
[livejournal] r22860: LJSUP-13611: get_domain_session should a...

Committer: vad
LJSUP-13611: get_domain_session should accept only signed parameters
U   trunk/cgi-bin/LJ/Session.pm
U   trunk/cgi-bin/weblib.pl
U   trunk/htdocs/misc/get_domain_session.bml
Modified: trunk/cgi-bin/LJ/Session.pm
===================================================================
--- trunk/cgi-bin/LJ/Session.pm	2012-09-11 12:15:03 UTC (rev 22859)
+++ trunk/cgi-bin/LJ/Session.pm	2012-09-11 12:33:46 UTC (rev 22860)
@@ -670,7 +670,12 @@
         my $rr = $opts->{redirect_ref};
 
         if ($rr) {
-            $$rr = "$LJ::SITEROOT/misc/get_domain_session.bml?return=" . LJ::eurl(_current_url());
+            my $current_url = _current_url();
+
+            my $time     = time;
+            my $sign     = LJ::run_hook('sign_set_domain_session_redirect' => $current_url, $time);
+            my $returnto = LJ::eurl($current_url);
+            $$rr = "$LJ::SITEROOT/misc/get_domain_session.bml?return=" . $returnto . '&sign=' . $sign . '&t=' . $time;
         }
 
         return undef;
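Review bot: On the new line that builds `$$rr`, `$sign` and `$time` are appended to the query string raw while `$current_url` goes through `LJ::eurl`; if the signing hook returns anything outside the unreserved URL characters (a base64 digest with `+`, `/` or `=`, for instance) the parameter is mangled in transit and the receiving check fails. Encoding it the same way as the return value, `'&sign=' . LJ::eurl($sign)`, makes the URL independent of the hook's output alphabet; the same applies to `$curl_sign` in the weblib.pl hunk around the `window.location` assignment. `LJ::run_hook` presumably yields undef when no hook is registered, which here produces an empty `sign=` plus an uninitialized-value warning on concatenation, so `my $sign = LJ::run_hook(...) // '';` or an explicit check is worth adding. The enclosing function starts and ends outside the hunk.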

Modified: trunk/cgi-bin/weblib.pl
===================================================================
--- trunk/cgi-bin/weblib.pl	2012-09-11 12:15:03 UTC (rev 22859)
+++ trunk/cgi-bin/weblib.pl	2012-09-11 12:33:46 UTC (rev 22860)
@@ -1640,9 +1640,13 @@
         |;
 
         my $curl = LJ::Session::_current_url();
-        $curl =~ m|^https?://(.+?)/|i;
+           $curl =~ m|^https?://(.+?)/|i;
 
         my $domain = $1;
+
+        my $sign_time = time;
+        my $curl_sign = LJ::run_hook('sign_set_domain_session_redirect' => $curl, $sign_time);
+        
         $curl = LJ::eurl($curl);
 
         $ret_js .= qq|
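Review bot: The regex match line changes only by three extra leading spaces (`           $curl =~ m|^https?://(.+?)/|i;`), and the new blank line after the `$curl_sign` assignment carries trailing whitespace; both read as accidental and should be reverted to the surrounding eight-space indent. The match result is still not checked before `$1` is read into `$domain`, which predates this commit but is worth a `# assumes _current_url() is always absolute` comment now that the line was touched. The enclosing block starts and ends outside the hunk.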
@@ -1650,7 +1654,7 @@
             if( lj_user !== 0 && lj_master_user === 0 ) {
                 window.location = "http://$domain/misc/clear_domain_session.bml?return=$curl";
             } else if ( lj_master_user > 0 && lj_master_user !== lj_user ) {
-                window.location = "${LJ::SITEROOT}/misc/get_domain_session.bml?return=$curl";
+                window.location = "${LJ::SITEROOT}/misc/get_domain_session.bml?return=$curl&sign=$curl_sign&t=$sign_time";
             }
         </script>\n|;
     }

Modified: trunk/htdocs/misc/get_domain_session.bml
===================================================================
--- trunk/htdocs/misc/get_domain_session.bml	2012-09-11 12:15:03 UTC (rev 22859)
+++ trunk/htdocs/misc/get_domain_session.bml	2012-09-11 12:33:46 UTC (rev 22860)
@@ -2,7 +2,22 @@
 {
     use strict;
     use vars qw(%GET);
-    return BML::redirect(LJ::Session->helper_url($GET{'return'}, $GET{'ljpta'}) || "$LJ::SITEROOT/login.bml");
+
+    my $return = $GET{'return'};
+    my $ljpta  = $GET{'ljpta'};
+    my $sign_time = $GET{'t'};
+    my $sign   = $GET{'sign'};
+
+    my $is_sign_valid = 0;
+    LJ::run_hook('check_get_domain_session_sign' => \$is_sign_valid, $return, $sign_time, $sign);
+
+    if (!$is_sign_valid){
+        BML::set_status( LJ::Request::NOT_FOUND() );
+        BML::finish();
+        return '';
+    }
+
+    return BML::redirect(LJ::Session->helper_url($return, $ljpta) || "$LJ::SITEROOT/login.bml");
 }
 _code?>
 
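Review bot: `$ljpta` is still handed to `helper_url` on the final return without being part of the signed data — the check hook receives only `$return`, `$sign_time` and `$sign` — so the commit's stated goal of accepting only signed parameters is not fully met; either include `$ljpta` in both the signing and checking hooks or add a comment at the hook call such as `# ljpta is intentionally left unsigned: <reason>`. Since the signature is now the only thing constraining `return`, the `check_get_domain_session_sign` hook (not shown here) presumably has to bind the digest to the full return URL and reject stale `t` values; a comment at the call site spelling out that contract would help the next maintainer. Initialising `$is_sign_valid` to 0 means a missing hook fails closed with a 404, which is the right default and deserves a one-line comment saying so. Minor style: `if (!$is_sign_valid){` wants a space before the brace.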
