summaryrefslogtreecommitdiffabout
authorMichael Krelin <hacker@klever.net>2008-02-02 19:57:52 (UTC)
committer Michael Krelin <hacker@klever.net>2008-02-02 19:57:52 (UTC)
commit529c53f0eb63040735b4cad7806cef6d5e65144b (patch) (side-by-side diff)
tree711cd9e8d30a9f251de529cdfcfcd05ac0e871b3
parent4efb668baed49ede14846c3cdac31cc561451cd1 (diff)
downloadlibopkele-529c53f0eb63040735b4cad7806cef6d5e65144b.zip
libopkele-529c53f0eb63040735b4cad7806cef6d5e65144b.tar.gz
libopkele-529c53f0eb63040735b4cad7806cef6d5e65144b.tar.bz2
check if return_to matches realm
Signed-off-by: Michael Krelin <hacker@klever.net>
Diffstat (more/less context) (show whitespace changes)
-rw-r--r--include/opkele/exception.h9
-rw-r--r--lib/basic_op.cc36
2 files changed, 45 insertions, 0 deletions
diff --git a/include/opkele/exception.h b/include/opkele/exception.h
index 5c8418e..33f89cc 100644
--- a/include/opkele/exception.h
+++ b/include/opkele/exception.h
@@ -352,11 +352,20 @@ namespace opkele {
* thrown when querying identity of non-identity related request
*/
class non_identity : public exception {
public:
non_identity(OPKELE_E_PARS)
: exception(OPKELE_E_CONS) { }
};
+ /**
+ * thrown if return_to URL doesn't match realm
+ */
+ class bad_return_to : public exception {
+ public:
+ bad_return_to(OPKELE_E_PARS)
+ : exception(OPKELE_E_CONS) { }
+ };
+
}
#endif /* __OPKELE_EXCEPTION_H */
diff --git a/lib/basic_op.cc b/lib/basic_op.cc
index 22012bc..f7573aa 100644
--- a/lib/basic_op.cc
+++ b/lib/basic_op.cc
@@ -1,19 +1,22 @@
#include <time.h>
#include <cassert>
+#include <algorithm>
#include <openssl/sha.h>
#include <openssl/hmac.h>
#include <opkele/data.h>
#include <opkele/basic_op.h>
#include <opkele/exception.h>
#include <opkele/util.h>
#include <opkele/uris.h>
namespace opkele {
+ using std::pair;
+ using std::mismatch;
void basic_op::reset_vars() {
assoc.reset();
return_to.clear(); realm.clear();
claimed_id.clear(); identity.clear();
invalidate_handle.clear();
}
@@ -312,9 +315,42 @@ namespace opkele {
invalidate_nonce(nonce);
}
return oum;
}catch(failed_check_authentication& ) {
oum.set_field("is_valid","false");
return oum;
}
+ void basic_op::verify_return_to() {
+ string nrealm = opkele::util::rfc_3986_normalize_uri(realm);
+ if(nrealm.find('#')!=string::npos)
+ throw opkele::bad_realm(OPKELE_CP_ "authentication realm contains URI fragment");
+ string nrt = opkele::util::rfc_3986_normalize_uri(return_to);
+ string::size_type pr = nrealm.find("://");
+ string::size_type prt = nrt.find("://");
+ assert(!(pr==string::npos || prt==string::npos));
+ pr += sizeof("://")-1;
+ prt += sizeof("://")-1;
+ if(!strncmp(nrealm.c_str()+pr,"*.",2)) {
+ pr = nrealm.find('.',pr);
+ prt = nrt.find('.',prt);
+ assert(pr!=string::npos);
+ if(prt==string::npos)
+ throw bad_return_to(
+ OPKELE_CP_ "return_to URL doesn't match realm");
+ // TODO: check for overgeneralized realm
+ }
+ string::size_type lr = nrealm.length();
+ string::size_type lrt = nrt.length();
+ if( (lrt-prt) < (lr-pr) )
+ throw bad_return_to(
+ OPKELE_CP_ "return_to URL doesn't match realm");
+ pair<const char*,const char*> mp = mismatch(
+ nrealm.c_str()+pr,nrealm.c_str()+lr,
+ nrt.c_str()+prt);
+ if( (*(mp.first-1))!='/'
+ && !strchr("/?#",*mp.second) )
+ throw bad_return_to(
+ OPKELE_CP_ "return_to URL doesn't match realm");
+ }
+
}