Merge branch '1.0.x' of git@gitorious.org:statusnet/mainline into 1.0.x

This commit is contained in:
Brion Vibber 2010-03-29 15:15:41 -07:00
commit e2d3ebb9f4
4 changed files with 37 additions and 9 deletions

View File

@ -48,7 +48,6 @@ class FinishopenidloginAction extends Action
} else if ($this->arg('connect')) { } else if ($this->arg('connect')) {
$this->connectUser(); $this->connectUser();
} else { } else {
common_debug(print_r($this->args, true), __FILE__);
$this->showForm(_m('Something weird happened.'), $this->showForm(_m('Something weird happened.'),
$this->trimmed('newname')); $this->trimmed('newname'));
} }
@ -159,6 +158,9 @@ class FinishopenidloginAction extends Action
$canonical = ($response->endpoint->canonicalID) ? $canonical = ($response->endpoint->canonicalID) ?
$response->endpoint->canonicalID : $response->getDisplayIdentifier(); $response->endpoint->canonicalID : $response->getDisplayIdentifier();
oid_assert_allowed($display);
oid_assert_allowed($canonical);
$sreg_resp = Auth_OpenID_SRegResponse::fromSuccessResponse($response); $sreg_resp = Auth_OpenID_SRegResponse::fromSuccessResponse($response);
if ($sreg_resp) { if ($sreg_resp) {

View File

@ -94,7 +94,6 @@ function oid_link_user($id, $canonical, $display)
if (!$oid->insert()) { if (!$oid->insert()) {
$err = PEAR::getStaticProperty('DB_DataObject','lastError'); $err = PEAR::getStaticProperty('DB_DataObject','lastError');
common_debug('DB error ' . $err->code . ': ' . $err->message, __FILE__);
return false; return false;
} }
@ -119,13 +118,10 @@ function oid_check_immediate($openid_url, $backto=null)
unset($args['action']); unset($args['action']);
$backto = common_local_url($action, $args); $backto = common_local_url($action, $args);
} }
common_debug('going back to "' . $backto . '"', __FILE__);
common_ensure_session(); common_ensure_session();
$_SESSION['openid_immediate_backto'] = $backto; $_SESSION['openid_immediate_backto'] = $backto;
common_debug('passed-in variable is "' . $backto . '"', __FILE__);
common_debug('session variable is "' . $_SESSION['openid_immediate_backto'] . '"', __FILE__);
oid_authenticate($openid_url, oid_authenticate($openid_url,
'finishimmediate', 'finishimmediate',
@ -261,6 +257,35 @@ function oid_update_user(&$user, &$sreg)
return true; return true;
} }
function oid_assert_allowed($url)
{
$blacklist = common_config('openid', 'blacklist');
$whitelist = common_config('openid', 'whitelist');
if (empty($blacklist)) {
$blacklist = array();
}
if (empty($whitelist)) {
$whitelist = array();
}
foreach ($blacklist as $pattern) {
if (preg_match("/$pattern/", $url)) {
common_log(LOG_INFO, "Matched OpenID blacklist pattern {$pattern} with {$url}");
foreach ($whitelist as $exception) {
if (preg_match("/$exception/", $url)) {
common_log(LOG_INFO, "Matched OpenID whitelist pattern {$exception} with {$url}");
return;
}
}
throw new ClientException(_m("Unauthorized URL used for OpenID login."), 403);
}
}
return;
}
class AutosubmitAction extends Action class AutosubmitAction extends Action
{ {
var $form_html = null; var $form_html = null;
@ -281,7 +306,7 @@ class AutosubmitAction extends Action
{ {
$this->raw($this->form_html); $this->raw($this->form_html);
} }
function showScripts() function showScripts()
{ {
parent::showScripts(); parent::showScripts();

View File

@ -31,6 +31,8 @@ class OpenidloginAction extends Action
} else if ($_SERVER['REQUEST_METHOD'] == 'POST') { } else if ($_SERVER['REQUEST_METHOD'] == 'POST') {
$openid_url = $this->trimmed('openid_url'); $openid_url = $this->trimmed('openid_url');
oid_assert_allowed($openid_url);
# CSRF protection # CSRF protection
$token = $this->trimmed('token'); $token = $this->trimmed('token');
if (!$token || $token != common_session_token()) { if (!$token || $token != common_session_token()) {

View File

@ -71,7 +71,7 @@ class OpenidtrustAction extends Action
} }
return true; return true;
} }
function handle($args) function handle($args)
{ {
parent::handle($args); parent::handle($args);
@ -96,7 +96,6 @@ class OpenidtrustAction extends Action
$user_openid_trustroot->created = DB_DataObject_Cast::dateTime(); $user_openid_trustroot->created = DB_DataObject_Cast::dateTime();
if (!$user_openid_trustroot->insert()) { if (!$user_openid_trustroot->insert()) {
$err = PEAR::getStaticProperty('DB_DataObject','lastError'); $err = PEAR::getStaticProperty('DB_DataObject','lastError');
common_debug('DB error ' . $err->code . ': ' . $err->message, __FILE__);
} }
common_redirect($this->allowUrl, $code=302); common_redirect($this->allowUrl, $code=302);
}else{ }else{
@ -135,7 +134,7 @@ class OpenidtrustAction extends Action
$this->elementStart('fieldset'); $this->elementStart('fieldset');
$this->submit('allow', _m('Continue')); $this->submit('allow', _m('Continue'));
$this->submit('deny', _m('Cancel')); $this->submit('deny', _m('Cancel'));
$this->elementEnd('fieldset'); $this->elementEnd('fieldset');
$this->elementEnd('form'); $this->elementEnd('form');
} }