<IfModule mod_rewrite.c>
RewriteEngine On
- # NOTE: change this to your actual StatusNet path; may be "/".
-
+ # NOTE: change this to your actual StatusNet base URL path,
+ # minus the domain part:
+ #
+ # http://example.com/ => /
+ # http://example.com/mublog/ => /mublog/
+ #
RewriteBase /mublog/
## Uncomment these if having trouble with API authentication
## when PHP is running in CGI or FastCGI mode.
+ #
#RewriteCond %{HTTP:Authorization} ^(.*)
#RewriteRule ^(.*) - [E=HTTP_AUTHORIZATION:%1]
//exit with 200 response, if this is checking fancy from the installer
if (isset($_REQUEST['p']) && $_REQUEST['p'] == 'check-fancy') { exit; }
-define('STATUSNET_VERSION', '0.9.0');
+define('STATUSNET_VERSION', '0.9.1rc1');
define('LACONICA_VERSION', STATUSNET_VERSION); // compatibility
-define('STATUSNET_CODENAME', 'Stand');
+define('STATUSNET_CODENAME', 'Everybody Hurts');
define('AVATAR_PROFILE_SIZE', 96);
define('AVATAR_STREAM_SIZE', 48);
} else if ($this->arg('connect')) {
$this->connectUser();
} else {
- common_debug(print_r($this->args, true), __FILE__);
$this->showForm(_m('Something weird happened.'),
$this->trimmed('newname'));
}
$canonical = ($response->endpoint->canonicalID) ?
$response->endpoint->canonicalID : $response->getDisplayIdentifier();
+ oid_assert_allowed($display);
+ oid_assert_allowed($canonical);
+
$sreg_resp = Auth_OpenID_SRegResponse::fromSuccessResponse($response);
if ($sreg_resp) {
if (!$oid->insert()) {
$err = PEAR::getStaticProperty('DB_DataObject','lastError');
- common_debug('DB error ' . $err->code . ': ' . $err->message, __FILE__);
return false;
}
unset($args['action']);
$backto = common_local_url($action, $args);
}
- common_debug('going back to "' . $backto . '"', __FILE__);
common_ensure_session();
$_SESSION['openid_immediate_backto'] = $backto;
- common_debug('passed-in variable is "' . $backto . '"', __FILE__);
- common_debug('session variable is "' . $_SESSION['openid_immediate_backto'] . '"', __FILE__);
oid_authenticate($openid_url,
'finishimmediate',
return true;
}
+function oid_assert_allowed($url)
+{
+ $blacklist = common_config('openid', 'blacklist');
+ $whitelist = common_config('openid', 'whitelist');
+
+ if (empty($blacklist)) {
+ $blacklist = array();
+ }
+
+ if (empty($whitelist)) {
+ $whitelist = array();
+ }
+
+ foreach ($blacklist as $pattern) {
+ if (preg_match("/$pattern/", $url)) {
+ common_log(LOG_INFO, "Matched OpenID blacklist pattern {$pattern} with {$url}");
+ foreach ($whitelist as $exception) {
+ if (preg_match("/$exception/", $url)) {
+ common_log(LOG_INFO, "Matched OpenID whitelist pattern {$exception} with {$url}");
+ return;
+ }
+ }
+ throw new ClientException(_m("Unauthorized URL used for OpenID login."), 403);
+ }
+ }
+
+ return;
+}
+
class AutosubmitAction extends Action
{
var $form_html = null;
{
$this->raw($this->form_html);
}
-
+
function showScripts()
{
parent::showScripts();
} else if ($_SERVER['REQUEST_METHOD'] == 'POST') {
$openid_url = $this->trimmed('openid_url');
+ oid_assert_allowed($openid_url);
+
# CSRF protection
$token = $this->trimmed('token');
if (!$token || $token != common_session_token()) {
}
return true;
}
-
+
function handle($args)
{
parent::handle($args);
$user_openid_trustroot->created = DB_DataObject_Cast::dateTime();
if (!$user_openid_trustroot->insert()) {
$err = PEAR::getStaticProperty('DB_DataObject','lastError');
- common_debug('DB error ' . $err->code . ': ' . $err->message, __FILE__);
}
common_redirect($this->allowUrl, $code=302);
}else{
$this->elementStart('fieldset');
$this->submit('allow', _m('Continue'));
$this->submit('deny', _m('Cancel'));
-
+
$this->elementEnd('fieldset');
$this->elementEnd('form');
}