aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorFriendika <info@friendika.com>2011-01-04 23:18:52 -0800
committerFriendika <info@friendika.com>2011-01-04 23:18:52 -0800
commit95507cf90fda35bb90fd32db4e7786765f7498e2 (patch)
tree895d5d3c5c57583dd465c2825a64751bac5da367
parentbb0c24bd4fd159cc005f60a0808a4b37b91060b0 (diff)
downloadvolse-hubzilla-95507cf90fda35bb90fd32db4e7786765f7498e2.tar.gz
volse-hubzilla-95507cf90fda35bb90fd32db4e7786765f7498e2.tar.bz2
volse-hubzilla-95507cf90fda35bb90fd32db4e7786765f7498e2.zip
secure admin hijacking from openid
-rw-r--r--mod/register.php11
1 files changed, 11 insertions, 0 deletions
diff --git a/mod/register.php b/mod/register.php
index 68c7297c9..fcc9ebcab 100644
--- a/mod/register.php
+++ b/mod/register.php
@@ -37,8 +37,13 @@ function register_post(&$a) {
$openid_url = ((x($_POST,'openid_url')) ? notags(trim($_POST['openid_url'])) : '');
$photo = ((x($_POST,'photo')) ? notags(trim($_POST['photo'])) : '');
+ $tmp_str = $openid_url;
if((! x($username)) || (! x($email)) || (! x($nickname))) {
if($openid_url) {
+ if(! validate_url($tmp_str)) {
+ notice( t('Invalid OpenID url') . EOL);
+ return;
+ }
$_SESSION['register'] = 1;
$_SESSION['openid'] = $openid_url;
require_once('library/openid.php');
@@ -82,6 +87,12 @@ function register_post(&$a) {
if((! valid_email($email)) || (! validate_email($email)))
$err .= t('Not a valid email address.') . EOL;
+ // Disallow somebody creating an account using openid that uses the admin email address,
+ // since openid bypasses email verification.
+
+ if((x($a->config,'admin_email')) && (strcasecmp($email,$a->config['admin_email']) == 0) && strlen($openid_url))
+ $err .= t('Cannot use that email.') . EOL;
+
$nickname = $_POST['nickname'] = strtolower($nickname);
if(! preg_match("/^[a-z][a-z0-9\-\_]*$/",$nickname))