This queue is for tickets about the Net-OpenID-Consumer CPAN distribution.

Report information
The Basics
Id: 41307
Status: resolved
Priority: 0/
Queue: Net-OpenID-Consumer

People
Owner: MART [...] cpan.org
Requestors: MART [...] cpan.org
Cc:
AdminCc:

Bug Information
Severity: Important
Broken in:
  • 1.01
  • 1.02
Fixed in: (no value)



Subject: 2.0 spec requires certain response fields to be signed, but Consumer doesn't enforce this.
The 2.0 spec requires the following fields to be signed: "op_endpoint", "return_to", "response_nonce" and "assoc_handle" MUST be present and signed. "claimed_id" and "identity" must be signed only if they are present in the message. Currently Consumer doesn't verify this and will accept a message where none of the above are signed.
Fixed in 1.03.
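
The coverage check this ticket describes, sketched as an added example (it is not the code that went into Net-OpenID-Consumer 1.03). The helper name `unsigned_required_fields` and both sample messages are assumptions constructed for illustration.

```perl
use strict;
use warnings;

# Fields the ticket lists as "MUST be present and signed".
my @ALWAYS_SIGNED = qw(op_endpoint return_to response_nonce assoc_handle);
# Fields that must be signed only if they are present in the message.
my @SIGNED_IF_PRESENT = qw(claimed_id identity);

# Hypothetical helper: takes a hashref of response parameters keyed by their
# full "openid.*" names and returns a list of problems (empty list = ok).
# It checks signature *coverage* only; the signature itself must still be
# verified separately over the fields named in openid.signed.
sub unsigned_required_fields {
    my ($args) = @_;
    my %signed = map { $_ => 1 } split /,/, ($args->{'openid.signed'} // '');
    my @problems;
    for my $f (@ALWAYS_SIGNED) {
        if (!defined $args->{"openid.$f"}) {
            push @problems, "$f missing";
        } elsif (!$signed{$f}) {
            push @problems, "$f not signed";
        }
    }
    for my $f (@SIGNED_IF_PRESENT) {
        push @problems, "$f not signed"
            if defined $args->{"openid.$f"} && !$signed{$f};
    }
    return @problems;
}

# Constructed sample responses; every value is a placeholder.
my %common = (
    'openid.mode'           => 'id_res',
    'openid.op_endpoint'    => 'https://op.example/server',
    'openid.return_to'      => 'https://rp.example/return',
    'openid.response_nonce' => '2009-01-01T00:00:00Zabc123',
    'openid.assoc_handle'   => 'handle-1',
    'openid.claimed_id'     => 'https://user.example/',
    'openid.identity'       => 'https://user.example/',
    'openid.sig'            => 'PLACEHOLDER',
);
my %covered   = (%common, 'openid.signed' =>
    'op_endpoint,return_to,response_nonce,assoc_handle,claimed_id,identity');
my %uncovered = (%common, 'openid.signed' => 'mode');

for my $case ([covered => \%covered], [uncovered => \%uncovered]) {
    my @p = unsigned_required_fields($case->[1]);
    print "$case->[0]: ", (@p ? join('; ', @p) : 'ok'), "\n";
}
```

A message like `%uncovered` can carry a valid signature over `mode` alone, which is why the coverage check has to reject it regardless of whether `openid.sig` verifies.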