chantasaur / lightopenid

Automatically exported from code.google.com/p/lightopenid

Response validation fails when request() does not pick curl #53

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago
Running the "example.php" file in the source code on one of my servers, I was 
getting this all the time:

    is_valid:false
    ns:http://specs.openid.net/auth/2.0

I've been able to track down the issue to the request() method:

    protected function request($url, $method='GET', $params=array(), $update_claimed_id=false)
    {
        if (function_exists('curl_init')
            && (!in_array('https', stream_get_wrappers()) || !ini_get('safe_mode') && !ini_get('open_basedir'))
        ) {
            return $this->request_curl($url, $method, $params, $update_claimed_id);
        }
        return $this->request_streams($url, $method, $params, $update_claimed_id);
    }

On such a server, LightOpenID chooses to use request_streams() and validation 
fails. However, if I comment out some lines and force it to use request_curl(), 
validation is successful.

So there're two issues here:

1. CURL is not used although it's available.
2. file_get_contents() does something wrong that goes undetected.

Some extra info:

    function_exists('curl_init'): bool(true)
    stream_get_wrappers(): array(11) {
      [0]=>
      string(5) "https"
      [1]=>
      string(4) "ftps"
      [2]=>
      string(13) "compress.zlib"
      [3]=>
      string(3) "php"
      [4]=>
      string(4) "file"
      [5]=>
      string(4) "glob"
      [6]=>
      string(4) "data"
      [7]=>
      string(4) "http"
      [8]=>
      string(3) "ftp"
      [9]=>
      string(4) "phar"
      [10]=>
      string(3) "zip"
    }
    in_array('https', stream_get_wrappers()): bool(true)
    ini_get('safe_mode'): string(1) "0"
    ini_get('open_basedir'): string(43) "/home/ahr:/opt/php5.3/lib/php:/tmp:/usr/bin"

I guess the if() returns FALSE because open_basedir() is set. However, that's 
not an obstacle, at least not in my hosting account.

Original issue reported on code.google.com by kAlvaro on 18 Nov 2011 at 8:14

GoogleCodeExporter commented 8 years ago
When open_basedir is set, the Location HTTP header can't be followed (at least 
by curl), and that's why it's disabled.

As for validation returning false when using streams, it's a valid (and 
separate) bug, but you haven't posted any details that might help me with 
debugging. Obviously, it works for me.

So, I'm waiting for more details on that.

Original comment by mewp...@gmail.com on 18 Nov 2011 at 8:29

GoogleCodeExporter commented 8 years ago
You are right about curl. I had overlooked my log files. It worked by pure 
chance: in my case, there were no redirections to follow.

I've been able to reproduce the streams issue in my dev box so I'm in a position 
to gather as much information as required.

I'm not familiar with the OpenID internals but request_streams() does something 
I can't understand. When validating the response, it calls this:

    $data = file_get_contents($url, false, $context);

...on line 345 to make a POST request to https://myvidoop.com/openid. The 
server's response is this:

    is_valid:true 
    ns:http://specs.openid.net/auth/2.0

But the $data variable is never used. On line 352 we see this:

    return file_get_contents($url, false, $context);

... which makes exactly the same POST request and this time obtains:

    is_valid:false
    ns:http://specs.openid.net/auth/2.0

My gut says that line 352 should be:

    return $data;

Original comment by kAlvaro on 19 Nov 2011 at 7:31
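
Added example (not LightOpenID's code and not part of the original comments): a self-contained PHP illustration of how a duplicated check_authentication POST can turn `is_valid:true` into `is_valid:false`. It assumes the provider answers each `openid.response_nonce` only once, as OpenID 2.0's replay protection requires; `make_provider()`, `request_twice()`, `request_once()` and `is_valid_response()` are hypothetical names, and the nonce is a constructed value.

```php
<?php
// Constructed stand-in for the provider (assumption): it answers
// positively only once per openid.response_nonce (replay protection).
function make_provider(): callable
{
    $seen = [];
    return function (array $params) use (&$seen): string {
        $nonce = $params['openid.response_nonce'] ?? '';
        $valid = $nonce !== '' && !isset($seen[$nonce]);
        $seen[$nonce] = true;   // nonce is consumed by the first request
        return 'is_valid:' . ($valid ? 'true' : 'false')
             . "\nns:http://specs.openid.net/auth/2.0\n";
    };
}

// Shape of the behaviour reported above: the POST is sent twice and
// the body of the second request is the one returned.
function request_twice(callable $post, array $params): string
{
    $data = $post($params);   // first POST: result discarded
    return $post($params);    // second POST: nonce already consumed
}

// One POST only; its body is what gets returned.
function request_once(callable $post, array $params): string
{
    $data = $post($params);
    return $data;
}

// Parse the key:value body; accept only an exact "true" (fail closed).
function is_valid_response(string $body): bool
{
    foreach (preg_split('/\r?\n/', trim($body)) as $line) {
        [$key, $value] = array_pad(explode(':', $line, 2), 2, '');
        if ($key === 'is_valid') {
            return trim($value) === 'true';
        }
    }
    return false;   // a missing is_valid line counts as a failure
}

// Constructed verification parameters, not taken from a real login.
$params = ['openid.mode' => 'check_authentication',
           'openid.response_nonce' => '2011-11-19T07:31:00Zconstructed'];

var_dump(is_valid_response(request_twice(make_provider(), $params)));
var_dump(is_valid_response(request_once(make_provider(), $params)));
```

Each call gets a fresh provider, so the two results differ only because of the second POST.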

GoogleCodeExporter commented 8 years ago
Ok, I think I know what the problem is now. I'll try to fix it soon.

Original comment by mewp...@gmail.com on 19 Nov 2011 at 7:46

GoogleCodeExporter commented 8 years ago
Problem still exists... (I'm using safe_mode = on)

Original comment by 94m3k...@gmail.com on 28 Apr 2012 at 2:25

GoogleCodeExporter commented 8 years ago
Sorry, I'm not using safe_mode, it's open_basedir.

Original comment by 94m3k...@gmail.com on 28 Apr 2012 at 3:47