From 8a4c31a6740a949cdc29d956c276ba3c4021dfa8 Mon Sep 17 00:00:00 2001 From: Vadim Shaulski Date: Tue, 16 Apr 2019 19:34:35 +0300 Subject: [PATCH] Avoid SSRF for claimed_id request `verify_discovery_results` sends a request to openid.claimed_id URL. Anybody can change claimed_id URL but request still will be sent. For example, sending a request to the internal network or localhost: https://myserver/callback?_method=post&openid.claimed_id=http://localhost:3000/do_method..... I think, we must check signature before use any data from the URL --- lib/openid/consumer/idres.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/openid/consumer/idres.rb b/lib/openid/consumer/idres.rb index 16c1d809..6c4e0a3b 100644 --- a/lib/openid/consumer/idres.rb +++ b/lib/openid/consumer/idres.rb @@ -72,9 +72,9 @@ def signed_fields def id_res check_for_fields verify_return_to - verify_discovery_results check_signature check_nonce + verify_discovery_results end def server_url
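Review bot: moving `verify_discovery_results` below `check_signature` and `check_nonce` in `id_res` only prevents the request to an attacker-supplied `openid.claimed_id` if that field is itself covered by the signature; please confirm that `check_for_fields`, which still runs first, rejects a response whose `claimed_id` is missing from `openid.signed`, and state that reasoning in the commit message rather than only the SSRF example. Also verify that `check_nonce`, and the `server_url` method visible right after the hunk, do not depend on state that `verify_discovery_results` previously set up (the verified endpoint), since both now execute before it. A regression test that submits an unsigned `openid.claimed_id` and asserts no outbound request is made would document the fix.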