
Authentication: Add auth_openid_allowed_providers configuration setting to limit openid providers

Fix GHSA-rp2w-g734-jf8h
AngelFQC committed Oct 10, 2024

AngelFQC Angel Fernando Quiroz Campos
1 parent 252da36 commit 79f2e8b
Showing 3 changed files with 41 additions and 3 deletions.
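--- a/main/auth/openid/login.php
+++ b/main/auth/openid/login.php
@@ -461,3 +461,30 @@ function openid_http_request($url, $headers = array(), $method = 'GET', $data =
 $result->code = $code;
 return $result;
 }
+
+function openid_is_allowed_provider($identityUrl): bool
+{
+$allowedProviders = api_get_configuration_value('auth_openid_allowed_providers');
+
+if (false === $allowedProviders) {
+return true;
+}
+
+$host = parse_url($identityUrl, PHP_URL_HOST) ?: $identityUrl;
+
+foreach ($allowedProviders as $provider) {
+if (strpos($provider, '*') !== false) {
+$regex = '/^' . str_replace('\*', '.*', preg_quote($provider, '/')) . '$/';
+
+if (preg_match($regex, $host)) {
+return true;
+}
+} else {
+if ($host === $provider) {
+return true;
+}
+}
+}
+
+return false;
+}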
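Review bot: The host comparison in openid_is_allowed_provider is case-sensitive while DNS names are not, so an identity URL written as `Example.com` is refused against an allow-list entry of `example.com` — it fails closed, but will be reported to operators as a misconfiguration; normalise both sides with `$host = strtolower(parse_url($identityUrl, PHP_URL_HOST) ?: $identityUrl);`, compare against `strtolower($provider)`, and give the wildcard pattern the `i` modifier (`'$/i'`). The loop also assumes the configuration value is an array — a scalar set by mistake makes `foreach` emit a warning and fall through to `return false`; making that explicit with `if (!is_array($allowedProviders)) { return false; }` after the `false` check keeps the behaviour fail-closed without the warning, and a short docblock should say that an absent setting keeps the historical allow-everything behaviour. The docblock should also state that the check gates the host of the user-supplied identifier, not the endpoint that openid_begin later discovers; whether that endpoint needs its own check depends on openid_begin, which is outside this hunk.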
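--- a/main/inc/local.inc.php
+++ b/main/inc/local.inc.php
@@ -975,9 +975,14 @@
 $openidForm = openid_form();
 if ($openidForm->validate() && $openidForm->isSubmitted()) {
 $openidUrl = $openidForm->exportValue('openid_url');
-openid_begin($openidUrl, api_get_path(WEB_PATH).'index.php');
-//this last function should trigger a redirect, so we can die here safely
-exit('Openid login redirection should be in progress');
+
+if (openid_is_allowed_provider($openidUrl)) {
+openid_begin($openidUrl, api_get_path(WEB_PATH).'index.php');
+//this last function should trigger a redirect, so we can die here safely
+exit('Openid login redirection should be in progress');
+} else {
+$loginFailed = true;
+}
 } elseif (!empty($_GET['openid_identity'])) { //it's usual for PHP to replace '.' (dot) by '_' (underscore) in URL parameters
 $res = openid_complete($_GET);
 if ($res['status'] == 'success') {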
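Review bot: The refused branch at `$loginFailed = true;` leaves no trace of why the login was rejected, so an attempt against a provider outside `auth_openid_allowed_providers` is indistinguishable in the logs from an ordinary failed login; a line such as `error_log('OpenID login refused: provider not in auth_openid_allowed_providers');` (or the project's own logging helper, if one exists) would make the new policy observable to operators. The `else` is also redundant because the allowed branch ends in `exit()`, so `$loginFailed = true;` can follow the `if` block directly. The `if`/`elseif` chain this sits in continues past the end of the hunk.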
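--- a/main/install/configuration.dist.php
+++ b/main/install/configuration.dist.php
@@ -2260,6 +2260,12 @@
 // Salt to use for admin ldap password decryption
 //$_configuration['ldap_admin_password_salt'] = 'salt';
 
+// Limit providers for OpenID (classic) authentication
+/*$_configuration['auth_openid_allowed_providers'] = [
+'example.com',
+'*.example.com',
+];*/
+
 // Option to hide the teachers info on courses about info page.
 //$_configuration['course_about_teacher_name_hide'] = false;
 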
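Review bot: The sample comment for `auth_openid_allowed_providers` does not say what the entries are matched against or what the default is when the block stays commented out, which is exactly what an administrator needs to judge the exposure. I would extend it to: `// Limit providers for OpenID (classic) authentication. Entries are matched against the host name of the identity URL; '*' stands for any run of characters, so '*.example.com' also accepts deeper subdomains but not the bare 'example.com'. When this setting is absent, every provider is accepted.`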