Auth_OpenID_GenericConsumer::_verifyReturnToArgs PHP Method

_verifyReturnToArgs() public method

public _verifyReturnToArgs ( $query )
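    /**
     * Verify that every query parameter embedded in the signed
     * openid.return_to URL is present in the response with an identical
     * value, and that every non-OpenID ("bare") argument in the response
     * also appears in the return_to URL.
     *
     * This is what ties extra response parameters to the signature: any
     * parameter that is not covered by the signed return_to is rejected.
     *
     * Note: the body uses no instance state; the page shows it being
     * invoked statically as Auth_OpenID_GenericConsumer::_verifyReturnToArgs(...).
     *
     * @param array $query the post/query arguments of the OpenID response
     * @return true|Auth_OpenID_FailureResponse true on success, otherwise a
     *   failure response describing the first mismatch found
     */
    function _verifyReturnToArgs($query)
    {
        $message = Auth_OpenID_Message::fromPostArgs($query);
        $return_to = $message->getArg(Auth_OpenID_OPENID_NS, 'return_to');
        if (Auth_OpenID::isFailure($return_to)) {
            return $return_to;
        }
        // XXX: this should be checked by _idResCheckForFields
        if (!$return_to) {
            return new Auth_OpenID_FailureResponse(null, "Response has no return_to");
        }

        $parsed_url = parse_url($return_to);
        // parse_url() returns false for a seriously malformed URL; handing
        // that to array_key_exists() is a TypeError on PHP 8, so reject it
        // explicitly instead.
        if ($parsed_url === false) {
            return new Auth_OpenID_FailureResponse(null, "return_to URL is malformed");
        }

        $q = array();
        if (array_key_exists('query', $parsed_url)) {
            $q = Auth_OpenID::parse_str($parsed_url['query']);
        }

        // Every parameter in the signed return_to must be echoed back
        // unchanged. Compare strictly: a loose `!=` treats numeric-looking
        // strings such as "1e3" and "1000" as equal.
        foreach ($q as $rt_key => $rt_value) {
            if (!array_key_exists($rt_key, $query)) {
                return new Auth_OpenID_FailureResponse(null, sprintf("return_to parameter %s absent from query", $rt_key));
            }
            $value = $query[$rt_key];
            if ($rt_value !== $value) {
                return new Auth_OpenID_FailureResponse(null, sprintf("parameter %s value %s does not match " . "return_to value %s", $rt_key, $value, $rt_value));
            }
        }

        // Make sure all non-OpenID arguments in the response are also in
        // the signed return_to. Strict comparison matters here too: when
        // the key is missing from $q, arrayGet() presumably yields null
        // (TODO confirm its default), and null == "" is true under loose
        // comparison, which would let an unsigned empty-valued argument
        // through.
        $bare_args = $message->getArgs(Auth_OpenID_BARE_NS);
        foreach ($bare_args as $key => $value) {
            if (Auth_OpenID::arrayGet($q, $key) !== $value) {
                return new Auth_OpenID_FailureResponse(null, sprintf("Parameter %s = %s not in return_to URL", $key, $value));
            }
        }
        return true;
    }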

Usage Example

Example #1
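 /**
  * Check an OpenID message's openid.return_to value against the
  * return_to URL supplied by the application.
  *
  * First the arguments embedded in openid.return_to are verified against
  * the message itself (Auth_OpenID_GenericConsumer::_verifyReturnToArgs),
  * then the scheme, host, port and path of the two normalised URLs must
  * match exactly. Query string and fragment are not compared here.
  *
  * @access private
  * @param Auth_OpenID_Message $message the OpenID response message
  * @param string $return_to the application's expected return_to URL
  * @return bool true on success, false on any mismatch or failure
  */
 function _checkReturnTo($message, $return_to)
 {
     // Check the openid.return_to args against args in the original message.
     $result = Auth_OpenID_GenericConsumer::_verifyReturnToArgs($message->toPostArgs());
     if (Auth_OpenID::isFailure($result)) {
         return false;
     }

     // Check the return_to base URL against the one in the message. The
     // failure check has to be on the value just read from the message;
     // the original tested the caller-supplied $return_to instead, so a
     // failure object could reach Auth_OpenID_urinorm() below.
     $msg_return_to = $message->getArg(Auth_OpenID_OPENID_NS, 'return_to');
     if (Auth_OpenID::isFailure($msg_return_to)) {
         // XXX log me
         return false;
     }

     $norm_return_to = Auth_OpenID_urinorm($return_to);
     $norm_msg_return_to = Auth_OpenID_urinorm($msg_return_to);
     // NOTE(review): urinorm() is assumed to return null for a URI it
     // cannot normalise — confirm; a null here can never match anyway.
     if ($norm_return_to === null || $norm_msg_return_to === null) {
         return false;
     }

     $return_to_parts = parse_url($norm_return_to);
     $msg_return_to_parts = parse_url($norm_msg_return_to);
     // parse_url() returns false for a seriously malformed URL; treat that
     // as a mismatch rather than letting array_key_exists() fail on it.
     if ($return_to_parts === false || $msg_return_to_parts === false) {
         return false;
     }

     // If port or path is absent from both URLs, add it so it compares
     // equal in the check below.
     foreach (array('port', 'path') as $optional) {
         if (!array_key_exists($optional, $return_to_parts) && !array_key_exists($optional, $msg_return_to_parts)) {
             $return_to_parts[$optional] = null;
             $msg_return_to_parts[$optional] = null;
         }
     }

     // The URL scheme, authority, and path MUST be the same between the
     // two URLs. A component present on only one side is a mismatch; a
     // URL with no scheme or host at all fails here as well.
     foreach (array('scheme', 'host', 'port', 'path') as $component) {
         if (!array_key_exists($component, $return_to_parts) || !array_key_exists($component, $msg_return_to_parts)) {
             return false;
         }
         // Strict comparison: parse_url() yields an int for port and
         // strings elsewhere, so no coercion is wanted.
         if ($return_to_parts[$component] !== $msg_return_to_parts[$component]) {
             return false;
         }
     }
     return true;
 }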