Merge branch 'master' of git@gitorious.org:statusnet/mainline
This commit is contained in:
commit
511a164c99
|
@ -1,12 +1,17 @@
|
|||
<IfModule mod_rewrite.c>
|
||||
RewriteEngine On
|
||||
|
||||
# NOTE: change this to your actual StatusNet path; may be "/".
|
||||
|
||||
# NOTE: change this to your actual StatusNet base URL path,
|
||||
# minus the domain part:
|
||||
#
|
||||
# http://example.com/ => /
|
||||
# http://example.com/mublog/ => /mublog/
|
||||
#
|
||||
RewriteBase /mublog/
|
||||
|
||||
## Uncomment these if having trouble with API authentication
|
||||
## when PHP is running in CGI or FastCGI mode.
|
||||
#
|
||||
#RewriteCond %{HTTP:Authorization} ^(.*)
|
||||
#RewriteRule ^(.*) - [E=HTTP_AUTHORIZATION:%1]
|
||||
|
||||
|
|
|
@ -22,10 +22,10 @@ if (!defined('STATUSNET') && !defined('LACONICA')) { exit(1); }
|
|||
//exit with 200 response, if this is checking fancy from the installer
|
||||
if (isset($_REQUEST['p']) && $_REQUEST['p'] == 'check-fancy') { exit; }
|
||||
|
||||
define('STATUSNET_VERSION', '0.9.0');
|
||||
define('STATUSNET_VERSION', '0.9.1rc1');
|
||||
define('LACONICA_VERSION', STATUSNET_VERSION); // compatibility
|
||||
|
||||
define('STATUSNET_CODENAME', 'Stand');
|
||||
define('STATUSNET_CODENAME', 'Everybody Hurts');
|
||||
|
||||
define('AVATAR_PROFILE_SIZE', 96);
|
||||
define('AVATAR_STREAM_SIZE', 48);
|
||||
|
|
|
@ -48,7 +48,6 @@ class FinishopenidloginAction extends Action
|
|||
} else if ($this->arg('connect')) {
|
||||
$this->connectUser();
|
||||
} else {
|
||||
common_debug(print_r($this->args, true), __FILE__);
|
||||
$this->showForm(_m('Something weird happened.'),
|
||||
$this->trimmed('newname'));
|
||||
}
|
||||
|
@ -159,6 +158,9 @@ class FinishopenidloginAction extends Action
|
|||
$canonical = ($response->endpoint->canonicalID) ?
|
||||
$response->endpoint->canonicalID : $response->getDisplayIdentifier();
|
||||
|
||||
oid_assert_allowed($display);
|
||||
oid_assert_allowed($canonical);
|
||||
|
||||
$sreg_resp = Auth_OpenID_SRegResponse::fromSuccessResponse($response);
|
||||
|
||||
if ($sreg_resp) {
|
||||
|
|
|
@ -94,7 +94,6 @@ function oid_link_user($id, $canonical, $display)
|
|||
|
||||
if (!$oid->insert()) {
|
||||
$err = PEAR::getStaticProperty('DB_DataObject','lastError');
|
||||
common_debug('DB error ' . $err->code . ': ' . $err->message, __FILE__);
|
||||
return false;
|
||||
}
|
||||
|
||||
|
@ -119,13 +118,10 @@ function oid_check_immediate($openid_url, $backto=null)
|
|||
unset($args['action']);
|
||||
$backto = common_local_url($action, $args);
|
||||
}
|
||||
common_debug('going back to "' . $backto . '"', __FILE__);
|
||||
|
||||
common_ensure_session();
|
||||
|
||||
$_SESSION['openid_immediate_backto'] = $backto;
|
||||
common_debug('passed-in variable is "' . $backto . '"', __FILE__);
|
||||
common_debug('session variable is "' . $_SESSION['openid_immediate_backto'] . '"', __FILE__);
|
||||
|
||||
oid_authenticate($openid_url,
|
||||
'finishimmediate',
|
||||
|
@ -261,6 +257,35 @@ function oid_update_user(&$user, &$sreg)
|
|||
return true;
|
||||
}
|
||||
|
||||
function oid_assert_allowed($url)
|
||||
{
|
||||
$blacklist = common_config('openid', 'blacklist');
|
||||
$whitelist = common_config('openid', 'whitelist');
|
||||
|
||||
if (empty($blacklist)) {
|
||||
$blacklist = array();
|
||||
}
|
||||
|
||||
if (empty($whitelist)) {
|
||||
$whitelist = array();
|
||||
}
|
||||
|
||||
foreach ($blacklist as $pattern) {
|
||||
if (preg_match("/$pattern/", $url)) {
|
||||
common_log(LOG_INFO, "Matched OpenID blacklist pattern {$pattern} with {$url}");
|
||||
foreach ($whitelist as $exception) {
|
||||
if (preg_match("/$exception/", $url)) {
|
||||
common_log(LOG_INFO, "Matched OpenID whitelist pattern {$exception} with {$url}");
|
||||
return;
|
||||
}
|
||||
}
|
||||
throw new ClientException(_m("Unauthorized URL used for OpenID login."), 403);
|
||||
}
|
||||
}
|
||||
|
||||
return;
|
||||
}
|
||||
|
||||
class AutosubmitAction extends Action
|
||||
{
|
||||
var $form_html = null;
|
||||
|
@ -281,7 +306,7 @@ class AutosubmitAction extends Action
|
|||
{
|
||||
$this->raw($this->form_html);
|
||||
}
|
||||
|
||||
|
||||
function showScripts()
|
||||
{
|
||||
parent::showScripts();
|
||||
|
|
|
@ -31,6 +31,8 @@ class OpenidloginAction extends Action
|
|||
} else if ($_SERVER['REQUEST_METHOD'] == 'POST') {
|
||||
$openid_url = $this->trimmed('openid_url');
|
||||
|
||||
oid_assert_allowed($openid_url);
|
||||
|
||||
# CSRF protection
|
||||
$token = $this->trimmed('token');
|
||||
if (!$token || $token != common_session_token()) {
|
||||
|
|
|
@ -71,7 +71,7 @@ class OpenidtrustAction extends Action
|
|||
}
|
||||
return true;
|
||||
}
|
||||
|
||||
|
||||
function handle($args)
|
||||
{
|
||||
parent::handle($args);
|
||||
|
@ -96,7 +96,6 @@ class OpenidtrustAction extends Action
|
|||
$user_openid_trustroot->created = DB_DataObject_Cast::dateTime();
|
||||
if (!$user_openid_trustroot->insert()) {
|
||||
$err = PEAR::getStaticProperty('DB_DataObject','lastError');
|
||||
common_debug('DB error ' . $err->code . ': ' . $err->message, __FILE__);
|
||||
}
|
||||
common_redirect($this->allowUrl, $code=302);
|
||||
}else{
|
||||
|
@ -135,7 +134,7 @@ class OpenidtrustAction extends Action
|
|||
$this->elementStart('fieldset');
|
||||
$this->submit('allow', _m('Continue'));
|
||||
$this->submit('deny', _m('Cancel'));
|
||||
|
||||
|
||||
$this->elementEnd('fieldset');
|
||||
$this->elementEnd('form');
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue
Block a user