This queue is for tickets about the Net-OpenID-Consumer CPAN distribution.

Report information
The Basics
Id:
24357
Status:
resolved
Priority:
Low/Low

People
Owner:
crew [...] cs.stanford.edu
Requestors:
CFAERBER [...] cpan.org
Cc:
AdminCc:

BugTracker
Severity:
Critical
Broken in:
  • 0.02
  • 0.03
  • 0.04
  • 0.05
  • 0.06
  • 0.07
  • 0.08
  • 0.09
  • 0.10
  • 0.11
  • 0.12
Fixed in:
  • 1.100099_001
  • 1.11



Subject: Broken HTML parsing
The HTML "parser" in lib/Net/OpenID/Consumer.pm function _find_semantic_info assumes that every document has a <head> start tag and a </head> end tag. As a result, it fails to parse perfectly valid HTML documents with the following error message: "Couldn't find OpenID servers due to no head tag." This is a serious violation of the HTML standard. It also assumes that the body starts with a <body> tag, which seems not to cause immediate problems, however. But it makes the defence agains injecting a HTML code less reliable. The module should probably use HTML::Parser, not a broken homebrew ad-hoc parser.
From: CFAERBER@cpan.org
The folling document illustrates an possible attack: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"> <link rel=openid2.provider href='http://openid.example.com/~user'> <title>Nice test</title> <form action="doit"> <p>Send me your co <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"> <link rel=openid2.provider href='http://openid.example.com/~user'> <title>Nice test</title> <form action="doit"> <p>Send me your comment: <input type=text name=comment value='<html><head><link rel=openid2.provider href="http://bogous.example.net"></head>'> <input type=submit> </form> mment: <input type=text name=comment value='<html><head><link rel=openid2.provider href="http://bogous.example.net"></head>'> <input type=submit> </form> Yes, this is valid HTML and yes, a HTML "sanitizer" that intends to do the shortest possible representation would really produce something like this.
Sorry, here's the correct HTML document: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"> <link rel=openid2.provider href='http://openid.example.com/~user'> <title>Nice test</title> <form action="doit"> <p>Send me your comment: <input type=text name=comment value='<html><head><link rel=openid2.provider href="http://bogous.example.net"></head>'> <input type=submit> </form>
I believe this is fixed in Net-OpenID-Consumer-1.11 If you want to try it out, please make sure you've also installed the latest Net-OpenID-Common. Feel free to re-open (or start a new ticket) if I'm mistaken about this. Thanks for the report and sorry this took so long to get to... - Roger Crew (new co-maintainer as of a few weeks ago)


This service runs on Request Tracker, is sponsored by The Perl Foundation, and maintained by Best Practical Solutions.

Please report any issues with rt.cpan.org to rt-cpan-admin@bestpractical.com.