Update extlibs

y
RedEnchilada · May 26, 2016 · 0b1ec4d · 0b1ec4d
1 parent fc4fe19
commit 0b1ec4d
Show file tree

Hide file tree

Showing 20 changed files with 162 additions and 115 deletions.
diff --git a/extlib/Auth/OpenID/Association.php b/extlib/Auth/OpenID/Association.php
@@ -374,42 +374,7 @@ function checkMessageSignature($message)
         }
 
         $calculated_sig = $this->getMessageSignature($message);
-
-        return $this->constantTimeCompare($calculated_sig, $sig);
-    }
-
-    /**
-     * String comparison function which will complete in a constant time
-     * for strings of any given matching length, to help prevent an attacker
-     * from distinguishing how much of a signature token they have guessed
-     * correctly.
-     *
-     * For this usage, it's assumed that the length of the string is known,
-     * so we may safely short-circuit on mismatched lengths which will be known
-     * to be invalid by the attacker.
-     *
-     * http://lists.openid.net/pipermail/openid-security/2010-July/001156.html
-     * http://rdist.root.org/2010/01/07/timing-independent-array-comparison/
-     */
-    private function constantTimeCompare($a, $b)
-    {
-        $len = strlen($a);
-        if (strlen($b) !== $len) {
-            // Short-circuit on length mismatch; attackers will already know
-            // the correct target length so this is safe.
-            return false;
-        }
-        if ($len == 0) {
-            // 0-length valid input shouldn't really happen. :)
-            return true;
-        }
-        $result = 0;
-        for ($i = 0; $i < strlen($a); $i++) {
-            // We use scary bitwise operations to avoid logical short-circuits
-            // in lower-level code.
-            $result |= ord($a{$i}) ^ ord($b{$i});
-        }
-        return ($result == 0);
+        return Auth_OpenID_CryptUtil::constEq($calculated_sig, $sig);
     }
 }
 

diff --git a/extlib/Auth/OpenID/BigMath.php b/extlib/Auth/OpenID/BigMath.php
@@ -365,7 +365,6 @@ function Auth_OpenID_detectMathLibrary($exts)
 {
     $loaded = false;
 
-	$hasDl = function_exists('dl');
     foreach ($exts as $extension) {
         if (extension_loaded($extension['extension'])) {
             return $extension;

diff --git a/extlib/Auth/OpenID/Consumer.php b/extlib/Auth/OpenID/Consumer.php
@@ -29,7 +29,7 @@
  * identity check.
  *
  * LIBRARY DESIGN
- * 
+ *
  * This consumer library is designed with that flow in mind.  The goal
  * is to make it as easy as possible to perform the above steps
  * securely.
@@ -427,7 +427,7 @@ function complete($current_url, $query=null)
             $loader->fromSession($endpoint_data);
 
         $message = Auth_OpenID_Message::fromPostArgs($query);
-        $response = $this->consumer->complete($message, $endpoint, 
+        $response = $this->consumer->complete($message, $endpoint,
                                               $current_url);
         $this->session->del($this->_token_key);
 
@@ -616,6 +616,9 @@ function Auth_OpenID_GenericConsumer($store)
         $this->store = $store;
         $this->negotiator = Auth_OpenID_getDefaultNegotiator();
         $this->_use_assocs = (is_null($this->store) ? false : true);
+        if (get_class($this->store) == "Auth_OpenID_DumbStore") {
+            $this->_use_assocs = false;
+        }
 
         $this->fetcher = Auth_Yadis_Yadis::getHTTPFetcher();
 
@@ -666,7 +669,7 @@ function complete($message, $endpoint, $return_to)
                                         '_completeInvalid');
 
         return call_user_func_array(array($this, $method),
-                                    array($message, &$endpoint, $return_to));
+                                    array($message, $endpoint, $return_to));
     }
 
     /**
@@ -957,6 +960,10 @@ function _idResCheckSignature($message, $server_url)
             }
 
             if (!$assoc->checkMessageSignature($message)) {
+                // If we get a "bad signature" here, it means that the association
+                // is unrecoverabley corrupted in some way. Any futher attempts
+                // to login with this association is likely to fail. Drop it.
+                $this->store->removeAssociation($server_url, $assoc_handle);
                 return new Auth_OpenID_FailureResponse(null,
                                                        "Bad signature");
             }
@@ -1179,9 +1186,11 @@ function _verifyDiscoveryResultsOpenID2($message, $endpoint)
     function _discoverAndVerify($claimed_id, $to_match_endpoints)
     {
         // oidutil.log('Performing discovery on %s' % (claimed_id,))
-        list($unused, $services) = call_user_func($this->discoverMethod,
-                                                  $claimed_id,
-												  &$this->fetcher);
+        list($unused, $services) = call_user_func_array($this->discoverMethod,
+                                                        array(
+                                                            $claimed_id,
+                                                            $this->fetcher,
+                                                        ));
 
         if (!$services) {
             return new Auth_OpenID_FailureResponse(null,
@@ -1196,15 +1205,15 @@ function _discoverAndVerify($claimed_id, $to_match_endpoints)
     /**
      * @access private
      */
-    function _verifyDiscoveryServices($claimed_id, 
+    function _verifyDiscoveryServices($claimed_id,
                                       $services, $to_match_endpoints)
     {
         // Search the services resulting from discovery to find one
         // that matches the information from the assertion
 
         foreach ($services as $endpoint) {
             foreach ($to_match_endpoints as $to_match_endpoint) {
-                $result = $this->_verifyDiscoverySingle($endpoint, 
+                $result = $this->_verifyDiscoverySingle($endpoint,
                                                         $to_match_endpoint);
 
                 if (!Auth_OpenID::isFailure($result)) {
@@ -1362,7 +1371,7 @@ function _createCheckAuthRequest($message)
             }
         }
         $ca_message = $message->copy();
-        $ca_message->setArg(Auth_OpenID_OPENID_NS, 'mode', 
+        $ca_message->setArg(Auth_OpenID_OPENID_NS, 'mode',
                             'check_authentication');
         return $ca_message;
     }
@@ -1600,7 +1609,7 @@ function _extractAssociation($assoc_response, $assoc_session)
 
         $expires_in = Auth_OpenID::intval($expires_in_str);
         if ($expires_in === false) {
-            
+
             $err = sprintf("Could not parse expires_in from association ".
                            "response %s", print_r($assoc_response, true));
             return new Auth_OpenID_FailureResponse(null, $err);
@@ -1947,7 +1956,7 @@ function formMarkup($realm, $return_to=null, $immediate=false,
     function htmlMarkup($realm, $return_to=null, $immediate=false,
                         $form_tag_attrs=null)
     {
-        $form = $this->formMarkup($realm, $return_to, $immediate, 
+        $form = $this->formMarkup($realm, $return_to, $immediate,
                                   $form_tag_attrs);
 
         if (Auth_OpenID::isFailure($form)) {

diff --git a/extlib/Auth/OpenID/CryptUtil.php b/extlib/Auth/OpenID/CryptUtil.php
@@ -20,7 +20,7 @@
      * The filename for a source of random bytes. Define this yourself
      * if you have a different source of randomness.
      */
-        define('Auth_OpenID_RAND_SOURCE', '/dev/urandom');
+    define('Auth_OpenID_RAND_SOURCE', '/dev/urandom');
 }
 
 class Auth_OpenID_CryptUtil {
@@ -104,5 +104,19 @@ static function randomString($length, $population = null)
 
         return $str;
     }
+
+    static function constEq($s1, $s2)
+    {
+        if (strlen($s1) != strlen($s2)) {
+            return false;
+        }
+
+        $result = true;
+        $length = strlen($s1);
+        for ($i = 0; $i < $length; $i++) {
+            $result &= ($s1[$i] == $s2[$i]);
+        }
+        return $result;
+    }
 }
 
diff --git a/extlib/Auth/OpenID/Extension.php b/extlib/Auth/OpenID/Extension.php
@@ -39,7 +39,7 @@ function getExtensionArgs()
      *
      * Returns the message with the extension arguments added.
      */
-    function toMessage($message)
+    function toMessage($message, $request = null)
     {
         $implicit = $message->isOpenID1();
         $added = $message->namespaces->addAlias($this->ns_uri,
@@ -53,8 +53,13 @@ function toMessage($message)
             }
         }
 
-        $message->updateArgs($this->ns_uri,
-                             $this->getExtensionArgs());
+        if ($request !== null) {
+            $message->updateArgs($this->ns_uri,
+                                 $this->getExtensionArgs($request));
+        } else {
+            $message->updateArgs($this->ns_uri,
+                                 $this->getExtensionArgs());
+        }
         return $message;
     }
 }

diff --git a/extlib/Auth/OpenID/FileStore.php b/extlib/Auth/OpenID/FileStore.php
@@ -300,13 +300,22 @@ function _getAssociation($filename)
             return null;
         }
 
+        if (file_exists($filename) !== true) {
+            return null;
+        }
+
         $assoc_file = @fopen($filename, 'rb');
 
         if ($assoc_file === false) {
             return null;
         }
 
-        $assoc_s = fread($assoc_file, filesize($filename));
+        $filesize = filesize($filename);
+        if ($filesize === false || $filesize <= 0) {
+            return null;
+        }
+
+        $assoc_s = fread($assoc_file, $filesize);
         fclose($assoc_file);
 
         if (!$assoc_s) {
@@ -473,7 +482,7 @@ function _rmtree($dir)
         }
 
         if ($handle = opendir($dir)) {
-            while ($item = readdir($handle)) {
+            while (false !== ($item = readdir($handle))) {
                 if (!in_array($item, array('.', '..'))) {
                     if (is_dir($dir . $item)) {
 

diff --git a/extlib/Auth/OpenID/HMAC.php b/extlib/Auth/OpenID/HMAC.php
@@ -60,6 +60,13 @@ function Auth_OpenID_HMACSHA1($key, $text)
         $key = Auth_OpenID_SHA1($key, true);
     }
 
+    if (function_exists('hash_hmac') &&
+        function_exists('hash_algos') &&
+        (in_array('sha1', hash_algos()))) {
+        return hash_hmac('sha1', $text, $key, true);
+    }
+    // Home-made solution
+
     $key = str_pad($key, Auth_OpenID_SHA1_BLOCKSIZE, chr(0x00));
     $ipad = str_repeat(chr(0x36), Auth_OpenID_SHA1_BLOCKSIZE);
     $opad = str_repeat(chr(0x5c), Auth_OpenID_SHA1_BLOCKSIZE);

diff --git a/extlib/Auth/OpenID/Message.php b/extlib/Auth/OpenID/Message.php
@@ -675,7 +675,7 @@ function toFormMarkup($action_url, $form_tag_attrs = null,
 
         if ($form_tag_attrs) {
             foreach ($form_tag_attrs as $name => $attr) {
-                $form .= sprintf(" %s=\"%s\"", $name, $attr);
+                $form .= sprintf(" %s=\"%s\"", $name, htmlspecialchars($attr));
             }
         }
 
@@ -684,11 +684,11 @@ function toFormMarkup($action_url, $form_tag_attrs = null,
         foreach ($this->toPostArgs() as $name => $value) {
             $form .= sprintf(
                         "<input type=\"hidden\" name=\"%s\" value=\"%s\" />\n",
-                        $name, $value);
+                        htmlspecialchars($name), htmlspecialchars($value));
         }
 
         $form .= sprintf("<input type=\"submit\" value=\"%s\" />\n",
-                         $submit_text);
+                         htmlspecialchars($submit_text));
 
         $form .= "</form>\n";
 

diff --git a/extlib/Auth/OpenID/MySQLStore.php b/extlib/Auth/OpenID/MySQLStore.php
@@ -32,7 +32,7 @@ function setSQL()
 
         $this->sql['assoc_table'] =
             "CREATE TABLE %s (\n".
-            "  server_url BLOB NOT NULL,\n".
+            "  server_url VARCHAR(2047) NOT NULL,\n".
             "  handle VARCHAR(255) NOT NULL,\n".
             "  secret BLOB NOT NULL,\n".
             "  issued INTEGER NOT NULL,\n".

diff --git a/extlib/Auth/OpenID/Parse.php b/extlib/Auth/OpenID/Parse.php
@@ -219,15 +219,19 @@ function removeQuotes($str)
     function match($regexp, $text, &$match)
     {
         if (!is_callable('mb_ereg_search_init')) {
-            return preg_match($regexp, $text, $match);
+            if (!preg_match($regexp, $text, $match)) {
+                return false;
+            }
+            $match = $match[0];
+            return true;
         }
 
         $regexp = substr($regexp, 1, strlen($regexp) - 2 - strlen($this->_re_flags));
         mb_ereg_search_init($text);
         if (!mb_ereg_search($regexp)) {
             return false;
         }
-        list($match) = mb_ereg_search_getregs();
+        $match = mb_ereg_search_getregs();
         return true;
     }
 
@@ -269,7 +273,7 @@ function parseLinkAttrs($html)
 
         // Try to find the <HEAD> tag.
         $head_re = $this->headFind();
-        $head_match = '';
+        $head_match = array();
         if (!$this->match($head_re, $stripped, $head_match)) {
                      ini_set( 'pcre.backtrack_limit', $old_btlimit );
                      return array();
@@ -278,7 +282,7 @@ function parseLinkAttrs($html)
         $link_data = array();
         $link_matches = array();
 
-        if (!preg_match_all($this->_link_find, $head_match,
+        if (!preg_match_all($this->_link_find, $head_match[0],
                             $link_matches)) {
             ini_set( 'pcre.backtrack_limit', $old_btlimit );
             return array();

diff --git a/extlib/Auth/OpenID/SQLStore.php b/extlib/Auth/OpenID/SQLStore.php
@@ -166,7 +166,7 @@ function tableExists($table_name)
      */
     function isError($value)
     {
-        return PEAR::isError($value);
+        return @PEAR::isError($value);
     }
 
     /**

diff --git a/extlib/Auth/OpenID/Server.php b/extlib/Auth/OpenID/Server.php
@@ -817,11 +817,11 @@ function equals($other)
      */
     function returnToVerified()
     {
-    	$fetcher = Auth_Yadis_Yadis::getHTTPFetcher();
+        $fetcher = Auth_Yadis_Yadis::getHTTPFetcher();
         return call_user_func_array($this->verifyReturnTo,
                                     array($this->trust_root, $this->return_to, $fetcher));
     }
-    
+
     static function fromMessage($message, $server)
     {
         $mode = $message->getArg(Auth_OpenID_OPENID_NS, 'mode');
@@ -1704,7 +1704,7 @@ function handleRequest($request)
     {
         if (method_exists($this, "openid_" . $request->mode)) {
             $handler = array($this, "openid_" . $request->mode);
-            return call_user_func($handler, &$request);
+            return call_user_func_array($handler, array($request));
         }
         return null;
     }

diff --git a/extlib/Auth/OpenID/TrustRoot.php b/extlib/Auth/OpenID/TrustRoot.php
@@ -210,7 +210,7 @@ static function isSane($trust_root)
         if ($parts['host'] == 'localhost') {
             return true;
         }
-        
+
         $host_parts = explode('.', $parts['host']);
         if ($parts['wildcard']) {
             // Remove the empty string from the beginning of the array
@@ -413,7 +413,7 @@ function Auth_OpenID_getAllowedReturnURLs($relying_party_url, $fetcher,
     }
 
     call_user_func_array($discover_function,
-                         array($relying_party_url, &$fetcher));
+                         array($relying_party_url, $fetcher));
 
     $return_to_urls = array();
     $matching_endpoints = Auth_OpenID_extractReturnURL($endpoints);