Merge branch 'testing' into 0.9.x

diff --git a/plugins/OpenID/finishopenidlogin.php b/plugins/OpenID/finishopenidlogin.php
index 438a728d83fb65c0934887353713cb6e747f05d3..f3a48330063f1a93aac04835785b01c66f520f3c 100644 (file)
--- a/plugins/OpenID/finishopenidlogin.php
+++ b/plugins/OpenID/finishopenidlogin.php
@@ -48,7 +48,6 @@ class FinishopenidloginAction extends Action
             } else if ($this->arg('connect')) {
                 $this->connectUser();
             } else {
-                common_debug(print_r($this->args, true), __FILE__);
                 $this->showForm(_m('Something weird happened.'),
                                 $this->trimmed('newname'));
             }
@@ -159,6 +158,9 @@ class FinishopenidloginAction extends Action
             $canonical = ($response->endpoint->canonicalID) ?
               $response->endpoint->canonicalID : $response->getDisplayIdentifier();
 
+            oid_assert_allowed($display);
+            oid_assert_allowed($canonical);
+
             $sreg_resp = Auth_OpenID_SRegResponse::fromSuccessResponse($response);
 
             if ($sreg_resp) {

diff --git a/plugins/OpenID/openid.php b/plugins/OpenID/openid.php
index 9e02c7a8834566bd8ec852c90ae84dbc4573dde0..1524389177eb5ee0e6eb158655539927ec30b343 100644 (file)
--- a/plugins/OpenID/openid.php
+++ b/plugins/OpenID/openid.php
@@ -94,7 +94,6 @@ function oid_link_user($id, $canonical, $display)
 
     if (!$oid->insert()) {
         $err = PEAR::getStaticProperty('DB_DataObject','lastError');
-        common_debug('DB error ' . $err->code . ': ' . $err->message, __FILE__);
         return false;
     }
 
@@ -119,13 +118,10 @@ function oid_check_immediate($openid_url, $backto=null)
         unset($args['action']);
         $backto = common_local_url($action, $args);
     }
-    common_debug('going back to "' . $backto . '"', __FILE__);
 
     common_ensure_session();
 
     $_SESSION['openid_immediate_backto'] = $backto;
-    common_debug('passed-in variable is "' . $backto . '"', __FILE__);
-    common_debug('session variable is "' . $_SESSION['openid_immediate_backto'] . '"', __FILE__);
 
     oid_authenticate($openid_url,
                      'finishimmediate',
@@ -261,6 +257,35 @@ function oid_update_user(&$user, &$sreg)
     return true;
 }
 
+function oid_assert_allowed($url)
+{
+    $blacklist = common_config('openid', 'blacklist');
+    $whitelist = common_config('openid', 'whitelist');
+
+    if (empty($blacklist)) {
+        $blacklist = array();
+    }
+
+    if (empty($whitelist)) {
+        $whitelist = array();
+    }
+
+    foreach ($blacklist as $pattern) {
+        if (preg_match("/$pattern/", $url)) {
+            common_log(LOG_INFO, "Matched OpenID blacklist pattern {$pattern} with {$url}");
+            foreach ($whitelist as $exception) {
+                if (preg_match("/$exception/", $url)) {
+                    common_log(LOG_INFO, "Matched OpenID whitelist pattern {$exception} with {$url}");
+                    return;
+                }
+            }
+            throw new ClientException(_m("Unauthorized URL used for OpenID login."), 403);
+        }
+    }
+
+    return;
+}
+
 class AutosubmitAction extends Action
 {
     var $form_html = null;
@@ -281,7 +306,7 @@ class AutosubmitAction extends Action
     {
         $this->raw($this->form_html);
     }
-    
+
     function showScripts()
     {
         parent::showScripts();

diff --git a/plugins/OpenID/openidlogin.php b/plugins/OpenID/openidlogin.php
index 9ba55911c014c8afa156e16ce71b7fb33610ba3d..2a743672cf68d2bfb59e4bcfa61c0239cccd489c 100644 (file)
--- a/plugins/OpenID/openidlogin.php
+++ b/plugins/OpenID/openidlogin.php
@@ -31,6 +31,8 @@ class OpenidloginAction extends Action
         } else if ($_SERVER['REQUEST_METHOD'] == 'POST') {
             $openid_url = $this->trimmed('openid_url');
 
+            oid_assert_allowed($openid_url);
+
             # CSRF protection
             $token = $this->trimmed('token');
             if (!$token || $token != common_session_token()) {

diff --git a/plugins/OpenID/openidtrust.php b/plugins/OpenID/openidtrust.php
index fa7ea36e26c40bc2906aca5ebaa4535e4fde5f7e..ed6ca73a47f71ca11e84d8cbf32f30c8a459f163 100644 (file)
--- a/plugins/OpenID/openidtrust.php
+++ b/plugins/OpenID/openidtrust.php
@@ -71,7 +71,7 @@ class OpenidtrustAction extends Action
         }
         return true;
     }
-    
+
     function handle($args)
     {
         parent::handle($args);
@@ -96,7 +96,6 @@ class OpenidtrustAction extends Action
             $user_openid_trustroot->created = DB_DataObject_Cast::dateTime();
             if (!$user_openid_trustroot->insert()) {
                 $err = PEAR::getStaticProperty('DB_DataObject','lastError');
-                common_debug('DB error ' . $err->code . ': ' . $err->message, __FILE__);
             }
             common_redirect($this->allowUrl, $code=302);
         }else{
@@ -135,7 +134,7 @@ class OpenidtrustAction extends Action
         $this->elementStart('fieldset');
         $this->submit('allow', _m('Continue'));
         $this->submit('deny', _m('Cancel'));
-        
+
         $this->elementEnd('fieldset');
         $this->elementEnd('form');
     }