check if return_to matches realm

Signed-off-by: Michael Krelin <hacker@klever.net>

2 files changed, 45 insertions, 0 deletions

diff --git a/include/opkele/exception.h b/include/opkele/exception.h
index 5c8418e..33f89cc 100644
--- a/include/opkele/exception.h
+++ b/include/opkele/exception.h
@@ -348,15 +348,24 @@ namespace opkele {
                 : exception(OPKELE_E_CONS) { }
     };
 
     /**
      * thrown when querying identity of non-identity related request
      */
     class non_identity : public exception {
         public:
             non_identity(OPKELE_E_PARS)
                 : exception(OPKELE_E_CONS) { }
     };
 
+    /**
+     * thrown if return_to URL doesn't match realm
+     */
+    class bad_return_to : public exception {
+        public:
+            bad_return_to(OPKELE_E_PARS)
+                : exception(OPKELE_E_CONS) { }
+    };
+
 }
 
 #endif /* __OPKELE_EXCEPTION_H */
diff --git a/lib/basic_op.cc b/lib/basic_op.cc
index 22012bc..f7573aa 100644
--- a/lib/basic_op.cc
+++ b/lib/basic_op.cc
@@ -1,23 +1,26 @@
 #include <time.h>
 #include <cassert>
+#include <algorithm>
 #include <openssl/sha.h>
 #include <openssl/hmac.h>
 #include <opkele/data.h>
 #include <opkele/basic_op.h>
 #include <opkele/exception.h>
 #include <opkele/util.h>
 #include <opkele/uris.h>
 
 namespace opkele {
+    using std::pair;
+    using std::mismatch;
 
     void basic_op::reset_vars() {
         assoc.reset();
         return_to.clear(); realm.clear();
         claimed_id.clear(); identity.clear();
         invalidate_handle.clear();
     }
 
     bool basic_op::has_return_to() const {
         return !return_to.empty();
     }
     const string& basic_op::get_return_to() const {
@@ -308,13 +311,46 @@ namespace opkele {
             }
         }catch(failed_lookup&) { }
         if(o2) {
             assert(!nonce.empty());
             invalidate_nonce(nonce);
         }
         return oum;
     }catch(failed_check_authentication& ) {
         oum.set_field("is_valid","false");
         return oum;
     }
 
+    void basic_op::verify_return_to() {
+        string nrealm = opkele::util::rfc_3986_normalize_uri(realm);
+        if(nrealm.find('#')!=string::npos)
+            throw opkele::bad_realm(OPKELE_CP_ "authentication realm contains URI fragment");
+        string nrt = opkele::util::rfc_3986_normalize_uri(return_to);
+        string::size_type pr = nrealm.find("://");
+        string::size_type prt = nrt.find("://");
+        assert(!(pr==string::npos || prt==string::npos));
+        pr += sizeof("://")-1;
+        prt += sizeof("://")-1;
+        if(!strncmp(nrealm.c_str()+pr,"*.",2)) {
+            pr = nrealm.find('.',pr);
+            prt = nrt.find('.',prt);
+            assert(pr!=string::npos);
+            if(prt==string::npos)
+                throw bad_return_to(
+                        OPKELE_CP_ "return_to URL doesn't match realm");
+            // TODO: check for overgeneralized realm
+        }
+        string::size_type lr = nrealm.length();
+        string::size_type lrt = nrt.length();
+        if( (lrt-prt) < (lr-pr) )
+            throw bad_return_to(
+                    OPKELE_CP_ "return_to URL doesn't match realm");
+        pair<const char*,const char*> mp = mismatch(
+                nrealm.c_str()+pr,nrealm.c_str()+lr,
+                nrt.c_str()+prt);
+        if( (*(mp.first-1))!='/'
+                && !strchr("/?#",*mp.second) )
+            throw bad_return_to(
+                    OPKELE_CP_ "return_to URL doesn't match realm");
+    }
+
 }