--- a/web/lib/Zend/OpenId/Consumer.php Thu May 07 15:10:09 2015 +0200
+++ b/web/lib/Zend/OpenId/Consumer.php Thu May 07 15:16:02 2015 +0200
@@ -16,7 +16,7 @@
* @category Zend
* @package Zend_OpenId
* @subpackage Zend_OpenId_Consumer
- * @copyright Copyright (c) 2005-2012 Zend Technologies USA Inc. (http://www.zend.com)
+ * @copyright Copyright (c) 2005-2015 Zend Technologies USA Inc. (http://www.zend.com)
* @license http://framework.zend.com/license/new-bsd New BSD License
* @version $Id: Consumer.php 24593 2012-01-05 20:35:02Z matthew $
*/
@@ -47,13 +47,18 @@
* @category Zend
* @package Zend_OpenId
* @subpackage Zend_OpenId_Consumer
- * @copyright Copyright (c) 2005-2012 Zend Technologies USA Inc. (http://www.zend.com)
+ * @copyright Copyright (c) 2005-2015 Zend Technologies USA Inc. (http://www.zend.com)
* @license http://framework.zend.com/license/new-bsd New BSD License
*/
class Zend_OpenId_Consumer
{
/**
+ * Parameters required for signature
+ */
+ protected $_signParams = array('op_endpoint', 'return_to', 'response_nonce', 'assoc_handle');
+
+ /**
* Reference to an implementation of storage object
*
* @var Zend_OpenId_Consumer_Storage $_storage
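Review bot: The new `$_signParams` property is declared with a one-line docblock that, unlike the neighbouring `$_storage` docblock, carries no `@var` tag, so static analysers and IDEs cannot tell it is a list of strings. I would also name what "required for signature" means, since the list is used later to reject assertions whose `openid.signed` field omits one of these names. Suggested docblock: `/** Parameter names that MUST be present in openid.signed on a positive assertion (see the positive_assertions section of the OpenID 2.0 spec). @var array $_signParams */`.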
@@ -259,7 +264,6 @@
return false;
}
}
-
if ($version >= 2.0) {
if (empty($params['openid_response_nonce'])) {
$this->_setError("Missing openid.response_nonce");
@@ -275,7 +279,6 @@
}
}
-
if (!empty($params['openid_invalidate_handle'])) {
if ($this->_storage->getAssociationByHandle(
$params['openid_invalidate_handle'],
@@ -293,7 +296,25 @@
$macFunc,
$secret,
$expires)) {
+ // Security fix - check the association bewteen op_endpoint and assoc_handle
+ if (isset($params['openid_op_endpoint']) && $url !== $params['openid_op_endpoint']) {
+ $this->_setError("The op_endpoint URI is not the same of URI associated with the assoc_handle");
+ return false;
+ }
$signed = explode(',', $params['openid_signed']);
+ // Check the parameters for the signature
+ // @see https://openid.net/specs/openid-authentication-2_0.html#positive_assertions
+ $toCheck = $this->_signParams;
+ if (isset($params['openid_claimed_id']) && isset($params['openid_identity'])) {
+ $toCheck = array_merge($toCheck, array('claimed_id', 'identity'));
+ }
+ foreach ($toCheck as $param) {
+ if (!in_array($param, $signed, true)) {
+ $this->_setError("The required parameter $param is missing in the signed");
+ return false;
+ }
+ }
+
$data = '';
foreach ($signed as $key) {
$data .= $key . ':' . $params['openid_' . strtr($key,'.','_')] . "\n";
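Review bot: The condition on the `claimed_id`/`identity` line uses `&&`, so a response that carries only one of `openid_claimed_id` or `openid_identity` skips the signed-field check for the one that is present, even though the intent of the new block is that every identifier parameter present in the response must be covered by the signature. Checking each independently closes that gap: `foreach (array('claimed_id', 'identity') as $p) { if (isset($params['openid_' . $p])) { $toCheck[] = $p; } }`. The `op_endpoint` comparison against `$url` is only as strong as the value `getAssociationByHandle` writes into `$url`; that call starts above the hunk, so I cannot confirm here that `$url` is the endpoint the association was created with. As a point of style, the comment reads "bewteen" and the error message "missing in the signed" would be clearer as "is not covered by openid.signed"; the enclosing method continues outside the hunk.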
@@ -730,14 +751,34 @@
return true;
}
- /* TODO: OpenID 2.0 (7.3) XRI and Yadis discovery */
-
- /* HTML-based discovery */
$response = $this->_httpRequest($id, 'GET', array(), $status);
if ($status != 200 || !is_string($response)) {
return false;
}
+
+ /* OpenID 2.0 (7.3) XRI and Yadis discovery */
if (preg_match(
+ '/<meta[^>]*http-equiv=(["\'])[ \t]*(?:[^ \t"\']+[ \t]+)*?X-XRDS-Location[ \t]*[^"\']*\\1[^>]*content=(["\'])([^"\']+)\\2[^>]*\/?>/i',
+ $response,
+ $r)) {
+ $XRDS = $r[3];
+ $version = 2.0;
+ $response = $this->_httpRequest($XRDS);
+ if (preg_match(
+ '/<URI>([^\t]*)<\/URI>/i',
+ $response,
+ $x)) {
+ $server = $x[1];
+ // $realId
+ $realId = 'http://specs.openid.net/auth/2.0/identifier_select';
+ }
+ else {
+ $this->_setError("Unable to get URI for XRDS discovery");
+ }
+ }
+
+ /* HTML-based discovery */
+ else if (preg_match(
'/<link[^>]*rel=(["\'])[ \t]*(?:[^ \t"\']+[ \t]+)*?openid2.provider[ \t]*[^"\']*\\1[^>]*href=(["\'])([^"\']+)\\2[^>]*\/?>/i',
$response,
$r)) {
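Review bot: The second `_httpRequest($XRDS)` call in the new XRDS branch drops the status-code and `is_string` checks that the first request on the same page applies, so a non-200 or non-string reply is passed straight to `preg_match`. In the inner `else`, `_setError` is called but the method is not left, so execution continues with `$server` unset and `$version` already forced to `2.0`; the rest of the method is outside the hunk, so I cannot see what that fall-through reaches, but a `return false;` after the `_setError` looks intended. The `<URI>` pattern also takes the first `<URI>` element in the XRDS document regardless of its service `<Type>`, which may not be an OpenID 2.0 endpoint. Placing the `/* HTML-based discovery */` comment between `}` and `else if` is legal but unusual; keeping the comment inside the branch reads more naturally.
```php
        $XRDS = $r[3];
        $version = 2.0;
        $response = $this->_httpRequest($XRDS, 'GET', array(), $status);
        if ($status != 200 || !is_string($response)) {
            $this->_setError("Unable to fetch XRDS document");
            return false;
        }
        // … unchanged: <URI> match and $server/$realId assignment …
        else {
            $this->_setError("Unable to get URI for XRDS discovery");
            return false;
        }
```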