From c635da4f907912ff26fbfcf6369b9e0dc4393321 Mon Sep 17 00:00:00 2001
From: Victor Wagner
Date: Mon, 24 Mar 2008 10:59:23 +0000
Subject: [PATCH] Some openid fixes
---
 forum/forum | 29 +++++++++++++++++++++++------
 1 file changed, 23 insertions(+), 6 deletions(-)
diff --git a/forum/forum b/forum/forum
index ba95dcd..df265c3 100755
--- a/forum/forum
+++ b/forum/forum
@@ -469,6 +469,13 @@ sub authorize_user {
 dbmopen %sessbase,datafile($forum,"session"),0644;
 if ($sessbase{$session}) {
 my ($user,$expires,$ip)=split(";", $sessbase{$session});
+ my $user_cookie = $cgi->cookie("sluser");
+ if ($user_cookie ne $user && $user_cookie ne
+ "http://".$user) {
+ clear_user_cookies($cgi,$forum);
+ show_error($forum,"Некорректная пользовательская сессия");
+ exit;
+ }
 if (!defined $ip|| $ip eq $ENV{'REMOTE_ADDR'}) {
 my %userbase;
 dbmopen %userbase,datafile($forum,"passwd"),0644;
@@ -488,7 +495,11 @@ sub authorize_user {
 }
 dbmclose %userbase;
 }
- }
+ } else {
+ clear_user_cookies($cgi,$forum);
+ show_error($forum,"Некорректная пользовательская сессия");
+ exit;
+ }
 dbmclose %sessbase;
 }
 }
@@ -522,7 +533,9 @@ sub newsession {
 } while ($base->{$sessname});
 my $cookie = $cgi->cookie(-name=>"slsession",
 -expires => $forum->{"authperiod"},-value=> $sessname);
- $base->{$sessname}=$user.";".str2time($cookie->expires()).
+ my $username = $user;
+ $username =~ s/^http:\/\///; #Remoove http:// from OpenID user names
+ $base->{$sessname}=$username.";".str2time($cookie->expires()).
 ($ip?";$ENV{'REMOTE_ADDR'}":"");
 $forum->{'cookies'}=[ $cookie,
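Review bot: The new mismatch branch in the first hunk of `authorize_user` clears the client's cookies but leaves `$sessbase{$session}` untouched, so the session ID stays valid server-side and a client holding it can simply resend it together with a matching `sluser` value; because `sluser` is client-supplied, this test only enforces consistency between two cookies and adds no authentication. If the intent is to invalidate the session on mismatch, add `delete $sessbase{$session}; dbmclose %sessbase;` before the `exit`, which as written also skips the `dbmclose %sessbase` further down. The comparison `$user_cookie ne $user` runs with no `defined` guard, so a request carrying `slsession` but no `sluser` cookie warns on undef before being rejected; `if (!defined $user_cookie || ($user_cookie ne $user && $user_cookie ne "http://".$user)) {` makes the missing-cookie case explicit. The enclosing `authorize_user` starts before this hunk.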
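Review bot: The added `else` branch in the second `authorize_user` hunk turns every `slsession` cookie that has no entry in the session file into an error page plus `exit`, so a browser still carrying a cookie for a session that was removed server-side gets the error instead of being treated as an anonymous visitor, and the `exit` again bypasses the `dbmclose %sessbase` on the next context line. If the goal is just to drop a stale cookie, `clear_user_cookies($cgi,$forum);` on its own, without `show_error` and `exit`, lets the request continue unauthenticated; if the hard error is intended, at least close the DBM first with `dbmclose %sessbase; exit;`. Whether `$expires` from the earlier `split` is checked anywhere is not visible here (lines between the two hunks are cut), so I cannot tell if an expired-but-present record is handled; the `if ($sessbase{$session})` this `else` belongs to is outside this hunk.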
@@ -704,15 +717,19 @@ sub login {
 show_template(@_);
 }
 }
+sub clear_user_cookies {
+ my ($cgi,$forum) = @_;
+ $forum->{cookies}=[ $cgi->cookie(-name=>"sluser", -value=>"0",
+ -expires=>"-1m"),$cgi->cookie(-name=>"slsession", -value=>"0",
+ -expires => "-1m")];
+}
 #
 # Обработчик формы logout. В отличие от большинства обработчиков форм,
 # поддерживает обработку методом GET
 #
 sub logout {
 my ($form,$cgi,$forum) = @_;
- $forum->{cookies}=[ $cgi->cookie(-name=>"sluser", -value=>"0",
- -expires=>"-1m"),$cgi->cookie(-name=>"slsession", -value=>"0",
- -expires => "-1m")];
+ clear_user_cookies($cgi,$forum);
 if (defined (my $session_id = $cgi->cookie("slsession"))) {
 my %sessiondb;
 dbmopen %sessiondb,datafile($forum,"session"),0644;
@@ -942,7 +959,7 @@ sub openid_verify {
 my %userbase;
 dbmopen %userbase,datafile($forum,"passwd"),0664;
 if (!$userbase{$user}) {
- $userbase{$user} = $forum->{authenticated}={};
+ $userbase{$user} = $forum->{authenticated}={"openiduser"=>1};
 } else {
 $forum->{authenticated} = thaw ($userbase{$user});
 }
-- 
2.39.5
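Review bot: `clear_user_cookies` is undocumented and assigns `$forum->{cookies}` wholesale, discarding any cookie already queued there; that matches what `logout` did before, but the helper is now also called from `authorize_user` in the middle of a request, where the overwrite is less obviously intended. A header comment makes that contract explicit: `# Expire the sluser and slsession cookies; replaces (does not append to) whatever is queued in $forum->{cookies}.` The expiring cookies carry no `-path`, which only works if the originals were set without one as well — `newsession` sets `slsession` that way, but where `sluser` is issued is not visible in this patch, so worth confirming. `logout` continues past the end of this hunk.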
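Review bot: In the last hunk the new `openiduser` flag is stored with `$userbase{$user} = $forum->{authenticated}={"openiduser"=>1};`, i.e. a raw hashref assigned into a plain `dbmopen` hash, while the `else` branch reads existing records back with `thaw`, which indicates the stored values are expected to be Storable-frozen; unless some layer not visible here serializes on store, the DBM will receive the stringified reference and the flag will not survive to the next login. With `freeze` imported next to `thaw`, `$userbase{$user} = freeze($forum->{authenticated} = {"openiduser"=>1});` stores it in the form the read path expects. Separately, this hunk opens the passwd DBM with mode `0664` whereas `authorize_user` opens the same file with `0644`; a group-writable credential store is presumably unintended. The body of `openid_verify` begins before this hunk.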