core security update

modules/openid/openid.info

@@ -5,8 +5,8 @@ package = Core
 core = 7.x
 files[] = openid.test
 
-; Information added by Drupal.org packaging script on 2015-04-02
-version = "7.36"
+; Information added by Drupal.org packaging script on 2016-10-05
+version = "7.51"
 project = "drupal"
-datestamp = "1427943826"
+datestamp = "1475694174"
 

modules/openid/openid.module

@@ -365,14 +365,20 @@ function openid_complete($response = array()) {
             // to the OpenID Provider, we need to do discovery on the returned
             // identififer to make sure that the provider is authorized to
             // respond on behalf of this.
-            if ($response_claimed_id != $claimed_id) {
+            if ($response_claimed_id != $claimed_id || $response_claimed_id != $response['openid.identity']) {
               $discovery = openid_discovery($response['openid.claimed_id']);
+              $uris = array();
               if ($discovery && !empty($discovery['services'])) {
-                $uris = array();
                 foreach ($discovery['services'] as $discovered_service) {
-                  if (in_array('http://specs.openid.net/auth/2.0/server', $discovered_service['types']) || in_array('http://specs.openid.net/auth/2.0/signon', $discovered_service['types'])) {
-                    $uris[] = $discovered_service['uri'];
+                  if (!in_array('http://specs.openid.net/auth/2.0/server', $discovered_service['types']) && !in_array('http://specs.openid.net/auth/2.0/signon', $discovered_service['types'])) {
+                    continue;
                   }
+                  // The OP-Local Identifier (if different than the Claimed
+                  // Identifier) must be present in the XRDS document.
+                  if ($response_claimed_id != $response['openid.identity'] && (!isset($discovered_service['identity']) || $discovered_service['identity'] != $response['openid.identity'])) {
+                    continue;
+                  }
+                  $uris[] = $discovered_service['uri'];
                 }
               }
               if (!in_array($service['uri'], $uris)) {

modules/openid/openid.test

@@ -94,7 +94,7 @@ class OpenIDFunctionalTestCase extends OpenIDWebTestCase {
     $identity = url('openid-test/yadis/xrds/dummy-user', array('absolute' => TRUE, 'fragment' => $this->randomName()));
     // Tell openid_test.module to respond with this identifier. If the fragment
     // part is present in the identifier, it should be retained.
-    variable_set('openid_test_response', array('openid.claimed_id' => $identity));
+    variable_set('openid_test_response', array('openid.claimed_id' => $identity, 'openid.identity' => openid_normalize($identity)));
     $this->addIdentity(url('openid-test/yadis/xrds/server', array('absolute' => TRUE)), 2, 'http://specs.openid.net/auth/2.0/identifier_select', $identity);
     variable_set('openid_test_response', array());
 
@@ -680,11 +680,11 @@ class OpenIDTestCase extends DrupalWebTestCase {
    * Test _openid_dh_XXX_to_XXX() functions.
    */
   function testConversion() {
-    $this->assertEqual(_openid_dh_long_to_base64('12345678901234567890123456789012345678901234567890'), 'CHJ/Y2mq+DyhUCZ0evjH8ZbOPwrS', '_openid_dh_long_to_base64() returned expected result.');
-    $this->assertEqual(_openid_dh_base64_to_long('BsH/g8Nrpn2dtBSdu/sr1y8hxwyx'), '09876543210987654321098765432109876543210987654321', '_openid_dh_base64_to_long() returned expected result.');
+    $this->assertIdentical(_openid_dh_long_to_base64('12345678901234567890123456789012345678901234567890'), 'CHJ/Y2mq+DyhUCZ0evjH8ZbOPwrS', '_openid_dh_long_to_base64() returned expected result.');
+    $this->assertIdentical(_openid_dh_base64_to_long('BsH/g8Nrpn2dtBSdu/sr1y8hxwyx'), '9876543210987654321098765432109876543210987654321', '_openid_dh_base64_to_long() returned expected result.');
 
-    $this->assertEqual(_openid_dh_long_to_binary('12345678901234567890123456789012345678901234567890'), "\x08r\x7fci\xaa\xf8<\xa1P&tz\xf8\xc7\xf1\x96\xce?\x0a\xd2", '_openid_dh_long_to_binary() returned expected result.');
-    $this->assertEqual(_openid_dh_binary_to_long("\x06\xc1\xff\x83\xc3k\xa6}\x9d\xb4\x14\x9d\xbb\xfb+\xd7/!\xc7\x0c\xb1"), '09876543210987654321098765432109876543210987654321', '_openid_dh_binary_to_long() returned expected result.');
+    $this->assertIdentical(_openid_dh_long_to_binary('12345678901234567890123456789012345678901234567890'), "\x08r\x7fci\xaa\xf8<\xa1P&tz\xf8\xc7\xf1\x96\xce?\x0a\xd2", '_openid_dh_long_to_binary() returned expected result.');
+    $this->assertIdentical(_openid_dh_binary_to_long("\x06\xc1\xff\x83\xc3k\xa6}\x9d\xb4\x14\x9d\xbb\xfb+\xd7/!\xc7\x0c\xb1"), '9876543210987654321098765432109876543210987654321', '_openid_dh_binary_to_long() returned expected result.');
   }
 
   /**

modules/openid/tests/openid_test.info

@@ -6,8 +6,8 @@ core = 7.x
 dependencies[] = openid
 hidden = TRUE
 
-; Information added by Drupal.org packaging script on 2015-04-02
-version = "7.36"
+; Information added by Drupal.org packaging script on 2016-10-05
+version = "7.51"
 project = "drupal"
-datestamp = "1427943826"
+datestamp = "1475694174"
 

modules/openid/tests/openid_test.module

@@ -150,6 +150,7 @@ function openid_test_yadis_xrds() {
           <Service priority="20">
             <Type>http://specs.openid.net/auth/2.0/server</Type>
             <URI>' . url('openid-test/endpoint', array('absolute' => TRUE)) . '</URI>
+            <LocalID>' . url('openid-test/yadis/xrds/server', array('absolute' => TRUE)) . '</LocalID>
           </Service>';
     }
     elseif (arg(3) == 'delegate') {