summaryrefslogtreecommitdiffabout
Side-by-side diff
Diffstat (more/less context) (ignore whitespace changes)
-rw-r--r--include/opkele/exception.h9
-rw-r--r--lib/basic_op.cc36
2 files changed, 45 insertions, 0 deletions
diff --git a/include/opkele/exception.h b/include/opkele/exception.h
index 5c8418e..33f89cc 100644
--- a/include/opkele/exception.h
+++ b/include/opkele/exception.h
@@ -354,9 +354,18 @@ namespace opkele {
class non_identity : public exception {
public:
non_identity(OPKELE_E_PARS)
: exception(OPKELE_E_CONS) { }
};
+ /**
+ * thrown if return_to URL doesn't match realm
+ */
+ class bad_return_to : public exception {
+ public:
+ bad_return_to(OPKELE_E_PARS)
+ : exception(OPKELE_E_CONS) { }
+ };
+
}
#endif /* __OPKELE_EXCEPTION_H */
diff --git a/lib/basic_op.cc b/lib/basic_op.cc
index 22012bc..f7573aa 100644
--- a/lib/basic_op.cc
+++ b/lib/basic_op.cc
@@ -1,17 +1,20 @@
#include <time.h>
#include <cassert>
+#include <algorithm>
#include <openssl/sha.h>
#include <openssl/hmac.h>
#include <opkele/data.h>
#include <opkele/basic_op.h>
#include <opkele/exception.h>
#include <opkele/util.h>
#include <opkele/uris.h>
namespace opkele {
+ using std::pair;
+ using std::mismatch;
void basic_op::reset_vars() {
assoc.reset();
return_to.clear(); realm.clear();
claimed_id.clear(); identity.clear();
invalidate_handle.clear();
@@ -314,7 +317,40 @@ namespace opkele {
return oum;
}catch(failed_check_authentication& ) {
oum.set_field("is_valid","false");
return oum;
}
+ void basic_op::verify_return_to() {
+ string nrealm = opkele::util::rfc_3986_normalize_uri(realm);
+ if(nrealm.find('#')!=string::npos)
+ throw opkele::bad_realm(OPKELE_CP_ "authentication realm contains URI fragment");
+ string nrt = opkele::util::rfc_3986_normalize_uri(return_to);
+ string::size_type pr = nrealm.find("://");
+ string::size_type prt = nrt.find("://");
+ assert(!(pr==string::npos || prt==string::npos));
+ pr += sizeof("://")-1;
+ prt += sizeof("://")-1;
+ if(!strncmp(nrealm.c_str()+pr,"*.",2)) {
+ pr = nrealm.find('.',pr);
+ prt = nrt.find('.',prt);
+ assert(pr!=string::npos);
+ if(prt==string::npos)
+ throw bad_return_to(
+ OPKELE_CP_ "return_to URL doesn't match realm");
+ // TODO: check for overgeneralized realm
+ }
+ string::size_type lr = nrealm.length();
+ string::size_type lrt = nrt.length();
+ if( (lrt-prt) < (lr-pr) )
+ throw bad_return_to(
+ OPKELE_CP_ "return_to URL doesn't match realm");
+ pair<const char*,const char*> mp = mismatch(
+ nrealm.c_str()+pr,nrealm.c_str()+lr,
+ nrt.c_str()+prt);
+ if( (*(mp.first-1))!='/'
+ && !strchr("/?#",*mp.second) )
+ throw bad_return_to(
+ OPKELE_CP_ "return_to URL doesn't match realm");
+ }
+
}