ZF-12527: Zend_OpenId_Provider::_checkId - matching regular expression may be wrong (quick fix)

Description

In the {{_checkId}} method there is a regular expression to check for realm wildcards:


$regex = '/^'
       . preg_quote(substr($site, 0, $n+3), '/')
       . '[A-Za-z1-9_\.]+?'
       . preg_quote(substr($site, $n+4), '/')
       . '/';

The line {{'[A-Za-z1-9_\.]+?'}} should probably be {{'[A-Za-z0-9_\.]+?'}}. As it is, if the realm has a 0 then it won't pass.


$regex = '/^'
       . preg_quote(substr($site, 0, $n+3), '/')
       . '[A-Za-z0-9_\.]+?'
       . preg_quote(substr($site, $n+4), '/')
       . '/';

In our implementation we did a workaround by explicitly authorizing the realm.

Comments

This bug is in ZF1 and ZF2 as well. Moreover, the current regexp also matches a '\' character, which it should not.

As defined in the OpenID specification [1], realms should have the structure defined by RFC 3986 [2].

The structure is as follows.

ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )

So the correct regular expression (PCRE) is

/^[[:alpha:]][[:alnum:].+-]+/

The line

[A-Za-z1-9_.]+

should be changed to

[[:alpha:]][[:alnum:].+-]+

I will create a pull request for ZF2 on GitHub, but I have no idea how to push code to ZF1.

[1] https://openid.net/specs/…
[2] https://www.ietf.org/rfc/rfc3986.txt

Hmm, the JIRA markup has scrambled the regular expressions.

/^[[:alpha:]][[:alnum:].+-]/

Therefore the line in the code will be as follows.

[[:alpha:]][[:alnum:].+-]

Dah, one more fix. This one is final.

/^[[:alpha:]][[:alnum:].+-]+/

Line in the code

'[[:alpha:]][[:alnum:].+-]+'

Sorry. :-)
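As an added example (not code from Zend Framework or from any commenter above), the following PHP rebuilds the wildcard-realm regex exactly the way the _checkId snippet concatenates it and runs the three character classes proposed in this issue against constructed sample realms. It assumes $n is the offset of '://*.' in the trusted site, which is what the substr($site, 0, $n+3) / substr($site, $n+4) offsets in the snippet imply.

```php
<?php
// Added example (not Zend Framework code): rebuilds the regex from the
// _checkId() snippet so the candidate character classes can be compared.
// Assumption: $n is the offset of '://*.' in the trusted wildcard site.

// The three character classes discussed in this issue.
const CLASSES = [
    'original'  => '[A-Za-z1-9_\.]+?',            // shipped code: digit 0 is absent
    'quick fix' => '[A-Za-z0-9_\.]+?',            // fix proposed in the description
    'rfc3986'   => '[[:alpha:]][[:alnum:].+-]+',  // fix proposed in the comments
];

/**
 * Return true when $root is covered by the trusted $site
 * (e.g. 'http://*.example.com/'), using $class for the part
 * of the host that replaces the '*'.
 */
function realmMatchesWildcard(string $site, string $root, string $class): bool
{
    $n = strpos($site, '://*.');
    if ($n === false) {
        // Not a wildcard realm: only an exact match is accepted here.
        return $site === $root;
    }
    $regex = '/^'
           . preg_quote(substr($site, 0, $n + 3), '/')   // 'http://'
           . $class
           . preg_quote(substr($site, $n + 4), '/')      // '.example.com/'
           . '/';
    return preg_match($regex, $root) === 1;
}

// Constructed sample roots checked against one wildcard realm.
$site  = 'http://*.example.com/';
$roots = [
    'http://sub.example.com/',   // plain letters only
    'http://h0st.example.com/',  // contains a 0, which the original class lacks
    'http://1st.example.com/',   // leading digit; the rfc3986 class requires a letter first
];

foreach ($roots as $root) {
    foreach (CLASSES as $name => $class) {
        printf("%-26s %-10s %s\n", $root, $name,
               realmMatchesWildcard($site, $root, $class) ? 'match' : 'NO MATCH');
    }
}
```

The third root is included because the ALPHA-first form from the comments and the quick fix from the description disagree on labels that start with a digit, so whichever class is adopted should be chosen deliberately for that case.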

This issue has been closed on Jira and moved to GitHub for issue tracking. To continue following the resolution of this issue, please visit: https://github.com/zendframework/zf1/issues/57