X-Git-Url: https://git.mxchange.org/?a=blobdiff_plain;f=actions%2Fuserauthorization.php;h=680f55094c7916da8a8aca6576056ba80bfe4577;hb=485247e9011e08a6ff0b9a2ff3d7a60bad515a26;hp=19fe693139c3d4c23d86b7c8a28f5cb38023c940;hpb=87b494f1ebbe7640d194ef322af12fdf378295df;p=quix0rs-gnu-social.git
diff --git a/actions/userauthorization.php b/actions/userauthorization.php
index 19fe693139..680f55094c 100644
--- a/actions/userauthorization.php
+++ b/actions/userauthorization.php
@@ -23,39 +23,46 @@ require_once(INSTALLDIR.'/lib/omb.php');
 define('TIMESTAMP_THRESHOLD', 300);
 class UserauthorizationAction extends Action {
+
 function handle($args) {
 parent::handle($args);
 if ($_SERVER['REQUEST_METHOD'] == 'POST') {
+ # CSRF protection
+ $token = $this->trimmed('token');
+ if (!$token || $token != common_session_token()) {
+ $req = $this->get_stored_request();
+ $this->show_form(_('There was a problem with your session token. Try again, please.'), $req);
+ return;
+ }
 # We've shown the form, now post user's choice
 $this->send_authorization();
 } else {
 if (!common_logged_in()) {
 # Go log in, and then come back
- common_debug('userauthorization.php - saving URL for returnto');
- $argsclone = $_GET;
- unset($argsclone['action']);
- common_set_returnto(common_local_url('userauthorization', $argsclone));
- common_debug('userauthorization.php - redirecting to login');
+ common_debug('saving URL for returnto', __FILE__);
+ common_set_returnto($_SERVER['REQUEST_URI']);
+
+ common_debug('redirecting to login', __FILE__);
 common_redirect(common_local_url('login'));
 return;
 }
 try {
 # this must be a new request
- common_debug('userauthorization.php - getting new request');
+ common_debug('getting new request', __FILE__);
 $req = $this->get_new_request();
 if (!$req) {
- common_server_error(_('No request found!'));
+ $this->client_error(_('No request found!'));
 }
- common_debug('userauthorization.php - validating request');
+ common_debug('validating request', __FILE__);
 # XXX: only validate new requests, since nonce is one-time use
 $this->validate_request($req);
- common_debug('userauthorization.php - showing form');
+ common_debug('showing form', __FILE__);
 $this->store_request($req);
 $this->show_form($req);
 } catch (OAuthException $e) {
 $this->clear_request();
- common_server_error($e->getMessage());
+ $this->client_error($e->getMessage());
 return;
 }
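Review bot: The CSRF check compares the submitted token with `!=`, a loose, early-exit string comparison; in `if (!$token || $token != common_session_token()) {` use a strict, constant-time comparison, `if (!$token || !hash_equals((string) common_session_token(), (string) $token)) {`, if the project's PHP floor allows `hash_equals()` (5.6+), and at least `!==` otherwise. Loose `!=` on strings also applies PHP's numeric-string juggling, so two different tokens that both parse as numbers in exponent form can compare equal. Separately, the new `$this->client_error(_('No request found!'));` is not followed by `return;`, while the new catch block does return after `client_error()`; if `client_error()` hands control back to the caller, `validate_request($req)` then runs on a null request. The body of `handle()` continues past the end of this hunk.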
@@ -115,6 +122,7 @@ class UserauthorizationAction extends Action {
 'id' => 'userauthorization',
 'name' => 'userauthorization',
 'action' => common_local_url('userauthorization')));
+ common_hidden('token', common_session_token());
 common_submit('accept', _('Accept'));
 common_submit('reject', _('Reject'));
 common_element_end('form');
@@ -133,10 +141,10 @@ class UserauthorizationAction extends Action {
 if ($this->arg('accept')) {
 if (!$this->authorize_token($req)) {
- common_server_error(_('Error authorizing token'));
+ $this->client_error(_('Error authorizing token'));
 }
 if (!$this->save_remote_profile($req)) {
- common_server_error(_('Error saving remote profile'));
+ $this->client_error(_('Error saving remote profile'));
 }
 if (!$callback) {
 $this->show_accept_message($req->get_parameter('oauth_token'));
@@ -146,6 +154,11 @@ class UserauthorizationAction extends Action {
 $params['omb_version'] = OMB_VERSION_01;
 $user = User::staticGet('uri', $req->get_parameter('omb_listener'));
 $profile = $user->getProfile();
+ if (!$profile) {
+ common_log_db_error($user, 'SELECT', __FILE__);
+ $this->server_error(_('User without matching profile'));
+ return;
+ }
 $params['omb_listener_nickname'] = $user->nickname;
 $params['omb_listener_profile'] = common_local_url('showstream', array('nickname' => $user->nickname));
@@ -341,6 +354,7 @@ class UserauthorizationAction extends Action {
 }
 function get_new_request() {
+ common_remove_magic_from_request();
 $req = OAuthRequest::from_request();
 return $req;
 }
@@ -384,7 +398,8 @@ class UserauthorizationAction extends Action {
 if ($version != OMB_VERSION_01) {
 throw new OAuthException("OpenMicroBlogging version '$version' not supported");
 }
- $user = User::staticGet('uri', $req->get_parameter('omb_listener'));
+ $listener = $req->get_parameter('omb_listener');
+ $user = User::staticGet('uri', $listener);
 if (!$user) {
 throw new OAuthException("Listener URI '$listener' not found here");
 }
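Review bot: Neither `$this->client_error(_('Error authorizing token'));` nor `$this->client_error(_('Error saving remote profile'));` is followed by `return;`, so if `client_error()` returns to its caller (the new catch block in `handle()` explicitly returns after it, which suggests it can) a failed `authorize_token()` still falls through to `save_remote_profile()` and then on to the accept message or callback redirect. Add `return;` directly after each call, e.g. `$this->client_error(_('Error authorizing token')); return;`. `send_authorization()` starts and ends outside this hunk.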
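Review bot: The new guard checks `$profile` but not `$user`: `User::staticGet('uri', $req->get_parameter('omb_listener'))` can return false, and the next line dereferences it with `$user->getProfile()`, a fatal error rather than a handled response. The listener is checked against the database only in `validate_request()` when the request is first shown (the comment in `handle()` says stored requests are not re-validated), so by the time this POST runs the row may no longer exist. Guard it the same way as the profile: `if (!$user) { $this->server_error(_('Listener not found')); return; }` before `$profile = $user->getProfile();`. The enclosing function continues beyond this hunk.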
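Review bot: `$listener` is taken straight from the request parameter `omb_listener` and interpolated into the `OAuthException` message, which `handle()` now passes to `$this->client_error($e->getMessage())`; if `client_error()` renders the message without HTML-escaping, this is a reflected XSS via the listener URI. Either escape at the rendering site or keep the attacker-controlled value out of the user-facing message, e.g. `throw new OAuthException("Listener URI not found here");` and record `$listener` with `common_debug()` instead. Whether `client_error()` escapes its argument is not visible in this diff.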