summaryrefslogtreecommitdiffabout
Side-by-side diff
Diffstat (more/less context) (ignore whitespace changes)
-rw-r--r--include/opkele/exception.h9
-rw-r--r--lib/basic_op.cc36
2 files changed, 45 insertions, 0 deletions
diff --git a/include/opkele/exception.h b/include/opkele/exception.h
index 5c8418e..33f89cc 100644
--- a/include/opkele/exception.h
+++ b/include/opkele/exception.h
@@ -348,15 +348,24 @@ namespace opkele {
: exception(OPKELE_E_CONS) { }
};
/**
* thrown when querying identity of non-identity related request
*/
class non_identity : public exception {
public:
non_identity(OPKELE_E_PARS)
: exception(OPKELE_E_CONS) { }
};
+ /**
+ * thrown if return_to URL doesn't match realm
+ */
+ class bad_return_to : public exception {
+ public:
+ bad_return_to(OPKELE_E_PARS)
+ : exception(OPKELE_E_CONS) { }
+ };
+
}
#endif /* __OPKELE_EXCEPTION_H */
diff --git a/lib/basic_op.cc b/lib/basic_op.cc
index 22012bc..f7573aa 100644
--- a/lib/basic_op.cc
+++ b/lib/basic_op.cc
@@ -1,23 +1,26 @@
#include <time.h>
#include <cassert>
+#include <algorithm>
#include <openssl/sha.h>
#include <openssl/hmac.h>
#include <opkele/data.h>
#include <opkele/basic_op.h>
#include <opkele/exception.h>
#include <opkele/util.h>
#include <opkele/uris.h>
namespace opkele {
+ using std::pair;
+ using std::mismatch;
void basic_op::reset_vars() {
assoc.reset();
return_to.clear(); realm.clear();
claimed_id.clear(); identity.clear();
invalidate_handle.clear();
}
bool basic_op::has_return_to() const {
return !return_to.empty();
}
const string& basic_op::get_return_to() const {
@@ -308,13 +311,46 @@ namespace opkele {
}
}catch(failed_lookup&) { }
if(o2) {
assert(!nonce.empty());
invalidate_nonce(nonce);
}
return oum;
}catch(failed_check_authentication& ) {
oum.set_field("is_valid","false");
return oum;
}
+ void basic_op::verify_return_to() {
+ string nrealm = opkele::util::rfc_3986_normalize_uri(realm);
+ if(nrealm.find('#')!=string::npos)
+ throw opkele::bad_realm(OPKELE_CP_ "authentication realm contains URI fragment");
+ string nrt = opkele::util::rfc_3986_normalize_uri(return_to);
+ string::size_type pr = nrealm.find("://");
+ string::size_type prt = nrt.find("://");
+ assert(!(pr==string::npos || prt==string::npos));
+ pr += sizeof("://")-1;
+ prt += sizeof("://")-1;
+ if(!strncmp(nrealm.c_str()+pr,"*.",2)) {
+ pr = nrealm.find('.',pr);
+ prt = nrt.find('.',prt);
+ assert(pr!=string::npos);
+ if(prt==string::npos)
+ throw bad_return_to(
+ OPKELE_CP_ "return_to URL doesn't match realm");
+ // TODO: check for overgeneralized realm
+ }
+ string::size_type lr = nrealm.length();
+ string::size_type lrt = nrt.length();
+ if( (lrt-prt) < (lr-pr) )
+ throw bad_return_to(
+ OPKELE_CP_ "return_to URL doesn't match realm");
+ pair<const char*,const char*> mp = mismatch(
+ nrealm.c_str()+pr,nrealm.c_str()+lr,
+ nrt.c_str()+prt);
+ if( (*(mp.first-1))!='/'
+ && !strchr("/?#",*mp.second) )
+ throw bad_return_to(
+ OPKELE_CP_ "return_to URL doesn't match realm");
+ }
+
}