init

2019-02-06 00:49:12 +03:00
commit 8dbb1bb605
4796 changed files with 506072 additions and 0 deletions
--- a/local/htdocs/openid/approve.bml
+++ b/local/htdocs/openid/approve.bml
@@ -0,0 +1,83 @@
+<?_code
+{
+    return "OpenID consumer support is disabled" unless LJ::OpenID::server_enabled();
+
+    use strict;
+    use vars qw($title $body %GET %POST);
+    use LJ::OpenID;
+
+    my $err = sub {
+	$title = "Error";
+	$body = shift;
+	return "";
+    };
+
+    my $u = LJ::get_remote() or
+	return $err->("Currently you need to be logged in to grant another site permission to know your identity, but this page will eventually let you log in during the same step.");
+
+    my $identity = LJ::OpenID::is_identity($u, $GET{'identity'}, \%GET);
+    unless ($identity) {
+        return $err->("The site you just came from seems to want to verify <a href='" .
+                      LJ::ehtml($GET{'identity'}) .
+                      "'>an identity</a> that you, as " .
+                      LJ::ljuser($u) .
+                      ", cannot provide.");
+    }
+
+    my $site = $GET{'trust_root'};
+    $site =~ s/\?.*//;
+    return $err->("Invalid site address") unless $site =~ m!^https?://!;
+
+    # TODO: check URL and see if it contains images or external scripts/css/images, where
+    # an attacker could sniff the validation tokens in the Referer header?
+
+    if (LJ::did_post()) {
+	return $err->("Possible form tampering detected.") unless LJ::check_form_auth();
+	my $dur;
+	$body = "";
+
+	$dur = "always" if $POST{'yes:always'};
+	$dur = "once"   if $POST{'yes:once'};
+
+        LJ::OpenID::add_trust($u, $site, $dur)
+            or return $err->("Failed to save");
+
+	$title = "Saved";
+	$body .= "Permission has been granted.  You can now <a href='javascript:window.close()'>close this window</a> and login to the site you were previously visiting.";
+	if ($GET{"openid.post_grant"} eq "close") {
+	    $body .= "<script>window.close();</script>";
+	} elsif ($GET{"openid.post_grant"} eq "return") {
+            my $nos = LJ::OpenID::server();
+            my $sig_return = $nos->signed_return_url(
+                                                     identity     => $GET{'identity'},
+                                                     return_to    => $GET{'return_to'},
+                                                     trust_root   => $GET{'trust_root'},
+                                                     assoc_handle => $GET{'assoc_handle'},
+                                                     );
+            return BML::redirect($sig_return) if $sig_return;
+            return $err->("Failed to make signed return URL.");
+	}
+	return;
+    }
+
+
+    $title = "Grant identity validation?";
+    $body = "";
+    $body .= "<?h1 Identity Validation h1?><?p Another site on the web wants to validate your LJ.Rossia.org identity.  No information will be shared with them that isn't already public in your profile, only that you're who you've already told them you are (if you told them). p?><?p The address wanting permission is: p?>";
+    $body .= "<form method='post'>";
+    $body .= LJ::form_auth();
+    my $dis_site = LJ::ehtml($site);
+    $dis_site =~ s!\*\.!<span style='color: red'><i>&lt;anything&gt;</i></span>.!;
+
+    $body .= "<div style='overflow: auto; background: #DDD; word-wrap: break-word; color: black; border: 2px solid black; padding: 0.5em; font-size: 13pt'><tt>$dis_site</tt></div>";
+    $body .= "<?p Do you want to pass your identity to them? p?>";
+    $body .= "<table align='center'><tr><td><input type='submit' name='yes:once' value='Yes; just this time.' /> <input type='submit' name='yes:always' value='Yes; always.' /></td></tr></table>";
+    $body .= "<?p If not, just close this window. p?>";
+    $body .= "</form>";
+    return;
+
+}
+_code?><?page
+title=><?_code return $title; _code?>
+body=><?_code  return $body;  _code?>
+page?>
--- a/local/htdocs/openid/login.bml
+++ b/local/htdocs/openid/login.bml
@@ -0,0 +1,89 @@
+<?_code
+{
+
+    return "OpenID consumer support is disabled" unless LJ::OpenID::consumer_enabled();
+
+    use strict;
+    use vars qw($title $head $body %GET %POST);
+    use LJ::OpenID;
+    LJ::set_active_crumb("openid_login");
+
+    $title = "OpenID Login";
+    $head = "";
+
+    my $err = sub {
+        $title = "Error";
+        $body = shift;
+        return;
+    };
+
+    my $remote = LJ::get_remote();
+    if ($remote) {
+        $body .= "<?h1 Already logged in h1?><?p Hello, " . LJ::ljuser($remote) . ". Before logging in with <a href='http://www.danga.com/openid/'>OpenID</a>, you must first <a href='/logout.bml'>log out</a>. p?>";
+        return;
+    }
+
+    if ($GET{'openid.mode'}) {
+        my $csr = LJ::OpenID::consumer(\%GET);
+        if (my $setup = $csr->user_setup_url) {
+            return BML::redirect($setup);
+        }
+
+        my $vident = eval { $csr->verified_identity; };
+        return $err->($csr->err) unless $vident;
+
+        my $url = $vident->url;
+        return $err->("Invalid characters in identity URL.") if $url =~ /[\<\>\s]/;
+
+        my $u = LJ::User::load_identity_user("O", $url, $vident);
+        return $err->("Couldn't vivify your account (but we verified that you're " . LJ::ehtml($url) . ")") unless $u;
+
+        my $sess_opts = {
+            'exptype' => 'short',
+            'ipfixed' => 0,
+        };
+        my $etime = 0;
+        if ($POST{'expire'} eq "never") {
+            $etime = time()+60*60*24*60;
+            $sess_opts->{'exptype'} = "long";
+        }
+
+        $u->make_login_session($sess_opts->{'exptype'}, $sess_opts->{'ipfixed'});
+        LJ::set_remote($u);
+
+        return BML::redirect("$LJ::SITEROOT/login.bml");
+    }
+
+
+    if (LJ::did_post()) {
+        my $csr = LJ::OpenID::consumer();
+        my $url = $POST{'openid_url'};
+        return $err->("Invalid characters in identity URL.") if $url =~ /[\<\>\s]/;
+
+        my $tried_local_ref = LJ::OpenID::blocked_hosts($csr);
+
+        my $claimed_id = $csr->claimed_identity($url);
+
+        unless ($claimed_id) {
+            return $err->("You can't use a LiveJournal OpenID account on LiveJournal &mdash; ".
+                          "just <a href='/login.bml'>go login</a> with your actual LJ.Rossia.org account.") if $tried_local_ref;
+            return $err->($csr->err);
+        }
+
+        my $check_url = $claimed_id->check_url(
+                                               return_to => "$LJ::SITEROOT/openid/login.bml",
+                                               trust_root => "$LJ::SITEROOT/",
+                                               delayed_return => 1,
+                                               );
+        return BML::redirect($check_url);
+    }
+
+return undef;
+
+}
+ _code?><?_info
+nocache=>1
+_info?><?page
+title=><?_code return $title; _code?>
+body=><?_code return $body; _code?>
+page?>
--- a/local/htdocs/openid/options.bml
+++ b/local/htdocs/openid/options.bml
@@ -0,0 +1,96 @@
+<?_code
+{
+    use strict;
+    use vars qw($title $body %GET %POST);
+
+    my $err = sub {
+	$title = "Error";
+	$body = shift;
+	return "";
+    };
+
+    return $err->("OpenID server support is disabled")
+        unless LJ::OpenID::server_enabled();
+
+    my $u = LJ::get_remote() or
+	return $err->("You need to be <a href='/login.bml?ret=1'>logged in</a> to manage your OpenID options.");
+
+    my $dbh = LJ::get_db_writer();
+    my $trusted = {};
+    my @external;
+
+    my $load_trusted = sub {
+	$trusted = $dbh->selectall_hashref("SELECT ye.endpoint_id as 'endid', ye.url FROM openid_endpoint ye, openid_trust yt WHERE yt.endpoint_id=ye.endpoint_id AND yt.userid=$u->{userid}", 'endid');
+    };
+
+    my $load_external = sub {
+	@external = @{ $dbh->selectcol_arrayref("SELECT url FROM openid_external WHERE userid=?", undef, $u->{userid}) };
+    };
+
+    if (LJ::did_post()) {
+	return $err->("Possible form tampering detected.") unless LJ::check_form_auth();
+	my $dur;
+	$body = "";
+
+	$load_trusted->();
+	foreach my $endid (sort { $trusted->{$a} cmp $trusted->{$b} } keys %$trusted) {
+	    next unless $POST{"delete:$endid"};
+	    $dbh->do("DELETE FROM openid_trust WHERE userid=? AND endpoint_id=?", undef, $u->{userid}, $endid);
+	}
+
+	$load_external->();
+        foreach my $url (@external) {
+	    next unless $POST{"extdelete:$url"};
+	    $dbh->do("DELETE FROM openid_external WHERE userid=? AND url=?", undef, $u->{userid}, $url);
+        }
+
+	if ($POST{'ext_url'} =~ m!^http://!) {
+	    $dbh->do("REPLACE INTO openid_external (userid, url) VALUES (?,?)", undef, $u->{userid}, $POST{'ext_url'});
+	}
+
+    }
+
+    $load_trusted->();
+    $load_external->();
+
+    $title = "OpenID Options";
+    $body = "";
+    $body .= "<form method='post'>";
+    $body .= LJ::form_auth();
+    $body .= "<?h1 Sites you trust h1?><?p You've marked these sites as able to verify your identity.  You may remove them here. p?>";
+    $body .= "<div style='margin: 5px 0px 5px 30px'>";
+    if (%$trusted) {
+	foreach my $endid (sort { $trusted->{$a} cmp $trusted->{$b} } keys %$trusted) {
+	    my $url = $trusted->{$endid}->{url};
+	    my $dis_site = LJ::ehtml($url);
+	    $dis_site =~ s!\*\.!<i>&lt;anything&gt;</i>.!;
+	    $body .= LJ::html_submit("delete:$endid", "Delete") . " -- $dis_site<br />";
+	}
+    } else {
+	$body .= "<i>(None)</i>";
+    }
+    $body .= "</div>";
+
+
+    $body .= "<?h1 External Assertion URLs h1?><?p Optional URLs LJ.Rossia.org will assert for you, if you put this in your HTML's head. p?>";
+
+    $body .= "<b>&lt;link rel=\"openid.server\" href=\"$LJ::OPENID_SERVER?ljuser=$u->{user}\" /&gt;</b>";
+
+    $body .= "<div style='margin: 5px 0px 5px 30px'>";
+    if (@external) {
+	foreach my $url (@external) {
+	    $body .= LJ::html_submit("extdelete:$url", "Delete") . " -- " . LJ::ehtml($url) . "<br />";
+	}
+    } else {
+	$body .= "<i>(None)</i>";
+    }
+    $body .= "</div>";
+    $body .= "Add: " . LJ::html_text({ name => 'ext_url', size => 60 }) . " <input type='submit' value='Add' />";
+    $body .= "</form>";
+    return;
+
+}
+_code?><?page
+title=><?_code return $title; _code?>
+body=><?_code  return $body;  _code?>
+page?>