security update core+modules

Bachir Soussi Chiadmi
2015-04-26 18:38:56 +02:00
parent 2f45ea820a
commit 7c96373038
1022 changed files with 30319 additions and 11259 deletions


@@ -787,7 +787,21 @@ function openid_authentication_request($claimed_id, $identity, $return_to = '',
$request = array_merge($request, module_invoke_all('openid', 'request', $request));
return $request;
// module_invoke_all() uses array_merge_recursive() which might return nested
// arrays if two or more modules alter a given parameter, resulting in an
// invalid request format. To ensure this doesn't happen, we flatten the returned
// value by taking the last entry in the array if an array is returned.
$flattened_request = array();
foreach ($request as $key => $value) {
if (is_array($value)) {
$flattened_request[$key] = end($value);
}
else {
$flattened_request[$key] = $value;
}
}
return $flattened_request;
}
/**
@@ -825,7 +839,7 @@ function openid_verify_assertion($service, $response) {
// direct verification: ignore the openid.assoc_handle, even if present.
// See http://openid.net/specs/openid-authentication-2_0.html#rfc.section.11.4.1
if (!empty($response['openid.assoc_handle']) && empty($response['openid.invalidate_handle'])) {
$association = db_query("SELECT * FROM {openid_association} WHERE assoc_handle = :assoc_handle", array(':assoc_handle' => $response['openid.assoc_handle']))->fetchObject();
$association = db_query("SELECT * FROM {openid_association} WHERE idp_endpoint_uri = :endpoint AND assoc_handle = :assoc_handle", array(':endpoint' => $service['uri'], ':assoc_handle' => $response['openid.assoc_handle']))->fetchObject();
}
if ($association && isset($association->session_type)) {
@@ -857,6 +871,7 @@ function openid_verify_assertion($service, $response) {
// database to avoid reusing it again on a subsequent authentication request.
// See http://openid.net/specs/openid-authentication-2_0.html#rfc.section.11.4.2.2
db_delete('openid_association')
->condition('idp_endpoint_uri', $service['uri'])
->condition('assoc_handle', $response['invalidate_handle'])
->execute();
}
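Review bot: The association lookup in the second hunk (openid_verify_assertion, the `WHERE idp_endpoint_uri = :endpoint AND assoc_handle = :assoc_handle` query) now carries the security-relevant constraint, yet no comment says why the endpoint is part of the key; the same holds for the added `->condition('idp_endpoint_uri', $service['uri'])` in the third hunk. I would add a comment above the query along the lines of `// Only use an association that was established with this provider endpoint; a handle stored for a different endpoint must not verify this response.` Both statements read `$service['uri']` without checking that it is set. From the visible lines a missing value looks like it would match no row and fall back to direct verification, but the rest of the function is outside the hunks, so that is worth confirming. A regression test that stores an association for one endpoint and presents its handle in a response for a different endpoint would pin the intended behaviour.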