diff options
author | Friendika <info@friendika.com> | 2011-01-04 23:18:52 -0800 |
---|---|---|
committer | Friendika <info@friendika.com> | 2011-01-04 23:18:52 -0800 |
commit | 95507cf90fda35bb90fd32db4e7786765f7498e2 (patch) | |
tree | 895d5d3c5c57583dd465c2825a64751bac5da367 | |
parent | bb0c24bd4fd159cc005f60a0808a4b37b91060b0 (diff) | |
download | volse-hubzilla-95507cf90fda35bb90fd32db4e7786765f7498e2.tar.gz volse-hubzilla-95507cf90fda35bb90fd32db4e7786765f7498e2.tar.bz2 volse-hubzilla-95507cf90fda35bb90fd32db4e7786765f7498e2.zip |
secure admin hijacking from openid
-rw-r--r-- | mod/register.php | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/mod/register.php b/mod/register.php index 68c7297c9..fcc9ebcab 100644 --- a/mod/register.php +++ b/mod/register.php @@ -37,8 +37,13 @@ function register_post(&$a) { $openid_url = ((x($_POST,'openid_url')) ? notags(trim($_POST['openid_url'])) : ''); $photo = ((x($_POST,'photo')) ? notags(trim($_POST['photo'])) : ''); + $tmp_str = $openid_url; if((! x($username)) || (! x($email)) || (! x($nickname))) { if($openid_url) { + if(! validate_url($tmp_str)) { + notice( t('Invalid OpenID url') . EOL); + return; + } $_SESSION['register'] = 1; $_SESSION['openid'] = $openid_url; require_once('library/openid.php'); @@ -82,6 +87,12 @@ function register_post(&$a) { if((! valid_email($email)) || (! validate_email($email))) $err .= t('Not a valid email address.') . EOL; + // Disallow somebody creating an account using openid that uses the admin email address, + // since openid bypasses email verification. + + if((x($a->config,'admin_email')) && (strcasecmp($email,$a->config['admin_email']) == 0) && strlen($openid_url)) + $err .= t('Cannot use that email.') . EOL; + $nickname = $_POST['nickname'] = strtolower($nickname); if(! preg_match("/^[a-z][a-z0-9\-\_]*$/",$nickname)) |