forked from GNUsocial/gnu-social
add whitelist and blacklist for openid URLs
This commit is contained in:
parent
5b23b7e736
commit
9c63ae6e44
@ -158,6 +158,9 @@ class FinishopenidloginAction extends Action
|
||||
$canonical = ($response->endpoint->canonicalID) ?
|
||||
$response->endpoint->canonicalID : $response->getDisplayIdentifier();
|
||||
|
||||
oid_assert_allowed($display);
|
||||
oid_assert_allowed($canonical);
|
||||
|
||||
$sreg_resp = Auth_OpenID_SRegResponse::fromSuccessResponse($response);
|
||||
|
||||
if ($sreg_resp) {
|
||||
|
@ -257,6 +257,35 @@ function oid_update_user(&$user, &$sreg)
|
||||
return true;
|
||||
}
|
||||
|
||||
function oid_assert_allowed($url)
|
||||
{
|
||||
$blacklist = common_config('openid', 'blacklist');
|
||||
$whitelist = common_config('openid', 'whitelist');
|
||||
|
||||
if (empty($blacklist)) {
|
||||
$blacklist = array();
|
||||
}
|
||||
|
||||
if (empty($whitelist)) {
|
||||
$whitelist = array();
|
||||
}
|
||||
|
||||
foreach ($blacklist as $pattern) {
|
||||
if (preg_match("/$pattern/", $url)) {
|
||||
common_log(LOG_INFO, "Matched OpenID blacklist pattern {$pattern} with {$url}");
|
||||
foreach ($whitelist as $exception) {
|
||||
if (preg_match("/$exception/", $url)) {
|
||||
common_log(LOG_INFO, "Matched OpenID whitelist pattern {$exception} with {$url}");
|
||||
return;
|
||||
}
|
||||
}
|
||||
throw new ClientException(_m("Unauthorized URL used for OpenID login."), 403);
|
||||
}
|
||||
}
|
||||
|
||||
return;
|
||||
}
|
||||
|
||||
class AutosubmitAction extends Action
|
||||
{
|
||||
var $form_html = null;
|
||||
|
@ -31,6 +31,8 @@ class OpenidloginAction extends Action
|
||||
} else if ($_SERVER['REQUEST_METHOD'] == 'POST') {
|
||||
$openid_url = $this->trimmed('openid_url');
|
||||
|
||||
oid_assert_allowed($openid_url);
|
||||
|
||||
# CSRF protection
|
||||
$token = $this->trimmed('token');
|
||||
if (!$token || $token != common_session_token()) {
|
||||
|
Loading…
Reference in New Issue
Block a user