TrackBack implementation has been removed entirely due to an extremely strong suspicion of violating copyright. The 'referer' function (that used the implementation) was also removed.
tb.inc.php leaks the content of a protected page as <description> when you query it using "__mode=rss".
Also, I think unauthed users should not see received trackbacks even if they figured out the trackback URL. (md5..)
--- orig/plugin/tb.inc.php Sun Jan 23 12:15:40 2005 +++ plugin/tb.inc.php Thu Feb 24 18:13:32 2005 @@ -113,18 +114,19 @@ // ?__mode=rss function plugin_tb_mode_rss($tb_id) { - global $script, $vars, $entity_pattern; + global $script, $vars, $entity_pattern, $_title_cannotread; $page = tb_id2page($tb_id); if ($page === FALSE) return FALSE; $items = ''; - foreach (tb_get(tb_get_filename($page)) as $arr) { - // _utime_, title, excerpt, _blog_name_ - array_shift($arr); // Cut utime - list ($url, $title, $excerpt) = array_map( - create_function('$a', 'return htmlspecialchars($a);'), $arr); - $items .= <<<EOD + if (check_readable($page, FALSE, FALSE)) + foreach (tb_get(tb_get_filename($page)) as $arr) { + // _utime_, title, excerpt, _blog_name_ + array_shift($arr); // Cut utime + list ($url, $title, $excerpt) = array_map( + create_function('$a', 'return htmlspecialchars($a);'), $arr); + $items .= <<<EOD <item> <title>$title</title> @@ -132,16 +134,20 @@ <description>$excerpt</description> </item> EOD; - } + } $title = htmlspecialchars($page); $link = $script . '?' . rawurlencode($page); $vars['page'] = $page; - $excerpt = strip_htmltag(convert_html(get_source($page))); - $excerpt = preg_replace("/&$entity_pattern;/", '', $excerpt); - $excerpt = mb_strimwidth(preg_replace("/[\r\n]/", ' ', $excerpt), 0, 255, '...'); $lang = PLUGIN_TB_LANGUAGE; + if (check_readable($page, FALSE, FALSE)) { + $excerpt = strip_htmltag(convert_html(get_source($page))); + $excerpt = preg_replace("/&$entity_pattern;/", '', $excerpt); + $excerpt = mb_strimwidth(preg_replace("/[\r\n]/", ' ', $excerpt), 0, 255, '...'); + } else + $excerpt=str_replace('$1', $title, $_title_cannotread); + $rc = <<<EOD <?xml version="1.0" encoding="utf-8" ?> <response> 
@@ -179,20 +185,21 @@ $tb_refer = sprintf($_tb_refer, '<a href="' . $script . '?' . $r_page . '">\'' . $page . '\'</a>', '<a href="' . $script . '">' . $page_title . '</a>'); - $data = tb_get(tb_get_filename($page)); + if (check_readable($page, FALSE, FALSE)) { + $data = tb_get(tb_get_filename($page)); - // Sort: The first is the latest - usort($data, create_function('$a,$b', 'return $b[0] - $a[0];')); + // Sort: The first is the latest + usort($data, create_function('$a,$b', 'return $b[0] - $a[0];')); - $tb_body = ''; - foreach ($data as $x) { - if (count($x) != 5) continue; // Ignore incorrect record + $tb_body = ''; + foreach ($data as $x) { + if (count($x) != 5) continue; // Ignore incorrect record - list ($time, $url, $title, $excerpt, $blog_name) = $x; - if ($title == '') $title = 'no title'; + list ($time, $url, $title, $excerpt, $blog_name) = $x; + if ($title == '') $title = 'no title'; - $time = date($_tb_date, $time + LOCALZONE); // May 2, 2003 11:25 AM - $tb_body .= <<<EOD + $time = date($_tb_date, $time + LOCALZONE); // May 2, 2003 11:25 AM + $tb_body .= <<<EOD <div class="trackback-body"> <span class="trackback-post"><a href="$url" target="new" rel="nofollow">$title</a><br /> <strong>$_tb_header_Excerpt</strong> $excerpt<br /> @@ -201,6 +208,7 @@ </span> </div> EOD; + } } $msg = <<<EOD <?xml version="1.0" encoding="UTF-8"?>
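Review bot: in the hunk at -113,18 the new `if (check_readable($page, FALSE, FALSE))` is placed directly in front of the `foreach` without braces of its own, so the `}` re-indented in the next hunk closes only the loop and the guard works only as long as the loop stays a single statement. Wrap the loop in `if (...) { ... }`, and since the same `check_readable($page, FALSE, FALSE)` call is repeated later in this function, evaluate it once into a local (e.g. `$readable`) and test that in both places.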
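Review bot: in the hunk at -132,16 the `else` branch, `$excerpt=str_replace('$1', $title, $_title_cannotread);`, places the localized message into the RSS `<description>` without the `htmlspecialchars()` that every other value in this output passes through; escape the message the same way (`$title` alone being escaped is not enough if the message itself carries markup). Minor style: the `if` block has braces while the `else` does not, and `$excerpt=str_replace` lacks the spaces around `=` used elsewhere in the file.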
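Review bot: in the hunk at -179,20, `$tb_body = '';` has moved inside the new `if (check_readable($page, FALSE, FALSE)) {` block, so when the page is not readable `$tb_body` is never assigned and the `$msg = <<<EOD` heredoc after the closing `}` (which presumably interpolates `$tb_body`) will read an undefined variable. Keep `$tb_body = '';` before the `if`, as it was, so the unreadable case yields an empty body instead of a notice.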
It's not tb.inc.php, but since we are talking about trackback here.. ;)
I think it would be better if PukiWiki sent the site name (page_title) as blog_name.
--- orig/lib/trackback.php Sat Jan 29 22:53:37 2005 +++ lib/trackback.php Thu Feb 24 17:34:26 2005 @@ -71,7 +71,7 @@ // $minus = Removed lines may include URLs function tb_send($page, $plus, $minus = '') { - global $script, $trackback; + global $script, $trackback, $page_title; if (! $trackback) return; @@ -108,7 +108,7 @@ 'title' => $page, // Title = It's page name 'url' => "$script?$r_page", // will be rawurlencode() at send phase 'excerpt' => mb_strimwidth(preg_replace("/[\r\n]/", ' ', $excerpt), 0, 255, '...'), - 'blog_name' => PLUGIN_TRACKBACK_VERSION, + 'blog_name' => $page_title .' ('. PLUGIN_TRACKBACK_VERSION .')', 'charset' => SOURCE_ENCODING // Ping text encoding (Not defined) );
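Review bot: in the hunk at -108,7 the concatenation `$page_title .' ('. PLUGIN_TRACKBACK_VERSION .')'` is spaced differently from the `$script . '?' . $r_page` style used on the neighbouring lines; write it as `$page_title . ' (' . PLUGIN_TRACKBACK_VERSION . ')'`. It is also worth guarding against an empty `$page_title`, since the ping would then advertise a blog_name of just ` (version)`; falling back to the old `PLUGIN_TRACKBACK_VERSION` alone in that case keeps the previous behaviour.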
We only need to parse trackback RDF. (There are other types of RDF for other things, like the CC schema for copyright info.)
@@ -189,7 +189,7 @@ if ($data['rc'] !== 200) return ''; $matches = array(); - if (! preg_match_all('#<rdf:RDF[^>]*>(.*?)</rdf:RDF>#si', $data['data'], + if (! preg_match_all('#<rdf:RDF[^>]*xmlns:trackback[^>]*>(.*?)</rdf:RDF>#si', $data['data'], $matches, PREG_PATTERN_ORDER)) return '';
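Review bot: in the hunk at -189,7 the tightened pattern `<rdf:RDF[^>]*xmlns:trackback[^>]*>` keys on the prefix name rather than on the namespace URI, so it still accepts a block whose `trackback` prefix is bound to some unrelated namespace, and rejects one that binds the TrackBack namespace (`http://madskills.com/public/xml/rss/module/trackback/`) to another prefix or declares it on the inner `rdf:Description` element. Checking for that URI, and for the `ping` attribute under whatever prefix it is bound to, expresses "only parse trackback RDF" directly; the prefix-name check is a heuristic that happens to fit the spec's example markup.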
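A namespace-aware version of that check, as an added example written in Python rather than taken from PukiWiki's lib/trackback.php: it accepts an `<rdf:RDF>` block only when some prefix is bound to the TrackBack namespace URI, whichever prefix name the remote site chose, and skips other RDF such as Creative Commons licence metadata. The sample HTML and its hostnames are constructed for the example.

```python
import re

# Namespace URI that TrackBack autodiscovery RDF binds its prefix to.
TRACKBACK_NS = "http://madskills.com/public/xml/rss/module/trackback/"
RDF_BLOCK = re.compile(r"<rdf:RDF\b([^>]*)>(.*?)</rdf:RDF>", re.S | re.I)
XMLNS = re.compile(r'xmlns:([A-Za-z_][\w.-]*)\s*=\s*["\']([^"\']*)["\']')
PING = re.compile(r'\b([A-Za-z_][\w.-]*):ping\s*=\s*["\']([^"\']*)["\']')

def find_trackback_pings(html):
    """Return the ping URLs of every <rdf:RDF> block whose ping attribute
    uses a prefix bound to TRACKBACK_NS; any other RDF block is ignored."""
    pings = []
    for match in RDF_BLOCK.finditer(html):
        attrs, body = match.group(1), match.group(2)
        # prefix -> URI, from declarations on rdf:RDF and on inner elements
        namespaces = dict(XMLNS.findall(attrs + body))
        tb_prefixes = {p for p, uri in namespaces.items() if uri == TRACKBACK_NS}
        if not tb_prefixes:
            continue  # e.g. CC licence RDF, or a 'trackback' prefix bound elsewhere
        for prefix, url in PING.findall(body):
            if prefix in tb_prefixes:
                pings.append(url)
    return pings

# Constructed sample page: CC RDF, spec-style trackback RDF, the same
# namespace under another prefix, and a misbound 'trackback' prefix.
SAMPLE_HTML = """<html><body>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
         xmlns:cc="http://web.resource.org/cc/">
  <cc:Work rdf:about=""><cc:license rdf:resource="http://creativecommons.org/licenses/by/2.0/" /></cc:Work>
</rdf:RDF>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
         xmlns:dc="http://purl.org/dc/elements/1.1/"
         xmlns:trackback="http://madskills.com/public/xml/rss/module/trackback/">
  <rdf:Description rdf:about="http://example.test/post/1" dc:title="Post 1"
       trackback:ping="http://example.test/tb/1" />
</rdf:RDF>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
  <rdf:Description xmlns:tb="http://madskills.com/public/xml/rss/module/trackback/"
       rdf:about="http://example.test/post/2" tb:ping="http://example.test/tb/2" />
</rdf:RDF>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
         xmlns:trackback="http://example.test/not-trackback/">
  <rdf:Description rdf:about="http://example.test/post/3" trackback:ping="http://example.test/tb/3" />
</rdf:RDF>
</body></html>"""

if __name__ == "__main__":
    print(find_trackback_pings(SAMPLE_HTML))  # ['http://example.test/tb/1', 'http://example.test/tb/2']
```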