Some openid fixes

diff --git a/forum/forum b/forum/forum
index ba95dcd7afe29553812e56a91b4b2f4f3abca860..df265c3c6157b3723baa8ddfc2c95628ca22c10a 100755 (executable)
--- a/forum/forum
+++ b/forum/forum
@@ -469,6 +469,13 @@ sub authorize_user {
                dbmopen %sessbase,datafile($forum,"session"),0644;
                        if ($sessbase{$session})  {
                                my ($user,$expires,$ip)=split(";", $sessbase{$session});
+                               my $user_cookie = $cgi->cookie("sluser");
+                               if ($user_cookie ne $user && $user_cookie ne
+                               "http://".$user) {
+                                       clear_user_cookies($cgi,$forum);
+                                       show_error($forum,"Некорректная пользовательская сессия");
+                                       exit;
+                               }       
                                if (!defined $ip|| $ip eq $ENV{'REMOTE_ADDR'}) {
                                        my %userbase;
                                        dbmopen %userbase,datafile($forum,"passwd"),0644;
@@ -488,7 +495,11 @@ sub authorize_user {
                                        }       
                                        dbmclose %userbase; 
                                }       
-                       }       
+                       } else {
+                               clear_user_cookies($cgi,$forum);
+                               show_error($forum,"Некорректная пользовательская сессия");
+                               exit;
+                       }
                dbmclose %sessbase;
        }
 }
@@ -522,7 +533,9 @@ sub newsession {
        } while ($base->{$sessname});
        my $cookie = $cgi->cookie(-name=>"slsession",
                -expires => $forum->{"authperiod"},-value=> $sessname);
-       $base->{$sessname}=$user.";".str2time($cookie->expires()).
+       my $username = $user;
+       $username =~ s/^http:\/\///; #Remoove http:// from OpenID user names 
+       $base->{$sessname}=$username.";".str2time($cookie->expires()).
                ($ip?";$ENV{'REMOTE_ADDR'}":"");
                
        $forum->{'cookies'}=[ $cookie,
@@ -704,15 +717,19 @@ sub login {
                show_template(@_);
        }       
 }      
+sub clear_user_cookies {
+       my ($cgi,$forum) = @_;
+       $forum->{cookies}=[ $cgi->cookie(-name=>"sluser", -value=>"0",
+       -expires=>"-1m"),$cgi->cookie(-name=>"slsession", -value=>"0",
+                       -expires => "-1m")];
+}                      
 #
 # Обработчик формы logout. В отличие от большинства обработчиков форм,
 # поддерживает обработку методом GET
 #
 sub logout {
        my ($form,$cgi,$forum) = @_;
-       $forum->{cookies}=[ $cgi->cookie(-name=>"sluser", -value=>"0",
-       -expires=>"-1m"),$cgi->cookie(-name=>"slsession", -value=>"0",
-                       -expires => "-1m")];
+       clear_user_cookies($cgi,$forum);
        if (defined (my $session_id = $cgi->cookie("slsession"))) {
                my %sessiondb;
                dbmopen %sessiondb,datafile($forum,"session"),0644;
@@ -942,7 +959,7 @@ sub openid_verify {
                my %userbase;
                dbmopen %userbase,datafile($forum,"passwd"),0664;
                if (!$userbase{$user}) {
-                       $userbase{$user} = $forum->{authenticated}={};
+                       $userbase{$user} = $forum->{authenticated}={"openiduser"=>1};
                } else {
                        $forum->{authenticated} = thaw ($userbase{$user});
                }