ZF-12527: Zend_OpenId_Provider::_checkId - matching regular expression may be wrong (quick fix)


In the {{_checkId}} method there is a regular expression to check for realm wildcards:

$regex = '/^'
       . preg_quote(substr($site, 0, $n+3), '/')
       . '[A-Za-z1-9_\.]+?'
       . preg_quote(substr($site, $n+4), '/')
       . '/';

The line {{'[A-Za-z1-9_\.]+?'}} should probably be {{'[A-Za-z0-9_\.]+?'}}. As it is, if the realm has a 0 then it won't pass.

$regex = '/^'
       . preg_quote(substr($site, 0, $n+3), '/')
       . '[A-Za-z0-9_\.]+?'
       . preg_quote(substr($site, $n+4), '/')
       . '/';

In our implementation we did a workaround by explicitly authorizing the realm.
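The following added example (not part of the original report and not Zend Framework code) builds the wildcard regex with both character classes and runs it against constructed realms, so the rejection of a host label containing 0 can be reproduced. The function name, the sample site and the realms are hypothetical, and {{$n}} is assumed to be the offset of '://*.' in the trusted-site pattern, inferred from the substr() offsets above.

```php
<?php
// Added example, not Zend Framework code.
// Assumption: $n is the offset of '://*.' in the trusted-site pattern,
// inferred from the substr() offsets used in the report.

/**
 * Build the realm wildcard regex the way the reported snippet does,
 * with the character class passed in so both variants can be compared.
 */
function buildWildcardRegex(string $site, string $charClass): ?string
{
    $n = strpos($site, '://*.');
    if ($n === false) {
        return null; // not a wildcard pattern
    }
    return '/^'
         . preg_quote(substr($site, 0, $n + 3), '/')   // scheme plus '://'
         . $charClass . '+?'                           // stands in for '*'
         . preg_quote(substr($site, $n + 4), '/')      // rest, from the '.' after '*'
         . '/';
}

// Constructed sample data.
$site   = 'http://*.example.com/';
$realms = [
    'http://www.example.com/',      // letters only
    'http://www10.example.com/',    // label contains a 0
    'http://login-10.example.com/', // '-' is in neither character class
];

$original = buildWildcardRegex($site, '[A-Za-z1-9_\.]');
$fixed    = buildWildcardRegex($site, '[A-Za-z0-9_\.]');

foreach ($realms as $realm) {
    printf(
        "%-30s original=%d fixed=%d\n",
        $realm,
        preg_match($original, $realm),
        preg_match($fixed, $realm)
    );
}
```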


This bug is in ZF1 and ZF2 as well. Moreover, the current regexp also matches a '\' character that it should not.

As defined in the OpenId specification [1], the realms should have the structure defined by RFC3986 [2].

The structure is as follows.

ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )

So the correct regular expression (PCRE) is


The line


should be changed to


I will create a pull request for the ZF2 on GitHub. But I have no idea how to push code to ZF1.

[1]… [2]

Hmm, the JIRA markup has scrambled the regular expressions.


Therefore the line in the code will be as follows.


Dah, one more fix. This one is final.


Line in the code


Sorry. :-)

This issue has been closed on Jira and moved to GitHub for issue tracking. To continue following the resolution of this issue, please visit: