authorKevin Turner <kevin@janrain.com>2007-09-21 20:48:30 +0000
committerKevin Turner <kevin@janrain.com>2007-09-21 20:48:30 +0000
commit9c168c800101927b79f150282106feb9d26912f6 (patch)
treedb4aabfff08a65a8ef447c89905f3e0f15e8217d
parent808f9c76f9c68af06008cd147595efe0f3323923 (diff)
[project @ FileStore, SQLStore, MemStore: check timestamp in useNonce]
-rw-r--r--Auth/OpenID/FileStore.php7
-rw-r--r--Auth/OpenID/SQLStore.php7
-rw-r--r--Tests/Auth/OpenID/MemStore.php8
-rw-r--r--Tests/Auth/OpenID/StoreTest.php9
4 files changed, 30 insertions, 1 deletions
diff --git a/Auth/OpenID/FileStore.php b/Auth/OpenID/FileStore.php
index dba0e4d..34266ca 100644
--- a/Auth/OpenID/FileStore.php
+++ b/Auth/OpenID/FileStore.php
@@ -20,6 +20,7 @@
require_once 'Auth/OpenID.php';
require_once 'Auth/OpenID/Interface.php';
require_once 'Auth/OpenID/HMACSHA1.php';
+require_once 'Auth/OpenID/Nonce.php';
/**
* This is a filesystem-based store for OpenID associations and
@@ -337,11 +338,17 @@ class Auth_OpenID_FileStore extends Auth_OpenID_OpenIDStore {
*/
function useNonce($server_url, $timestamp, $salt)
{
+ global $Auth_OpenID_SKEW;
+
if (!$this->active) {
trigger_error("FileStore no longer active", E_USER_ERROR);
return null;
}
+ if ( abs($timestamp - gmmktime()) > $Auth_OpenID_SKEW ) {
+ return False;
+ }
+
if ($server_url) {
list($proto, $rest) = explode('://', $server_url, 2);
} else {
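Review bot: The freshness check `if ( abs($timestamp - gmmktime()) > $Auth_OpenID_SKEW )` added in this hunk is repeated byte-for-byte in the SQLStore and MemStore useNonce hunks, so the nonce-window policy now lives in three store implementations; a single bool-returning helper in Nonce.php, called from each useNonce, would keep them from drifting apart. The check deserves a comment stating why it sits before any write, e.g. `// Reject nonces outside the skew window before touching the store, so stale or future-dated nonces are never persisted.`. If a store's nonce cleanup (not in this hunk) discards nonces younger than `$Auth_OpenID_SKEW`, a nonce could be removed and then accepted a second time while still inside the window, so the retention period should be documented as at least the skew. PHP keywords are conventionally lowercase, so `return false;` rather than `return False;`. useNonce's body continues past the end of the hunk.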
diff --git a/Auth/OpenID/SQLStore.php b/Auth/OpenID/SQLStore.php
index bd99dd2..0f58203 100644
--- a/Auth/OpenID/SQLStore.php
+++ b/Auth/OpenID/SQLStore.php
@@ -27,6 +27,7 @@ $__Auth_OpenID_PEAR_AVAILABLE = @include_once 'DB.php';
* @access private
*/
require_once 'Auth/OpenID/Interface.php';
+require_once 'Auth/OpenID/Nonce.php';
/**
* @access private
@@ -487,6 +488,12 @@ class Auth_OpenID_SQLStore extends Auth_OpenID_OpenIDStore {
function useNonce($server_url, $timestamp, $salt)
{
+ global $Auth_OpenID_SKEW;
+
+ if ( abs($timestamp - gmmktime()) > $Auth_OpenID_SKEW ) {
+ return False;
+ }
+
return $this->_add_nonce($server_url, $timestamp, $salt);
}
diff --git a/Tests/Auth/OpenID/MemStore.php b/Tests/Auth/OpenID/MemStore.php
index 35f6a77..23edfe3 100644
--- a/Tests/Auth/OpenID/MemStore.php
+++ b/Tests/Auth/OpenID/MemStore.php
@@ -4,6 +4,7 @@
* In-memory OpenID store implementation for testing only
*/
require_once "Auth/OpenID/Interface.php";
+require_once 'Auth/OpenID/Nonce.php';
class Tests_Auth_OpenID_MemStore extends Auth_OpenID_OpenIDStore {
var $assocs = null;
@@ -107,7 +108,14 @@ class Tests_Auth_OpenID_MemStore extends Auth_OpenID_OpenIDStore {
function useNonce($server_url, $timestamp, $salt)
{
+ global $Auth_OpenID_SKEW;
+
$nonce = sprintf("%s%s%s", $server_url, $timestamp, $salt);
+
+ if ( abs($timestamp - gmmktime()) > $Auth_OpenID_SKEW ) {
+ return False;
+ }
+
if (in_array($nonce, $this->nonces)) {
return false;
} else {
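Review bot: The `$nonce` string is built with `sprintf` before the skew check, so the rejected path does work whose result is discarded; placing the check directly under `global $Auth_OpenID_SKEW;` and moving the `sprintf` below it keeps the guard clause first. The same method now mixes `return False;` with `return false;` two lines later — use lowercase in both. useNonce's body continues past the end of the hunk.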
diff --git a/Tests/Auth/OpenID/StoreTest.php b/Tests/Auth/OpenID/StoreTest.php
index c841a2e..15380f7 100644
--- a/Tests/Auth/OpenID/StoreTest.php
+++ b/Tests/Auth/OpenID/StoreTest.php
@@ -302,13 +302,20 @@ explicitly');
$nonce1 = Auth_OpenID_mkNonce();
// A nonce is not by default
- $this->_checkUseNonce($store, $nonce1, true, $url, 1);
+ $this->_checkUseNonce($store, $nonce1, true, $url, "blergx");
// Once stored, cannot be stored again
$this->_checkUseNonce($store, $nonce1, false, $url, 2);
// And using again has the same effect
$this->_checkUseNonce($store, $nonce1, false, $url, 3);
+
+ // Nonces from when the universe was an hour old should
+ // not pass these days.
+ $old_nonce = Auth_OpenID_mkNonce(3600);
+ $this->_checkUseNonce($store, $old_nonce, false, $url,
+ "Old nonce ($old_nonce) passed.");
+
}
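Review bot: The stale-nonce case only covers the past, but the store check uses `abs()` and rejects future-dated nonces as well, which this test never exercises; add a companion assertion such as `$future_nonce = Auth_OpenID_mkNonce(time() + 3600);` followed by `$this->_checkUseNonce($store, $future_nonce, false, $url, "Future nonce ($future_nonce) passed.");` (assuming an hour exceeds the configured skew — confirm against Nonce.php). The message argument changed to `"blergx"` reads as a placeholder; a descriptive string like `"Fresh nonce ($nonce1) was rejected."` would make a failure self-explaining and match the style of the old-nonce message. The enclosing test method starts before the hunk.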
}