Merge remote branch 'gitorious/1.0.x' into 1.0.x

This commit is contained in:
Evan Prodromou 2010-10-27 07:12:20 -04:00
commit 563b4f968a
5 changed files with 87 additions and 13 deletions

View File

@ -183,7 +183,7 @@ class GravatarPlugin extends Plugin
function gravatar_url($email, $size)
{
$url = "http://www.gravatar.com/avatar.php?gravatar_id=".
$url = "https://secure.gravatar.com/avatar.php?gravatar_id=".
md5(strtolower($email)).
"&default=".urlencode(Avatar::defaultImage($size)).
"&size=".$size;

View File

@ -125,7 +125,7 @@ class MapstractionPlugin extends Plugin
urlencode($this->apikey)));
break;
case 'microsoft':
$action->script('http://dev.virtualearth.net/mapcontrol/mapcontrol.ashx?v=6');
$action->script((StatusNet::isHTTPS()?'https':'http') + '://dev.virtualearth.net/mapcontrol/mapcontrol.ashx?v=6');
break;
case 'openlayers':
// XXX: is this not nice...?

View File

@ -51,15 +51,6 @@ class RecaptchaPlugin extends Plugin
}
}
function checkssl()
{
if(common_config('site', 'ssl') === 'sometimes' || common_config('site', 'ssl') === 'always') {
return true;
}
return false;
}
function onEndRegistrationFormData($action)
{
$action->elementStart('li');
@ -79,7 +70,7 @@ class RecaptchaPlugin extends Plugin
{
if (isset($action->recaptchaPluginNeedsOutput) && $action->recaptchaPluginNeedsOutput) {
// Load the AJAX API
if ($this->checkssl()) {
if (StatusNet::isHTTPS()) {
$url = "https://api-secure.recaptcha.net/js/recaptcha_ajax.js";
} else {
$url = "http://api.recaptcha.net/js/recaptcha_ajax.js";
@ -120,4 +111,4 @@ class RecaptchaPlugin extends Plugin
'captcha to the registration page.'));
return true;
}
}
}

View File

@ -0,0 +1,21 @@
The Strict Transport Security plugin implements the Strict Transport Security header, improving the security of HTTPS only sites.
See http://lists.w3.org/Archives/Public/www-archive/2009Sep/att-0051/draft-hodges-strict-transport-sec-05.plain.html for the specification.
Installation
============
add "addPlugin('strictTransportSecurity');"
to the bottom of your config.php
The plugin will not do anything unless:
$config['site']['ssl'] is set to 'always'
$config['site']['path'] is either not set, empty, or '/'
Settings
========
max_age (15552000): sets how long to remember the forced HTTPS (seconds) (15552000 seconds is 180 days)
includeSubDomains (false): if set, then STS will apply to all the sub-domains too.
Example
=======
addPlugin('strictTransportSecurity');

View File

@ -0,0 +1,62 @@
<?php
/**
* StatusNet, the distributed open-source microblogging tool
*
* Plugin to enable Single Sign On via CAS (Central Authentication Service)
*
* PHP version 5
*
* LICENCE: This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
* @category Plugin
* @package StatusNet
* @author Craig Andrews <candrews@integralblue.com>
* @copyright 2009 Free Software Foundation, Inc http://www.fsf.org
* @license http://www.fsf.org/licensing/licenses/agpl-3.0.html GNU Affero General Public License version 3.0
* @link http://status.net/
*/
if (!defined('STATUSNET') && !defined('LACONICA')) {
exit(1);
}
class StrictTransportSecurityPlugin extends Plugin
{
public $max_age = 15552000;
public $includeSubDomains = false;
function __construct()
{
parent::__construct();
}
function onArgsInitialize($args)
{
$path = common_config('site', 'path');
if(common_config('site', 'ssl') == 'always' && ($path == '/' || ! $path )) {
header('Strict-Transport-Security: max-age=' . $this->max_age . + ($this->includeSubDomains?'; includeSubDomains':''));
}
}
function onPluginVersion(&$versions)
{
$versions[] = array('name' => 'StrictTransportSecurity',
'version' => STATUSNET_VERSION,
'author' => 'Craig Andrews',
'homepage' => 'http://status.net/wiki/Plugin:StrictTransportSecurity',
'rawdescription' =>
_m('The Strict Transport Security plugin implements the Strict Transport Security header, improving the security of HTTPS only sites.'));
return true;
}
}