Merge branch 'master' of git@gitorious.org:statusnet/mainline

author: Brion Vibber <brion@pobox.com> 2010-03-25 14:32:28 -0700
committer: Brion Vibber <brion@pobox.com> 2010-03-25 14:32:28 -0700
commit: 511a164c99eb143575925743a5223ca454f55fb0 (patch)
tree: ea6d862b6f9e48f8c9bda7c00d4a1b47ce457b46
parent: e174a7211df1e15e1c79415a2722651a3b885be7 (diff)
parent: 46655eb3ca06666a747eacbef9de4bbc00cfd6b8 (diff)
6 files changed, 46 insertions, 13 deletions
diff --git a/htaccess.sample b/htaccess.sample
index 18a868698..fa09b30f6 100644
--- a/htaccess.sample
+++ b/htaccess.sample
@@ -1,12 +1,17 @@
 <IfModule mod_rewrite.c>
   RewriteEngine On
 
-  # NOTE: change this to your actual StatusNet path; may be "/".
-
+  # NOTE: change this to your actual StatusNet base URL path,
+  # minus the domain part:
+  #
+  #   http://example.com/        => /
+  #   http://example.com/mublog/ => /mublog/
+  #
   RewriteBase /mublog/
 
   ## Uncomment these if having trouble with API authentication
   ## when PHP is running in CGI or FastCGI mode.
+  #
   #RewriteCond %{HTTP:Authorization} ^(.*)
   #RewriteRule ^(.*) - [E=HTTP_AUTHORIZATION:%1]
 
diff --git a/lib/common.php b/lib/common.php
index 334a88ffd..50cf5c99c 100644
--- a/lib/common.php
+++ b/lib/common.php
@@ -22,10 +22,10 @@ if (!defined('STATUSNET') && !defined('LACONICA')) { exit(1); }
 //exit with 200 response, if this is checking fancy from the installer
 if (isset($_REQUEST['p']) && $_REQUEST['p'] == 'check-fancy') {  exit; }
 
-define('STATUSNET_VERSION', '0.9.0');
+define('STATUSNET_VERSION', '0.9.1rc1');
 define('LACONICA_VERSION', STATUSNET_VERSION); // compatibility
 
-define('STATUSNET_CODENAME', 'Stand');
+define('STATUSNET_CODENAME', 'Everybody Hurts');
 
 define('AVATAR_PROFILE_SIZE', 96);
 define('AVATAR_STREAM_SIZE', 48);
diff --git a/plugins/OpenID/finishopenidlogin.php b/plugins/OpenID/finishopenidlogin.php
index 438a728d8..f3a483300 100644
--- a/plugins/OpenID/finishopenidlogin.php
+++ b/plugins/OpenID/finishopenidlogin.php
@@ -48,7 +48,6 @@ class FinishopenidloginAction extends Action
             } else if ($this->arg('connect')) {
                 $this->connectUser();
             } else {
-                common_debug(print_r($this->args, true), __FILE__);
                 $this->showForm(_m('Something weird happened.'),
                                 $this->trimmed('newname'));
             }
@@ -159,6 +158,9 @@ class FinishopenidloginAction extends Action
             $canonical = ($response->endpoint->canonicalID) ?
               $response->endpoint->canonicalID : $response->getDisplayIdentifier();
 
+            oid_assert_allowed($display);
+            oid_assert_allowed($canonical);
+
             $sreg_resp = Auth_OpenID_SRegResponse::fromSuccessResponse($response);
 
             if ($sreg_resp) {
diff --git a/plugins/OpenID/openid.php b/plugins/OpenID/openid.php
index 9e02c7a88..152438917 100644
--- a/plugins/OpenID/openid.php
+++ b/plugins/OpenID/openid.php
@@ -94,7 +94,6 @@ function oid_link_user($id, $canonical, $display)
 
     if (!$oid->insert()) {
         $err = PEAR::getStaticProperty('DB_DataObject','lastError');
-        common_debug('DB error ' . $err->code . ': ' . $err->message, __FILE__);
         return false;
     }
 
@@ -119,13 +118,10 @@ function oid_check_immediate($openid_url, $backto=null)
         unset($args['action']);
         $backto = common_local_url($action, $args);
     }
-    common_debug('going back to "' . $backto . '"', __FILE__);
 
     common_ensure_session();
 
     $_SESSION['openid_immediate_backto'] = $backto;
-    common_debug('passed-in variable is "' . $backto . '"', __FILE__);
-    common_debug('session variable is "' . $_SESSION['openid_immediate_backto'] . '"', __FILE__);
 
     oid_authenticate($openid_url,
                      'finishimmediate',
@@ -261,6 +257,35 @@ function oid_update_user(&$user, &$sreg)
     return true;
 }
 
+function oid_assert_allowed($url)
+{
+    $blacklist = common_config('openid', 'blacklist');
+    $whitelist = common_config('openid', 'whitelist');
+
+    if (empty($blacklist)) {
+        $blacklist = array();
+    }
+
+    if (empty($whitelist)) {
+        $whitelist = array();
+    }
+
+    foreach ($blacklist as $pattern) {
+        if (preg_match("/$pattern/", $url)) {
+            common_log(LOG_INFO, "Matched OpenID blacklist pattern {$pattern} with {$url}");
+            foreach ($whitelist as $exception) {
+                if (preg_match("/$exception/", $url)) {
+                    common_log(LOG_INFO, "Matched OpenID whitelist pattern {$exception} with {$url}");
+                    return;
+                }
+            }
+            throw new ClientException(_m("Unauthorized URL used for OpenID login."), 403);
+        }
+    }
+
+    return;
+}
+
 class AutosubmitAction extends Action
 {
     var $form_html = null;
@@ -281,7 +306,7 @@ class AutosubmitAction extends Action
     {
         $this->raw($this->form_html);
     }
-    
+
     function showScripts()
     {
         parent::showScripts();
diff --git a/plugins/OpenID/openidlogin.php b/plugins/OpenID/openidlogin.php
index 9ba55911c..2a743672c 100644
--- a/plugins/OpenID/openidlogin.php
+++ b/plugins/OpenID/openidlogin.php
@@ -31,6 +31,8 @@ class OpenidloginAction extends Action
         } else if ($_SERVER['REQUEST_METHOD'] == 'POST') {
             $openid_url = $this->trimmed('openid_url');
 
+            oid_assert_allowed($openid_url);
+
             # CSRF protection
             $token = $this->trimmed('token');
             if (!$token || $token != common_session_token()) {
diff --git a/plugins/OpenID/openidtrust.php b/plugins/OpenID/openidtrust.php
index fa7ea36e2..ed6ca73a4 100644
--- a/plugins/OpenID/openidtrust.php
+++ b/plugins/OpenID/openidtrust.php
@@ -71,7 +71,7 @@ class OpenidtrustAction extends Action
         }
         return true;
     }
-    
+
     function handle($args)
     {
         parent::handle($args);
@@ -96,7 +96,6 @@ class OpenidtrustAction extends Action
             $user_openid_trustroot->created = DB_DataObject_Cast::dateTime();
             if (!$user_openid_trustroot->insert()) {
                 $err = PEAR::getStaticProperty('DB_DataObject','lastError');
-                common_debug('DB error ' . $err->code . ': ' . $err->message, __FILE__);
             }
             common_redirect($this->allowUrl, $code=302);
         }else{
@@ -135,7 +134,7 @@ class OpenidtrustAction extends Action
         $this->elementStart('fieldset');
         $this->submit('allow', _m('Continue'));
         $this->submit('deny', _m('Cancel'));
-        
+
         $this->elementEnd('fieldset');
         $this->elementEnd('form');
     }
author	Brion Vibber <brion@pobox.com>	2010-03-25 14:32:28 -0700
committer	Brion Vibber <brion@pobox.com>	2010-03-25 14:32:28 -0700
commit	511a164c99eb143575925743a5223ca454f55fb0 (patch)
tree	ea6d862b6f9e48f8c9bda7c00d4a1b47ce457b46
parent	e174a7211df1e15e1c79415a2722651a3b885be7 (diff)
parent	46655eb3ca06666a747eacbef9de4bbc00cfd6b8 (diff)