authortailor <cygnus@janrain.com>2007-10-02 23:30:49 +0000
committertailor <cygnus@janrain.com>2007-10-02 23:30:49 +0000
commit829cbf7c025e9e72d6a58f4c787fa8a446c7717e (patch)
treeb9025cc92b8caf51b7db335ee252937c429eab65
parent21257027342bcd76514c308ccb951f6fcdb9a414 (diff)
[project @ Fail return_to verification if bare args in response are absent from return_to]
-rw-r--r--Auth/OpenID/Consumer.php11
-rw-r--r--Tests/Auth/OpenID/Consumer.php13
2 files changed, 24 insertions, 0 deletions
diff --git a/Auth/OpenID/Consumer.php b/Auth/OpenID/Consumer.php
index 7049164..4fe8cb5 100644
--- a/Auth/OpenID/Consumer.php
+++ b/Auth/OpenID/Consumer.php
@@ -873,6 +873,17 @@ class Auth_OpenID_GenericConsumer {
}
}
+ // Make sure all non-OpenID arguments in the response are also
+ // in the signed return_to.
+ $bare_args = $message->getArgs(Auth_OpenID_BARE_NS);
+ foreach ($bare_args as $key => $value) {
+ if (Auth_OpenID::arrayGet($q, $key) != $value) {
+ return new Auth_OpenID_FailureResponse(
+ sprintf("Parameter %s = %s not in return_to URL",
+ $key, $value));
+ }
+ }
+
return true;
}
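Review bot: The new check at `if (Auth_OpenID::arrayGet($q, $key) != $value)` uses PHP's loose comparison, so a bare response parameter is accepted when it merely compares loosely equal to the signed return_to value rather than being identical: numeric strings such as `'1000'` and `'1e3'` pass, and a key absent from return_to passes whenever the response value is `''`, because arrayGet appears to yield null and `null != ''` is false. Since this check is what binds unsigned response arguments to the signed return_to, the comparison should be strict and presence should be tested explicitly, e.g. `if (!array_key_exists($key, $q) || $q[$key] !== $value) {`. This presumes `$q` is the parsed return_to query array built earlier in _verifyReturnToArgs, whose start lies outside the hunk; the failure message also echoes the raw response value, which is worth keeping in mind if these messages reach logs. The same comparison style should be mirrored in the new test, which currently only covers the absent-key case.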
diff --git a/Tests/Auth/OpenID/Consumer.php b/Tests/Auth/OpenID/Consumer.php
index 03163c8..0578e4b 100644
--- a/Tests/Auth/OpenID/Consumer.php
+++ b/Tests/Auth/OpenID/Consumer.php
@@ -1058,6 +1058,19 @@ class TestReturnToArgs extends PHPUnit_TestCase {
$this->consumer = new Auth_OpenID_GenericConsumer($store);
}
+ function test_returnToArgsUnexpectedArg()
+ {
+ $query = array(
+ 'openid.mode' => 'id_res',
+ 'openid.return_to' => 'http://example.com/',
+ 'foo' => 'bar');
+
+ // no return value, success is assumed if there are no
+ // exceptions.
+ $this->assertTrue(Auth_OpenID::isFailure(
+ $this->consumer->_verifyReturnToArgs($query)));
+ }
+
function test_returnToArgsOkay()
{
$query = array(