
This queue is for tickets about the Net-OpenID-Consumer CPAN distribution.

Report information
The Basics
Id: 24196
Status: resolved
Priority: 0/
Queue: Net-OpenID-Consumer

People
Owner: Nobody in particular
Requestors: trs [...] bestpractical.com
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



Subject: PATCH: more robust signature matching
Date: Wed, 03 Jan 2007 02:06:44 -0500
To: bug-Net-OpenID-Consumer [...] rt.cpan.org
From: Thomas Sibley <trs [...] bestpractical.com>
Hi,

It seems that some OpenID auth servers (LiveJournal's and MyOpenID's in particular) do not properly encode the openid.sig parameter when redirecting to openid.return_to. Pluses (+) are left as-is when they should be escaped (so as not to be treated as spaces).

I've included a (very) small patch which aims to reduce bogus signature mismatches because of this escaping issue.

Cheers,
Tom

--- Consumer.pm.orig 2007-01-03 01:46:57.000000000 -0500 +++ Consumer.pm 2007-01-03 01:50:07.000000000 -0500 @@ -385,6 +385,10 @@ my $a_ident = $self->args("openid.identity") or return $self->_fail("no_identity"); my $sig64 = $self->args("openid.sig") or return $self->_fail("no_sig"); + + # fix sig if the OpenID auth server failed to properly escape pluses (+) in the sig + $sig64 =~ s/ /+/g; + my $returnto = $self->args("openid.return_to") or return $self->_fail("no_return_to"); my $signed = $self->args("openid.signed");
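
Review bot: The `$sig64 =~ s/ /+/g;` line rewrites the signature unconditionally before verification, and its comment does not say why that is safe. Spell the reason out in the comment: base64 never contains a space, so a space in openid.sig can only be a "+" that query-string decoding turned into a space, and the substitution leaves a correctly escaped signature unchanged. The fix also covers only openid.sig; openid.identity and openid.return_to are read through the same `$self->args` call just above and below and are used as decoded, so it is worth checking whether an unescaped "+" in those values needs the same handling or a note that it is out of scope.
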
From: BRADFITZ [...] cpan.org
How the hell do I close these bugs on this RT install? I don't see the [Resolve] links. Anyway, fixed. Thanks!
Gotta open it and THEN resolve it. I see. Weird extra step from our RT install.