action=colours$param\" target=\"view\">$I[viewexample]</a>)</td><td class=\"right\">"; echo "<tr><td><table class=\"left-table\"><tr><td><b>$I[bgcolour]</b> (<a href=\"$_SERVER[SCRIPT_NAME]?action=colours&amp;session=$U[session]&amp;lang=$language\" target=\"view\">$I[viewexample]</a>)</td><td class=\"right\">";
echo "<input type=\"text\" size=\"6\" maxlength=\"6\" pattern=\"[a-fA-F0-9]{6}\" value=\"$U[bgcolour]\" name=\"bgcolour\"></td></tr></table></td></tr>"; echo "<input type=\"text\" size=\"6\" maxlength=\"6\" pattern=\"[a-fA-F0-9]{6}\" value=\"$U[bgcolour]\" name=\"bgcolour\"></td></tr></table></td></tr>";
thr(); thr();
if($U['status']>=3){ if($U['status']>=3){
@ -3031,17 +3016,7 @@ function print_messages($delstatus=''){
global $I, $U, $db; global $I, $U, $db;
$dateformat=get_setting('dateformat'); $dateformat=get_setting('dateformat');
$tz=3600*$U['tz']; $tz=3600*$U['tz'];
if(!isSet($_COOKIE[COOKIENAME]) && get_setting('forceredirect')==0){ if(!$U['embed'] && get_setting('imgembed')){
$injectRedirect=true;
$redirect=get_setting('redirect');
if(empty($redirect)){
$redirect="$_SERVER[SCRIPT_NAME]?action=redirect&amp;url=";
}
}else{
$injectRedirect=false;
$redirect='';
}
if(get_setting('imgembed') && (!$U['embed'] || !isSet($_COOKIE[COOKIENAME]))){
$removeEmbed=true; $removeEmbed=true;
}else{ }else{
$removeEmbed=false; $removeEmbed=false;
@ -3064,7 +3039,7 @@ function print_messages($delstatus=''){
'(poststatus<? AND delstatus<?) OR poster=? OR recipient=? ORDER BY id DESC;'); '(poststatus<? AND delstatus<?) OR poster=? OR recipient=? ORDER BY id DESC;');
$stmt->execute(array($U['status'], $delstatus, $U['nickname'], $U['nickname'])); $stmt->execute(array($U['status'], $delstatus, $U['nickname'], $U['nickname']));
while($message=$stmt->fetch(PDO::FETCH_ASSOC)){ while($message=$stmt->fetch(PDO::FETCH_ASSOC)){
prepare_message_print($message, $injectRedirect, $redirect, $removeEmbed); prepare_message_print($message, $removeEmbed);
echo "<div class=\"msg\"><input type=\"checkbox\" name=\"mid[]\" id=\"$message[id]\" value=\"$message[id]\"><label for=\"$message[id]\">"; echo "<div class=\"msg\"><input type=\"checkbox\" name=\"mid[]\" id=\"$message[id]\" value=\"$message[id]\"><label for=\"$message[id]\">";
if($timestamps){ if($timestamps){
echo ' <small>'.date($dateformat, $message['postdate']+$tz).' - </small>'; echo ' <small>'.date($dateformat, $message['postdate']+$tz).' - </small>';
@ -3077,7 +3052,7 @@ function print_messages($delstatus=''){
') AND poster NOT IN (SELECT ign FROM ' . PREFIX . 'ignored WHERE ignby=?) ORDER BY id DESC;'); ') AND poster NOT IN (SELECT ign FROM ' . PREFIX . 'ignored WHERE ignby=?) ORDER BY id DESC;');
$stmt->execute(array($U['status'], $U['nickname'], $U['nickname'], $U['nickname'], $U['nickname'])); $stmt->execute(array($U['status'], $U['nickname'], $U['nickname'], $U['nickname'], $U['nickname']));
while($message=$stmt->fetch(PDO::FETCH_ASSOC)){ while($message=$stmt->fetch(PDO::FETCH_ASSOC)){
prepare_message_print($message, $injectRedirect, $redirect, $removeEmbed); prepare_message_print($message, $removeEmbed);
echo '<div class="msg">'; echo '<div class="msg">';
if($timestamps){ if($timestamps){
echo '<small>'.date($dateformat, $message['postdate']+$tz).' - </small>'; echo '<small>'.date($dateformat, $message['postdate']+$tz).' - </small>';
@ -3087,17 +3062,10 @@ function print_messages($delstatus=''){
} }
} }
function prepare_message_print(&$message, $injectRedirect, $redirect, $removeEmbed){ function prepare_message_print(&$message, $removeEmbed){
if(MSGENCRYPTED){ if(MSGENCRYPTED){
$message['text']=openssl_decrypt($message['text'], 'aes-256-cbc', ENCRYPTKEY, 0, '1234567890123456'); $message['text']=openssl_decrypt($message['text'], 'aes-256-cbc', ENCRYPTKEY, 0, '1234567890123456');
} }
if($injectRedirect){
$message['text']=preg_replace_callback('/<a href="([^"]+)" target="_blank">(.*?(?=<\/a>))<\/a>/',
function ($matched) use($redirect) {
return "<a href=\"$redirect".rawurlencode($matched[1])."\" target=\"_blank\">$matched[2]</a>";
}
, $message['text']);
}
if($removeEmbed){ if($removeEmbed){
$message['text']=preg_replace_callback('/<img src="([^"]+)"><\/a>/', $message['text']=preg_replace_callback('/<img src="([^"]+)"><\/a>/',
function ($matched){ function ($matched){
@ -3122,6 +3090,8 @@ function send_headers(){
header('Pragma: no-cache'); header('Pragma: no-cache');
header('Cache-Control: no-cache'); header('Cache-Control: no-cache');
header('Expires: 0'); header('Expires: 0');
header('Referrer-Policy: no-referrer');
header('Content-Security-Policy: referrer never');
if($_SERVER['REQUEST_METHOD']==='HEAD'){ if($_SERVER['REQUEST_METHOD']==='HEAD'){
exit; // headers sent, no further processing needed exit; // headers sent, no further processing needed
} }
@ -3696,7 +3666,7 @@ function load_html(){
global $H, $I, $language; global $H, $I, $language;
$H=array(// default HTML $H=array(// default HTML
'form' =>"form action=\"$_SERVER[SCRIPT_NAME]\" method=\"post\"", 'form' =>"form action=\"$_SERVER[SCRIPT_NAME]\" method=\"post\"",
'meta_html' =>"<meta name=\"robots\" content=\"noindex,nofollow\"><meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\"><meta http-equiv=\"Pragma\" content=\"no-cache\"><meta http-equiv=\"Cache-Control\" content=\"no-cache\"><meta http-equiv=\"expires\" content=\"0\">", 'meta_html' =>'<meta name="robots" content="noindex,nofollow"><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta http-equiv="Pragma" content="no-cache"><meta http-equiv="Cache-Control" content="no-cache"><meta http-equiv="expires" content="0"><meta name="referrer" content="no-referrer">',
'credit' =>'<small><br><br><a target="_blank" href="https://github.com/DanWin/le-chat-php">LE CHAT-PHP - ' . VERSION . '</a></small>', 'credit' =>'<small><br><br><a target="_blank" href="https://github.com/DanWin/le-chat-php">LE CHAT-PHP - ' . VERSION . '</a></small>',
'commonform' =>hidden('lang', $language).hidden('nc', substr(time(), -6)) 'commonform' =>hidden('lang', $language).hidden('nc', substr(time(), -6))
); );
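Review bot: The new embed condition `if(!$U['embed'] && get_setting('imgembed'))` in print_messages (and its twin in send_inbox) drops the cookie check, so a cookieless visitor whose session id travels in the URL (send_profile now always appends `&amp;session=$U[session]` to its links) auto-loads third-party images, and the only thing keeping that URL out of the Referer is the client honouring one of the three policies set in send_headers and load_html. A browser that ignores the `Referrer-Policy` header, the `<meta name="referrer">` tag and the non-standard CSP `referrer` directive (which was removed from the CSP draft in favour of the Referrer-Policy header and should be treated as a stop-gap) will still send the session id to the image host without any user action. For defence in depth, keep the old server-side gate for URL-carried sessions, e.g. `if(get_setting('imgembed') && (!$U['embed'] || !isSet($_COOKIE[COOKIENAME]))){`, or at least add a comment at the new condition such as `// embed safety relies on the client honouring the no-referrer policy sent by send_headers()`. The same reasoning applies to the removed redirect wrapper for outbound links, which was the server-side protection that did not depend on browser support. prepare_message_print's body continues past the end of its hunk.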


@ -153,7 +153,7 @@ $T=array(
'italic' => 'Kursiv', 'italic' => 'Kursiv',
'fontexample' => 'Beispiel für deine gewählte Schrift', 'fontexample' => 'Beispiel für deine gewählte Schrift',
'timestamps' => 'Zeitstempel anzeigen', 'timestamps' => 'Zeitstempel anzeigen',
'embed' => 'Bilder einbetten (Benötigt Cookies)', 'embed' => 'Bilder einbetten',
'incognito' => 'Inkognito Modus', 'incognito' => 'Inkognito Modus',
'pbsize' => 'Postboxgröße', 'pbsize' => 'Postboxgröße',
'nbsize' => 'Notizboxgröße', 'nbsize' => 'Notizboxgröße',


@ -153,7 +153,7 @@ $I=array(
'italic' => 'Italic', 'italic' => 'Italic',
'fontexample' => 'Example for your chosen font', 'fontexample' => 'Example for your chosen font',
'timestamps' => 'Show Timestamps', 'timestamps' => 'Show Timestamps',
'embed' => 'Embed images (needs Cookies)', 'embed' => 'Embed images',
'incognito' => 'Incognito mode', 'incognito' => 'Incognito mode',
'pbsize' => 'Post box size', 'pbsize' => 'Post box size',
'nbsize' => 'Notes box size', 'nbsize' => 'Notes box size',


@ -153,7 +153,7 @@ $T=array(
'italic' => 'Bastardilla', 'italic' => 'Bastardilla',
'fontexample' => 'Ejemplo de la tipografía seleccionada', 'fontexample' => 'Ejemplo de la tipografía seleccionada',
'timestamps' => 'Mostrar fecha y hora', 'timestamps' => 'Mostrar fecha y hora',
'embed' => 'Habilitar imágenes (necesita cookies)', 'embed' => 'Habilitar imágenes',
'incognito' => 'Modo incógnito', 'incognito' => 'Modo incógnito',
'pbsize' => 'Tamaño de la caja de publicación', 'pbsize' => 'Tamaño de la caja de publicación',
'nbsize' => 'Tamaño de la caja de notas', 'nbsize' => 'Tamaño de la caja de notas',


@ -153,7 +153,7 @@ $T=array(
'italic' => 'Bastardilla', 'italic' => 'Bastardilla',
'fontexample' => 'Ejemplo de la tipografía seleccionada', 'fontexample' => 'Ejemplo de la tipografía seleccionada',
'timestamps' => 'Mostrar fecha y hora', 'timestamps' => 'Mostrar fecha y hora',
'embed' => 'Habilitar imágenes (necesita cookies)', 'embed' => 'Habilitar imágenes',
'incognito' => 'Modo incógnito', 'incognito' => 'Modo incógnito',
'pbsize' => 'Tamaño de la caja de publicación', 'pbsize' => 'Tamaño de la caja de publicación',
'nbsize' => 'Tamaño de la caja de notas', 'nbsize' => 'Tamaño de la caja de notas',


@ -153,7 +153,7 @@ $T=array(
'italic' => 'Italique', 'italic' => 'Italique',
'fontexample' => 'Exemple de choix de polices', 'fontexample' => 'Exemple de choix de polices',
'timestamps' => 'Afficher l\'horodatage', 'timestamps' => 'Afficher l\'horodatage',
'embed' => 'Images imbriquées (besoin des Cookies)', 'embed' => 'Images imbriquées',
'incognito' => 'Mode incognito', 'incognito' => 'Mode incognito',
'pbsize' => 'Dimension de la boite du texte', 'pbsize' => 'Dimension de la boite du texte',
'nbsize' => 'Dimension de la boite du chat', 'nbsize' => 'Dimension de la boite du chat',


@ -153,7 +153,7 @@ $T=array(
'italic' => 'Miring', 'italic' => 'Miring',
'fontexample' => 'Contoh untuk font yang anda pilih', 'fontexample' => 'Contoh untuk font yang anda pilih',
'timestamps' => 'Tunjukkan penanda waktu', 'timestamps' => 'Tunjukkan penanda waktu',
'embed' => 'Tanamkan gambar (Membutuhkan kuki)', 'embed' => 'Tanamkan gambar',
'incognito' => 'Mode penyamaran', 'incognito' => 'Mode penyamaran',
'pbsize' => 'Ukuran kotak pos', 'pbsize' => 'Ukuran kotak pos',
'nbsize' => 'Ukuran otak catatan', 'nbsize' => 'Ukuran otak catatan',


@ -153,7 +153,7 @@ $T=array(
'italic' => 'Курсив', 'italic' => 'Курсив',
'fontexample' => 'Пример выбранного вами шрифта', 'fontexample' => 'Пример выбранного вами шрифта',
'timestamps' => 'Показать отметки времени', 'timestamps' => 'Показать отметки времени',
'embed' => 'Вставить изображения (использует Cookies)', 'embed' => 'Вставить изображения',
'incognito' => 'Режим инкогнито', 'incognito' => 'Режим инкогнито',
'pbsize' => 'Размер окна сообщений', 'pbsize' => 'Размер окна сообщений',
'nbsize' => 'Размер окна заметок', 'nbsize' => 'Размер окна заметок',