Security: Fix SQL injection vulnerability by escaping assoc_handle in openid login

AngelFQC · AngelFQC · commit 613eb19a0fac · 2025-04-09T17:21:44.000-05:00
diff --git a/main/auth/openid/login.php b/main/auth/openid/login.php
@@ -298,10 +298,17 @@ function openid_verify_assertion($op_endpoint, $response) {
 
     //TODO
     $openid_association = Database::get_main_table(TABLE_MAIN_OPENID_ASSOCIATION);
-    $sql = sprintf("SELECT * FROM $openid_association WHERE assoc_handle = '%s'", $response['openid.assoc_handle']);
-    $res = Database::query($sql);
-    $association = Database::fetch_object($res);
-    if ($association && isset($association->session_type)) {
+    $association = Database::select(
+        '*',
+        $openid_association,
+        [
+            'where' => [
+                'assoc_handle = ?' => [$response['openid.assoc_handle']],
+            ]
+        ],
+        'first'
+    );
+    if ($association && isset($association['session_type'])) {
         $keys_to_sign = explode(',', $response['openid.signed']);
         $self_sig = _openid_signature($association, $response, $keys_to_sign);
         if ($self_sig == $response['openid.sig']) {
diff --git a/main/auth/openid/openid.lib.php b/main/auth/openid/openid.lib.php
@@ -201,14 +201,14 @@ function _openid_meta_httpequiv($equiv, $html) {
 
 /**
  * Sign certain keys in a message
- * @param $association - object loaded from openid_association or openid_server_association table
+ * @param $association - array loaded from openid_association or openid_server_association table
  *              - important fields are ->assoc_type and ->mac_key
  * @param $message_array - array of entire message about to be sent
  * @param $keys_to_sign - keys in the message to include in signature (without
  *  'openid.' appended)
  */
-function _openid_signature($association, $message_array, $keys_to_sign) {
-    $signature = '';
+function _openid_signature(array $association, $message_array, $keys_to_sign): string
+{
     $sign_data = array();
 
     foreach ($keys_to_sign as $key) {
@@ -218,7 +218,7 @@ function _openid_signature($association, $message_array, $keys_to_sign) {
     }
 
     $message = _openid_create_message($sign_data);
-    $secret = base64_decode($association->mac_key);
+    $secret = base64_decode($association['mac_key']);
     $signature = _openid_hmac($secret, $message);
 
     return base64_encode($signature);
