Author: lindner
Date: Wed Apr 28 18:50:40 2010
New Revision: 939052

URL: http://svn.apache.org/viewvc?rev=939052&view=rev
Log:
SHINDIG-1316 | Patch from Evgeny Bogdanov | Security token parsing breaks when 
url contains ':'

Modified:
    shindig/trunk/php/src/common/sample/BasicBlobCrypter.php
    shindig/trunk/php/src/common/sample/BasicSecurityTokenDecoder.php
    shindig/trunk/php/src/gadgets/GadgetContext.php
    shindig/trunk/php/src/gadgets/MetadataHandler.php
    shindig/trunk/php/src/social/servlet/ApiServlet.php
    shindig/trunk/php/test/common/BasicBlobCrypterTest.php

Modified: shindig/trunk/php/src/common/sample/BasicBlobCrypter.php
URL: 
http://svn.apache.org/viewvc/shindig/trunk/php/src/common/sample/BasicBlobCrypter.php?rev=939052&r1=939051&r2=939052&view=diff
==============================================================================
--- shindig/trunk/php/src/common/sample/BasicBlobCrypter.php (original)
+++ shindig/trunk/php/src/common/sample/BasicBlobCrypter.php Wed Apr 28 
18:50:40 2010
@@ -83,8 +83,9 @@ class BasicBlobCrypter extends BlobCrypt
    */
   public function unwrap($in, $maxAgeSec) {
     //TODO remove this once we have a better way to generate a fake token in 
the example files
-    if ($this->allowPlaintextToken && count(explode(':', $in)) == 7) {
-      $data = explode(":", $in);
+    if ($this->allowPlaintextToken && count(explode(':', $in)) >= 7) {
+      //Parses the security token in the form st=o:v:a:d:u:m:c
+      $data = $this->parseToken($in);
       $out = array();
       $out['o'] = $data[0];
       $out['v'] = $data[1];
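Review bot: The plaintext branch still decides on the colon count alone; after the change to `>= 7` any string with six or more colons is parsed positionally once `allowPlaintextToken` is on, and the rejoined fourth field is stored as `$out['u']` without being looked at. A cheap sanity check on that field after parsing, e.g. `if (filter_var($data[4], FILTER_VALIDATE_URL) === false) { /* reject as an invalid token */ }`, would keep a malformed plaintext token from passing through as a valid one; what unwrap throws for a bad token is outside the hunk, so reuse that path. The condition also explodes `$in` once and parseToken explodes it again; passing the already-split array would avoid the double work. unwrap's body continues outside the hunk.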
@@ -113,6 +114,22 @@ class BasicBlobCrypter extends BlobCrypt
     return $out;
   }
 
+  /**
+   * {...@inheritdoc}
+   *
+   * Parses the security token
+   */
+  private function parseToken($stringToken) {
+    $data = explode(":", $stringToken);
+       $url_number = count($data)-6;
+
+       //get array elements conrresponding to broken url - 
http://host:port/gadget.xml -> ["http","//host","port/gadget.xml"]
+       $url_array = array_slice($data,4,$url_number) ;
+       $url = implode(":",$url_array);
+       array_splice($data,4,$url_number,$url);
+    return $data;
+  }
+
   private function deserialize($plain) {
     $map = array();
     parse_str($plain, $map);
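Review bot: The `{...@inheritdoc}` tag on `parseToken` has nothing to inherit — the method is private and new — so the docblock should instead state the contract: the input is the raw `o:v:a:d:u:m:c` string, every segment between index 4 and the last two is rejoined with `:` because only the url field may contain colons, and the caller must have verified at least seven segments. That last assumption is not enforced here; with fewer than seven segments `$url_number` is zero or negative and `array_slice`/`array_splice` behave unexpectedly, so a guard such as `if (count($data) < 7) { return $data; }` keeps the method safe to call on its own. The same method is pasted verbatim into BasicSecurityTokenDecoder in this commit; one shared implementation would avoid the two copies drifting. The body also mixes tab and space indentation and the comment misspells "corresponding".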

Modified: shindig/trunk/php/src/common/sample/BasicSecurityTokenDecoder.php
URL: 
http://svn.apache.org/viewvc/shindig/trunk/php/src/common/sample/BasicSecurityTokenDecoder.php?rev=939052&r1=939051&r2=939052&view=diff
==============================================================================
--- shindig/trunk/php/src/common/sample/BasicSecurityTokenDecoder.php (original)
+++ shindig/trunk/php/src/common/sample/BasicSecurityTokenDecoder.php Wed Apr 
28 18:50:40 2010
@@ -40,8 +40,10 @@ class BasicSecurityTokenDecoder extends 
     try {
       //TODO remove this once we have a better way to generate a fake token
       // in the example files
-      if (Config::get('allow_plaintext_token') && count(explode(':', 
$stringToken)) == 7) {
-        $tokens = explode(":", $stringToken);
+      if (Config::get('allow_plaintext_token') && count(explode(':', 
$stringToken)) >= 7) {
+       //Parses the security token in the form st=o:v:a:d:u:m:c
+           $tokens = $this->parseToken($stringToken);
+           
         return new BasicSecurityToken(null, null, 
urldecode($tokens[$this->OWNER_INDEX]), 
urldecode($tokens[$this->VIEWER_INDEX]), 
urldecode($tokens[$this->APP_ID_INDEX]), 
urldecode($tokens[$this->DOMAIN_INDEX]), 
urldecode($tokens[$this->APP_URL_INDEX]), 
urldecode($tokens[$this->MODULE_ID_INDEX]), 
urldecode($tokens[$this->CONTAINER_INDEX]));
       } else {
         return BasicSecurityToken::createFromToken($stringToken, 
Config::get('token_max_age'));
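Review bot: The three added lines use tab indentation and the last of them is whitespace only, while the surrounding file is space-indented; `        $tokens = $this->parseToken($stringToken);` on two-space steps matches the rest of the method. The `//Parses the security token in the form st=o:v:a:d:u:m:c` comment would be more useful as part of parseToken's docblock than repeated at each call site. The enclosing try block and its catch continue outside the hunk.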
@@ -50,4 +52,21 @@ class BasicSecurityTokenDecoder extends 
       throw new GadgetException('INVALID_GADGET_TOKEN');
     }
   }
+
+  /**
+   * {...@inheritdoc}
+   *
+   * Parses the security token
+   */
+  private function parseToken($stringToken) {
+    $data = explode(":", $stringToken);
+       $url_number = count($data)-6;
+
+       //get array elements conrresponding to broken url - 
http://host:port/gadget.xml -> ["http","//host","port/gadget.xml"]
+       $url_array = array_slice($data,4,$url_number) ;
+       $url = implode(":",$url_array);
+       array_splice($data,4,$url_number,$url);
+    return $data;
+  }
+
 }

Modified: shindig/trunk/php/src/gadgets/GadgetContext.php
URL: 
http://svn.apache.org/viewvc/shindig/trunk/php/src/gadgets/GadgetContext.php?rev=939052&r1=939051&r2=939052&view=diff
==============================================================================
--- shindig/trunk/php/src/gadgets/GadgetContext.php (original)
+++ shindig/trunk/php/src/gadgets/GadgetContext.php Wed Apr 28 18:50:40 2010
@@ -284,7 +284,7 @@ class GadgetContext {
    * @return SecurityToken An object representation of the token data.
    */
   public function validateToken($token, $signer) {
-    if (count(explode(':', $token)) != 7) {
+    if (count(explode(':', $token)) < 7) {
       $token = urldecode(base64_decode($token));
     }
     if (empty($token)) {
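Review bot: The plaintext-token heuristic `count(explode(':', $token)) < 7` is now written out in three places — here, in MetadataHandler and in ApiServlet — and this commit had to touch all three to change one operator. A small shared helper returning that boolean, with a comment such as `// a base64-encoded token never contains ':'; seven or more segments means a plaintext o:v:a:d:u:m:c token`, would keep the rule in one place and document why the count is the discriminator. validateToken continues outside the hunk.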

Modified: shindig/trunk/php/src/gadgets/MetadataHandler.php
URL: 
http://svn.apache.org/viewvc/shindig/trunk/php/src/gadgets/MetadataHandler.php?rev=939052&r1=939051&r2=939052&view=diff
==============================================================================
--- shindig/trunk/php/src/gadgets/MetadataHandler.php (original)
+++ shindig/trunk/php/src/gadgets/MetadataHandler.php Wed Apr 28 18:50:40 2010
@@ -53,7 +53,7 @@ class MetadataHandler {
         return null;
       }
     }
-    if (count(explode(':', $token)) != 7) {
+    if (count(explode(':', $token)) < 7) {
       $token = urldecode(base64_decode($token));
     }
     $gadgetSigner = Config::get('security_token_signer');

Modified: shindig/trunk/php/src/social/servlet/ApiServlet.php
URL: 
http://svn.apache.org/viewvc/shindig/trunk/php/src/social/servlet/ApiServlet.php?rev=939052&r1=939051&r2=939052&view=diff
==============================================================================
--- shindig/trunk/php/src/social/servlet/ApiServlet.php (original)
+++ shindig/trunk/php/src/social/servlet/ApiServlet.php Wed Apr 28 18:50:40 2010
@@ -131,7 +131,7 @@ abstract class ApiServlet extends HttpSe
         return null;
       }
     }
-    if (count(explode(':', $token)) != 7) {
+    if (count(explode(':', $token)) < 7) {
       $token = urldecode(base64_decode($token));
     }
     $gadgetSigner = Config::get('security_token_signer');

Modified: shindig/trunk/php/test/common/BasicBlobCrypterTest.php
URL: 
http://svn.apache.org/viewvc/shindig/trunk/php/test/common/BasicBlobCrypterTest.php?rev=939052&r1=939051&r2=939052&view=diff
==============================================================================
--- shindig/trunk/php/test/common/BasicBlobCrypterTest.php (original)
+++ shindig/trunk/php/test/common/BasicBlobCrypterTest.php Wed Apr 28 18:50:40 
2010
@@ -89,5 +89,19 @@ class BasicBlobCrypterTest extends PHPUn
     $this->BasicBlobCrypter->unwrap($wrapped, - 4000);
   }
 
+  /**
+   * Tests BasicBlobCrypter->unwrap() with plaintext token
+   */
+  public function testUnwrapPlaintextToken() {
+    $token = "o:v:a:d:http://host:80/gadget.xml:m:c";;
+    $unwrapped = $this->BasicBlobCrypter->unwrap($token, null);
+    $this->assertEquals($unwrapped['o'], 'o');
+    $this->assertEquals($unwrapped['v'], 'v');
+    $this->assertEquals($unwrapped['a'], 'a');
+    $this->assertEquals($unwrapped['d'], 'd');
+    $this->assertEquals($unwrapped['u'], 'http://host:80/gadget.xml');
+    $this->assertEquals($unwrapped['m'], 'm');
+  }
+
 }
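Review bot: The token line ends in a doubled semicolon, `$token = "o:v:a:d:http://host:80/gadget.xml:m:c";;`, which is an empty statement and reads as a typo. The test also stops at the module id and never asserts the container field the token carries; if unwrap populates it, `$this->assertEquals('c', $unwrapped['c']);` closes that gap. The assertions pass the expected value second, while PHPUnit's signature is `assertEquals($expected, $actual)`, so failure messages will be inverted. A second token whose url has no port would also confirm the old seven-segment case still parses.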
 

