From 38fac1d46364933b2d0a0a33a02c0b4b78e376b4 Mon Sep 17 00:00:00 2001 From: Brion Vibber Date: Thu, 25 Mar 2010 12:21:02 -0700 Subject: [PATCH 1/5] Clarify RewriteBase comment in htaccess.sample --- htaccess.sample | 2 ++ 1 file changed, 2 insertions(+) diff --git a/htaccess.sample b/htaccess.sample index 18a868698c..1b7701609e 100644 --- a/htaccess.sample +++ b/htaccess.sample @@ -2,6 +2,8 @@ RewriteEngine On # NOTE: change this to your actual StatusNet path; may be "/". + # http://example.com/ => / + # http://example.com/mublog/ => /mublog/ RewriteBase /mublog/ From cd9017408e3a970d5d12433b9b81266817e0cc6f Mon Sep 17 00:00:00 2001 From: Brion Vibber Date: Thu, 25 Mar 2010 12:48:31 -0700 Subject: [PATCH 2/5] And clarify a little more --- htaccess.sample | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/htaccess.sample b/htaccess.sample index 1b7701609e..fa09b30f6d 100644 --- a/htaccess.sample +++ b/htaccess.sample @@ -1,14 +1,17 @@ RewriteEngine On - # NOTE: change this to your actual StatusNet path; may be "/". - # http://example.com/ => / - # http://example.com/mublog/ => /mublog/ - + # NOTE: change this to your actual StatusNet base URL path, + # minus the domain part: + # + # http://example.com/ => / + # http://example.com/mublog/ => /mublog/ + # RewriteBase /mublog/ ## Uncomment these if having trouble with API authentication ## when PHP is running in CGI or FastCGI mode. + # #RewriteCond %{HTTP:Authorization} ^(.*) #RewriteRule ^(.*) - [E=HTTP_AUTHORIZATION:%1] From 7f6fdb528c7e089984bc6ca121508469d423483c Mon Sep 17 00:00:00 2001 From: Evan Prodromou Date: Thu, 25 Mar 2010 16:35:22 -0400 Subject: [PATCH 3/5] remove debugging calls --- plugins/OpenID/finishopenidlogin.php | 1 - plugins/OpenID/openid.php | 6 +----- plugins/OpenID/openidtrust.php | 5 ++--- 3 files changed, 3 insertions(+), 9 deletions(-) diff --git a/plugins/OpenID/finishopenidlogin.php b/plugins/OpenID/finishopenidlogin.php index 438a728d83..1f9bde0f15 100644 --- a/plugins/OpenID/finishopenidlogin.php +++ b/plugins/OpenID/finishopenidlogin.php @@ -48,7 +48,6 @@ class FinishopenidloginAction extends Action } else if ($this->arg('connect')) { $this->connectUser(); } else { - common_debug(print_r($this->args, true), __FILE__); $this->showForm(_m('Something weird happened.'), $this->trimmed('newname')); } diff --git a/plugins/OpenID/openid.php b/plugins/OpenID/openid.php index 9e02c7a883..d49941aed1 100644 --- a/plugins/OpenID/openid.php +++ b/plugins/OpenID/openid.php @@ -94,7 +94,6 @@ function oid_link_user($id, $canonical, $display) if (!$oid->insert()) { $err = PEAR::getStaticProperty('DB_DataObject','lastError'); - common_debug('DB error ' . $err->code . ': ' . $err->message, __FILE__); return false; } @@ -119,13 +118,10 @@ function oid_check_immediate($openid_url, $backto=null) unset($args['action']); $backto = common_local_url($action, $args); } - common_debug('going back to "' . $backto . '"', __FILE__); common_ensure_session(); $_SESSION['openid_immediate_backto'] = $backto; - common_debug('passed-in variable is "' . $backto . '"', __FILE__); - common_debug('session variable is "' . $_SESSION['openid_immediate_backto'] . '"', __FILE__); oid_authenticate($openid_url, 'finishimmediate', @@ -281,7 +277,7 @@ class AutosubmitAction extends Action { $this->raw($this->form_html); } - + function showScripts() { parent::showScripts(); diff --git a/plugins/OpenID/openidtrust.php b/plugins/OpenID/openidtrust.php index fa7ea36e26..ed6ca73a47 100644 --- a/plugins/OpenID/openidtrust.php +++ b/plugins/OpenID/openidtrust.php @@ -71,7 +71,7 @@ class OpenidtrustAction extends Action } return true; } - + function handle($args) { parent::handle($args); @@ -96,7 +96,6 @@ class OpenidtrustAction extends Action $user_openid_trustroot->created = DB_DataObject_Cast::dateTime(); if (!$user_openid_trustroot->insert()) { $err = PEAR::getStaticProperty('DB_DataObject','lastError'); - common_debug('DB error ' . $err->code . ': ' . $err->message, __FILE__); } common_redirect($this->allowUrl, $code=302); }else{ @@ -135,7 +134,7 @@ class OpenidtrustAction extends Action $this->elementStart('fieldset'); $this->submit('allow', _m('Continue')); $this->submit('deny', _m('Cancel')); - + $this->elementEnd('fieldset'); $this->elementEnd('form'); } From 9c63ae6e443e7b23f64e31617a1762393473509a Mon Sep 17 00:00:00 2001 From: Evan Prodromou Date: Thu, 25 Mar 2010 16:58:05 -0400 Subject: [PATCH 4/5] add whitelist and blacklist for openid URLs --- plugins/OpenID/finishopenidlogin.php | 3 +++ plugins/OpenID/openid.php | 29 ++++++++++++++++++++++++++++ plugins/OpenID/openidlogin.php | 2 ++ 3 files changed, 34 insertions(+) diff --git a/plugins/OpenID/finishopenidlogin.php b/plugins/OpenID/finishopenidlogin.php index 1f9bde0f15..f3a4833006 100644 --- a/plugins/OpenID/finishopenidlogin.php +++ b/plugins/OpenID/finishopenidlogin.php @@ -158,6 +158,9 @@ class FinishopenidloginAction extends Action $canonical = ($response->endpoint->canonicalID) ? $response->endpoint->canonicalID : $response->getDisplayIdentifier(); + oid_assert_allowed($display); + oid_assert_allowed($canonical); + $sreg_resp = Auth_OpenID_SRegResponse::fromSuccessResponse($response); if ($sreg_resp) { diff --git a/plugins/OpenID/openid.php b/plugins/OpenID/openid.php index d49941aed1..1524389177 100644 --- a/plugins/OpenID/openid.php +++ b/plugins/OpenID/openid.php @@ -257,6 +257,35 @@ function oid_update_user(&$user, &$sreg) return true; } +function oid_assert_allowed($url) +{ + $blacklist = common_config('openid', 'blacklist'); + $whitelist = common_config('openid', 'whitelist'); + + if (empty($blacklist)) { + $blacklist = array(); + } + + if (empty($whitelist)) { + $whitelist = array(); + } + + foreach ($blacklist as $pattern) { + if (preg_match("/$pattern/", $url)) { + common_log(LOG_INFO, "Matched OpenID blacklist pattern {$pattern} with {$url}"); + foreach ($whitelist as $exception) { + if (preg_match("/$exception/", $url)) { + common_log(LOG_INFO, "Matched OpenID whitelist pattern {$exception} with {$url}"); + return; + } + } + throw new ClientException(_m("Unauthorized URL used for OpenID login."), 403); + } + } + + return; +} + class AutosubmitAction extends Action { var $form_html = null; diff --git a/plugins/OpenID/openidlogin.php b/plugins/OpenID/openidlogin.php index 9ba55911c0..2a743672cf 100644 --- a/plugins/OpenID/openidlogin.php +++ b/plugins/OpenID/openidlogin.php @@ -31,6 +31,8 @@ class OpenidloginAction extends Action } else if ($_SERVER['REQUEST_METHOD'] == 'POST') { $openid_url = $this->trimmed('openid_url'); + oid_assert_allowed($openid_url); + # CSRF protection $token = $this->trimmed('token'); if (!$token || $token != common_session_token()) { From 46655eb3ca06666a747eacbef9de4bbc00cfd6b8 Mon Sep 17 00:00:00 2001 From: Evan Prodromou Date: Thu, 25 Mar 2010 17:25:26 -0400 Subject: [PATCH 5/5] version number and codename --- lib/common.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/common.php b/lib/common.php index 334a88ffd5..50cf5c99c3 100644 --- a/lib/common.php +++ b/lib/common.php @@ -22,10 +22,10 @@ if (!defined('STATUSNET') && !defined('LACONICA')) { exit(1); } //exit with 200 response, if this is checking fancy from the installer if (isset($_REQUEST['p']) && $_REQUEST['p'] == 'check-fancy') { exit; } -define('STATUSNET_VERSION', '0.9.0'); +define('STATUSNET_VERSION', '0.9.1rc1'); define('LACONICA_VERSION', STATUSNET_VERSION); // compatibility -define('STATUSNET_CODENAME', 'Stand'); +define('STATUSNET_CODENAME', 'Everybody Hurts'); define('AVATAR_PROFILE_SIZE', 96); define('AVATAR_STREAM_SIZE', 48);