tweet_live: comparison web/lib/Zend/OpenId/Consumer.php

equal deleted inserted replaced

-:5a6b6e770365
+:68c69c656a2c
 * to license@zend.com so we can send you a copy immediately.
 *
 * @category   Zend
 * @package    Zend_OpenId
 * @subpackage Zend_OpenId_Consumer
-* @copyright  Copyright (c) 2005-2012 Zend Technologies USA Inc. (http://www.zend.com)
+* @copyright  Copyright (c) 2005-2015 Zend Technologies USA Inc. (http://www.zend.com)
 * @license    http://framework.zend.com/license/new-bsd     New BSD License
 * @version    $Id: Consumer.php 24593 2012-01-05 20:35:02Z matthew $
 */
 /**
 * OpenID consumer implementation
 *
 * @category   Zend
 * @package    Zend_OpenId
 * @subpackage Zend_OpenId_Consumer
-* @copyright  Copyright (c) 2005-2012 Zend Technologies USA Inc. (http://www.zend.com)
+* @copyright  Copyright (c) 2005-2015 Zend Technologies USA Inc. (http://www.zend.com)
 * @license    http://framework.zend.com/license/new-bsd     New BSD License
 */
 class Zend_OpenId_Consumer
 {
+/**
+* Parameters required for signature
+*/
+protected $_signParams = array('op_endpoint', 'return_to', 'response_nonce', 'assoc_handle');
 /**
 * Reference to an implementation of storage object
 *
 * @var Zend_OpenId_Consumer_Storage $_storage
 $this->_setError("Wrong openid.return_to '".
 $params['openid_return_to']."' != '" . Zend_OpenId::selfUrl() ."'");
 return false;
 }
 }
 if ($version >= 2.0) {
 if (empty($params['openid_response_nonce'])) {
 $this->_setError("Missing openid.response_nonce");
 return false;
 }
 } else if (!$this->_storage->isUniqueNonce($params['openid_op_endpoint'], $params['openid_response_nonce'])) {
 $this->_setError("Duplicate openid.response_nonce");
 return false;
 }
 }
 if (!empty($params['openid_invalidate_handle'])) {
 if ($this->_storage->getAssociationByHandle(
 $params['openid_invalidate_handle'],
 $url,
 $params['openid_assoc_handle'],
 $url,
 $macFunc,
 $secret,
 $expires)) {
+// Security fix - check the association bewteen op_endpoint and assoc_handle
+if (isset($params['openid_op_endpoint']) && $url !== $params['openid_op_endpoint']) {
+$this->_setError("The op_endpoint URI is not the same of URI associated with the assoc_handle");
+return false;
+}
 $signed = explode(',', $params['openid_signed']);
+// Check the parameters for the signature
+// @see https://openid.net/specs/openid-authentication-2_0.html#positive_assertions
+$toCheck = $this->_signParams;
+if (isset($params['openid_claimed_id']) && isset($params['openid_identity'])) {
+$toCheck = array_merge($toCheck, array('claimed_id', 'identity'));
+}
+foreach ($toCheck as $param) {
+if (!in_array($param, $signed, true)) {
+$this->_setError("The required parameter $param is missing in the signed");
+return false;
+}
+}
 $data = '';
 foreach ($signed as $key) {
 $data .= $key . ':' . $params['openid_' . strtr($key,'.','_')] . "\n";
 }
 if (base64_decode($params['openid_sig']) ==
 $expire)) {
 $id = $realId;
 return true;
 }
-/* TODO: OpenID 2.0 (7.3) XRI and Yadis discovery */
-/* HTML-based discovery */
 $response = $this->_httpRequest($id, 'GET', array(), $status);
 if ($status != 200 || !is_string($response)) {
 return false;
 }
+/* OpenID 2.0 (7.3) XRI and Yadis discovery */
 if (preg_match(
+'/<meta[^>]*http-equiv=(["\'])[ \t]*(?:[^ \t"\']+[ \t]+)*?X-XRDS-Location[ \t]*[^"\']*\\1[^>]*content=(["\'])([^"\']+)\\2[^>]*\/?>/i',
+$response,
+$r)) {
+$XRDS = $r[3];
+$version = 2.0;
+$response = $this->_httpRequest($XRDS);
+if (preg_match(
+'/<URI>([^\t]*)<\/URI>/i',
+$response,
+$x)) {
+$server = $x[1];
+// $realId
+$realId = 'http://specs.openid.net/auth/2.0/identifier_select';
+}
+else {
+$this->_setError("Unable to get URI for XRDS discovery");
+}
+}
+/* HTML-based discovery */
+else if (preg_match(
 '/<link[^>]*rel=(["\'])[ \t]*(?:[^ \t"\']+[ \t]+)*?openid2.provider[ \t]*[^"\']*\\1[^>]*href=(["\'])([^"\']+)\\2[^>]*\/?>/i',
 $response,
 $r)) {
 $version = 2.0;
 $server = $r[3];

changeset 1230	68c69c656a2c
parent 807	877f952ae2bd