ZF-12527: Zend_OpenId_Provider::_checkId - matching regular expression may be wrong (quick fix)


In the {{_checkId}} method there is a regular expression to check for realm wildcards:

$regex = '/^'
       . preg_quote(substr($site, 0, $n+3), '/')
       . '[A-Za-z1-9_\.]+?'
       . preg_quote(substr($site, $n+4), '/')
       . '/';

The line {{'[A-Za-z1-9_\.]+?'}} should probably be {{'[A-Za-z0-9_\.]+?'}}. As it is, if the realm has a 0 then it won't pass.

$regex = '/^'
       . preg_quote(substr($site, 0, $n+3), '/')
       . '[A-Za-z0-9_\.]+?'
       . preg_quote(substr($site, $n+4), '/')
       . '/';

In our implementation we did a workaround by explicitly authorizing the realm.
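As an added example, not code from this issue or from Zend Framework, the following PHP rebuilds the wildcard regex exactly as the snippet above does and runs it with both character classes against a few constructed realms, so the effect of the missing {{0}} is visible. It assumes that {{$n}} is the offset of {{://*.}} in the trusted-site pattern, which is the only reading under which {{$n+3}} yields the scheme plus {{://}} and {{$n+4}} yields the suffix after the {{*}}; the function name {{buildWildcardRegex}}, the trusted pattern and the sample realms are constructed here.

```php
<?php
// Added example (not Zend Framework code): reproduces the wildcard-realm
// check from the issue with the shipped and the proposed character class.

// Assumption: $n is the offset of "://*." in the trusted-site pattern, so
// substr($site, 0, $n+3) is e.g. "http://" and substr($site, $n+4) is the
// fixed suffix after the "*", e.g. ".example.com".
function buildWildcardRegex(string $site, string $labelClass): ?string
{
    $n = strpos($site, '://*.');
    if ($n === false) {
        return null; // not a wildcard pattern; compare such realms literally
    }
    return '/^'
         . preg_quote(substr($site, 0, $n + 3), '/') // scheme and "://"
         . $labelClass                                // the wildcard part
         . preg_quote(substr($site, $n + 4), '/')    // suffix after "*"
         . '/';
}

// The class as shipped (no '0') and the class proposed in the report.
$classes = [
    'shipped  [A-Za-z1-9_\.]+?' => '[A-Za-z1-9_\.]+?',
    'proposed [A-Za-z0-9_\.]+?' => '[A-Za-z0-9_\.]+?',
];

// Constructed trusted pattern and sample realms (not from the issue).
$trusted = 'http://*.example.com';
$realms  = [
    'http://app.example.com',
    'http://app0.example.com',  // wildcard part contains a '0'
    'http://2010.example.com',  // wildcard part contains a '0'
    'http://a.b.example.com',
];

foreach ($classes as $label => $class) {
    $regex = buildWildcardRegex($trusted, $class);
    echo $label, '  => ', $regex, PHP_EOL;
    foreach ($realms as $realm) {
        printf("  %-26s %s\n", $realm,
               preg_match($regex, $realm) ? 'match' : 'no match');
    }
}
```

Run it with {{php}} on the command line; the realms containing a {{0}} are rejected under the shipped class and accepted under the proposed one, while the other realms are treated the same by both.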


This bug is in ZF1 and ZF2 as well. Moreover, the current regexp also matches a '\' character that it should not.

As defined in the OpenId specification [1], the realms should have the structure defined by RFC3986 [2].

The structure is the following.

ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )

So the correct regular expression (PCRE) is


The line


should be changed to


I will create a pull request for the ZF2 on GitHub. But I have no idea how to push code to ZF1.

[1] https://openid.net/specs/… [2] https://www.ietf.org/rfc/rfc3986.txt

Hmm, the JIRA markup has scrambled the regular expressions.


Therefore the line in the code will be the following.


Dah, one more fix. This one is final.


Line in the code


Sorry. :-)

This issue has been closed on Jira and moved to GitHub for issue tracking. To continue following the resolution of this issue, please visit: https://github.com/zendframework/zf1/issues/57