[SECURITY] Fix open redirection in openid extension 79/26179/2
authorAnja Leichsenring <aleichsenring@ab-softlab.de>
Tue, 10 Dec 2013 09:50:59 +0000 (10:50 +0100)
committerOliver Hader <oliver.hader@typo3.org>
Tue, 10 Dec 2013 09:51:04 +0000 (10:51 +0100)
The eID script of the openid extension does not
validate the given redirect URL, leading to
an open redirection vulnerability.
Add an HMAC of the redirect URL and verify it.

Change-Id: I0c446199504018cab6e4ad2f6bd9085458ca86f0
Fixes: #54099
Releases: 6.2, 6.1, 6.0, 4.7, 4.5
Security-Commit: 6be16f2ea6b135b6f7ab2dec17d126f3f1eb89c4
Security-Bulletin: TYPO3-CORE-SA-2013-004
Reviewed-on: https://review.typo3.org/26179
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader
typo3/sysext/openid/class.tx_openid_eid.php
typo3/sysext/openid/sv1/class.tx_openid_sv1.php

index 033f65e..c537fbb 100644 (file)
@@ -61,7 +61,19 @@ class tx_openid_eID {
 
                // Redirect to the original location in any case (authenticated or not)
                @ob_end_clean();
-               t3lib_utility_Http::redirect(t3lib_div::_GP('tx_openid_location'), t3lib_utility_Http::HTTP_STATUS_303);
+               if ($this->getSignature(t3lib_div::_GP('tx_openid_location')) === t3lib_div::_GP('tx_openid_location_signature')) {
+                       t3lib_utility_Http::redirect(t3lib_div::_GP('tx_openid_location'), t3lib_utility_Http::HTTP_STATUS_303);
+               }
+       }
+
+       /**
+        * Signs a GET parameter.
+        *
+        * @param string $parameter
+        * @return string
+     */
+       protected function getSignature($parameter) {
+               return t3lib_div::hmac($parameter, 'openid');
        }
 }
 
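Review bot: When the signature check on the new `if` line fails, the script falls through after `@ob_end_clean()` and sends no response at all, so a missing or tampered `tx_openid_location_signature` leaves the user on a blank page and leaves no trace of the attempt; add an `else` branch that redirects to a fixed safe location such as the site root (or emits an error) and log the mismatch, since it is the signal that someone is probing the redirect. The comparison also uses `===`, which is not constant-time; `hash_equals()` exists only from PHP 5.6, which the older target releases likely predate, so a small byte-wise compare loop is the portable option. The key given to `t3lib_div::hmac()` here is the literal `'openid'` while the service in class.tx_openid_sv1.php uses `$this->extKey`; the two must stay identical or every verification fails, so either share a class constant or add `// must match the key used in tx_openid_sv1::getSignature()` next to it. The enclosing method starts outside the hunk.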
index 2b659ac..3c80bb3 100644 (file)
@@ -437,24 +437,21 @@ class tx_openid_sv1 extends t3lib_svbase {
                        $claimedIdentifier = $this->loginData['uname'];
                }
                $returnURL .= 'tx_openid_location=' . rawurlencode($requestURL) . '&' .
-                                               'tx_openid_mode=finish&' .
-                                               'tx_openid_claimed=' . rawurlencode($claimedIdentifier) . '&' .
-                                               'tx_openid_signature=' . $this->getSignature($claimedIdentifier);
+                       'tx_openid_location_signature=' . $this->getSignature($requestURL) . '&' .
+                       'tx_openid_mode=finish&' .
+                       'tx_openid_claimed=' . rawurlencode($claimedIdentifier) . '&' .
+                       'tx_openid_signature=' . $this->getSignature($claimedIdentifier);
                return t3lib_div::locationHeaderUrl($returnURL);
        }
 
        /**
-        * Signs claimed id.
+        * Signs a GET parameter.
         *
-        * @return void
+        * @param string $parameter
+        * @return string
         */
-       protected function getSignature($claimedIdentifier) {
-               // You can also increase security by using sha1 (beware of too long URLs!)
-               return md5(implode('/', array(
-                       $claimedIdentifier,
-                       strval(strlen($claimedIdentifier)),
-                       $GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey']
-               )));
+       protected function getSignature($parameter) {
+               return t3lib_div::hmac($parameter, $this->extKey);
        }
 
        /**
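Review bot: The new `'tx_openid_location_signature=' . $this->getSignature($requestURL)` line signs the raw `$requestURL` while the eID script verifies the decoded `_GP('tx_openid_location')` value, which agrees only because the location is `rawurlencode`d after signing; a comment such as `// signed unencoded; tx_openid_eID verifies the decoded GET value` would make that invariant explicit. The HMAC proves the location was issued by this service, not that it points at this site: `$requestURL` is built outside the hunk, and if any part of it derives from request input it should be validated or canonicalised there rather than trusted here. The rewritten `getSignature()` now keys on `$this->extKey`, and the eID counterpart uses the literal `'openid'`, so the docblock should record the dependency, e.g. `@see tx_openid_eID::getSignature()`. The enclosing method of the first hunk starts outside the hunk.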
@@ -577,4 +574,4 @@ if (defined('TYPO3_MODE') && isset($GLOBALS['TYPO3_CONF_VARS'][TYPO3_MODE]['XCLA
        include_once($GLOBALS['TYPO3_CONF_VARS'][TYPO3_MODE]['XCLASS']['ext/openid/sv1/class.tx_openid_sv1.php']);
 }
 
-?>
+?>
\ No newline at end of file