From 5f32f0a47174d8e5fb8e301c265d772be72b5c72 Mon Sep 17 00:00:00 2001
From: Helmut Hummel <helmut.hummel@typo3.org>
Date: Tue, 10 Dec 2013 10:54:48 +0100
Subject: [PATCH] [SECURITY] Fix open redirection in openid extension

The eID script of the openid extension does not
validate the given redirect url, leading to
an open redirection vulnerability.

Add and verify hmac of the redirect url.

Change-Id: I0d65390b61dd5cf92151d36e490a194624b98b8f
Fixes: #54099
Releases: 6.2, 6.1, 6.0, 4.7, 4.5
Security-Commit: 5c6a45c0f843a93ab048a3df4bb352b8e02099b2
Security-Bulletin: TYPO3-CORE-SA-2013-004
Reviewed-on: https://review.typo3.org/26220
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader
---
 typo3/sysext/openid/Classes/OpenidEid.php     | 17 ++++++++++++++++-
 typo3/sysext/openid/Classes/OpenidService.php | 13 +++++--------
 2 files changed, 21 insertions(+), 9 deletions(-)

diff --git a/typo3/sysext/openid/Classes/OpenidEid.php b/typo3/sysext/openid/Classes/OpenidEid.php
index e53ace1ee57f..c810c4e2f5a7 100644
--- a/typo3/sysext/openid/Classes/OpenidEid.php
+++ b/typo3/sysext/openid/Classes/OpenidEid.php
@@ -23,6 +23,10 @@ namespace TYPO3\CMS\Openid;
  *
  *  This copyright notice MUST APPEAR in all copies of the script!
  ***************************************************************/
+
+use TYPO3\CMS\Core\Utility\GeneralUtility;
+use TYPO3\CMS\Core\Utility\HttpUtility;
+
 /**
  * This class is the OpenID return script for the TYPO3 Frontend.
  *
@@ -46,7 +50,18 @@ class OpenidEid {
 		\TYPO3\CMS\Frontend\Utility\EidUtility::initFeUser();
 		// Redirect to the original location in any case (authenticated or not)
 		@ob_end_clean();
-		\TYPO3\CMS\Core\Utility\HttpUtility::redirect(\TYPO3\CMS\Core\Utility\GeneralUtility::_GP('tx_openid_location'), \TYPO3\CMS\Core\Utility\HttpUtility::HTTP_STATUS_303);
+		if ($this->getSignature(GeneralUtility::_GP('tx_openid_location')) === GeneralUtility::_GP('tx_openid_location_signature')) {
+			HttpUtility::redirect(GeneralUtility::_GP('tx_openid_location'), HttpUtility::HTTP_STATUS_303);
+		}
 	}
 
+	/**
+	 * Signs a GET parameter.
+	 *
+	 * @param string $parameter
+	 * @return string
+	 */
+	protected function getSignature($parameter) {
+		return GeneralUtility::hmac($parameter, 'openid');
+	}
 }
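Review bot: When the signature comparison in the added `if` fails, the method simply falls through after `@ob_end_clean()`, so the browser gets an empty 200 response with no indication that the redirect was refused; a defined failure path such as `HttpUtility::setResponseCode(HttpUtility::HTTP_STATUS_403);` (or a redirect to the site root) would make the rejection visible to the user and to whoever reads the access logs. The check uses `===`, which is not a constant-time comparison; where the supported PHP range offers it, `hash_equals()` is the safer choice, though the 4.5/4.7 branches named in the Releases trailer likely predate it. The HMAC here is keyed with the literal `'openid'` while the service side uses `$this->extKey`, and the two must produce identical values for the check to ever pass; a comment on getSignature such as `// Must stay in sync with OpenidService::getSignature()` would make that coupling explicit. The enclosing method of the first part of this hunk starts before the hunk.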
diff --git a/typo3/sysext/openid/Classes/OpenidService.php b/typo3/sysext/openid/Classes/OpenidService.php
index f219cdb53d28..081c8a45478c 100644
--- a/typo3/sysext/openid/Classes/OpenidService.php
+++ b/typo3/sysext/openid/Classes/OpenidService.php
@@ -422,21 +422,18 @@ class OpenidService extends \TYPO3\CMS\Core\Service\AbstractService {
 		} else {
 			$requestURL = GeneralUtility::getIndpEnv('TYPO3_REQUEST_URL');
 		}
-		$returnURL .= 'tx_openid_location=' . rawurlencode($requestURL) . '&' . 'tx_openid_mode=finish&' . 'tx_openid_claimed=' . rawurlencode($claimedIdentifier) . '&' . 'tx_openid_signature=' . $this->getSignature($claimedIdentifier);
+		$returnURL .= 'tx_openid_location=' . rawurlencode($requestURL) . '&tx_openid_location_signature=' . $this->getSignature($requestURL) . '&tx_openid_mode=finish&tx_openid_claimed=' . rawurlencode($claimedIdentifier) . '&tx_openid_signature=' . $this->getSignature($claimedIdentifier);
 		return GeneralUtility::locationHeaderUrl($returnURL);
 	}
 
 	/**
-	 * Signs claimed id.
+	 * Signs a GET parameter.
 	 *
-	 * @param string $claimedIdentifier
+	 * @param string $parameter
 	 * @return string
 	 */
-	protected function getSignature($claimedIdentifier) {
-		return GeneralUtility::hmac(
-			implode('/', array($claimedIdentifier, strval(strlen($claimedIdentifier)))),
-			$this->extKey
-		);
+	protected function getSignature($parameter) {
+		return GeneralUtility::hmac($parameter, $this->extKey);
 	}
 
 	/**
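Review bot: The rewritten getSignature drops the `'/' . strlen(...)` suffix from the signed message, so `tx_openid_signature` values issued before this change will no longer verify wherever that check is performed (outside this hunk), and any OpenID login that is mid-round-trip when the update is deployed will fail; that is an acceptable trade-off for a security fix but deserves a sentence in the commit message or a short comment on the method. Because `tx_openid_location_signature` and `tx_openid_signature` are now both plain `hmac($value, $this->extKey)` with the same key, a signature issued for one parameter is also valid for the other; binding the parameter name into the message, e.g. `return GeneralUtility::hmac($name . '|' . $parameter, $this->extKey);` with the matching change in OpenidEid, would give the two uses domain separation. The method that builds `$returnURL` at the top of the hunk starts before the hunk.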
-- 
GitLab