6 changes: 3 additions & 3 deletions custom/conf/app.example.ini
Expand Up @@ -1650,7 +1650,7 @@ LEVEL = Info
;; - <username>.livejournal.com
;;
;; Whether to allow signin in via OpenID
;ENABLE_OPENID_SIGNIN = true
;ENABLE_OPENID_SIGNIN = false
;;
;; Whether to allow registering via OpenID
;; Do not include to rely on rhw DISABLE_REGISTRATION setting
Expand All @@ -1665,8 +1665,8 @@ LEVEL = Info
;; Forbidden URI patterns (POSIX regexp).
;; Space separated.
;; Only used if WHITELISTED_URIS is blank.
;; Example value: loadaverage.org/badguy stackexchange.com/.*spammer
;BLACKLISTED_URIS =
;; Default value blocks localhost and private network IPs to avoid SSRF.
;BLACKLISTED_URIS = localhost 127\.0\.0\.1 10\..* 192\.168\..* 172\.(1[6-9]|2[0-9]|3[0-1])\..* \[::1\] \[f[c-d][0-9a-fA-F]{2}:.*\] \[fe80:.*\]

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
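Review bot: The default `BLACKLISTED_URIS` value covers less than its comment promises: it lists only `127\.0\.0\.1` rather than the whole 127.0.0.0/8 loopback range, and it has no entry for `0.0.0.0` or the 169.254.0.0/16 link-local range. The same list is repeated as `defaultOpenIDBlacklist` in modules/setting/service.go, so both places need the additions. The patterns are also unanchored, so depending on how the matcher applies them (not visible here) `10\..*` may reject a public host whose name merely contains `10.`. A pattern list over the URI text cannot catch a hostname that resolves to an internal address, so I would reword the comment to `;; Default value blocks common localhost and private-network literals; it is not a substitute for checking the resolved IP at connection time.`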
16 changes: 15 additions & 1 deletion modules/setting/service.go
Expand Up @@ -265,9 +265,20 @@ func loadServiceFrom(rootCfg ConfigProvider) {
loadQosSetting(rootCfg)
}

var defaultOpenIDBlacklist = []string{
"localhost",
"127\\.0\\.0\\.1",
"10\\..*",
"192\\.168\\..*",
"172\\.(1[6-9]|2[0-9]|3[0-1])\\..*",
"\\[::1\\]",
"\\[f[c-d][0-9a-fA-F]{2}:.*\\]",
"\\[fe80:.*\\]",
}
Comment thread
lunny marked this conversation as resolved.
Outdated
Comment thread
lunny marked this conversation as resolved.
Outdated

func loadOpenIDSetting(rootCfg ConfigProvider) {
sec := rootCfg.Section("openid")
Service.EnableOpenIDSignIn = sec.Key("ENABLE_OPENID_SIGNIN").MustBool(!InstallLock)
Service.EnableOpenIDSignIn = sec.Key("ENABLE_OPENID_SIGNIN").MustBool(false)
Service.EnableOpenIDSignUp = sec.Key("ENABLE_OPENID_SIGNUP").MustBool(!Service.DisableRegistration && Service.EnableOpenIDSignIn)
pats := sec.Key("WHITELISTED_URIS").Strings(" ")
if len(pats) != 0 {
Expand All @@ -277,6 +288,9 @@ func loadOpenIDSetting(rootCfg ConfigProvider) {
}
}
pats = sec.Key("BLACKLISTED_URIS").Strings(" ")
if len(pats) == 0 {
pats = defaultOpenIDBlacklist
}
if len(pats) != 0 {
Service.OpenIDBlacklist = make([]*regexp.Regexp, len(pats))
for i, p := range pats {
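Review bot: The new fallback `if len(pats) == 0 { pats = defaultOpenIDBlacklist }` in loadOpenIDSetting applies the defaults only when the key is empty, so an operator who sets any `BLACKLISTED_URIS` of their own replaces the list and silently loses the localhost and private-range entries. If the defaults are meant as an SSRF baseline, extend rather than substitute: `pats = append(pats, defaultOpenIDBlacklist...)`. After this change an explicitly blank value can no longer switch the blacklist off, and the following `if len(pats) != 0` is always true and could be dropped. `defaultOpenIDBlacklist` would also benefit from a doc comment such as `// defaultOpenIDBlacklist lists POSIX patterns for loopback and private-network hosts used as the OpenID URI blacklist default.` The function body continues past the end of the hunk, so how the patterns are compiled and matched is not visible here.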