From a7857445e3654bdc2d7968e31064349b92399cc7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michael=20Kr=C3=B6ll?=
Date: Tue, 2 Dec 2008 00:01:00 +0100
Subject: Check for valid return_to url

---
 Build.PL | 3 ++-
 lib/PAUSE/OpenID/Controller/Root.pm | 5 +++++
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/Build.PL b/Build.PL
index e6d5eb0..ca06808 100644
--- a/Build.PL
+++ b/Build.PL
@@ -13,12 +13,13 @@ my $builder = Module::Build->new(
 'perl' => '5.010',
 'Catalyst::Runtime' => '5.7014',
 'Net::OpenID::Server' => '1.02',
- 'Catalyst::View::XSLT' => 0,
+ 'Catalyst::View::XSLT' => '0',
 'Catalyst::Plugin::Cache::Memcached' => '0.6',
 'Catalyst::Plugin::Session' => '0',
 'Catalyst::Plugin::Session::State::Cookie' => '0',
 'Catalyst::Plugin::Session::Store::FastMmap' => '0',
 'Crypt::SSLeay' => '0',
+ 'Regexp::Common' => '0',
 },
 add_to_cleanup => ['PAUSE-OpenID-*'],
diff --git a/lib/PAUSE/OpenID/Controller/Root.pm b/lib/PAUSE/OpenID/Controller/Root.pm
index 6ffa03b..13f165f 100644
--- a/lib/PAUSE/OpenID/Controller/Root.pm
+++ b/lib/PAUSE/OpenID/Controller/Root.pm
@@ -5,6 +5,7 @@ use warnings;
 use parent 'Catalyst::Controller';
 use LWP::UserAgent;
+use Regexp::Common qw /URI/;
 #
 # Sets the actions in this controller to be registered with no prefix
@@ -41,6 +42,10 @@ sub index :Path :Args(0) {
 #$c->flash->{xml} = 'Missing parameter';
 $c->res->redirect($c->uri_for('/error'));
 }
+ elsif ( $return_to !~ /$RE{URI}{HTTP}/ ) { #{'-scheme'=>'P'}
+ #$c->flash->{xml} = 'Invalid URI';
+ $c->res->redirect($c->uri_for('/error'));
+ }
 # TODO: generate XML programatically
 $c->stash->{xml} = sprintf('', $c->config->{'PAUSE::OpenID'}{'baseurl'});
--
cgit v1.2.3
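Review bot: The new `elsif` pattern `/$RE{URI}{HTTP}/` is unanchored, so any `return_to` value that merely contains an http URL somewhere inside it passes the check, including one with a different scheme or arbitrary text in front; anchor it as `elsif ( $return_to !~ /\A$RE{URI}{HTTP}{-scheme => 'https?'}\z/ ) {`. The `-scheme => 'https?'` option also admits https return_to URLs, which the plain `{HTTP}` pattern rejects, and the trailing `#{'-scheme'=>'P'}` comment suggests something like this was intended and should either be applied or removed. As with the preceding `if` branch, the new branch sets a redirect but neither `return`s nor calls `$c->detach`, so execution falls through to the `$c->stash->{xml} = sprintf(...)` line; whether the view still renders after a redirect depends on the RenderView configuration outside this hunk. A well-formed URL is still an arbitrary host, so this is format validation only and does not by itself constrain where the redirect may lead. `sub index` continues past the end of the hunk.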