[BUGFIX] OpenID login fails if trailing slash is missing
authorXavier Perseguers <xavier@typo3.org>
Sun, 4 Mar 2012 18:51:10 +0000 (19:51 +0100)
committerJigal van Hemert <jigal@xs4all.nl>
Sun, 4 Mar 2012 19:18:04 +0000 (20:18 +0100)
The authentication process should ensure that the OpenID from database
is properly normalized prior to comparison checks.

Change-Id: I93610fca2491f830859c02b1a94ad65c651a7e3c
Fixes: #34439
Relates: #33518
Releases: 4.8, 4.7, 4.6-backports, 4.5-backports
Reviewed-on: http://review.typo3.org/9354
Reviewed-by: Steffen Ritter
Tested-by: Steffen Ritter
Reviewed-by: Jigal van Hemert
Tested-by: Jigal van Hemert
typo3/sysext/openid/sv1/class.tx_openid_sv1.php

index 70244fc..3a4a717 100644 (file)
@@ -294,11 +294,20 @@ class tx_openid_sv1 extends t3lib_svbase {
        protected function getUserRecord($openIDIdentifier) {
                $record = NULL;
                if ($openIDIdentifier) {
+                               // $openIDIdentifier always as a trailing slash because it got normalized
+                               // but tx_openid_openid possibly not so check for both alternatives in database
                        $record = $GLOBALS['TYPO3_DB']->exec_SELECTgetSingleRow('*',
                                $this->authenticationInformation['db_user']['table'],
-                               'tx_openid_openid=' . $GLOBALS['TYPO3_DB']->fullQuoteStr($openIDIdentifier, $this->authenticationInformation['db_user']['table']) .
+                               'tx_openid_openid IN (' .
+                                       $GLOBALS['TYPO3_DB']->fullQuoteStr($openIDIdentifier, $this->authenticationInformation['db_user']['table']) .
+                                       ',' . $GLOBALS['TYPO3_DB']->fullQuoteStr(rtrim($openIDIdentifier, '/'), $this->authenticationInformation['db_user']['table']) .
+                                       ')' .
                                        $this->authenticationInformation['db_user']['check_pid_clause'] .
                                        $this->authenticationInformation['db_user']['enable_clause']);
+                       if ($record) {
+                                       // Make sure to work only with normalized OpenID during the whole process
+                               $record['tx_openid_openid'] = $this->normalizeOpenID($record['tx_openid_openid']);
+                       }
                } else {
                        // This should never happen and generally means hack attempt.
                        // We just log it and do not return any records.
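Review bot: The `rtrim($openIDIdentifier, '/')` alternative in the `IN (...)` list is applied to every identifier, while normalization only appends a slash for an empty path (the `#^https?://[^/]+$#` check visible in the next hunk). An asserted identifier with a path and a trailing slash would therefore also select a row stored without the slash, and `rtrim` strips any number of trailing slashes, so two distinct OpenIDs can resolve to the same account lookup; if both variants are stored, `exec_SELECTgetSingleRow` has no ordering to decide which row comes back. I would limit the second value to the empty-path case, e.g. `$alternative = preg_match('#^https?://[^/]+/$#', $openIDIdentifier) ? rtrim($openIDIdentifier, '/') : $openIDIdentifier;`, and pass `$alternative` to the second `fullQuoteStr()` call. The added comment should then say "has a trailing slash when the path is empty" instead of "always as a trailing slash". getUserRecord continues past the end of the hunk, so whether a later comparison rejects such a match cannot be seen here.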
@@ -481,7 +490,7 @@ class tx_openid_sv1 extends t3lib_svbase {
                        // An empty path component is normalized to a slash
                        // (e.g. "http://domain.org" -> "http://domain.org/")
                if (preg_match('#^https?://[^/]+$#', $openIDIdentifier)) {
-                       $openIDIdentifier.= '/';
+                       $openIDIdentifier .= '/';
                }
 
                return $openIDIdentifier;