New Consumer Demo: OpenID Guestbook
Martin Atkins
mart at degeneration.co.uk
Wed May 25 00:35:56 PDT 2005
I've made a simple guestbook script which uses OpenID:
http://goathack.livejournal.org:9016/guestbook
It currently does not support AJAX mode, because it's far too early in
the morning to be faffing about with client-side JavaScript. You should,
however, be able to log in with any Identity URL and leave a message in
the guestbook.
The script isn't very robust; it doesn't do any locking on the guestbook
file, for example. However, I would appreciate it if people could point
out any bugs which allow arbitrary externally-provided HTML to be
injected, as I hope I've got them all now.
It also doesn't do any fancy stuff with nonces and such. It doesn't
maintain any state whatsoever apart from the guestbook datafile. This
means that you can replay-attack it if you can get hold of a valid
signature. It doesn't matter much for a guestbook, but in practice you'd
maintain a nonce list somewhere and check/invalidate that as part of the
final checking process as well.
The source code is available:
http://goathack.livejournal.org:9016/guestbook.txt
Again it's not-so-pretty Perl, but this time all of the OpenID guts are
hidden away in the Net::OpenID::Consumer module so it should hopefully
be clearer than my previous demo was.
If you don't like the idea of a guestbook, think of it as a weblog
comments page. :)
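The two checks the post singles out, escaping every externally supplied string before it reaches the page and refusing a signed response whose nonce has already been seen, in one added example. This is not the guestbook's own code or the Net::OpenID::Consumer module, and it is written in Python rather than Perl so it can be run stand-alone; the `openid.nonce` field name, its timestamp-prefixed format, and the sample response are assumptions constructed for the example, and the signature is taken to have been verified already by the consumer library.

```python
import calendar
import html
import time
from urllib.parse import urlsplit

NONCE_MAX_AGE = 3600   # seconds; an older nonce is refused even if never seen
CLOCK_SKEW = 300       # seconds of future timestamp tolerated

# Constructed sample: the parameters a guestbook would receive when the user
# comes back from their identity server. The signature is assumed to have
# been checked by the consumer library already; the nonce field and its
# "<UTC timestamp>-<random>" layout are assumptions made for this example.
SAMPLE_RESPONSE = {
    "openid.identity": "http://alice.example/",
    "openid.nonce": "2005-05-25T07:35:56Z-abc123",
    "openid.sig": "(verified elsewhere)",
}


def nonce_timestamp(nonce):
    """Return the UTC epoch seconds encoded in the nonce prefix, or None if malformed."""
    try:
        return calendar.timegm(time.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ"))
    except (ValueError, TypeError):
        return None


class NonceStore:
    """Nonces already consumed, with expiry so the list stays bounded.

    In-memory for the example; the guestbook would keep this beside its datafile.
    """

    def __init__(self, max_age=NONCE_MAX_AGE, clock=time.time):
        self.max_age = max_age
        self.clock = clock        # injectable so tests are deterministic
        self._seen = {}           # nonce -> time it was first accepted

    def _expire(self, now):
        for nonce, seen_at in list(self._seen.items()):
            if now - seen_at > self.max_age:
                del self._seen[nonce]

    def consume(self, nonce):
        """True the first time a nonce is presented, False on any replay."""
        now = self.clock()
        self._expire(now)
        if nonce in self._seen:
            return False
        self._seen[nonce] = now
        return True


def accept_response(response, store):
    """Final check: a signed response is accepted once, within the nonce's lifetime."""
    nonce = response.get("openid.nonce")
    if not nonce:
        return (False, "missing nonce")
    issued = nonce_timestamp(nonce)
    if issued is None:
        return (False, "malformed nonce")
    now = store.clock()
    if issued > now + CLOCK_SKEW:
        return (False, "nonce from the future")
    if now - issued > store.max_age:
        return (False, "stale nonce")          # rejected before touching the store
    if not store.consume(nonce):
        return (False, "replayed nonce")       # same signature presented again
    return (True, "ok")


def render_entry(identity, message):
    """Escape everything the visitor controlled before it goes into the guestbook page."""
    safe_id = html.escape(identity, quote=True)
    safe_msg = html.escape(message, quote=True)
    scheme = urlsplit(identity).scheme.lower()
    if scheme in ("http", "https"):
        who = '<a href="%s" rel="nofollow">%s</a>' % (safe_id, safe_id)
    else:
        who = safe_id   # an identity with any other scheme is shown as text, never linked
    return "<li>%s: %s</li>" % (who, safe_msg)


if __name__ == "__main__":
    store = NonceStore()
    print(accept_response(SAMPLE_RESPONSE, store))   # stale unless the clock says 2005
    print(render_entry("http://alice.example/", "<b>hello</b>"))
```

The stale-nonce check runs before the store is consulted, so a restart that empties the store still cannot be used to slip an old response back in; only nonces younger than `NONCE_MAX_AGE` need to be remembered at all.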