1
=== modified file 'identityprovider/models/openidmodels.py'
2
--- identityprovider/models/openidmodels.py	2010-07-28 14:25:25 +0000
3
+++ identityprovider/models/openidmodels.py	2010-09-29 13:19:43 +0000
4
@@ -109,6 +109,38 @@
5
109
        unique_together = ('server_url', 'timestamp', 'salt')
109
        unique_together = ('server_url', 'timestamp', 'salt')
6
110
110
7
111
111
8
112
class OpenIDRPConfigManager(models.Manager):
9
113
10
114
    def for_url(self, url):
11
115
        if url.endswith('/'):
12
116
            url = url[:-1]
13
117
        # We need to encode the % character in URLs, so that an
14
118
        # attacker can't maliciously take advantage of it as a
15
119
        # wildcard.  To do this, we select an escape character (~),
16
120
        # and then escape it as ~T and % as ~P.
17
121
        #
18
122
        # Although this hole only exists in the right-hand argument of
19
123
        # LIKE, this replacement happens in both the received URL and
20
124
        # the recorded trust_root, in case they have legitimate ~
21
125
        # characters that need to be matched.
22
126
        #
23
127
        # Python uses % for parameters in interpolated strings, and
24
128
        # PostgreSQL uses it as a wild card in LIKE-patterns; so
25
129
        # they're escaped here.
26
130
        condition = """
27
131
      replace(replace(%s,         '~', '~T'), '%%', '~P')
28
132
LIKE (replace(replace(trust_root, '~', '~T'), '%%', '~P') || '%%')
29
133
"""
30
134
31
135
        q = self.extra(
32
136
            select={'len': 'length(trust_root)'},
33
137
            where=[condition],
34
138
            params=(url,),
35
139
            order_by=['-len'] # Select the longest match
36
140
            )
37
141
        return q[0] if q else None
38
142
39
143
40
112
class OpenIDRPConfig(models.Model):
144
class OpenIDRPConfig(models.Model):
41
113
    trust_root = models.TextField(unique=True)
145
    trust_root = models.TextField(unique=True)
42
114
    displayname = models.TextField()
146
    displayname = models.TextField()
43
@@ -127,6 +159,8 @@
44
127
        verbose_name = _('OpenID RP Config')
159
        verbose_name = _('OpenID RP Config')
45
128
        verbose_name_plural = _('OpenID RP Configs')
160
        verbose_name_plural = _('OpenID RP Configs')
46
129
161
47
162
    objects = OpenIDRPConfigManager()
48
163
49
130
    def __unicode__(self):
164
    def __unicode__(self):
50
131
        return self.displayname
165
        return self.displayname
51
132
166
52
133
167
53
=== modified file 'identityprovider/tests/test_views_ui_logout.py'
54
--- identityprovider/tests/test_views_ui_logout.py	2010-09-22 00:43:01 +0000
55
+++ identityprovider/tests/test_views_ui_logout.py	2010-09-29 13:19:43 +0000
56
@@ -60,6 +60,38 @@
57
60
        return_to = self.view.get_return_to_url(trust_root, None)
60
        return_to = self.view.get_return_to_url(trust_root, None)
58
61
        self.assertEquals(return_to, trust_root)
61
        self.assertEquals(return_to, trust_root)
59
62
62
60
63
    def test_get_return_to_url_when_extends_root(self):
61
64
        trust_root = 'http://example.com/r'
62
65
        logout = trust_root + '/a'
63
66
        self.create_openid_rp_config(trust_root)
64
67
        return_to = self.view.get_return_to_url(logout, None)
65
68
        self.assertEquals(return_to, logout)
66
69
67
70
    def test_get_return_to_url_when_diminishes_root(self):
68
71
        logout = 'http://example.com/r'
69
72
        trust_root = logout + '/a'
70
73
        self.create_openid_rp_config(trust_root)
71
74
        return_to = self.view.get_return_to_url(logout, None)
72
75
        self.assertTrue(return_to is None)
73
76
74
77
    def test_get_return_to_url_when_tricky_trust(self):
75
78
        trust_root = 'http://%.example.com/r'
76
79
        self.create_openid_rp_config(trust_root)
77
80
        return_to = self.view.get_return_to_url('http://launchpad.net/?sneaky=.example.com/r', None)
78
81
        self.assertTrue(return_to is None)
79
82
80
83
    def test_get_return_to_url_when_tricky_return(self):
81
84
        trust_root = 'http://example.com/r'
82
85
        self.create_openid_rp_config(trust_root)
83
86
        return_to = self.view.get_return_to_url('http://%.com/r', None)
84
87
        self.assertTrue(return_to is None)
85
88
86
89
    def test_get_return_to_url_when_tilde(self):
87
90
        trust_root = 'http://example.com/~id'
88
91
        self.create_openid_rp_config(trust_root)
89
92
        return_to = self.view.get_return_to_url(trust_root, None)
90
93
        self.assertEquals(return_to, trust_root)
91
94
92
63
    def test_get_return_to_url_when_referer_mismatches_known_url(self):
95
    def test_get_return_to_url_when_referer_mismatches_known_url(self):
93
64
        trust_root = 'http://example.com/r'
96
        trust_root = 'http://example.com/r'
94
65
        self.create_openid_rp_config(trust_root)
97
        self.create_openid_rp_config(trust_root)
95
66
98
96
=== modified file 'identityprovider/views/ui.py'
97
--- identityprovider/views/ui.py	2010-09-22 08:04:03 +0000
98
+++ identityprovider/views/ui.py	2010-09-29 13:19:43 +0000
99
@@ -113,9 +113,8 @@
100
113
    def get_return_to_url(self, return_to, http_referer):
113
    def get_return_to_url(self, return_to, http_referer):
101
114
        if not return_to:
114
        if not return_to:
102
115
            return None
115
            return None
106
116
        known = OpenIDRPConfig.objects.filter(
116
        rp_config = OpenIDRPConfig.objects.for_url(return_to)
107
117
            trust_root=return_to).count() == 1
117
        if rp_config is not None:
105
118
        if known:
108
119
            if http_referer is not None and http_referer != return_to:
118
            if http_referer is not None and http_referer != return_to:
109
120
                return None
119
                return None
110
121
            return return_to
120
            return return_to
Reviewer	Review Type	Date Requested	Status
Łukasz Czyżykowski (community)		2010-09-29	Approve on 2010-09-29
Review via email: mp+36948@code.launchpad.net