-rw-r--r--Auth/OpenID/Server.php26
-rw-r--r--Tests/Auth/OpenID/Server.php31
2 files changed, 57 insertions, 0 deletions
diff --git a/Auth/OpenID/Server.php b/Auth/OpenID/Server.php
index 3dd6cf8..24282c0 100644
--- a/Auth/OpenID/Server.php
+++ b/Auth/OpenID/Server.php
@@ -709,6 +709,12 @@ class Auth_OpenID_AssociateRequest extends Auth_OpenID_Request {
*/
class Auth_OpenID_CheckIDRequest extends Auth_OpenID_Request {
/**
+ * Return-to verification callback. Default is
+ * Auth_OpenID_verifyReturnTo from TrustRoot.php.
+ */
+ var $verifyReturnTo = 'Auth_OpenID_verifyReturnTo';
+
+ /**
* The mode of this request.
*/
var $mode = "checkid_setup"; // or "checkid_immediate"
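Review bot: The docblock on `$verifyReturnTo` names the default but not the contract a replacement callback must honour, even though its result becomes the verdict of `returnToVerified()`. I would extend the comment along the lines of `Called as callback($trust_root, $return_to); must return boolean true only when the realm lists return_to, and false on any discovery failure.` Because the property is a public `var` holding a callable, the comment should also say that it is set by server code only and never populated from request data. The class body continues outside this hunk.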
@@ -785,6 +791,26 @@ class Auth_OpenID_CheckIDRequest extends Auth_OpenID_Request {
($this->trust_root == $other->trust_root));
}
+ /*
+ * Does the relying party publish the return_to URL for this
+ * response under the realm? It is up to the provider to set a
+ * policy for what kinds of realms should be allowed. This
+ * return_to URL verification reduces vulnerability to data-theft
+ * attacks based on open proxies, corss-site-scripting, or open
+ * redirectors.
+ *
+ * This check should only be performed after making sure that the
+ * return_to URL matches the realm.
+ *
+ * @return true if the realm publishes a document with the
+ * return_to URL listed, false if not or if discovery fails
+ */
+ function returnToVerified()
+ {
+ return call_user_func_array($this->verifyReturnTo,
+ array($this->trust_root, $this->return_to));
+ }
+
function fromMessage(&$message, $server)
{
$mode = $message->getArg(Auth_OpenID_OPENID_NS, 'mode');
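Review bot: `returnToVerified()` returns whatever the callback yields, so a non-boolean result (an error object, a non-empty string, or null if the callable cannot be resolved) is left to the caller's truthiness check. For a security decision it should fail closed: `return call_user_func_array($this->verifyReturnTo, array($this->trust_root, $this->return_to)) === true;`. The comment says the check is only meaningful once return_to has been matched against the realm, but nothing here enforces that order. Either guard with `if (!$this->trustRootValid()) { return false; }` (the test file calls that method on the request) or name it in the comment as the required precondition. The comment also opens with `/*` rather than `/**`, and "corss-site-scripting" should read "cross-site-scripting"; whether Server.php already loads TrustRoot.php for the default callback is not visible in this hunk.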
diff --git a/Tests/Auth/OpenID/Server.php b/Tests/Auth/OpenID/Server.php
index 75abad6..a8af901 100644
--- a/Tests/Auth/OpenID/Server.php
+++ b/Tests/Auth/OpenID/Server.php
@@ -982,6 +982,37 @@ class Tests_Auth_OpenID_CheckID extends PHPUnit_TestCase {
$this->assertTrue($this->request->trustRootValid());
}
+ function _verify($trust_root, $return_to, $value)
+ {
+ $this->assertEquals($this->request->trust_root, $trust_root);
+ $this->assertEquals($this->request->return_to, $return_to);
+ return $value;
+ }
+
+ function _verifyTrue($trust_root, $return_to)
+ {
+ return $this->_verify($trust_root, $return_to, true);
+ }
+
+ function _verifyFalse($trust_root, $return_to)
+ {
+ return $this->_verify($trust_root, $return_to, false);
+ }
+
+ /*
+ * Make sure that verifyReturnTo is calling
+ * Auth_OpenID_verifyReturnTo
+ */
+ function test_returnToVerified_callsVerify()
+ {
+ // Ensure that True and False are passed through unchanged
+ $this->request->verifyReturnTo = array(&$this, '_verifyTrue');
+ $this->assertEquals(true, $this->request->returnToVerified());
+
+ $this->request->verifyReturnTo = array(&$this, '_verifyFalse');
+ $this->assertEquals(false, $this->request->returnToVerified());
+ }
+
function test_answerToInvalidRoot()
{
$this->request->trust_root = "http://foo.unittest/17";
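Review bot: The comment above `test_returnToVerified_callsVerify` says it checks that `Auth_OpenID_verifyReturnTo` is called, but both cases replace the callback with stubs, so the default wiring is never exercised. I would reword it to `Make sure that returnToVerified() calls the configured verifyReturnTo callback with trust_root and return_to` and assert the default before overriding it, e.g. `$this->assertEquals('Auth_OpenID_verifyReturnTo', $this->request->verifyReturnTo);`. Depending on the PHPUnit version, `assertEquals(true, ...)` and `assertEquals(false, ...)` may compare loosely, so `$this->assertTrue($this->request->returnToVerified() === true);` and its `=== false` counterpart pin the boolean type. A further case with a stub returning a non-boolean would document the intended fail-closed behaviour. `test_answerToInvalidRoot` continues outside the hunk.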