Issues

ZF-12527: Zend_OpenId_Provider::_checkId - matching regular expression may be wrong (quick fix)

Issue Type: Bug Created: 2013-02-20T21:11:26.000+0000 Last Updated: 2013-04-05T16:06:58.000+0000 Status: Closed Fix version(s): Reporter: Alan B. Dee (alanbdee) Assignee: Frank Brückner (frosch) Tags: - Zend_OpenId

Related issues: Attachments:

Description

In the _checkId method there is a regular expression to check for realm wildcards:

<pre class="highlight">
$regex = '/^'
       . preg_quote(substr($site, 0, $n+3), '/')
       . '[A-Za-z1-9_\.]+?'
       . preg_quote(substr($site, $n+4), '/')
       . '/';

The line '[A-Za-z1-9_.+?' should probably be '[A-Za-z0-9_.+?' As it is, if the realm has a 0 then it won't pass.

<pre class="highlight">
$regex = '/^'
       . preg_quote(substr($site, 0, $n+3), '/')
       . '[A-Za-z0-9_\.]+?'
       . preg_quote(substr($site, $n+4), '/')
       . '/';

In our implementation we did a workaround by explicitly authorizing the realm.

Comments

Posted by Pavel Kačer (draculus) on 2013-02-21T10:02:29.000+0000

This bug is in ZF1 and ZF2 as well. Moreover the current regexp matches also a '\' character that is should not.

As defined in the OpenId specification [1] the realms should have structure defined by RFC3986 [2].

The structure is following.

ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )

So the correct regular expression (PCRE) is

/^[[:alpha:]][[:alnum:].+-]+/

The line

[A-Za-z1-9_.]+

should be changed to

[[:alpha:]][[:alnum:].+-]+

I will create a pull request for the ZF2 on GitHub. But I have no idea how to push code to ZF1.

[1] https://openid.net/specs/… [2] https://www.ietf.org/rfc/rfc3986.txt

Posted by Pavel Kačer (draculus) on 2013-02-21T10:06:57.000+0000

Hmm, the JIRA markup has scrambled the regular expressions.

<pre class="literal">
/^[[:alpha:]][[:alnum:].+-]/

Therefore the line in the code will be following.

<pre class="literal">
[[:alpha:]][[:alnum:].+-]

Posted by Pavel Kačer (draculus) on 2013-02-21T10:09:41.000+0000

Dah, one more fix. This one is final.

<pre class="literal">
/^[[:alpha:]][[:alnum:].+-]+/

Line in the code

<pre class="literal">
'[[:alpha:]][[:alnum:].+-]+'

Sorry. :-)

Posted by Ralph Schindler (ralph) on 2013-04-05T16:06:58.000+0000

This issue has been closed on Jira and moved to GitHub for issue tracking. To continue following the resolution of this issues, please visit: https://github.com/zendframework/zf1/issues/57

Have you found an issue?

See the Overview section for more details.

Copyright

© 2006-2016 by Zend, a Rogue Wave Company. Made with by awesome contributors.

This website is built using zend-expressive and it runs on PHP 7.

Contacts