summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorDavid Rothstein2015-06-17 14:33:35 -0400
committerDavid Rothstein2015-06-17 14:33:35 -0400
commita362d912056d6e385a6c458cddf776ec746c68ae (patch)
tree2eb8bee2425a9627004e6d772acb3ca3a40f7e14
parent8ffc5db3c0ab926f3d4b2cf8bc51714c8c0f3c93 (diff)
Drupal 6.366.36
-rw-r--r--CHANGELOG.txt4
-rw-r--r--modules/openid/openid.module32
-rw-r--r--modules/system/system.module2
3 files changed, 33 insertions, 5 deletions
diff --git a/CHANGELOG.txt b/CHANGELOG.txt
index 389eee7..ecfaadf 100644
--- a/CHANGELOG.txt
+++ b/CHANGELOG.txt
@@ -1,4 +1,8 @@
+Drupal 6.36, 2015-06-17
+-----------------------
+- Fixed security issues (OpenID impersonation). See SA-CORE-2015-002.
+
Drupal 6.35, 2015-03-18
----------------------
- Fixed security issues (multiple vulnerabilities). See SA-CORE-2015-001.
diff --git a/modules/openid/openid.module b/modules/openid/openid.module
index 4a7c57b..bef8242 100644
--- a/modules/openid/openid.module
+++ b/modules/openid/openid.module
@@ -241,10 +241,34 @@ function openid_complete($response = array()) {
if (openid_verify_assertion($service, $response)) {
// If the returned claimed_id is different from the session claimed_id,
// then we need to do discovery and make sure the op_endpoint matches.
- if ($service['version'] == 2 && $response['openid.claimed_id'] != $claimed_id) {
- $disco = openid_discovery($response['openid.claimed_id']);
- if ($disco[0]['uri'] != $service['uri']) {
- return $response;
+ if ($service['version'] == 2) {
+ // Returned Claimed Identifier could contain unique fragment
+ // identifier to allow identifier recycling so we need to preserve
+ // it in the response.
+ $response_claimed_id = _openid_normalize($response['openid.claimed_id']);
+
+ if ($response_claimed_id != $claimed_id || $response_claimed_id != $response['openid.identity']) {
+ $disco = openid_discovery($response['openid.claimed_id']);
+
+ if ($disco[0]['uri'] != $service['uri']) {
+ return $response;
+ }
+
+ if (!empty($disco[0]['localid'])) {
+ $identity = $disco[0]['localid'];
+ }
+ else if (!empty($disco[0]['delegate'])) {
+ $identity = $disco[0]['delegate'];
+ }
+ else {
+ $identity = FALSE;
+ }
+
+ // The OP-Local Identifier (if different than the Claimed
+ // Identifier) must be present in the XRDS document.
+ if ($response_claimed_id != $response['openid.identity'] && (!$identity || $identity != $response['openid.identity'])) {
+ return $response;
+ }
}
}
else {
diff --git a/modules/system/system.module b/modules/system/system.module
index f03bc08..cb37bdf 100644
--- a/modules/system/system.module
+++ b/modules/system/system.module
@@ -8,7 +8,7 @@
/**
* The current system version.
*/
-define('VERSION', '6.35');
+define('VERSION', '6.36');
/**
* Core API compatibility.