This queue is for tickets about the Net-OpenID-Consumer CPAN distribution.

Report information
Id: 24196
Status: resolved
Priority: Low/Low
Owner: Nobody in particular
Requestors: trs [...] bestpractical.com
Subject: PATCH: more robust signature matching
Date: Wed, 03 Jan 2007 02:06:44 -0500
To: bug-Net-OpenID-Consumer@rt.cpan.org
From: Thomas Sibley <trs@bestpractical.com>
Hi,

It seems that some OpenID auth servers (LiveJournal's and MyOpenID's in particular) do not properly encode the openid.sig parameter when redirecting to openid.return_to. Pluses (+) are left as-is when they should be escaped (so as not to be treated as spaces).

I've included a (very) small patch which aims to reduce bogus signature mismatches because of this escaping issue.

Cheers,
Tom
--- Consumer.pm.orig 2007-01-03 01:46:57.000000000 -0500 +++ Consumer.pm 2007-01-03 01:50:07.000000000 -0500 @@ -385,6 +385,10 @@ my $a_ident = $self->args("openid.identity") or return $self->_fail("no_identity"); my $sig64 = $self->args("openid.sig") or return $self->_fail("no_sig"); + + # fix sig if the OpenID auth server failed to properly escape pluses (+) in the sig + $sig64 =~ s/ /+/g; + my $returnto = $self->args("openid.return_to") or return $self->_fail("no_return_to"); my $signed = $self->args("openid.signed");
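Review bot: In the added `$sig64 =~ s/ /+/g;` the comment should state why the rewrite is unambiguous: a space is not part of the base64 alphabet, so any space in openid.sig can only be a plus that was form-decoded. Without that sentence the line reads as guessing at what the server meant. `tr/ /+/` is the idiomatic form for a single-character swap. Only openid.sig is normalised; openid.return_to and openid.signed are read right next to it with no such handling, so it is worth confirming that the servers named in the report escape those values correctly.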
From: BRADFITZ@cpan.org
How the hell do I close these bugs on this RT install? I don't see the [Resolve] links. Anyway, fixed. Thanks!
Gotta open it and THEN resolve it. I see. Weird extra step from our RT install.
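
The escaping problem described in the report, as an added example that is not part of the ticket or of Net::OpenID::Consumer: a base64 HMAC-SHA1 signature containing a plus is form-decoded once with the plus escaped and once without, then repaired. The key, token text and the helper names `form_decode` and `repair_sig` are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example, not Net::OpenID::Consumer code. Key, token text and helper
# names are constructed for illustration.
use strict;
use warnings;
use Digest::SHA qw(hmac_sha1);
use MIME::Base64 qw(encode_base64);

# Form-decoding as applied to a query string: '+' means space, then %XX.
sub form_decode {
    my ($v) = @_;
    $v =~ tr/+/ /;
    $v =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;
    return $v;
}

# Undo the damage: a space is never part of base64, so it can only have
# been a '+'. Anything else outside the alphabet is rejected, not guessed at.
sub repair_sig {
    my ($sig64) = @_;
    (my $fixed = $sig64) =~ tr/ /+/;
    return $fixed =~ m{\A[A-Za-z0-9+/]+={0,2}\z} ? $fixed : undef;
}

my $key = "constructed-shared-secret";

# Search constructed tokens for one whose signature contains '+'.
my ($token, $sig64);
for my $n (0 .. 9999) {
    $token = "identity:http://user.example/\nnonce:$n\n";
    $sig64 = encode_base64(hmac_sha1($token, $key), "");
    last if $sig64 =~ /\+/;
}
die "no signature with '+' found" unless $sig64 =~ /\+/;

# What a correctly behaving server puts in the URL: '+' becomes %2B.
(my $escaped = $sig64) =~ s/([^A-Za-z0-9_.~-])/sprintf("%%%02X", ord $1)/ge;

my $good = form_decode($escaped);   # server escaped the value
my $bad  = form_decode($sig64);     # server sent '+' unescaped

printf "expected  : %s\n", $sig64;
printf "escaped   : %s (%s)\n", $good, $good eq $sig64 ? "match" : "MISMATCH";
printf "unescaped : %s (%s)\n", $bad,  $bad  eq $sig64 ? "match" : "MISMATCH";
my $fixed = repair_sig($bad);
printf "repaired  : %s (%s)\n", $fixed // "(rejected)",
    defined $fixed && $fixed eq $sig64 ? "match" : "MISMATCH";
```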

