summaryrefslogtreecommitdiff
path: root/plugins/OpenID
diff options
context:
space:
mode:
Diffstat (limited to 'plugins/OpenID')
-rw-r--r--plugins/OpenID/finishopenidlogin.php3
-rw-r--r--plugins/OpenID/openid.php29
-rw-r--r--plugins/OpenID/openidlogin.php2
3 files changed, 34 insertions, 0 deletions
diff --git a/plugins/OpenID/finishopenidlogin.php b/plugins/OpenID/finishopenidlogin.php
index 1f9bde0f1..f3a483300 100644
--- a/plugins/OpenID/finishopenidlogin.php
+++ b/plugins/OpenID/finishopenidlogin.php
@@ -158,6 +158,9 @@ class FinishopenidloginAction extends Action
$canonical = ($response->endpoint->canonicalID) ?
$response->endpoint->canonicalID : $response->getDisplayIdentifier();
+ oid_assert_allowed($display);
+ oid_assert_allowed($canonical);
+
$sreg_resp = Auth_OpenID_SRegResponse::fromSuccessResponse($response);
if ($sreg_resp) {
diff --git a/plugins/OpenID/openid.php b/plugins/OpenID/openid.php
index d49941aed..152438917 100644
--- a/plugins/OpenID/openid.php
+++ b/plugins/OpenID/openid.php
@@ -257,6 +257,35 @@ function oid_update_user(&$user, &$sreg)
return true;
}
+function oid_assert_allowed($url)
+{
+ $blacklist = common_config('openid', 'blacklist');
+ $whitelist = common_config('openid', 'whitelist');
+
+ if (empty($blacklist)) {
+ $blacklist = array();
+ }
+
+ if (empty($whitelist)) {
+ $whitelist = array();
+ }
+
+ foreach ($blacklist as $pattern) {
+ if (preg_match("/$pattern/", $url)) {
+ common_log(LOG_INFO, "Matched OpenID blacklist pattern {$pattern} with {$url}");
+ foreach ($whitelist as $exception) {
+ if (preg_match("/$exception/", $url)) {
+ common_log(LOG_INFO, "Matched OpenID whitelist pattern {$exception} with {$url}");
+ return;
+ }
+ }
+ throw new ClientException(_m("Unauthorized URL used for OpenID login."), 403);
+ }
+ }
+
+ return;
+}
+
class AutosubmitAction extends Action
{
var $form_html = null;
diff --git a/plugins/OpenID/openidlogin.php b/plugins/OpenID/openidlogin.php
index 9ba55911c..2a743672c 100644
--- a/plugins/OpenID/openidlogin.php
+++ b/plugins/OpenID/openidlogin.php
@@ -31,6 +31,8 @@ class OpenidloginAction extends Action
} else if ($_SERVER['REQUEST_METHOD'] == 'POST') {
$openid_url = $this->trimmed('openid_url');
+ oid_assert_allowed($openid_url);
+
# CSRF protection
$token = $this->trimmed('token');
if (!$token || $token != common_session_token()) {