Diffstat (limited to 'extlib/libomb')
-rwxr-xr-xextlib/libomb/datastore.php32
-rwxr-xr-xextlib/libomb/service_provider.php22
2 files changed, 35 insertions, 19 deletions
diff --git a/extlib/libomb/datastore.php b/extlib/libomb/datastore.php
index ac51a4ab8..ab52de547 100755
--- a/extlib/libomb/datastore.php
+++ b/extlib/libomb/datastore.php
@@ -5,26 +5,28 @@ require_once 'OAuth.php';
/**
* Data access interface
*
- * This interface specifies data access methods libomb needs. It
- * should be implemented by libomb users.
- * OMB_Datastore is libomb’s main interface to the application’s data.
+ * This interface specifies data access methods libomb needs. It should be
+ * implemented by libomb users. OMB_Datastore is libomb’s main interface to the
+ * application’s data. Objects corresponding to this interface are used in
+ * OMB_Service_Provider and OMB_Service_Consumer.
+ *
+ * Note that it’s implemented as a class since OAuthDataStore is as well a
+ * class, though only declaring methods.
+ *
+ * OMB_Datastore extends OAuthDataStore with two OAuth-related methods for token
+ * revoking and authorizing and all OMB-related methods.
+ * Refer to OAuth.php for a complete specification of OAuth-related methods.
*
* It is the user’s duty to signal and handle errors. libomb does not check
* return values nor handle exceptions. It is suggested to use exceptions.
* Note that lookup_token and getProfile return null if the requested object
* is not available. This is NOT an error and should not raise an exception.
* Same applies for lookup_nonce which returns a boolean value. These methods
- * may nevertheless throw an exception, for example in case of a storage error.
+ * may nevertheless throw an exception, for example in case of a storage errors.
*
- * Objects corresponding to this interface are used in OMB_Service_Provider and
- * OMB_Service_Consumer.
- *
- * OMB_Datastore extends OAuthDataStore with two OAuth-related methods for token
- * revoking and authorizing and all OMB-related methods.
- * Refer to OAuth.php for a complete specification of OAuth-related methods.
- *
- * Note that it’s implemented as a class since OAuthDataStore is as well a
- * class, though only declaring methods.
+ * Most of the parameters passed to these methods are unescaped and unverified
+ * user input. Therefore they should be handled with extra care to avoid
+ * security problems like SQL injections.
*
* PHP version 5
*
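Review bot: The reworded sentence ending in `for example in case of a storage errors` introduces a grammatical slip (singular article, plural noun); the previous wording `in case of a storage error` was correct and should be kept, or the phrase changed to `in case of storage errors`. The new paragraph stating that most parameters are unescaped and unverified user input is a worthwhile addition to the interface contract; it would be more actionable if it named the expected defence, e.g. append `Implementations must pass these values through prepared statements or the storage layer's escaping rather than building queries by string concatenation.`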
@@ -59,7 +61,7 @@ class OMB_Datastore extends OAuthDataStore {
* Revokes the authorization token specified by $token_key.
* Throws exceptions in case of error.
*
- * @param string $token_key The token to be revoked
+ * @param string $token_key The key of the token to be revoked
*
* @access public
**/
@@ -73,7 +75,7 @@ class OMB_Datastore extends OAuthDataStore {
* Authorizes the authorization token specified by $token_key.
* Throws exceptions in case of error.
*
- * @param string $token_key The token to be authorized
+ * @param string $token_key The key of the token to be authorized
*
* @access public
**/
diff --git a/extlib/libomb/service_provider.php b/extlib/libomb/service_provider.php
index b3ad53753..753152713 100755
--- a/extlib/libomb/service_provider.php
+++ b/extlib/libomb/service_provider.php
@@ -111,6 +111,12 @@ class OMB_Service_Provider {
* Throws exceptions on failures. Returns an OMB_Profile object representing
* the remote user.
*
+ * The OMB_Profile passed to the constructor of OMB_Service_Provider should
+ * not represent the user specified in the authorization request, but the one
+ * currently logged in to the service. This condition being satisfied,
+ * handleUserAuth will check whether the listener specified in the request is
+ * identical to the logged in user.
+ *
* @access public
*
* @return OMB_Profile The profile of the soon-to-be subscribed, i. e. remote
@@ -150,6 +156,10 @@ class OMB_Service_Provider {
/* Store given callback for later use. */
if (isset($_GET['oauth_callback']) && $_GET['oauth_callback'] !== '') {
$this->callback = $_GET['oauth_callback'];
+ if (!OMB_Helper::validateURL($this->callback)) {
+ throw OMB_RemoteServiceException::forRequest(OAUTH_ENDPOINT_AUTHORIZE,
+ 'Invalid callback URL specified');
+ }
}
$this->remote_user = OMB_Profile::fromParameters($_GET, 'omb_listenee');
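Review bot: The callback is stored in `$this->callback` before it is validated, so when `OMB_Helper::validateURL` rejects it the thrown exception leaves the provider object holding the invalid URL; validate the raw value first and assign only on success: `if (!OMB_Helper::validateURL($_GET['oauth_callback'])) { throw OMB_RemoteServiceException::forRequest(OAUTH_ENDPOINT_AUTHORIZE, 'Invalid callback URL specified'); }` followed by `$this->callback = $_GET['oauth_callback'];`. Because an OAuth callback is presumably used later as a redirect target, it is worth confirming that validateURL restricts the scheme to http/https rather than only checking syntactic form, which cannot be seen from this hunk. The enclosing method starts and ends outside the hunk.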
@@ -205,13 +215,16 @@ class OMB_Service_Provider {
/**
* Echo an access token
*
- * Outputs an access token for the query found in $_GET or $_POST.
+ * Outputs an access token for the query found in $_POST. OMB 0.1 specifies
+ * that the access token request has to be a POST even if OAuth allows GET as
+ * well.
*
* @access public
**/
public function writeAccessToken() {
OMB_Helper::removeMagicQuotesFromRequest();
- echo $this->getOAuthServer()->fetch_access_token(OAuthRequest::from_request());
+ echo $this->getOAuthServer()->fetch_access_token(
+ OAuthRequest::from_request('POST'));
}
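Review bot: The new comment states that OMB 0.1 requires the access token request to be a POST, but passing `'POST'` to `OAuthRequest::from_request` only tells the request object which method to assume (for the signature base string and, presumably, which parameter source it parses); as far as this hunk shows, nothing rejects a request that actually arrived as GET. If the restriction is meant to be enforced, check the method explicitly before building the request, e.g. `if ($_SERVER['REQUEST_METHOD'] !== 'POST') { throw OMB_RemoteServiceException::forRequest(/* endpoint constant for this request */, 'Access token request must be a POST'); }`, otherwise reword the comment to say the request is interpreted as a POST. The same consideration applies to the identical `from_request('POST')` change in handleOMBRequest at the end of the page, whose hunk is cut off here.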
/**
@@ -235,7 +248,8 @@ class OMB_Service_Provider {
/**
* Handle a postnotice request
*
- * Handles a postnotice request posted to this service.
+ * Handles a postnotice request posted to this service. Saves the notice
+ * through the OMB_Datastore.
*
* @access public
*
@@ -264,7 +278,7 @@ class OMB_Service_Provider {
protected function handleOMBRequest($uri) {
OMB_Helper::removeMagicQuotesFromRequest();
- $req = OAuthRequest::from_request();
+ $req = OAuthRequest::from_request('POST');
$listenee = $req->get_parameter('omb_listenee');
try {