
This queue is for tickets about the Net-OpenID-Consumer CPAN distribution.

Report information
The Basics
Id: 24357
Status: resolved
Priority: 0/
Queue: Net-OpenID-Consumer

People
Owner: crew [...] cs.stanford.edu
Requestors: CFAERBER [...] cpan.org
Cc:
AdminCc:

Bug Information
Severity: Critical
Broken in:
  • 0.02
  • 0.03
  • 0.04
  • 0.05
  • 0.06
  • 0.07
  • 0.08
  • 0.09
  • 0.10
  • 0.11
  • 0.12
Fixed in:
  • 1.100099_001
  • 1.11



Subject: Broken HTML parsing
The HTML "parser" in lib/Net/OpenID/Consumer.pm function _find_semantic_info assumes that every document has a <head> start tag and a </head> end tag. As a result, it fails to parse perfectly valid HTML documents with the following error message: "Couldn't find OpenID servers due to no head tag." This is a serious violation of the HTML standard. It also assumes that the body starts with a <body> tag, which seems not to cause immediate problems, however. But it makes the defence against injecting HTML code less reliable. The module should probably use HTML::Parser, not a broken homebrew ad-hoc parser.
From: CFAERBER [...] cpan.org
The following document illustrates a possible attack: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"> <link rel=openid2.provider href='http://openid.example.com/~user'> <title>Nice test</title> <form action="doit"> <p>Send me your co <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"> <link rel=openid2.provider href='http://openid.example.com/~user'> <title>Nice test</title> <form action="doit"> <p>Send me your comment: <input type=text name=comment value='<html><head><link rel=openid2.provider href="http://bogous.example.net"></head>'> <input type=submit> </form> mment: <input type=text name=comment value='<html><head><link rel=openid2.provider href="http://bogous.example.net"></head>'> <input type=submit> </form> Yes, this is valid HTML and yes, an HTML "sanitizer" that intends to do the shortest possible representation would really produce something like this.
Sorry, here's the correct HTML document:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<link rel=openid2.provider href='http://openid.example.com/~user'>
<title>Nice test</title>
<form action="doit">
<p>Send me your comment:
<input type=text name=comment value='<html><head><link rel=openid2.provider href="http://bogous.example.net"></head>'>
<input type=submit>
</form>
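As an added illustration (not code from the Net-OpenID-Consumer distribution, which is Perl), the Python script below uses the standard-library tokenizer html.parser to extract rel=openid* links the way the reporter argues a real parser should: the head is taken to end at the first element that cannot belong to it rather than at a mandatory </head> tag, and because attribute values are tokenized properly, the fake <link> inside the input's value attribute is never seen as a tag. The HEAD_ONLY set and the test document are constructed for this example.

```python
from html.parser import HTMLParser

# Constructed test document modelled on the reporter's: valid HTML 4.01 with no
# <html>, <head> or <body> tags, plus an attribute value carrying a fake <head>.
ATTACK_DOC = """<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<link rel=openid2.provider href='http://openid.example.com/~user'>
<title>Nice test</title>
<form action="doit">
<p>Send me your comment:
<input type=text name=comment value='<html><head><link rel=openid2.provider href="http://bogous.example.net"></head>'>
<input type=submit>
</form>
"""

# Elements allowed before the body starts (list assumed for this example).
HEAD_ONLY = {"html", "head", "title", "meta", "link", "base", "style", "script"}

class OpenIDLinkFinder(HTMLParser):
    """Collect href values of <link rel=...> elements in the document head.
    The head ends at </head> or at the first start tag that cannot belong to
    it (<body>, <form>, <p>, ...), so a document that omits the optional
    <head>/<body> tags is handled exactly like one that spells them out."""

    def __init__(self):
        super().__init__()
        self.in_head = True
        self.links = {}  # rel value -> first href seen

    def handle_starttag(self, tag, attrs):
        if not self.in_head:
            return
        if tag not in HEAD_ONLY:
            self.in_head = False  # implicit start of the body
            return
        if tag == "link":
            a = dict(attrs)
            for rel in (a.get("rel") or "").lower().split():
                self.links.setdefault(rel, a.get("href"))

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False

def find_openid_links(html):
    """Return {rel: href} for head links; {} rather than an error when none."""
    p = OpenIDLinkFinder()
    p.feed(html)
    p.close()
    return p.links
```

find_openid_links(ATTACK_DOC) yields only the provider from the real <link>; the one inside the input's value attribute is consumed as attribute text and never reaches handle_starttag.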
I believe this is fixed in Net-OpenID-Consumer-1.11. If you want to try it out, please make sure you've also installed the latest Net-OpenID-Common. Feel free to re-open (or start a new ticket) if I'm mistaken about this. Thanks for the report and sorry this took so long to get to... - Roger Crew (new co-maintainer as of a few weeks ago)