diff options
-rw-r--r-- | plugins/OpenID/finishopenidlogin.php | 3 | ||||
-rw-r--r-- | plugins/OpenID/openid.php | 29 | ||||
-rw-r--r-- | plugins/OpenID/openidlogin.php | 2 |
3 files changed, 34 insertions, 0 deletions
diff --git a/plugins/OpenID/finishopenidlogin.php b/plugins/OpenID/finishopenidlogin.php index 1f9bde0f1..f3a483300 100644 --- a/plugins/OpenID/finishopenidlogin.php +++ b/plugins/OpenID/finishopenidlogin.php @@ -158,6 +158,9 @@ class FinishopenidloginAction extends Action $canonical = ($response->endpoint->canonicalID) ? $response->endpoint->canonicalID : $response->getDisplayIdentifier(); + oid_assert_allowed($display); + oid_assert_allowed($canonical); + $sreg_resp = Auth_OpenID_SRegResponse::fromSuccessResponse($response); if ($sreg_resp) { diff --git a/plugins/OpenID/openid.php b/plugins/OpenID/openid.php index d49941aed..152438917 100644 --- a/plugins/OpenID/openid.php +++ b/plugins/OpenID/openid.php @@ -257,6 +257,35 @@ function oid_update_user(&$user, &$sreg) return true; } +function oid_assert_allowed($url) +{ + $blacklist = common_config('openid', 'blacklist'); + $whitelist = common_config('openid', 'whitelist'); + + if (empty($blacklist)) { + $blacklist = array(); + } + + if (empty($whitelist)) { + $whitelist = array(); + } + + foreach ($blacklist as $pattern) { + if (preg_match("/$pattern/", $url)) { + common_log(LOG_INFO, "Matched OpenID blacklist pattern {$pattern} with {$url}"); + foreach ($whitelist as $exception) { + if (preg_match("/$exception/", $url)) { + common_log(LOG_INFO, "Matched OpenID whitelist pattern {$exception} with {$url}"); + return; + } + } + throw new ClientException(_m("Unauthorized URL used for OpenID login."), 403); + } + } + + return; +} + class AutosubmitAction extends Action { var $form_html = null; diff --git a/plugins/OpenID/openidlogin.php b/plugins/OpenID/openidlogin.php index 9ba55911c..2a743672c 100644 --- a/plugins/OpenID/openidlogin.php +++ b/plugins/OpenID/openidlogin.php @@ -31,6 +31,8 @@ class OpenidloginAction extends Action } else if ($_SERVER['REQUEST_METHOD'] == 'POST') { $openid_url = $this->trimmed('openid_url'); + oid_assert_allowed($openid_url); + # CSRF protection $token = $this->trimmed('token'); if (!$token || $token != common_session_token()) { |