|
@@ -159,7 +159,43 @@
|
159
|
159
|
return self::addArguments(false, $args);
|
160
|
160
|
}
|
161
|
161
|
|
162
|
|
- public static function getCurrentURL() {
|
|
162
|
+ public static function isValidReturnToURL($url) {
|
|
163
|
+ // 11.1: The URL scheme, authority, and path MUST be the same between the two URLs.
|
|
164
|
+ // Any query parameters that are present in the "openid.return_to" URL MUST
|
|
165
|
+ // also be present with the same values in the URL of the HTTP request the
|
|
166
|
+ // RP received.
|
|
167
|
+
|
|
168
|
+ $actual = parse_url(self::getCurrentURL(true));
|
|
169
|
+ $return = parse_url($url);
|
|
170
|
+
|
|
171
|
+ foreach (array('scheme', 'host', 'port', 'user', 'pass', 'path') as $part) {
|
|
172
|
+ if ($part == 'port') {
|
|
173
|
+ if (!isset($actual['port'])) { $actual['port'] = $actual['scheme'] == 'https' ? 443 : 80; }
|
|
174
|
+ if (!isset($return['port'])) { $return['port'] = $return['scheme'] == 'https' ? 443 : 80; }
|
|
175
|
+ }
|
|
176
|
+
|
|
177
|
+ if (isset($actual[$part]) ^ isset($return[$part])) {
|
|
178
|
+ // Present in one but not the other
|
|
179
|
+ return false;
|
|
180
|
+ } else if (isset($actual[$part]) && $actual[$part] != $return[$part]) {
|
|
181
|
+ // Present in both but different
|
|
182
|
+ return false;
|
|
183
|
+ }
|
|
184
|
+ }
|
|
185
|
+
|
|
186
|
+ parse_str($actual['query'], $actualVars);
|
|
187
|
+ parse_str($return['query'], $returnVars);
|
|
188
|
+
|
|
189
|
+ foreach ($returnVars as $key => $value) {
|
|
190
|
+ if (!isset($actualVars[$key]) || $actualVars[$key] != $value) {
|
|
191
|
+ return false;
|
|
192
|
+ }
|
|
193
|
+ }
|
|
194
|
+
|
|
195
|
+ return true;
|
|
196
|
+ }
|
|
197
|
+
|
|
198
|
+ public static function getCurrentURL($raw = false) {
|
163
|
199
|
$res = 'http';
|
164
|
200
|
|
165
|
201
|
if (isset($_SERVER['HTTPS'])) {
|
|
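Review bot: `parse_str($actual['query'], $actualVars);` and the `$return` line after it read the `query` element without checking it exists, so a current request or an `openid.return_to` value with no query string raises an undefined-index notice and hands null to `parse_str()`; use `parse_str(isset($actual['query']) ? $actual['query'] : '', $actualVars);` and the same form for `$return` (the surrounding code uses `array()`, so I avoided `??`). Because this method is a validation check, the loose `!=` in the `$part` comparison and in the query-value loop should be `!==`, so that numeric-looking path segments or parameter values are not compared numerically. `parse_url()` returns false for a seriously malformed URL, and the port branch then writes into and indexes that false before the scheme check finally rejects it; an explicit `if ($actual === false || $return === false) { return false; }` right after the two `parse_url()` calls makes the rejection deliberate and quiet. The closing brace of `getCurrentURL()` lies outside this hunk.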
@@ -168,14 +204,16 @@
|
168
|
204
|
|
169
|
205
|
$res .= '://' . $_SERVER['SERVER_NAME'];
|
170
|
206
|
|
171
|
|
- if ($_SERVER['SERVER_PORT'] != 80) {
|
|
207
|
+ if ($_SERVER['SERVER_PORT'] != (isset($_SERVER['HTTPS']) ? 443 : 80)) {
|
172
|
208
|
$res .= ':' . $_SERVER['SERVER_PORT'];
|
173
|
209
|
}
|
174
|
210
|
|
175
|
211
|
$url = $_SERVER['REQUEST_URI'];
|
176
|
212
|
|
177
|
|
- while (preg_match('/([\?&])openid[\._](.*?)=(.*?)(&|$)/', $url, $m)) {
|
178
|
|
- $url = str_replace($m[0], $m[1], $url);
|
|
213
|
+ if (!$raw) {
|
|
214
|
+ while (preg_match('/([\?&])openid[\._](.*?)=(.*?)(&|$)/', $url, $m)) {
|
|
215
|
+ $url = str_replace($m[0], $m[1], $url);
|
|
216
|
+ }
|
179
|
217
|
}
|
180
|
218
|
|
181
|
219
|
$url = preg_replace('/\??&*$/', '', $url);
|