[SECURITY] Fix open redirection in openid extension 20/26220/2
authorHelmut Hummel <helmut.hummel@typo3.org>
Tue, 10 Dec 2013 09:54:48 +0000 (10:54 +0100)
committerOliver Hader <oliver.hader@typo3.org>
Tue, 10 Dec 2013 09:54:52 +0000 (10:54 +0100)
The eID script of the openid extension does not
validate the given redirect url, leading to
an open redirection vulnerability.

Add an HMAC of the redirect URL and verify it.

Change-Id: I0d65390b61dd5cf92151d36e490a194624b98b8f
Fixes: #54099
Releases: 6.2, 6.1, 6.0, 4.7, 4.5
Security-Commit: 5c6a45c0f843a93ab048a3df4bb352b8e02099b2
Security-Bulletin: TYPO3-CORE-SA-2013-004
Reviewed-on: https://review.typo3.org/26220
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader
typo3/sysext/openid/Classes/OpenidEid.php
typo3/sysext/openid/Classes/OpenidService.php

index e53ace1..c810c4e 100644 (file)
@@ -23,6 +23,10 @@ namespace TYPO3\CMS\Openid;
  *
  *  This copyright notice MUST APPEAR in all copies of the script!
  ***************************************************************/
+
+use TYPO3\CMS\Core\Utility\GeneralUtility;
+use TYPO3\CMS\Core\Utility\HttpUtility;
+
 /**
  * This class is the OpenID return script for the TYPO3 Frontend.
  *
@@ -46,7 +50,18 @@ class OpenidEid {
                \TYPO3\CMS\Frontend\Utility\EidUtility::initFeUser();
                // Redirect to the original location in any case (authenticated or not)
                @ob_end_clean();
-               \TYPO3\CMS\Core\Utility\HttpUtility::redirect(\TYPO3\CMS\Core\Utility\GeneralUtility::_GP('tx_openid_location'), \TYPO3\CMS\Core\Utility\HttpUtility::HTTP_STATUS_303);
+               if ($this->getSignature(GeneralUtility::_GP('tx_openid_location')) === GeneralUtility::_GP('tx_openid_location_signature')) {
+                       HttpUtility::redirect(GeneralUtility::_GP('tx_openid_location'), HttpUtility::HTTP_STATUS_303);
+               }
        }
 
+       /**
+        * Signs a GET parameter.
+        *
+        * @param string $parameter
+        * @return string
+        */
+       protected function getSignature($parameter) {
+               return GeneralUtility::hmac($parameter, 'openid');
+       }
 }
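Review bot: The comment above the new guard, `// Redirect to the original location in any case (authenticated or not)`, is now inaccurate because the redirect is only issued when the signature check passes; it should read `// Redirect to the original location only if its signature matches (authenticated or not)`. When the signature does not match, the request simply ends after `@ob_end_clean()` with an empty response, so neither the user nor a log gets any indication that the return URL was rejected; a log entry or a fallback redirect to the site root on that path would make rejections visible. The `===` comparison of the two HMAC strings is not constant-time; if the codebase has a timing-safe string comparison helper it would be the better choice here, though the practical exposure is small. The `'openid'` key literal must also agree with the `$this->extKey` used by OpenidService::getSignature, a coupling that is only enforced by convention and would deserve a comment on the `return` line.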
index f219cdb..081c8a4 100644 (file)
@@ -422,21 +422,18 @@ class OpenidService extends \TYPO3\CMS\Core\Service\AbstractService {
                } else {
                        $requestURL = GeneralUtility::getIndpEnv('TYPO3_REQUEST_URL');
                }
-               $returnURL .= 'tx_openid_location=' . rawurlencode($requestURL) . '&' . 'tx_openid_mode=finish&' . 'tx_openid_claimed=' . rawurlencode($claimedIdentifier) . '&' . 'tx_openid_signature=' . $this->getSignature($claimedIdentifier);
+               $returnURL .= 'tx_openid_location=' . rawurlencode($requestURL) . '&tx_openid_location_signature=' . $this->getSignature($requestURL) . '&tx_openid_mode=finish&tx_openid_claimed=' . rawurlencode($claimedIdentifier) . '&tx_openid_signature=' . $this->getSignature($claimedIdentifier);
                return GeneralUtility::locationHeaderUrl($returnURL);
        }
 
        /**
-        * Signs claimed id.
+        * Signs a GET parameter.
         *
-        * @param string $claimedIdentifier
+        * @param string $parameter
         * @return string
         */
-       protected function getSignature($claimedIdentifier) {
-               return GeneralUtility::hmac(
-                       implode('/', array($claimedIdentifier, strval(strlen($claimedIdentifier)))),
-                       $this->extKey
-               );
+       protected function getSignature($parameter) {
+               return GeneralUtility::hmac($parameter, $this->extKey);
        }
 
        /**
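Review bot: The HMAC key on the new `return GeneralUtility::hmac($parameter, $this->extKey);` line differs in form from the verifying side, where OpenidEid::getSignature uses the literal `'openid'`; the two only agree if `$this->extKey` is `'openid'`, which this hunk does not show, so a comment such as `// Key must match the literal used in OpenidEid::getSignature` (or a shared class constant used by both) would make the dependency explicit. Dropping the length suffix from the claimed-identifier signature also means that any authentication round-trip started before this change is deployed returns with a `tx_openid_signature` that no longer verifies; that is acceptable for a security fix, but it is worth a sentence in the docblock. The method that builds `$returnURL` in the first part of the hunk starts outside the hunk.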