ZF-12527: Zend_OpenId_Provider::_checkId - matching regular expression may be wrong (quick fix)
Description
In the {{_checkId}} method there is a regular expression to check for realm wildcards:
$regex = '/^'
. preg_quote(substr($site, 0, $n+3), '/')
. '[A-Za-z1-9_\.]+?'
. preg_quote(substr($site, $n+4), '/')
. '/';
The line '{{[A-Za-z1-9_.+?}}' should probably be {{'[A-Za-z0-9_.+?'}} As it is, if the realm has a 0 then it won't pass.
$regex = '/^'
. preg_quote(substr($site, 0, $n+3), '/')
. '[A-Za-z0-9_\.]+?'
. preg_quote(substr($site, $n+4), '/')
. '/';
In our implementation we did a workaround by explicitly authorizing the realm.
Comments
Posted by Pavel Kačer (draculus) on 2013-02-21T10:02:29.000+0000
This bug is in ZF1 and ZF2 as well. Moreover the current regexp matches also a '\' character that is should not.
As defined in the OpenId specification [1] the realms should have structure defined by RFC3986 [2].
The structure is following.
ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
So the correct regular expression (PCRE) is
/^[[:alpha:]][[:alnum:].+-]+/
The line
[A-Za-z1-9_.]+
should be changed to
[[:alpha:]][[:alnum:].+-]+
I will create a pull request for the ZF2 on GitHub. But I have no idea how to push code to ZF1.
[1] https://openid.net/specs/… [2] https://www.ietf.org/rfc/rfc3986.txt
Posted by Pavel Kačer (draculus) on 2013-02-21T10:06:57.000+0000
Hmm, the JIRA markup has scrambled the regular expressions.
Therefore the line in the code will be following.
Posted by Pavel Kačer (draculus) on 2013-02-21T10:09:41.000+0000
Dah, one more fix. This one is final.
Line in the code
Sorry. :-)
Posted by Ralph Schindler (ralph) on 2013-04-05T16:06:58.000+0000
This issue has been closed on Jira and moved to GitHub for issue tracking. To continue following the resolution of this issues, please visit: https://github.com/zendframework/zf1/issues/57