Zend_OpenId_Provider::_checkId - matching regular expression may be wrong (quick fix) #57

Open
zfbot opened this Issue · 5 comments

3 participants

@zfbot
Owner

Jira Information

Original Issue: ZF-12527
Issue Type: Bug
Reporter: Alan B. Dee
Created: 02/20/13
Assignee: froschdesign
Components: Zend_OpenId

Description

In the _checkId method there is a regular expression to check for realm wildcards:

$regex = '/^'
       . preg_quote(substr($site, 0, $n+3), '/')
       . '[A-Za-z1-9_\.]+?'
       . preg_quote(substr($site, $n+4), '/')
       . '/';

The line '[A-Za-z1-9_\.]+?' should probably be '[A-Za-z0-9_\.]+?'.
As it is, if the realm has a 0 then it won't pass.

$regex = '/^'
       . preg_quote(substr($site, 0, $n+3), '/')
       . '[A-Za-z0-9_\.]+?'
       . preg_quote(substr($site, $n+4), '/')
       . '/';

In our implementation we did a workaround by explicitly authorizing the realm.

@zfbot
Owner

(Originally posted by: draculus on 02/21/13)

This bug is in ZF1 and ZF2 as well. Moreover, the current regexp also matches a '\' character, which it should not.

As defined in the OpenId specification [1], realms should have the structure defined by RFC3986 [2].

The structure is as follows.

ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )

So the correct regular expression (PCRE) is

/^[[:alpha:]][[:alnum:].+-]+/

The line

[A-Za-z1-9_.]+

should be changed to

[[:alpha:]][[:alnum:].+-]+

I will create a pull request for the ZF2 on GitHub. But I have no idea how to push code to ZF1.

[1] https://openid.net/specs/openid-authentication-2_0.html#realms
[2] https://www.ietf.org/rfc/rfc3986.txt

@zfbot
Owner

(Originally posted by: draculus on 02/21/13)

Hmm, the JIRA markup has scrambled the regular expressions.

/^[[:alpha:]][[:alnum:].+-]/

Therefore the line in the code will be as follows.

[[:alpha:]][[:alnum:].+-]

@zfbot
Owner

(Originally posted by: draculus on 02/21/13)

Dah, one more fix. This one is final.

/^[[:alpha:]][[:alnum:].+-]+/

Line in the code

'[[:alpha:]][[:alnum:].+-]+'

Sorry. :-)
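
The three character classes discussed in this thread, run against one wildcard realm, as an added example that is not part of the original issue or of Zend Framework's code. The realm, the return URLs and the helper names realmRegex and realmMatches are constructed for illustration, and $n is assumed to be the offset of '://*.' in the realm.

```php
<?php
// Added illustration, not Zend Framework code. Realm and URLs are constructed.

// Builds the wildcard-realm pattern as in the snippet from the report, with the
// character class for the wildcard label passed in.
// Assumption: $n is the offset of '://*.' in the realm.
function realmRegex(string $site, string $class): ?string
{
    $n = strpos($site, '://*.');
    if ($n === false) {
        return null; // not a wildcard realm
    }
    return '/^'
         . preg_quote(substr($site, 0, $n + 3), '/')
         . $class
         . preg_quote(substr($site, $n + 4), '/')
         . '/';
}

// True when $url falls under the wildcard realm $site for the given class.
function realmMatches(string $site, string $class, string $url): bool
{
    $regex = realmRegex($site, $class);
    return $regex !== null && preg_match($regex, $url) === 1;
}

// Character classes quoted in the thread.
$classes = [
    'current'  => '[A-Za-z1-9_\.]+?',           // as in the code quoted in the report
    'reported' => '[A-Za-z0-9_\.]+?',           // quick fix from the report
    'posix'    => '[[:alpha:]][[:alnum:].+-]+', // class proposed in the comments
];
$realm = 'http://*.example.com/';               // constructed realm
$urls = [                                       // constructed return URLs
    'plain label'         => 'http://shop1.example.com/return',
    'zero in label'       => 'http://shop10.example.com/return',
    'hyphen in label'     => 'http://my-shop.example.com/return',
    'single-letter label' => 'http://a.example.com/return',
    'leading digit'       => 'http://1shop.example.com/return',
];

foreach ($urls as $case => $url) {
    printf("%-20s", $case);
    foreach ($classes as $name => $class) {
        printf(" %s=%s", $name, realmMatches($realm, $class, $url) ? 'match' : 'no');
    }
    echo PHP_EOL;
}
```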

@zfbot
Owner

This issue was ported from the ZF2 Jira Issue Tracker at
http://framework.zend.com/issues/browse/ZF-12527

Known GitHub users mentioned in the original message or comment:
@froschdesign, @draculus

@draculus

There is a pull request already from the ZF2 for the same issue. I am currently working on a test case for that issue.

zendframework/ZendOpenId#5
