2019-02-06 00:49:12 +03:00
commit 8dbb1bb605
4796 changed files with 506072 additions and 0 deletions


@@ -0,0 +1,83 @@
<?_code
{
return "OpenID consumer support is disabled" unless LJ::OpenID::server_enabled();
use strict;
use vars qw($title $body %GET %POST);
use LJ::OpenID;
my $err = sub {
$title = "Error";
$body = shift;
return "";
};
my $u = LJ::get_remote() or
return $err->("Currently you need to be logged in to grant another site permission to know your identity, but this page will eventually let you log in during the same step.");
my $identity = LJ::OpenID::is_identity($u, $GET{'identity'}, \%GET);
unless ($identity) {
return $err->("The site you just came from seems to want to verify <a href='" .
LJ::ehtml($GET{'identity'}) .
"'>an identity</a> that you, as " .
LJ::ljuser($u) .
", cannot provide.");
}
my $site = $GET{'trust_root'};
$site =~ s/\?.*//;
return $err->("Invalid site address") unless $site =~ m!^https?://!;
# TODO: check URL and see if it contains images or external scripts/css/images, where
# an attacker could sniff the validation tokens in the Referer header?
if (LJ::did_post()) {
return $err->("Possible form tampering detected.") unless LJ::check_form_auth();
my $dur;
$body = "";
$dur = "always" if $POST{'yes:always'};
$dur = "once" if $POST{'yes:once'};
LJ::OpenID::add_trust($u, $site, $dur)
or return $err->("Failed to save");
$title = "Saved";
$body .= "Permission has been granted. You can now <a href='javascript:window.close()'>close this window</a> and login to the site you were previously visiting.";
if ($GET{"openid.post_grant"} eq "close") {
$body .= "<script>window.close();</script>";
} elsif ($GET{"openid.post_grant"} eq "return") {
my $nos = LJ::OpenID::server();
my $sig_return = $nos->signed_return_url(
identity => $GET{'identity'},
return_to => $GET{'return_to'},
trust_root => $GET{'trust_root'},
assoc_handle => $GET{'assoc_handle'},
);
return BML::redirect($sig_return) if $sig_return;
return $err->("Failed to make signed return URL.");
}
return;
}
$title = "Grant identity validation?";
$body = "";
$body .= "<?h1 Identity Validation h1?><?p Another site on the web wants to validate your LiveJournal identity. No information will be shared with them that isn't already public in your profile, only that you're who you've already told them you are (if you told them). p?><?p The address wanting permission is: p?>";
$body .= "<form method='post'>";
$body .= LJ::form_auth();
my $dis_site = LJ::ehtml($site);
$dis_site =~ s!\*\.!<span style='color: red'><i>&lt;anything&gt;</i></span>.!;
$body .= "<div style='overflow: auto; background: #DDD; word-wrap: break-word; color: black; border: 2px solid black; padding: 0.5em; font-size: 13pt'><tt>$dis_site</tt></div>";
$body .= "<?p Do you want to pass your identity to them? p?>";
$body .= "<table align='center'><tr><td><input type='submit' name='yes:once' value='Yes; just this time.' /> <input type='submit' name='yes:always' value='Yes; always.' /></td></tr></table>";
$body .= "<?p If not, just close this window. p?>";
$body .= "</form>";
return;
}
_code?><?page
title=><?_code return $title; _code?>
body=><?_code return $body; _code?>
page?>
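Review bot: The error branch for a failed `is_identity` check builds `<a href='...'>` from `$GET{'identity'}` with only `LJ::ehtml`, which escapes markup but does not restrict the URL scheme, so a request-supplied non-http value becomes a clickable link on this page; apply the same `m!^https?://!` test used for `$site` before linking, or print the value as text. The consent screen shows and `add_trust` stores the query-stripped `$site`, while `signed_return_url` receives the raw `$GET{'trust_root'}` and `$GET{'return_to'}`; nothing visible here confirms that `return_to` sits under the approved site, so confirm the library enforces that or add the check before redirecting. `$dur` stays undefined when neither `yes:once` nor `yes:always` is posted and is still passed to `add_trust`. The guard at the top of this section, and the identical one in the last file section, report "OpenID consumer support is disabled" although they test `server_enabled()`.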


@@ -0,0 +1,61 @@
<?page
head<=
<style>
input.sexy {
background: url(<?imgprefix?>/openid-inputicon.gif) no-repeat;
background-color: #fff;
background-position: 0 50%;
padding-left: 18px;
}
</style>
<script>
function regEvent (target, evt, func) {
if (! target) return;
if (target.attachEvent)
target.attachEvent("on"+evt, func);
if (target.addEventListener)
target.addEventListener(evt, func, false);
}
function initPage () {
if (document.getElementById) {
var ur = document.getElementById('openid_url');
if (ur) ur.focus();
}
}
regEvent(window, "load", initPage);
</script>
<=head
title=>OpenID
body<=
<div style='background-color: #ffe680; float: right; width: 175px; font-size: 0.8em; border: 1px outset #333; padding: 2px;'>
<strong style='text-decoration: underline'>BETA:</strong><br /> Our OpenID consumer support is very new. That is, external users logging in with their identity here will find some rough edges while we work on smoothing it all out.<br /><br />Our server support is relatively complete, though.
</div>
<?h1 What is OpenID? h1?>
<?p <?sitename?> supports the <a href="http://openid.net/">OpenID</a> distributed identity system, letting you bring your <?sitename?> identity to other sites, and letting non-<?sitename?> users bring their identity here. After all, not everybody uses the same websites, but you should still be able to play together. p?>
<?h1 Using your OpenID here. h1?>
<?p
If you're not a member of <?sitename?> but want to leave authenticated comments and let people add you as their friend, trust your comments, etc., then you can login either in the form below, or from any comment entry form. Once you're logged in, you'll also be able to read friends-only posts that <?sitename?> users have indicated you're allowed to read.
p?>
<div style='padding: 0.4em; margin-left: 25px; margin-right: 25px; width: auto; text-align: center; background: #ccc; border: #000'>
<form method='post' action='login.bml' style='display:inline; width:auto'><nobr><b>Your OpenID URL:</b> <input class='sexy' id='openid_url' name="openid_url" size='30' />
<input style='background: #ff6200; color: #fff;' type='submit' value='Login' /></nobr><br />For example: <tt>melody.someblog.com</tt> (if your host supports OpenID)</form></div>
<?h1 Using your OpenID on another site. h1?>
<?p
If another site says it supports OpenID and you want to use your <?sitename?> identity there, just enter your journal URL. (you don't need the http:// part either). For example, just enter <b>melody.livejournal.com</b>, or whatever your address is. After you do so, you'll be sent to LiveJournal briefly to ask if you want to trust that site to know who you are. You can either trust them once, or forever. You can change your <a href="/openid/options.bml">OpenID settings and trust</a> at any time.
p?>
<=body
page?>


@@ -0,0 +1,89 @@
<?_code
{
return "OpenID consumer support is disabled" unless LJ::OpenID::consumer_enabled();
use strict;
use vars qw($title $head $body %GET %POST);
use LJ::OpenID;
LJ::set_active_crumb("openid_login");
$title = "OpenID Login";
$head = "";
my $err = sub {
$title = "Error";
$body = shift;
return;
};
my $remote = LJ::get_remote();
if ($remote) {
$body .= "<?h1 Already logged in h1?><?p Hello, " . LJ::ljuser($remote) . ". Before logging in with <a href='http://www.danga.com/openid/'>OpenID</a>, you must first <a href='/logout.bml'>log out</a>. p?>";
return;
}
if ($GET{'openid.mode'}) {
my $csr = LJ::OpenID::consumer(\%GET);
if (my $setup = $csr->user_setup_url) {
return BML::redirect($setup);
}
my $vident = eval { $csr->verified_identity; };
return $err->($csr->err) unless $vident;
my $url = $vident->url;
return $err->("Invalid characters in identity URL.") if $url =~ /[\<\>\s]/;
my $u = LJ::User::load_identity_user("O", $url, $vident);
return $err->("Couldn't vivify your account (but we verified that you're " . LJ::ehtml($url) . ")") unless $u;
my $sess_opts = {
'exptype' => 'short',
'ipfixed' => 0,
};
my $etime = 0;
if ($POST{'expire'} eq "never") {
$etime = time()+60*60*24*60;
$sess_opts->{'exptype'} = "long";
}
$u->make_login_session($sess_opts->{'exptype'}, $sess_opts->{'ipfixed'});
LJ::set_remote($u);
return BML::redirect("$LJ::SITEROOT/login.bml");
}
if (LJ::did_post()) {
my $csr = LJ::OpenID::consumer();
my $url = $POST{'openid_url'};
return $err->("Invalid characters in identity URL.") if $url =~ /[\<\>\s]/;
my $tried_local_ref = LJ::OpenID::blocked_hosts($csr);
my $claimed_id = $csr->claimed_identity($url);
unless ($claimed_id) {
return $err->("You can't use a LiveJournal OpenID account on LiveJournal &mdash; ".
"just <a href='/login.bml'>go login</a> with your actual LiveJournal account.") if $tried_local_ref;
return $err->($csr->err);
}
my $check_url = $claimed_id->check_url(
return_to => "$LJ::SITEROOT/openid/login.bml",
trust_root => "$LJ::SITEROOT/",
delayed_return => 1,
);
return BML::redirect($check_url);
}
return undef;
}
_code?><?_info
nocache=>1
_info?><?page
title=><?_code return $title; _code?>
body=><?_code return $body; _code?>
page?>
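Review bot: The `openid.mode` branch redirects to `$csr->user_setup_url` before `verified_identity` is called, so the destination appears to come from request parameters that have not been signature-checked; because the outgoing request uses `delayed_return => 1`, a setup URL is not expected on return, and the redirect could be dropped or restricted to an expected host. The POST branch starts a login without `LJ::check_form_auth()`, unlike the other POST handlers in this commit, and the form that posts `openid_url` would need `LJ::form_auth()` to match. `$csr->err` is written into `$body` unescaped at both `$err->($csr->err)` calls; `$err->(LJ::ehtml($csr->err))` is safer if that text can echo remote input. `$etime` and the `$POST{'expire'}` test are never used by `make_login_session` here and sit in a branch reached by GET, so they look like dead code.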


@@ -0,0 +1,96 @@
<?_code
{
use strict;
use vars qw($title $body %GET %POST);
my $err = sub {
$title = "Error";
$body = shift;
return "";
};
return $err->("OpenID server support is disabled")
unless LJ::OpenID::server_enabled();
my $u = LJ::get_remote() or
return $err->("You need to be <a href='/login.bml?ret=1'>logged in</a> to manage your OpenID options.");
my $dbh = LJ::get_db_writer();
my $trusted = {};
my @external;
my $load_trusted = sub {
$trusted = $dbh->selectall_hashref("SELECT ye.endpoint_id as 'endid', ye.url FROM openid_endpoint ye, openid_trust yt WHERE yt.endpoint_id=ye.endpoint_id AND yt.userid=$u->{userid}", 'endid');
};
my $load_external = sub {
@external = @{ $dbh->selectcol_arrayref("SELECT url FROM openid_external WHERE userid=?", undef, $u->{userid}) };
};
if (LJ::did_post()) {
return $err->("Possible form tampering detected.") unless LJ::check_form_auth();
my $dur;
$body = "";
$load_trusted->();
foreach my $endid (sort { $trusted->{$a} cmp $trusted->{$b} } keys %$trusted) {
next unless $POST{"delete:$endid"};
$dbh->do("DELETE FROM openid_trust WHERE userid=? AND endpoint_id=?", undef, $u->{userid}, $endid);
}
$load_external->();
foreach my $url (@external) {
next unless $POST{"extdelete:$url"};
$dbh->do("DELETE FROM openid_external WHERE userid=? AND url=?", undef, $u->{userid}, $url);
}
if ($POST{'ext_url'} =~ m!^http://!) {
$dbh->do("REPLACE INTO openid_external (userid, url) VALUES (?,?)", undef, $u->{userid}, $POST{'ext_url'});
}
}
$load_trusted->();
$load_external->();
$title = "OpenID Options";
$body = "";
$body .= "<form method='post'>";
$body .= LJ::form_auth();
$body .= "<?h1 Sites you trust h1?><?p You've marked these sites as able to verify your identity. You may remove them here. p?>";
$body .= "<div style='margin: 5px 0px 5px 30px'>";
if (%$trusted) {
foreach my $endid (sort { $trusted->{$a} cmp $trusted->{$b} } keys %$trusted) {
my $url = $trusted->{$endid}->{url};
my $dis_site = LJ::ehtml($url);
$dis_site =~ s!\*\.!<i>&lt;anything&gt;</i>.!;
$body .= LJ::html_submit("delete:$endid", "Delete") . " -- $dis_site<br />";
}
} else {
$body .= "<i>(None)</i>";
}
$body .= "</div>";
$body .= "<?h1 External Assertion URLs h1?><?p Optional URLs LiveJournal will assert for you, if you put this in your HTML's head. p?>";
$body .= "<b>&lt;link rel=\"openid.server\" href=\"$LJ::OPENID_SERVER?ljuser=$u->{user}\" /&gt;</b>";
$body .= "<div style='margin: 5px 0px 5px 30px'>";
if (@external) {
foreach my $url (@external) {
$body .= LJ::html_submit("extdelete:$url", "Delete") . " -- " . LJ::ehtml($url) . "<br />";
}
} else {
$body .= "<i>(None)</i>";
}
$body .= "</div>";
$body .= "Add: " . LJ::html_text({ name => 'ext_url', size => 60 }) . " <input type='submit' value='Add' />";
$body .= "</form>";
return;
}
_code?><?page
title=><?_code return $title; _code?>
body=><?_code return $body; _code?>
page?>
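Review bot: `$load_trusted` interpolates `$u->{userid}` into the SQL string while every other statement in this section binds it; pass it as a bind value, `selectall_hashref("... AND yt.userid=?", 'endid', undef, $u->{userid})`, so the query does not depend on that field always being numeric. Both `sort` blocks compare `$trusted->{$a}` with `$trusted->{$b}`, which are hash references, so the order follows their stringified addresses; `$trusted->{$a}{url} cmp $trusted->{$b}{url}` sorts by URL. The `ext_url` check `m!^http://!` tests only the prefix and rejects https; anchoring it with `\A` and stating in a comment whether https is intentionally excluded would make the rule explicit.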


@@ -0,0 +1,20 @@
<?_info
nocache=>1
_info?><?_code
{
return "OpenID consumer support is disabled" unless LJ::OpenID::server_enabled();
use strict;
use vars qw(%GET %POST);
my $nos = LJ::OpenID::server(\%GET, \%POST);
my ($type, $data) = $nos->handle_page(redirect_for_setup => 1);
if ($type eq "redirect") {
return BML::redirect($data);
} else {
BML::set_content_type($type) if $type;
return $data;
}
}
_code?>