
[project @ SECURITY FIX: Claimed identifier verification was inadvertently comparing values that would always return true (thanks to jbradley@mac.com)]

Ignore-this: f69797d1383b08b6e58da70f183edb39
1 parent 9c6715d commit 5c85bf362bd7e9e7d4e6794d626bb3e262c3e0fa tailor committed Apr 17, 2009
Showing with 20 additions and 4 deletions.
  1. +4 −4 lib/openid/consumer/idres.rb
  2. +16 −0 test/test_idres.rb
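--- a/lib/openid/consumer/idres.rb
+++ b/lib/openid/consumer/idres.rb
@@ -469,14 +469,14 @@ def verify_discovery_single(endpoint, to_match)
 # Fragments do not influence discovery, so we can't compare a
 # claimed identifier with a fragment to discovered information.
 defragged_claimed_id =
-case Yadis::XRI.identifier_scheme(endpoint.claimed_id)
+case Yadis::XRI.identifier_scheme(to_match.claimed_id)
 when :xri
-endpoint.claimed_id
+to_match.claimed_id
 when :uri
 begin
-parsed = URI.parse(endpoint.claimed_id)
+parsed = URI.parse(to_match.claimed_id)
 rescue URI::InvalidURIError
-endpoint.claimed_id
+to_match.claimed_id
 else
 parsed.fragment = nil
 parsed.to_s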
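Review bot: The comment above `defragged_claimed_id` still speaks generically of "a claimed identifier", yet the whole defect was which side of the comparison gets its fragment stripped, so name the sides explicitly: `# Strip the fragment from the identifier asserted in the response (to_match), then compare it with the discovered endpoint's claimed_id.` verify_discovery_single starts before this hunk and continues past it, so the comparison against endpoint.claimed_id that consumes this value is not visible here. The `rescue URI::InvalidURIError` branch falls back to the raw to_match.claimed_id, which presumably only makes a match less likely rather than more — worth a one-line comment saying that is intended, since a reader of a security fix will ask.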
@@ -693,6 +693,22 @@ def test_openid2_mismatched_does_disco
assert(endpoint.equal?(result))
end
+ def test_verify_discovery_single_claimed_id_mismatch
+ idres = IdResHandler.new(nil, nil)
+ @endpoint.local_id = 'my identity'
+ @endpoint.claimed_id = 'http://i-am-sam/'
+ @endpoint.server_url = 'Phone Home'
+ @endpoint.type_uris = [OPENID_2_0_TYPE]
+
+ to_match = @endpoint.dup
+ to_match.claimed_id = 'http://something.else/'
+
+ e = assert_raises(ProtocolError) {
+ idres.send(:verify_discovery_single, @endpoint, to_match)
+ }
+ assert(e.to_s =~ /different subjects/)
+ end
+
def test_openid2_use_pre_discovered
@endpoint.local_id = 'my identity'
@endpoint.claimed_id = 'http://i-am-sam/'
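Review bot: The regression test pins only the mismatch path; the fragment-stripping and XRI branches that the same commit rewrote stay unexercised, so add a companion test where `to_match.claimed_id = 'http://i-am-sam/#frag'` and assert that `idres.send(:verify_discovery_single, @endpoint, to_match)` does not raise, plus one where the identifiers differ by more than a fragment to show the new code is not over-permissive. `assert(e.to_s =~ /different subjects/)` reads better as `assert_match(/different subjects/, e.to_s)`, which also prints the actual message on failure. `@endpoint.dup` is a shallow copy, so the `type_uris` array is shared between the two endpoints; harmless here since only `claimed_id` is reassigned, but a comment noting it would save the next person a check.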
