From 9c63ae6e443e7b23f64e31617a1762393473509a Mon Sep 17 00:00:00 2001
From: Evan Prodromou <evan@status.net>
Date: Thu, 25 Mar 2010 16:58:05 -0400
Subject: [PATCH] add whitelist and blacklist for openid URLs

---
 plugins/OpenID/finishopenidlogin.php |  3 +++
 plugins/OpenID/openid.php            | 29 ++++++++++++++++++++++++++++
 plugins/OpenID/openidlogin.php       |  2 ++
 3 files changed, 34 insertions(+)

diff --git a/plugins/OpenID/finishopenidlogin.php b/plugins/OpenID/finishopenidlogin.php
index 1f9bde0f15..f3a4833006 100644
--- a/plugins/OpenID/finishopenidlogin.php
+++ b/plugins/OpenID/finishopenidlogin.php
@@ -158,6 +158,9 @@ class FinishopenidloginAction extends Action
             $canonical = ($response->endpoint->canonicalID) ?
               $response->endpoint->canonicalID : $response->getDisplayIdentifier();
 
+            oid_assert_allowed($display);
+            oid_assert_allowed($canonical);
+
             $sreg_resp = Auth_OpenID_SRegResponse::fromSuccessResponse($response);
 
             if ($sreg_resp) {
diff --git a/plugins/OpenID/openid.php b/plugins/OpenID/openid.php
index d49941aed1..1524389177 100644
--- a/plugins/OpenID/openid.php
+++ b/plugins/OpenID/openid.php
@@ -257,6 +257,35 @@ function oid_update_user(&$user, &$sreg)
     return true;
 }
 
+function oid_assert_allowed($url)
+{
+    $blacklist = common_config('openid', 'blacklist');
+    $whitelist = common_config('openid', 'whitelist');
+
+    if (empty($blacklist)) {
+        $blacklist = array();
+    }
+
+    if (empty($whitelist)) {
+        $whitelist = array();
+    }
+
+    foreach ($blacklist as $pattern) {
+        if (preg_match("/$pattern/", $url)) {
+            common_log(LOG_INFO, "Matched OpenID blacklist pattern {$pattern} with {$url}");
+            foreach ($whitelist as $exception) {
+                if (preg_match("/$exception/", $url)) {
+                    common_log(LOG_INFO, "Matched OpenID whitelist pattern {$exception} with {$url}");
+                    return;
+                }
+            }
+            throw new ClientException(_m("Unauthorized URL used for OpenID login."), 403);
+        }
+    }
+
+    return;
+}
+
 class AutosubmitAction extends Action
 {
     var $form_html = null;
diff --git a/plugins/OpenID/openidlogin.php b/plugins/OpenID/openidlogin.php
index 9ba55911c0..2a743672cf 100644
--- a/plugins/OpenID/openidlogin.php
+++ b/plugins/OpenID/openidlogin.php
@@ -31,6 +31,8 @@ class OpenidloginAction extends Action
         } else if ($_SERVER['REQUEST_METHOD'] == 'POST') {
             $openid_url = $this->trimmed('openid_url');
 
+            oid_assert_allowed($openid_url);
+
             # CSRF protection
             $token = $this->trimmed('token');
             if (!$token || $token != common_session_token()) {
-- 
2.39.2