Skip Menu |

This queue is for tickets about the Net-OpenID-Server CPAN distribution.

Report information
The Basics
Id: 40558
Status: resolved
Priority: 0/
Queue: Net-OpenID-Server
People
Owner: Nobody in particular
Requestors: hsw [...] rambler.ru
Cc:
AdminCc:
Bug Information
Severity: Important
Broken in: 1.01
Fixed in: (no value)

History Show all quoted text
  Fri Oct 31 05:39:34 2008 http://id.rambler.ru/users/hsw/ - Ticket created
Subject: OpenID 2.0 implementation fixes
1. "8.2.4. Unsuccessful Response Parameters" (Establishing Associations) "If the OP does not support a session type or association type, it MUST respond with a direct error message indicating that the association request failed." 2. "10.2.1. In Response to Immediate Requests" (Negative Assertions) OpenID2 return 'mode=setup_needed' and 'ns', OpenID1 return 'mode=id_res' and 'user_setup_url'. 3. signed_return_url(): verify and remove 'realm', if provided. 4. _mode_checkid(): Pass 'ns' through setup_map.
Subject: Server.pm.patch
--- Server.pm.orig 2008-10-31 12:20:10.000000000 +0300 +++ Server.pm 2008-10-31 12:32:14.000000000 +0300 @@ -228,8 +228,11 @@ my $ns = delete $opts{'ns'}; my $extra_fields = delete $opts{'additional_fields'} || {}; - # verify the trust_root, if provided - if (my $trust_root = delete $opts{'trust_root'}) { + # verify the trust_root and realm, if provided + if (my $trust_root = delete $opts{'realm'}) { + return undef unless _url_is_under($trust_root, $return_to); + delete $opts{'trust_root'}; + } elsif (my $trust_root = delete $opts{'trust_root'}) { return undef unless _url_is_under($trust_root, $return_to); } Carp::croak("Unknown options: " . join(", ", keys %opts)) if %opts; @@ -357,15 +360,20 @@ $self->_setup_map("identity"), $identity, $self->_setup_map("assoc_handle"), $self->args("openid.assoc_handle"), ); - $setup_args{'ns'} = $self->args('openid.ns') if $self->args('openid.ns'); + $setup_args{$self->_setup_map('ns')} = $self->args('openid.ns') if $self->args('openid.ns'); my $setup_url = $self->{setup_url} or Carp::croak("No setup_url defined."); _push_url_arg(\$setup_url, %setup_args); if ($mode eq "checkid_immediate") { my $ret_url = $return_to; - _push_url_arg(\$ret_url, "openid.mode", "id_res"); - _push_url_arg(\$ret_url, "openid.user_setup_url", $setup_url); + if ($self->args('openid.ns') eq $OPENID2_NS) { + _push_url_arg(\$ret_url, "openid.ns", $self->args('openid.ns')); + _push_url_arg(\$ret_url, "openid.mode", "setup_needed"); + } else { + _push_url_arg(\$ret_url, "openid.mode", "id_res"); + _push_url_arg(\$ret_url, "openid.user_setup_url", $setup_url); + } return ("redirect", $ret_url); } else { # the "checkid_setup" mode, where we take control of the user-agent @@ -481,6 +489,19 @@ # FUTURE: protocol will let people choose their preferred authn scheme, # in which case we see if we support any of them, and override the # default value of HMAC-SHA1 + + if ($self->pargs('openid.ns') eq $OPENID2_NS && + ($self->pargs('openid.assoc_type') ne $assoc_type || + $self->pargs('openid.session_type') ne 'DH-SHA1')) { + + $prop{'ns'} = $self->pargs('openid.ns') if $self->pargs('openid.ns'); + $prop{'error_code'} = "unsupported-type"; + $prop{'error'} = "This server support $assoc_type only."; + $prop{'assoc_type'} = $assoc_type; + $prop{'session_type'} = "DH-SHA1"; + + return $self->_serialized_props(\%prop); + } my ($assoc_handle, $secret, $expires) = $self->_generate_association(type => $assoc_type);
  Fri Oct 31 06:18:35 2008 http://id.rambler.ru/users/hsw/ - Correspondence added
From: Sergey Homenkow
Show quoted text
> 3. signed_return_url(): verify and remove 'realm', if provided.
Small fix for '"my" variable $trust_root masks earlier declaration in same scope'
--- Server.pm.1 2008-10-31 13:14:02.000000000 +0300 +++ Server.pm 2008-10-31 13:14:32.000000000 +0300 @@ -229,8 +229,8 @@ my $extra_fields = delete $opts{'additional_fields'} || {}; # verify the trust_root and realm, if provided - if (my $trust_root = delete $opts{'realm'}) { - return undef unless _url_is_under($trust_root, $return_to); + if (my $realm = delete $opts{'realm'}) { + return undef unless _url_is_under($realm, $return_to); delete $opts{'trust_root'}; } elsif (my $trust_root = delete $opts{'trust_root'}) { return undef unless _url_is_under($trust_root, $return_to);
  Fri Oct 31 06:18:38 2008 The RT System itself - Status changed from 'new' to 'open'
  Fri Oct 31 14:01:36 2008 MART [...] cpan.org - Correspondence added
Thanks for the patch. I'll review it and try to get it checked in as soon as I can. On Fri Oct 31 05:39:34 2008, http://id.rambler.ru/users/hsw/ wrote: Show quoted text
> 1. "8.2.4. Unsuccessful Response Parameters" (Establishing
Associations) Show quoted text
> "If the OP does not support a session type or association type, it
MUST Show quoted text
> respond with a direct error message indicating that the association > request failed." > > 2. "10.2.1. In Response to Immediate Requests" (Negative Assertions) > OpenID2 return 'mode=setup_needed' and 'ns', > OpenID1 return 'mode=id_res' and 'user_setup_url'. > > 3. signed_return_url(): verify and remove 'realm', if provided. > > 4. _mode_checkid(): Pass 'ns' through setup_map.
  Thu Nov 20 08:12:43 2008 KAPPA [...] cpan.org - Correspondence added
Martin, good day! Any chances to get this released soon? :) Sorry to bother but the fixes are pretty important. On Fri Oct 31 14:01:36 2008, MART wrote: Show quoted text
> Thanks for the patch. I'll review it and try to get it checked in as > soon as I can. > > On Fri Oct 31 05:39:34 2008, http://id.rambler.ru/users/hsw/ wrote:
> > 1. "8.2.4. Unsuccessful Response Parameters" (Establishing
> Associations)
> > "If the OP does not support a session type or association type, it
> MUST
> > respond with a direct error message indicating that the association > > request failed." > > > > 2. "10.2.1. In Response to Immediate Requests" (Negative Assertions) > > OpenID2 return 'mode=setup_needed' and 'ns', > > OpenID1 return 'mode=id_res' and 'user_setup_url'. > > > > 3. signed_return_url(): verify and remove 'realm', if provided. > > > > 4. _mode_checkid(): Pass 'ns' through setup_map.
> >
  Sat Nov 29 18:57:56 2008 MART [...] cpan.org - Correspondence added
Checked in: http://code.sixapart.com/trac/openid/changeset/162 Note that this is in the 1.0 maintenence branch, not the trunk. This will be merged into trunk in due course. (I generally prefer one issue per ticket/patch, if possible, since it makes it easier to review and check in.) Thanks.
  Sat Nov 29 20:12:45 2008 MART [...] cpan.org - Correspondence added
Fixed in Net::OpenID::Server 1.02, coming soon to a CPAN near you.
  Sat Nov 29 20:12:47 2008 MART [...] cpan.org - Status changed from 'open' to 'resolved'