summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorDavid Rothstein2015-06-17 18:35:40 (GMT)
committerDavid Rothstein2015-06-17 18:35:40 (GMT)
commitf46396a6f6b425c4c652f1155cbb892b07c7313e (patch)
tree93ffdc3b3f1c8371663c8c2458e9cc2b5f36b6c6
parent89f56c3bb4a30ef3551ebcf32449c44c40cc1bab (diff)
parenta362d912056d6e385a6c458cddf776ec746c68ae (diff)
Merge tag '6.36' into 6.x6.x
6.36 release Conflicts: CHANGELOG.txt modules/system/system.module
-rw-r--r--CHANGELOG.txt6
-rw-r--r--modules/openid/openid.module32
-rw-r--r--modules/system/system.module2
3 files changed, 34 insertions, 6 deletions
diff --git a/CHANGELOG.txt b/CHANGELOG.txt
index f5a0610..4fd0017 100644
--- a/CHANGELOG.txt
+++ b/CHANGELOG.txt
@@ -1,7 +1,11 @@
-Drupal 6.36-dev, xxxx-xx-xx (development release)
+Drupal 6.37-dev, xxxx-xx-xx (development release)
----------------------
+Drupal 6.36, 2015-06-17
+-----------------------
+- Fixed security issues (OpenID impersonation). See SA-CORE-2015-002.
+
Drupal 6.35, 2015-03-18
----------------------
- Fixed security issues (multiple vulnerabilities). See SA-CORE-2015-001.
diff --git a/modules/openid/openid.module b/modules/openid/openid.module
index 4a7c57b..bef8242 100644
--- a/modules/openid/openid.module
+++ b/modules/openid/openid.module
@@ -241,10 +241,34 @@ function openid_complete($response = array()) {
if (openid_verify_assertion($service, $response)) {
// If the returned claimed_id is different from the session claimed_id,
// then we need to do discovery and make sure the op_endpoint matches.
- if ($service['version'] == 2 && $response['openid.claimed_id'] != $claimed_id) {
- $disco = openid_discovery($response['openid.claimed_id']);
- if ($disco[0]['uri'] != $service['uri']) {
- return $response;
+ if ($service['version'] == 2) {
+ // Returned Claimed Identifier could contain unique fragment
+ // identifier to allow identifier recycling so we need to preserve
+ // it in the response.
+ $response_claimed_id = _openid_normalize($response['openid.claimed_id']);
+
+ if ($response_claimed_id != $claimed_id || $response_claimed_id != $response['openid.identity']) {
+ $disco = openid_discovery($response['openid.claimed_id']);
+
+ if ($disco[0]['uri'] != $service['uri']) {
+ return $response;
+ }
+
+ if (!empty($disco[0]['localid'])) {
+ $identity = $disco[0]['localid'];
+ }
+ else if (!empty($disco[0]['delegate'])) {
+ $identity = $disco[0]['delegate'];
+ }
+ else {
+ $identity = FALSE;
+ }
+
+ // The OP-Local Identifier (if different than the Claimed
+ // Identifier) must be present in the XRDS document.
+ if ($response_claimed_id != $response['openid.identity'] && (!$identity || $identity != $response['openid.identity'])) {
+ return $response;
+ }
}
}
else {
diff --git a/modules/system/system.module b/modules/system/system.module
index 0a4ac39..6ffa529 100644
--- a/modules/system/system.module
+++ b/modules/system/system.module
@@ -8,7 +8,7 @@
/**
* The current system version.
*/
-define('VERSION', '6.36-dev');
+define('VERSION', '6.37-dev');
/**
* Core API compatibility.