diff --git a/includes/SSO_Helpers.php b/includes/SSO_Helpers.php
index e07b57b..e1aae56 100644
--- a/includes/SSO_Helpers.php
+++ b/includes/SSO_Helpers.php
@@ -17,7 +17,7 @@ class SSO_Helpers {
 /**
 * Generate an SSO token for a user.
 *
- * @param int $user_id
+ * @param int $user_id user id
 *
 * @return string
 */
@@ -25,11 +25,11 @@ public static function generateToken( $user_id ) {
 return base64_encode(
 implode(
 ':',
- [
+ array(
 $user_id,
 time(),
- wp_generate_password( 64, true, true )
- ]
+ wp_generate_password( 64, true, true ),
+ )
 )
 );
 }
@@ -126,8 +126,10 @@ public static function shouldThrottle() {
 /**
 * Trigger an SSO failure.
+ *
+ * @param string $error_type type of error
 */
- public static function triggerFailure() {
+ public static function triggerFailure( $error_type = '' ) {
 self::logFailure();
@@ -138,9 +140,19 @@ public static function triggerFailure() {
 do_action( 'newfold_sso_fail' );
- wp_safe_redirect( wp_login_url() );
+ if ( empty( $error_type ) ) {
+ wp_safe_redirect( wp_login_url() );
+ } else {
+ wp_safe_redirect(
+ add_query_arg(
+ array(
+ 'error' => $error_type,
+ ),
+ wp_login_url()
+ )
+ );
+ }
 exit;
-
 }
 /**
@@ -168,7 +180,6 @@ public static function triggerSuccess( \WP_User $user ) {
 wp_safe_redirect( $redirect );
 exit;
-
 }
 /**
@@ -206,7 +217,6 @@ public static function getSuccessUrl() {
 $url = add_query_arg( $key, $value, $url );
 }
 }
-
 }
 if ( ! $url ) {
@@ -248,8 +258,13 @@ public static function handleLogin( $token ) {
 exit;
 }
- self::triggerSuccess( self::getUserFromToken( $token ) );
-
+ $user = self::getUserFromToken( $token );
+ if ( $user ) {
+ if ( preg_match( "/['\"\\\\]/", $user->user_login ) ) {
+ self::triggerFailure( 'invalid_username' );
+ exit;
+ }
+ }
+ self::triggerSuccess( $user );
 }
-
 }
diff --git a/includes/SSO_Helpers_Legacy.php b/includes/SSO_Helpers_Legacy.php
index e87fcee..297e1a7 100644
--- a/includes/SSO_Helpers_Legacy.php
+++ b/includes/SSO_Helpers_Legacy.php
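Review bot: `$error_type` is written straight into the login URL's `error` query parameter in the @@ -138 hunk of includes/SSO_Helpers.php, but the docblock added in the @@ -126 hunk only says `type of error`; the value is only meaningful when the `login_message` handler in sso.php knows the key, so the docblock should say so: `@param string $error_type Optional error key appended to the login URL as ?error=...; mapped to a translated message by the 'login_message' handler in sso.php, unknown keys yield the generic message.` The two `wp_safe_redirect()` calls can be collapsed by building the URL first, `$url = empty( $error_type ) ? wp_login_url() : add_query_arg( 'error', $error_type, wp_login_url() );` followed by a single `wp_safe_redirect( $url );`. The body of triggerFailure begins before this hunk.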
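Review bot: When `getUserFromToken()` returns a falsy value, the new code in the @@ -248 hunk of includes/SSO_Helpers.php skips the `if ( $user )` block and still reaches `self::triggerSuccess( $user )`, whose parameter is typed `\WP_User` (visible in the @@ -168 hunk header), so the request dies with a TypeError instead of a clean failure redirect; add `if ( ! $user ) { self::triggerFailure(); }` before the `preg_match` check, after which the outer `if ( $user )` can go. The `exit;` after `self::triggerFailure( 'invalid_username' )` is unreachable because `triggerFailure()` exits itself (shown in the @@ -138 hunk); the same redundant `exit;` appears in the includes/SSO_Helpers_Legacy.php hunk. The two denylists also differ, `['\"\\\\]` here versus `['\"\\\\<]` in the legacy file, so a login name rejected by one path is accepted by the other; keep one pattern in a shared class constant so both paths enforce the same rule. handleLogin starts outside the hunk.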
@@ -38,6 +38,13 @@ public static function handleLegacyLogin( $nonce, $salt ) {
 exit;
 }
+ if ( $user ) {
+ if ( preg_match( "/['\"\\\\<]/", $user->user_login ) ) {
+ self::triggerFailure( 'invalid_username' );
+ exit;
+ }
+ }
+
 // Validate token
 $token = substr( base64_encode( hash( 'sha256', $nonce . $salt, false ) ), 0, 64 );
 $stored_token = get_transient( 'sso_token' );
diff --git a/sso.php b/sso.php
index b3bb91d..8018a4e 100644
--- a/sso.php
+++ b/sso.php
@@ -15,7 +15,7 @@ function () {
 add_action(
 'cli_init',
- function() {
+ function () {
 WP_CLI::add_command(
 'newfold sso',
 'NewFoldLabs\WP\Module\SSO\SSO_CLI',
@@ -28,13 +28,33 @@ function() {
 }
 );
-\add_action( 'init',
- function() {
- \load_plugin_textdomain(
+add_action(
+ 'init',
+ function () {
+ load_plugin_textdomain(
 'wp-module-sso',
 false,
 NFD_SSO_DIR . '/languages'
 );
- },
- 100
+ },
+ 100
+);
+
+add_action(
+ 'login_message',
+ function () {
+ $error = sanitize_key( $_GET['error'] ?? '' );
+ if ( ! empty( $error ) ) {
+ $message = '';
+ switch ( $error ) {
+ case 'invalid_username':
+ $message = __( 'SSO failed: username cannot contain invalid characters.', 'wp-module-sso' );
+ break;
+ default:
+ $message = __( 'An unknown error occurred. Please try again.', 'wp-module-sso' );
+ break;
+ }
+ return "
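Review bot: The new `preg_match` rejection in includes/SSO_Helpers_Legacy.php runs before the `// Validate token` step, so the redirect to `?error=invalid_username` is issued whether or not the caller presents a valid token; `$user` is resolved above the hunk, and if it comes from request input this answers a question about an account's login name for requests that would otherwise be rejected by the token check. Move the block below the `$stored_token` comparison so only a verified request can reach it; this also keeps the failure/throttle bookkeeping in `triggerFailure()` from being spent on unverified requests. The `exit;` after `self::triggerFailure( 'invalid_username' )` is redundant because `triggerFailure()` already exits. handleLegacyLogin starts outside the hunk.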
{$message}
"; + } + } );
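Review bot: The `login_message` callback added in the @@ -28 hunk of sso.php is attached to a filter but takes no argument and returns nothing when `$error` is empty, so on every ordinary login page the message other code placed there is replaced with null; accept and pass the value through with `function ( $message ) {` at the top and `return $message;` after the `if` block, and when an error is set append to `$message` rather than replacing it. The translated text is interpolated into HTML via `__()`; use `esc_html__()` so the output does not depend on the translation catalogue being safe markup. `add_filter( 'login_message', ... )` states the intent more clearly than `add_action`, which only works here because it is an alias. The raw `$_GET['error']` value never reaches the output, since `sanitize_key()` plus the `switch` default map every unknown key to the generic message, so the lookup itself is fine.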