[SECURITY] Fix open redirection in openid extension
1 <?php
2 namespace TYPO3\CMS\Openid;
3
4 /***************************************************************
5 * Copyright notice
6 *
7 * (c) 2008-2013 Dmitry Dulepov <dmitry@typo3.org>
8 * All rights reserved
9 *
10 * This script is part of the TYPO3 project. The TYPO3 project is
11 * free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 2 of the License, or
14 * (at your option) any later version.
15 *
16 * The GNU General Public License can be found at
17 * http://www.gnu.org/copyleft/gpl.html.
18 *
19 * This script is distributed in the hope that it will be useful,
20 * but WITHOUT ANY WARRANTY; without even the implied warranty of
21 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
22 * GNU General Public License for more details.
23 *
24 * This copyright notice MUST APPEAR in all copies of the script!
25 ***************************************************************/
26
27 use TYPO3\CMS\Core\Utility\GeneralUtility;
28 use TYPO3\CMS\Core\Utility\HttpUtility;
29
30 /**
31 * This class is the OpenID return script for the TYPO3 Frontend.
32 *
33 * @author Dmitry Dulepov <dmitry@typo3.org>
34 */
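class OpenidEid {

	/**
	 * Processes the eID request.
	 *
	 * Authenticates the frontend user from the OpenID response carried in the
	 * request and then sends the browser back to the page it came from. The
	 * return location is taken from the request itself, so it is only used
	 * when it carries a valid HMAC signature (see isValidSignature()); if the
	 * signature is missing or wrong no redirect is issued and the request ends
	 * without output.
	 *
	 * @return void
	 */
	public function main() {
		// Due to the nature of OpenID (redirections, etc.) we need to force user
		// session fetching if there is no session around. This ensures that
		// our service is called even if there is no login data in the request.
		// Inside the service we will process the OpenID response and authenticate
		// the user.
		$GLOBALS['TYPO3_CONF_VARS']['SVCONF']['auth']['FE_fetchUserIfNoSession'] = TRUE;
		// Initialize the frontend user (this is what triggers the auth service)
		\TYPO3\CMS\Frontend\Utility\EidUtility::initFeUser();
		// Discard any buffered output so the redirect headers can still be sent;
		// "@" silences the notice PHP raises when no output buffer is active.
		@ob_end_clean();
		$location = GeneralUtility::_GP('tx_openid_location');
		$signature = GeneralUtility::_GP('tx_openid_location_signature');
		// Redirect to the original location in any case (authenticated or not),
		// but only to a location that was signed by this installation. An
		// unsigned or tampered location is ignored to prevent open redirection.
		if ($this->isValidSignature($location, $signature)) {
			HttpUtility::redirect($location, HttpUtility::HTTP_STATUS_303);
		}
	}

	/**
	 * Checks whether $signature is the valid signature of $location.
	 *
	 * Both values come straight from the request: anything that is not a
	 * plain string (missing parameter, array value) is rejected before any
	 * comparison. The comparison is constant-time where hash_equals() is
	 * available (PHP >= 5.6) so the signature cannot be recovered through
	 * timing differences; older PHP falls back to a strict comparison.
	 *
	 * @param mixed $location Redirect target as received from the request
	 * @param mixed $signature Signature as received from the request
	 * @return boolean TRUE if the signature matches, FALSE otherwise
	 */
	protected function isValidSignature($location, $signature) {
		if (!is_string($location) || !is_string($signature)) {
			return FALSE;
		}
		$expected = $this->getSignature($location);
		if (function_exists('hash_equals')) {
			return hash_equals($expected, $signature);
		}
		return $expected === $signature;
	}

	/**
	 * Signs a GET parameter.
	 *
	 * The signature is an HMAC computed by GeneralUtility::hmac() (keyed with
	 * the installation's encryption key) with the additional secret 'openid'.
	 * Wherever the redirect location is generated, the signature must be
	 * produced by the same method with the same secret or main() will never
	 * redirect.
	 *
	 * @param string $parameter
	 * @return string
	 */
	protected function getSignature($parameter) {
		return GeneralUtility::hmac($parameter, 'openid');
	}
}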