From: Brion Vibber Date: Thu, 2 Sep 2010 17:40:41 +0000 (-0700) Subject: Fix for #2635: use ssl-sometimes settings for Twitter settings & auth pages X-Git-Url: https://git.mxchange.org/?a=commitdiff_plain;h=4cbbfdab84c3cd58880902dbc560b14b4c66a0e8;p=quix0rs-gnu-social.git Fix for #2635: use ssl-sometimes settings for Twitter settings & auth pages --- diff --git a/lib/util.php b/lib/util.php index 66600c766f..f63e152e33 100644 --- a/lib/util.php +++ b/lib/util.php @@ -1018,8 +1018,7 @@ function common_local_url($action, $args=null, $params=null, $fragment=null, $ad function common_is_sensitive($action) { - static $sensitive = array('login', 'register', 'passwordsettings', - 'twittersettings', 'api'); + static $sensitive = array('login', 'register', 'passwordsettings', 'api'); $ssl = null; if (Event::handle('SensitiveAction', array($action, &$ssl))) { diff --git a/plugins/TwitterBridge/TwitterBridgePlugin.php b/plugins/TwitterBridge/TwitterBridgePlugin.php index 0505a328fb..8e3eba3186 100644 --- a/plugins/TwitterBridge/TwitterBridgePlugin.php +++ b/plugins/TwitterBridge/TwitterBridgePlugin.php @@ -335,5 +335,30 @@ class TwitterBridgePlugin extends Plugin return (bool)$this->adminImportControl; } + /** + * When the site is set to ssl=sometimes mode, we should make sure our + * various auth-related pages are on SSL to keep things looking happy. + * Although we're not submitting passwords directly, we do link out to + * an authentication source and it's a lot happier if we've got some + * protection against MitM. + * + * @param string $action name + * @param boolean $ssl outval to force SSL + * @return mixed hook return value + */ + function onSensitiveAction($action, &$ssl) + { + $sensitive = array('twitteradminpanel', + 'twittersettings', + 'twitterauthorization', + 'twitterlogin'); + if (in_array($action, $sensitive)) { + $ssl = true; + return false; + } else { + return true; + } + } + }