We are no longer offering accounts on this server. Consider https://gitlab.freedesktop.org/ as a place to host projects.

Commit 9c63ae6e authored by Evan Prodromou's avatar Evan Prodromou

add whitelist and blacklist for openid URLs

parent 5b23b7e7
......@@ -158,6 +158,9 @@ class FinishopenidloginAction extends Action
$canonical = ($response->endpoint->canonicalID) ?
$response->endpoint->canonicalID : $response->getDisplayIdentifier();
oid_assert_allowed($display);
oid_assert_allowed($canonical);
$sreg_resp = Auth_OpenID_SRegResponse::fromSuccessResponse($response);
if ($sreg_resp) {
......
......@@ -257,6 +257,35 @@ function oid_update_user(&$user, &$sreg)
return true;
}
function oid_assert_allowed($url)
{
$blacklist = common_config('openid', 'blacklist');
$whitelist = common_config('openid', 'whitelist');
if (empty($blacklist)) {
$blacklist = array();
}
if (empty($whitelist)) {
$whitelist = array();
}
foreach ($blacklist as $pattern) {
if (preg_match("/$pattern/", $url)) {
common_log(LOG_INFO, "Matched OpenID blacklist pattern {$pattern} with {$url}");
foreach ($whitelist as $exception) {
if (preg_match("/$exception/", $url)) {
common_log(LOG_INFO, "Matched OpenID whitelist pattern {$exception} with {$url}");
return;
}
}
throw new ClientException(_m("Unauthorized URL used for OpenID login."), 403);
}
}
return;
}
class AutosubmitAction extends Action
{
var $form_html = null;
......
......@@ -31,6 +31,8 @@ class OpenidloginAction extends Action
} else if ($_SERVER['REQUEST_METHOD'] == 'POST') {
$openid_url = $this->trimmed('openid_url');
oid_assert_allowed($openid_url);
# CSRF protection
$token = $this->trimmed('token');
if (!$token || $token != common_session_token()) {
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment