diff -r 5a6b6e770365 -r 68c69c656a2c web/lib/Zend/OpenId/Consumer.php --- a/web/lib/Zend/OpenId/Consumer.php Thu May 07 15:10:09 2015 +0200 +++ b/web/lib/Zend/OpenId/Consumer.php Thu May 07 15:16:02 2015 +0200 @@ -16,7 +16,7 @@ * @category Zend * @package Zend_OpenId * @subpackage Zend_OpenId_Consumer - * @copyright Copyright (c) 2005-2012 Zend Technologies USA Inc. (http://www.zend.com) + * @copyright Copyright (c) 2005-2015 Zend Technologies USA Inc. (http://www.zend.com) * @license http://framework.zend.com/license/new-bsd New BSD License * @version $Id: Consumer.php 24593 2012-01-05 20:35:02Z matthew $ */ @@ -47,13 +47,18 @@ * @category Zend * @package Zend_OpenId * @subpackage Zend_OpenId_Consumer - * @copyright Copyright (c) 2005-2012 Zend Technologies USA Inc. (http://www.zend.com) + * @copyright Copyright (c) 2005-2015 Zend Technologies USA Inc. (http://www.zend.com) * @license http://framework.zend.com/license/new-bsd New BSD License */ class Zend_OpenId_Consumer { /** + * Parameters required for signature + */ + protected $_signParams = array('op_endpoint', 'return_to', 'response_nonce', 'assoc_handle'); + + /** * Reference to an implementation of storage object * * @var Zend_OpenId_Consumer_Storage $_storage @@ -259,7 +264,6 @@ return false; } } - if ($version >= 2.0) { if (empty($params['openid_response_nonce'])) { $this->_setError("Missing openid.response_nonce"); @@ -275,7 +279,6 @@ } } - if (!empty($params['openid_invalidate_handle'])) { if ($this->_storage->getAssociationByHandle( $params['openid_invalidate_handle'], @@ -293,7 +296,25 @@ $macFunc, $secret, $expires)) { + // Security fix - check the association bewteen op_endpoint and assoc_handle + if (isset($params['openid_op_endpoint']) && $url !== $params['openid_op_endpoint']) { + $this->_setError("The op_endpoint URI is not the same of URI associated with the assoc_handle"); + return false; + } $signed = explode(',', $params['openid_signed']); + // Check the parameters for the signature + // @see https://openid.net/specs/openid-authentication-2_0.html#positive_assertions + $toCheck = $this->_signParams; + if (isset($params['openid_claimed_id']) && isset($params['openid_identity'])) { + $toCheck = array_merge($toCheck, array('claimed_id', 'identity')); + } + foreach ($toCheck as $param) { + if (!in_array($param, $signed, true)) { + $this->_setError("The required parameter $param is missing in the signed"); + return false; + } + } + $data = ''; foreach ($signed as $key) { $data .= $key . ':' . $params['openid_' . strtr($key,'.','_')] . "\n"; @@ -730,14 +751,34 @@ return true; } - /* TODO: OpenID 2.0 (7.3) XRI and Yadis discovery */ - - /* HTML-based discovery */ $response = $this->_httpRequest($id, 'GET', array(), $status); if ($status != 200 || !is_string($response)) { return false; } + + /* OpenID 2.0 (7.3) XRI and Yadis discovery */ if (preg_match( + '/]*http-equiv=(["\'])[ \t]*(?:[^ \t"\']+[ \t]+)*?X-XRDS-Location[ \t]*[^"\']*\\1[^>]*content=(["\'])([^"\']+)\\2[^>]*\/?>/i', + $response, + $r)) { + $XRDS = $r[3]; + $version = 2.0; + $response = $this->_httpRequest($XRDS); + if (preg_match( + '/([^\t]*)<\/URI>/i', + $response, + $x)) { + $server = $x[1]; + // $realId + $realId = 'http://specs.openid.net/auth/2.0/identifier_select'; + } + else { + $this->_setError("Unable to get URI for XRDS discovery"); + } + } + + /* HTML-based discovery */ + else if (preg_match( '/]*rel=(["\'])[ \t]*(?:[^ \t"\']+[ \t]+)*?openid2.provider[ \t]*[^"\']*\\1[^>]*href=(["\'])([^"\']+)\\2[^>]*\/?>/i', $response, $r)) {