From a179a816b589d8fc097c7fff068dbe5b053e9e27 Mon Sep 17 00:00:00 2001 From: Evan Prodromou Date: Tue, 18 Nov 2008 13:06:44 -0500 Subject: [PATCH] add some extra checks to avoid remote subscriptions to local users darcs-hash:20081118180644-84dde-ab152249ac0844a482029b7e0f8db2780a0f15d6.gz --- actions/finishremotesubscribe.php | 12 ++++++++++++ actions/remotesubscribe.php | 7 +++++++ actions/userauthorization.php | 14 ++++++++++++++ 3 files changed, 33 insertions(+) diff --git a/actions/finishremotesubscribe.php b/actions/finishremotesubscribe.php index ae62fe4b32..cacf545b5f 100644 --- a/actions/finishremotesubscribe.php +++ b/actions/finishremotesubscribe.php @@ -80,6 +80,11 @@ class FinishremotesubscribeAction extends Action { return; } + if ($profile_url == common_local_url('showstream', array('nickname' => $nickname))) { + common_user_error(_('You can use the local subscription!')); + return; + } + common_debug('listenee: "'.$omb['listenee'].'"', __FILE__); $user = User::staticGet('nickname', $omb['listenee']); @@ -89,6 +94,13 @@ class FinishremotesubscribeAction extends Action { return; } + $other = User::staticGet('uri', $omb['listener']); + + if ($other) { + common_user_error(_('You can use the local subscription!')); + return; + } + $fullname = $req->get_parameter('omb_listener_fullname'); $homepage = $req->get_parameter('omb_listener_homepage'); $bio = $req->get_parameter('omb_listener_bio'); diff --git a/actions/remotesubscribe.php b/actions/remotesubscribe.php index 7137b42a26..2c932178fa 100644 --- a/actions/remotesubscribe.php +++ b/actions/remotesubscribe.php @@ -130,6 +130,13 @@ class RemotesubscribeAction extends Action { return; } + if (omb_service_uri($omb[OAUTH_ENDPOINT_REQUEST]) == + common_local_url('requesttoken')) + { + $this->show_form(_('That\'s a local profile! Login to subscribe.')); + return; + } + list($token, $secret) = $this->request_token($omb); if (!$token || !$secret) { diff --git a/actions/userauthorization.php b/actions/userauthorization.php index 680f55094c..11e2d71359 100644 --- a/actions/userauthorization.php +++ b/actions/userauthorization.php @@ -415,6 +415,12 @@ class UserauthorizationAction extends Action { if (strlen($listenee) > 255) { throw new OAuthException("Listenee URI '$listenee' too long"); } + + $other = User::staticGet('uri', $listenee); + if ($other) { + throw new OAuthException("Listenee URI '$listenee' is local user"); + } + $remote = Remote_profile::staticGet('uri', $listenee); if ($remote) { $sub = new Subscription(); @@ -434,6 +440,11 @@ class UserauthorizationAction extends Action { if (!common_valid_http_url($profile)) { throw new OAuthException("Invalid profile URL '$profile'."); } + + if ($profile == common_local_url('showstream', array('nickname' => $nickname))) { + throw new OAuthException("Profile URL '$profile' is for a local user."); + } + $license = $req->get_parameter('omb_listenee_license'); if (!common_valid_http_url($license)) { throw new OAuthException("Invalid license URL '$license'."); @@ -476,6 +487,9 @@ class UserauthorizationAction extends Action { if ($callback && !common_valid_http_url($callback)) { throw new OAuthException("Invalid callback URL '$callback'"); } + if ($callback && $callback == common_local_url('finishremotesubscribe')) { + throw new OAuthException("Callback URL '$callback' is for local site."); + } } # Snagged from OAuthServer -- 2.39.5