"+" bug in mac_key?

Michael 'hacker' Krelin hacker at klever.net
Tue Aug 2 14:38:42 PDT 2005


On Tue, Aug 02, 2005 at 02:36:04PM -0700, Brad Fitzpatrick wrote:
> Wechsler,
> 
> All that comes to mind is that somebody is escaping/descaping the parameter
> as a URL parameter one too many/few times.
> 
> Let me know if it's a bug with LiveJournal's (the Perl) libraries.

If my guess was right, this may be thought of as a bug, but definitely the
one you will want to make into a feature and maintain compatibility
with. On the other hand, I believe this can be fixed without breaking
compatibility.

Love,
H
> 
> - Brad
> 
> 
> On Tue, 2 Aug 2005, Wechsler wrote:
> 
> > Long shot:
> >
> > I've got a smart mode consumer, written in PHP, that seems to be working
> > in the main, but every so often the HMAC_SHA1 signature from the server
> > won't match the one I generate.
> >
> > Every time this has happened, the raw openid mac_key I've received by
> > association has a plus (+) in it. This key is stored in a MySQL database
> > (could this corrupt it in any way?), and the ones that have failed are:
> >
> > PF+MFObP6aGEMA1hul5Y7WY+4Jo=
> > VJjofcv5SHf/LYSo6lPdZtkD+PU=
> > X+WsOnVw+u+audJ4K5o/WRV90Ck=
> >
> > The code uses GMP support for the HMAC and DH code, and uses PHP's
> > pack() function (which I've seen to be flaky in the past). If anyone
> > knows of any flaws with these, I'd love to hear about it. Equally, if
> > anyone wants to see the (still somewhat clunky) code, let me know.
> >
> > Now, I appreciate that this is a bit of a weird bug, but I thought I'd
> > throw it into the mix and see if it meant anything to anyone.
> >
> > TIA,
> > 	Wechsler
> >
> >
> 
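
The hypothesis raised in this thread (a mac_key form-decoded one time too many, so each "+" becomes a space), worked through in Python as an added example; it is not code from the thread or from any OpenID library. The keys are the three quoted above; the token bytes, the control key, the lenient decoder and all function names are constructed for illustration, and the 20-byte length check assumes an HMAC-SHA1 key, which is what the quoted keys decode to.

```python
import base64
import binascii
import hashlib
import hmac
from urllib.parse import unquote_plus

# The three failing keys quoted in the post.
FAILING_KEYS = [
    "PF+MFObP6aGEMA1hul5Y7WY+4Jo=",
    "VJjofcv5SHf/LYSo6lPdZtkD+PU=",
    "X+WsOnVw+u+audJ4K5o/WRV90Ck=",
]
# Constructed 20-byte key whose base64 form contains no '+'.
CONTROL_KEY = base64.b64encode(bytes(range(20))).decode()

def extra_decode(b64):
    """One surplus form-decode: '+' is turned into a space."""
    return unquote_plus(b64)

def strict_key(b64, expected_len=20):
    """Strictly decode a mac_key; return None if it looks damaged."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw if len(raw) == expected_len else None

def lenient_key(b64):
    """Stand-in for a decoder that silently skips non-alphabet characters."""
    data = "".join(c for c in b64 if c.isalnum() or c in "+/")
    if len(data) % 4 == 1:          # a lone trailing character carries no byte
        data = data[:-1]
    return base64.b64decode(data + "=" * (-len(data) % 4))

def sign(key, token):
    """Base64 HMAC-SHA1 signature over the token bytes."""
    return base64.b64encode(hmac.new(key, token, hashlib.sha1).digest()).decode()

def survives_extra_decode(b64, token=b"constructed-token-contents"):
    """True if the signature is unchanged after one surplus form-decode."""
    good = sign(strict_key(b64), token)   # b64 must be an intact key
    return sign(lenient_key(extra_decode(b64)), token) == good

if __name__ == "__main__":
    for k in FAILING_KEYS + [CONTROL_KEY]:
        print(k, "| intact after decode:", strict_key(extra_decode(k)) is not None,
              "| signature matches:", survives_extra_decode(k))
```

Running `strict_key()` on a key as it comes back out of storage, before using it to verify a signature, separates a damaged key from a genuine signature mismatch.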

