Merge branch '1.11.x' of github.com:chamilo/chamilo-lms into 1.11.x

1 year ago · 6482a4741f
parent 7118284fc6 43a9bd1fb8
commit 6482a4741f
5 changed files with 63 additions and 9 deletions
--- a/main/auth/openid/login.php
+++ b/main/auth/openid/login.php
@ -14,7 +14,7 @@
 require_once 'openid.lib.php';
 require_once 'xrds.lib.php';

-function openid_form()
+function openid_form(): FormValidator
 {
    $form = new FormValidator(
        'openid_login',
@ -25,8 +25,10 @@ function openid_form()
    );
    $form -> addElement('text', 'openid_url', array(get_lang('OpenIDURL'), Display::url(get_lang('OpenIDWhatIs'), 'main/auth/openid/whatis.php')), array('class' => 'openid_input'));
    $form -> addElement('button', 'submit', get_lang('Login'));
+    $form->applyFilter('openid_url', 'trim');
+    $form->protect();

-    return $form->returnForm();
+    return $form;
 }

 /**
@ -459,3 +461,30 @@ function openid_http_request($url, $headers = array(), $method = 'GET', $data =
    $result->code = $code;
    return $result;
 }
+
+function openid_is_allowed_provider($identityUrl): bool
+{
+    $allowedProviders = api_get_configuration_value('auth_openid_allowed_providers');
+
+    if (false === $allowedProviders) {
+        return true;
+    }
+
+    $host = parse_url($identityUrl, PHP_URL_HOST) ?: $identityUrl;
+
+    foreach ($allowedProviders as $provider) {
+        if (strpos($provider, '*') !== false) {
+            $regex = '/^' . str_replace('\*', '.*', preg_quote($provider, '/')) . '$/';
+
+            if (preg_match($regex, $host)) {
+                return true;
+            }
+        } else {
+            if ($host === $provider) {
+                return true;
+            }
+        }
+    }
+
+    return false;
+}
--- a/main/inc/lib/formvalidator/FormValidator.class.php
+++ b/main/inc/lib/formvalidator/FormValidator.class.php
@ -1106,6 +1106,7 @@ EOT;

        $this->addElement('html_editor', $name, $label, $attributes, $config);
        $this->applyFilter($name, 'trim');
+        $this->applyFilter($name, 'attr_on_filter');
        if ($required) {
            $this->addRule($name, get_lang('ThisFieldIsRequired'), 'required');
        }
@ -2097,3 +2098,15 @@ function plain_url_filter($html, $mode = NO_HTML)

    return kses_split($html, $allowed_html_fixed, ['http', 'https']);
 }
+
+/**
+ * Prevent execution of event handlers in HTML elements.
+ *
+ * @param string $html
+ * @return string
+ */
+function attr_on_filter($html) {
+    $prefix = uniqid('data-cke-').'-';
+
+    return preg_replace('/(\s)(on)/i', '$1'.$prefix.'$2', $html);
+}
--- a/main/inc/lib/template.lib.php
+++ b/main/inc/lib/template.lib.php
@ -1318,7 +1318,7 @@ class Template
        $html = $form->returnForm();
        if (api_get_setting('openid_authentication') == 'true') {
            include_once api_get_path(SYS_CODE_PATH).'auth/openid/login.php';
-            $html .= '<div>'.openid_form().'</div>';
+            $html .= '<div>'.openid_form()->returnForm().'</div>';
        }

        $pluginKeycloak = api_get_plugin_setting('keycloak', 'tool_enable') === 'true';
--- a/main/inc/local.inc.php
+++ b/main/inc/local.inc.php
@ -971,13 +971,19 @@ if (!empty($_SESSION['_user']['user_id']) && !($login || $logout)) {
            $osso->logout(); //redirects and exits
        }
    } elseif (api_get_setting('openid_authentication') == 'true') {
-        if (!empty($_POST['openid_url'])) {
        include api_get_path(SYS_CODE_PATH).'auth/openid/login.php';
-            openid_begin(trim($_POST['openid_url']), api_get_path(WEB_PATH).'index.php');
+        $openidForm = openid_form();
+        if ($openidForm->validate() && $openidForm->isSubmitted()) {
+            $openidUrl = $openidForm->exportValue('openid_url');
+
+            if (openid_is_allowed_provider($openidUrl)) {
+                openid_begin($openidUrl, api_get_path(WEB_PATH).'index.php');
                //this last function should trigger a redirect, so we can die here safely
                exit('Openid login redirection should be in progress');
+            } else {
+                $loginFailed = true;
+            }
        } elseif (!empty($_GET['openid_identity'])) { //it's usual for PHP to replace '.' (dot) by '_' (underscore) in URL parameters
-            include api_get_path(SYS_CODE_PATH).'auth/openid/login.php';
            $res = openid_complete($_GET);
            if ($res['status'] == 'success') {
                $id1 = Database::escape_string($res['openid.identity']);
--- a/main/install/configuration.dist.php
+++ b/main/install/configuration.dist.php
@ -2260,6 +2260,12 @@ VALUES (21, 13, 'send_notification_at_a_specific_date', 'Send notification at a
 // Salt to use for admin ldap password decryption
 //$_configuration['ldap_admin_password_salt'] = 'salt';

+// Limit providers for OpenID (classic) authentication
+/*$_configuration['auth_openid_allowed_providers'] = [
+    'example.com',
+    '*.example.com',
+];*/
+
 // Option to hide the teachers info on courses about info page.
 //$_configuration['course_about_teacher_name_hide'] = false;