New PHP OpenID Client/Server Implementation
ctd1500
ctd1500 at gmail.com
Tue Sep 6 23:18:41 PDT 2005
On 9/6/05, Martin Atkins <mart at degeneration.co.uk> wrote:
> Attached is a small patch containing the changes I had to make firstly
> to get it to run properly on my server here and to work with
> LiveJournal. It also features some more general fixes. In particular:
> * no SCRIPT_URI was being set on my server, so I added a best-guess fallback
> * you were sending the full URL in the HTTP request line rather than
> just the path component, which upset LiveJournal's mod_perl code.
> (Apache by default simply disregards the scheme and host part, but
> LiveJournal replaces the component that would normally do that and
> doesn't handle that case)
> * the return_url check was failing where there's no port number
> component in the URL.
>
> I've only tested this with your simple.php.
>
> In addition, I think you need to be more careful with the URLs you
> accept. Currently PHP's parse_url function is protecting you to a
> certain extent, but you should yourself ensure that the URL components
> don't feature any "unusual" characters (newlines, for example) before
> just throwing them at a socket like that.
>
> Finally, URL canonicalisation doesn't seem to be working. I'm not sure
> why, but leaving off the http:// caused it to fail as did leaving off
> the trailing slash on a URL which only has "/" as its path component.
>
> I don't have any servers running PHP 4, so I can't offer any comment on
> that.
>
>
> --- examples/simple.php Tue Sep 06 07:26:26 2005
> +++ examples/simple.php Tue Sep 06 19:34:20 2005
> @@ -82,6 +82,8 @@
>
> $parts = parse_url( $return_to );
>
> + if (! isset($parts["port"])) $parts["port"] = ($parts["scheme"] == 'https' ? 443 : 80);
> +
> // you should verify return_to host:port string match host and
> // port of this server
> if( $parts['host'] != HOST || $parts['port'] != PORT ) {
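Review bot: the new default-port line reads $parts["scheme"] without checking that parse_url() set it; a return_to with no scheme leaves the key out, raises a notice, and silently defaults to port 80. Guard it first, e.g. `$scheme = isset($parts['scheme']) ? $parts['scheme'] : 'http';` and derive the port from that. The comparison that follows still checks only host and port, not the scheme, so a return_to on the right host and port but the other scheme passes; comparing the scheme too would make the check complete.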
> @@ -170,10 +172,10 @@
> // based on your running location. In practice this may be static.
> // You will likely want it to be your entire website, not just
> // this script.
> - $trust_root = $_SERVER['SCRIPT_URI'];
> + $trust_root = isset($_SERVER['SCRIPT_URI']) ? $_SERVER['SCRIPT_URI'] : 'http://'.$_SERVER['HTTP_HOST'].$_SERVER['PHP_SELF'];
>
> // build url to application for use in creating return_to
> - $app_url = $_SERVER['SCRIPT_URI'];
> + $app_url = isset($_SERVER['SCRIPT_URI']) ? $_SERVER['SCRIPT_URI'] : 'http://'.$_SERVER['HTTP_HOST'].$_SERVER['PHP_SELF'];
>
> // create return_to url from app_url
> $return_to = $handler->createReturnTo($app_url, $identity_url);
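Review bot: the fallback expression is duplicated verbatim on both + lines; compute it once and assign it to both $trust_root and $app_url. It also hard-codes 'http://', so on an HTTPS server both trust_root and the derived return_to become http URLs (check $_SERVER['HTTPS'] to pick the scheme). Finally it builds the host from $_SERVER['HTTP_HOST'], which Apache fills from the request's Host header; since this value ends up in trust_root, a configured base URL or SERVER_NAME with UseCanonicalName On is the safer source.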
> --- openid/httpclient.php Tue Sep 06 07:23:24 2005
> +++ openid/httpclient.php Tue Sep 06 19:57:40 2005
> @@ -97,9 +97,9 @@
> $scheme = isset( $parts['scheme'] ) ? $parts['scheme'] : null;
> $host = isset( $parts['host'] ) ? $parts['host'] : null;
> $port = isset( $parts['port'] ) ? $parts['port'] : ( $scheme == 'https' ? 443 : 80 );
> - $path = isset( $parts['path'] ) ? $parts['path'] : ( $scheme == 'https' ? 443 : 80 );
> - $query = isset( $parts['query'] ) ? $parts['query'] : ( $scheme == 'https' ? 443 : 80 );
> -
> + $path = isset( $parts['path'] ) ? $parts['path'] : null;
> + $query = isset( $parts['query'] ) ? $parts['query'] : null;
> +
> $uri = $path . ( $query ? '?' . $query : '' );
>
> if( !in_array( $scheme, array( 'http', 'https' ) ) || !$host || !$port || !$uri ) {
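Review bot: defaulting $path to null means a URL with no path component (http://example.com) yields an empty $uri, which the `!$uri` check below then rejects, although the request-line form of such a URL is simply "/". Default the path to '/' instead: `$path = isset( $parts['path'] ) ? $parts['path'] : '/';`. The removed lines show the old defaults were copy-pasted from the port line, so replacing them is the right fix; only the chosen default needs changing.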
> @@ -111,7 +111,7 @@
>
> $user_agent = $this->user_agent;
> $headers =
> - "GET $url HTTP/1.0\r\n" .
> + "GET $path HTTP/1.0\r\n" .
> "User-Agent: $user_agent\r\n" .
> "Host: $host\r\n" .
> "Cache-Control: no-cache\r\n" .
>
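Review bot: the request line now interpolates $path, but the query string was folded into $uri a few lines earlier, so any query component of the fetched URL is dropped from the request; it should read `"GET $uri HTTP/1.0\r\n"`. Also, as the message body above points out, neither $path nor $host is checked for CR/LF before being placed in the request line and Host header, so a URL containing a newline would inject extra header lines; reject URLs containing control characters before this point rather than relying on parse_url().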
Fix for URL canonicalization:
--- openid/consumer.php Tue Sep 06 15:39:25 2005
+++ openid/consumer.php Tue Sep 06 22:10:13 2005
@@ -66,8 +66,12 @@
function normalize_url($url) {
assert( 'is_string( $url )' );
$url = trim( $url );
if( !( oidUtil::startsWith( $url, 'http://') ||
oidUtil::startsWith( $url, 'https://')) ) {
$url = 'http://' . $url;
}
+ if (!preg_match("#(http(s)?)://.+/#is", $url)) {
+ $url .= "/";
+ }
+
// Porting Todo: handle unicode urls.
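Review bot: the regex `#(http(s)?)://.+/#is` only asks whether a "/" appears anywhere after the scheme, and the "/" is then appended to the end of the whole string. A URL with a query or fragment but no path, such as http://example.com?x=1, therefore becomes http://example.com?x=1/, while one whose only "/" sits inside the query is left without a path at all. Use parse_url() and insert "/" as the path component when it is missing, re-assembling scheme, host, port, path and query; the `(s)?` capture group is unused, and the `s` modifier is unnecessary (a newline inside a URL should be rejected, not matched).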
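The two points raised in this thread, inserting the missing "/" as a real path component and refusing URLs with control characters before they reach a socket, as an added example in PHP; this is not the library's code, and the function name is assumed:

```php
<?php
// Added example, not part of the OpenID library or the patches above.
// Normalises an identity URL with parse_url() so the default "/" becomes the
// path component (never appended after a query string) and rejects any URL
// carrying control characters, which would otherwise end up in the request
// line or Host header built by httpclient.php.
function safe_normalize_url($url) {
    $url = trim($url);
    // CR, LF and other control characters have no place in a URL; refuse
    // them here instead of relying on parse_url() to strip them.
    if (preg_match('/[\x00-\x1f\x7f]/', $url)) {
        return false;
    }
    if (!preg_match('#^https?://#i', $url)) {
        $url = 'http://' . $url;
    }
    $p = parse_url($url);
    if ($p === false || !isset($p['scheme']) || !isset($p['host'])
        || !in_array(strtolower($p['scheme']), array('http', 'https'))) {
        return false;
    }
    $scheme = strtolower($p['scheme']);
    $host   = strtolower($p['host']);
    // Keep the port only when it is not the scheme's default.
    $port = '';
    if (isset($p['port']) && (int)$p['port'] != ($scheme == 'https' ? 443 : 80)) {
        $port = ':' . (int)$p['port'];
    }
    // An empty path is "/" on the wire, so insert it before any query.
    $path  = (isset($p['path']) && $p['path'] !== '') ? $p['path'] : '/';
    $query = isset($p['query']) ? '?' . $p['query'] : '';
    // Fragments are never sent to the server, so they are dropped.
    return $scheme . '://' . $host . $port . $path . $query;
}

// Constructed sample inputs covering the cases discussed in the thread.
$samples = array(
    'example.com',
    'HTTP://Example.com:80?id=1',
    'https://example.com:8443/path#frag',
    "http://example.com/a\r\nb",
);
foreach ($samples as $s) {
    var_dump(safe_normalize_url($s));
}
```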