Fixed bug #13977: Improve OpenID association handling
authorDmitry Dulepov <dmitry.dulepov@gmail.com>
Tue, 6 Apr 2010 12:37:51 +0000 (12:37 +0000)
committerDmitry Dulepov <dmitry.dulepov@gmail.com>
Tue, 6 Apr 2010 12:37:51 +0000 (12:37 +0000)
git-svn-id: https://svn.typo3.org/TYPO3v4/Core/trunk@7248 709f56b5-9817-0410-a4d7-c38de5d9e867

ChangeLog
typo3/sysext/openid/lib/php-openid/Auth/OpenID/Consumer.php
typo3/sysext/openid/lib/php-openid/php-openid-typo3.patch
typo3/sysext/openid/sv1/class.tx_openid_store.php

index 4eb73af..da90c67 100755 (executable)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
+2010-04-06  Dmitry Dulepov  <dmitry.dulepov@gmail.com>
+
+       * Fixed bug #13977: Improve OpenID association handling
+
 2010-04-05  Stanislas Rolland  <typo3@sjbr.ca>
 
        * Fixed bug #14004: htmlArea RTE: Applying color or font repeatedly produces nested span elements
index c9f6992..5cc69c0 100644 (file)
@@ -957,7 +957,11 @@ class Auth_OpenID_GenericConsumer {
             }
 
             if (!$assoc->checkMessageSignature($message)) {
-                return new Auth_OpenID_FailureResponse(null,
+                               // If we get a "bad signature" here, it means that the association
+                               // is unrecoverabley corrupted in some way. Any futher attempts
+                               // to login with this association is likely to fail. Drop it.
+                               $this->store->removeAssociation($server_url, $assoc_handle);
+                               return new Auth_OpenID_FailureResponse(null,
                                                        "Bad signature");
             }
         } else {
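Review bot: Dropping the association on every signature failure (the new `removeAssociation` call before the return) treats a bad signature as proof that the stored association is corrupt, but the same check also fails when the response was altered in transit or crafted by a third party; in that case the association is fine and the removal lets any unauthenticated sender evict a valid association and force a fresh negotiation with the provider. If the bug being fixed is a store-level corruption, the comment should name tampering as the other cause and make the trade-off explicit, e.g. `// A bad signature means either the stored association is corrupt or the response was tampered with; either way the next login must renegotiate, so drop it.` The comment also has typos (`unrecoverabley`, `futher`) and the inserted lines are tab-indented while the surrounding code uses spaces. `$server_url` and `$assoc_handle` are not visible in the hunk, and the enclosing method starts and ends outside it.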
index efefa6f..89c0410 100644 (file)
@@ -41,3 +41,21 @@ diff -b -r -u Auth/Yadis/ParanoidHTTPFetcher.php Auth/Yadis/ParanoidHTTPFetcher.
          curl_exec($c);
  
          $code = curl_getinfo($c, CURLINFO_HTTP_CODE);
+Index: typo3/sysext/openid/lib/php-openid/Auth/OpenID/Consumer.php
+===================================================================
+--- typo3/sysext/openid/lib/php-openid/Auth/OpenID/Consumer.php        (revision 7119)
++++ typo3/sysext/openid/lib/php-openid/Auth/OpenID/Consumer.php        (working copy)
+@@ -957,7 +957,11 @@
+             }
+             if (!$assoc->checkMessageSignature($message)) {
+-                return new Auth_OpenID_FailureResponse(null,
++                              // If we get a "bad signature" here, it means that the association
++                              // is unrecoverabley corrupted in some way. Any futher attempts
++                              // to login with this association is likely to fail. Drop it.
++                              $this->store->removeAssociation($server_url, $assoc_handle);
++                              return new Auth_OpenID_FailureResponse(null,
+                                                        "Bad signature");
+             }
+         } else {
+
index d1a0e86..e41a977 100644 (file)
@@ -102,8 +102,13 @@ class tx_openid_store extends Auth_OpenID_OpenIDStore {
 
                $result = null;
                if (is_array($row)) {
-                       $result = @unserialize($row['content']);
-                       $this->updateAssociationTimeStamp($row['tstamp']);
+                       $result = @unserialize(base64_decode($row['content']));
+                       if ($result === false) {
+                               $result = null;
+                       }
+                       else {
+                               $this->updateAssociationTimeStamp($row['tstamp']);
+                       }
                }
                return $result;
        }
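Review bot: When `@unserialize(base64_decode(...))` fails, the new `=== false` branch returns null but leaves the unreadable row in place, so every lookup of that handle repeats the failure until the row expires; removing the row in that branch would complete the recovery this commit is after. Rows written before this change hold raw serialized data that the non-strict `base64_decode` will turn into garbage, so this path will be hit for existing rows after upgrade. A successful unserialize is also not type-checked; `if (!is_object($result)) { $result = null; }` (or an instanceof check against the association class) would stop a stray scalar from reaching callers. `@unserialize` on a database column is a deserialization sink — the store writes the rows itself, so a comment such as `// content is written only by this store, never user-supplied; see the base64 encode in the write paths` should record why it is trusted. The enclosing method starts outside the hunk.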
@@ -201,7 +206,7 @@ class tx_openid_store extends Auth_OpenID_OpenIDStore {
                        time());
                $serializedAssociation = serialize($association);
                $values = array(
-                       'content' => $serializedAssociation,
+                       'content' => base64_encode($serializedAssociation),
                        'tstamp' => time(),
                );
                $GLOBALS['TYPO3_DB']->exec_UPDATEquery(self::ASSOCIATION_TABLE_NAME, $where, $values);
@@ -218,7 +223,7 @@ class tx_openid_store extends Auth_OpenID_OpenIDStore {
                $serializedAssociation = serialize($association);
                $values = array(
                        'assoc_handle' => $association->handle,
-                       'content' => $serializedAssociation,
+                       'content' => base64_encode($serializedAssociation),
                        'crdate' => $association->issued,
                        'tstamp' => time(),
                        'expires' => $association->issued + $association->lifetime - self::ASSOCIATION_EXPIRATION_SAFETY_INTERVAL,
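Review bot: `base64_encode(serialize($association))` now appears in both write paths (here and in the update hunk above) with its inverse in the read path, and nothing ties the three together; a single private helper, e.g. `private function encodeAssociation($association) { return base64_encode(serialize($association)); }` with a matching decoder, would keep the storage format defined in one place so the sides cannot drift. The reason for base64 is not stated anywhere in the commit; presumably the serialized content can contain bytes that DB escaping or charset handling mangles, and a one-line comment on the `content` entry saying so would save the next reader a guess. The enclosing method starts outside the hunk.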