Update pressflow to 6.36

catch56 · Jul 29, 2015 · 25e43a4 · 25e43a4
1 parent 5c36516
commit 25e43a4
Show file tree

Hide file tree

Showing 3 changed files with 33 additions and 5 deletions.
diff --git a/CHANGELOG.txt b/CHANGELOG.txt
@@ -1,3 +1,7 @@
+Drupal 6.36, 2015-06-17
+-----------------------
+- Fixed security issues (OpenID impersonation). See SA-CORE-2015-002.
+
 Drupal 6.35, 2015-03-18
 ----------------------
 - Fixed security issues (multiple vulnerabilities). See SA-CORE-2015-001.

diff --git a/modules/openid/openid.module b/modules/openid/openid.module
@@ -243,10 +243,34 @@ function openid_complete($response = array()) {
         if (openid_verify_assertion($service, $response)) {
           // If the returned claimed_id is different from the session claimed_id,
           // then we need to do discovery and make sure the op_endpoint matches.
-          if ($service['version'] == 2 && $response['openid.claimed_id'] != $claimed_id) {
-            $disco = openid_discovery($response['openid.claimed_id']);
-            if ($disco[0]['uri'] != $service['uri']) {
-              return $response;
+          if ($service['version'] == 2) {
+            // Returned Claimed Identifier could contain unique fragment
+            // identifier to allow identifier recycling so we need to preserve
+            // it in the response.
+            $response_claimed_id = _openid_normalize($response['openid.claimed_id']);
+
+            if ($response_claimed_id != $claimed_id || $response_claimed_id != $response['openid.identity']) {
+              $disco = openid_discovery($response['openid.claimed_id']);
+
+              if ($disco[0]['uri'] != $service['uri']) {
+                return $response;
+              }
+
+              if (!empty($disco[0]['localid'])) {
+                $identity = $disco[0]['localid'];
+              }
+              else if (!empty($disco[0]['delegate'])) {
+                $identity = $disco[0]['delegate'];
+              }
+              else {
+                $identity = FALSE;
+              }
+
+              // The OP-Local Identifier (if different than the Claimed
+              // Identifier) must be present in the XRDS document.
+              if ($response_claimed_id != $response['openid.identity'] && (!$identity || $identity != $response['openid.identity'])) {
+                return $response;
+              }
             }
           }
           else {

diff --git a/modules/system/system.module b/modules/system/system.module
@@ -8,7 +8,7 @@
 /**
  * The current system version.
  */
-define('VERSION', '6.35');
+define('VERSION', '6.36');
 
 /**
  * Core API compatibility.