Merge remote-tracking branch 'friendica/master'

boot.php

@@ -713,15 +713,16 @@ function login($register = false, $hiddens=false) {
 
 	$noid = get_config('system','no_openid');
 	
+	$dest_url = $a->get_baseurl(true) . '/' . $a->query_string;
+
 	if(local_user()) {
 		$tpl = get_markup_template("logout.tpl");
 	}
 	else {
 		$tpl = get_markup_template("login.tpl");
-
+		$_SESSION['return_url'] = $a->query_string;
 	}
 
-	$dest_url = $a->get_baseurl(true) . '/' . $a->query_string;
 
 	$o .= replace_macros($tpl,array(
 

include/text.php

@@ -1355,3 +1355,6 @@ function file_tag_unsave_file($uid,$item,$file) {
 	return true;
 }
 
+function normalise_openid($s) {
+	return trim(str_replace(array('http://','https://'),array('',''),$s),'/');
+}

mod/openid.php

@@ -10,6 +10,8 @@ function openid_content(&$a) {
 	if($noid)
 		goaway(z_root());
 
+	logger('mod_openid ' . print_r($_REQUEST,true), LOGGER_DATA);
+
 	if((x($_GET,'openid_mode')) && (x($_SESSION,'openid'))) {
 		$openid = new LightOpenID;
 
@@ -54,11 +56,16 @@ function openid_content(&$a) {
 				// NOTREACHED
 			} 
 
+			$authid = normalise_openid($_REQUEST['openid_identity']);
+			if(! strlen($authid))
+				goaway(z_root());
+
 
 			$r = q("SELECT `user`.*, `user`.`pubkey` as `upubkey`, `user`.`prvkey` as `uprvkey` 
 				FROM `user` WHERE `openid` = '%s' AND `blocked` = 0 AND `account_expired` = 0 AND `verified` = 1 LIMIT 1",
-				dbesc($_SESSION['openid'])
+				dbesc($authid)
 			);
+
 			if(! count($r)) {
 				notice( t('Login failed.') . EOL );
 				goaway(z_root());

mod/settings.php

@@ -322,6 +322,7 @@ function settings_post(&$a) {
 	$str_contact_deny  = perms2str($_POST['contact_deny']);
 
 	$openidserver = $a->user['openidserver'];
+	$openid = normalise_openid($openid);
 
 	// If openid has changed or if there's an openid but no openidserver, try and discover it.