search

fritte02 / lightopenid

Automatically exported from code.google.com/p/lightopenid
0 stars 0 forks source link

PHP warnings on invalid domain #6

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago 
If a user enters an invalid domain like http://not.exists the following PHP 
warnings are generated:

Warning: get_headers() [function.get-headers]: php_network_getaddresses: 
getaddrinfo failed: Name or service not known in 
/srv/www/stendhal/lib/openid/lightopenid.php on line 148

Warning: get_headers(http://not.existing/) [function.get-headers]: failed to 
open stream: php_network_getaddresses: getaddrinfo failed: Name or service not 
known in /srv/www/stendhal/lib/openid/lightopenid.php on line 148

Warning: file_get_contents() [function.file-get-contents]: 
php_network_getaddresses: getaddrinfo failed: Name or service not known in 
/srv/www/stendhal/lib/openid/lightopenid.php on line 156

Warning: file_get_contents(http://not.existing/) [function.file-get-contents]: 
failed to open stream: php_network_getaddresses: getaddrinfo failed: Name or 
service not known in /srv/www/stendhal/lib/openid/lightopenid.php on line 156

Warning: file_get_contents() [function.file-get-contents]: 
php_network_getaddresses: getaddrinfo failed: Name or service not known in 
/srv/www/stendhal/lib/openid/lightopenid.php on line 156

Warning: file_get_contents(http://not.existing/) [function.file-get-contents]: 
failed to open stream: php_network_getaddresses: getaddrinfo failed: Name or 
service not known in /srv/www/stendhal/lib/openid/lightopenid.php on line 156

Original issue reported on code.google.com by HendrikU...@nexgo.de on 26 Sep 2010 at 3:39

GoogleCodeExporter commented 9 years ago 
I have thought about how to fix the problem, but have no idea so far.

I know of no method to check validity of the url without actually connecting to 
it, and therefore generating a warning.

There is checkdnsrr() function, but it only works for dns names (so for example 
"localhost" wouldn't work).

Suppressing the error with @ isn't a good solution either, because it will 
generate the error anyway (interfering with custom error handlers).

If you (or anyone else) have any idea how to do it, please tell me.

Original comment by mewp...@gmail.com on 27 Sep 2010 at 10:45

GoogleCodeExporter commented 9 years ago 
Sorry, I don't have a good idea.

The following code handles the case of invalid domains by using gethostbynamel 
which supports both "localhost" and ip-addresses. 

But if the domain exists and there is just no webserver, it will still cause a 
silent error.

--- lightopenid.php     27 Sep 2010 17:46:37 -0000      1.5
+++ lightopenid.php     27 Sep 2010 18:32:10 -0000
@@ -148,8 +148,16 @@
             );

             $url = $url . ($params ? '?' . $params : '');
-            $headers_tmp = get_headers ($url);
-            
+
+            # connecting to server
+            if (!$this->doesServerExist($url)) {
+                return null;
+            }
+            $headers_tmp = @get_headers($url);
+            if (!isset($headers_tmp)) {
+                return null;
+            }
+
             # Parsing headers.
             $headers = array();
             foreach($headers_tmp as $header) {
@@ -225,6 +233,9 @@
         for ($i = 0; $i < 5; $i ++) {
             if ($yadis) {
                 $headers = $this->request($url, 'HEAD');
+                if (!isset($headers)) {
+                    throw new ErrorException('No servers found!');
+                }

                 $next = false;
                     if (isset($headers['x-xrds-location'])) {
@@ -602,4 +613,24 @@
         }
         return $this->getSregAttributes();
     }
+
+    /**
+     * checks if the server specified in the url exists.
+     *
+     * @param $url url to check
+     * @return true, if the server exists; false otherwise
+     */
+    function doesServerExist($url)
+    {
+        if (strpos($url, '/') === false) {
+            $server = $url;
+        } else {
+            $server = @parse_url($url, PHP_URL_HOST);
+        }
+        if ($server === false) {
+            return false;
+        }
+        $ip = gethostbynamel($server);
+        return ($ip !== false);
+    }
 }

phpunit:
<?php
require_once('lib/openid/lightopenid.php');

class LightOpenidTest extends PHPUnit_Framework_TestCase {

    public function testDoesServerExist() {
        $openid = new LightOpenID();
        $this->assertTrue($openid->doesServerExist("localhost"));
        $this->assertTrue($openid->doesServerExist("www.google.com"));
        $this->assertTrue($openid->doesServerExist("ip6-loopback"));
        $this->assertTrue($openid->doesServerExist("127.0.0.1"));
        $this->assertFalse($openid->doesServerExist("not.exists"));

        $this->assertTrue($openid->doesServerExist("http://me.yahoo.com"));
        $this->assertTrue($openid->doesServerExist("http://me.yahoo.com/"));
        $this->assertTrue($openid->doesServerExist("http://me.yahoo.com:80"));
        $this->assertTrue($openid->doesServerExist("http://me.yahoo.com:80/"));

        $this->assertFalse($openid->doesServerExist("http://not.exists"));
        $this->assertFalse($openid->doesServerExist("http://not.exists/"));
        $this->assertFalse($openid->doesServerExist("http://not.exists:80/"));
    }
}

PS: Thanks a lot for your fixes and providing lightopenid in the first place.

Original comment by HendrikU...@nexgo.de on 27 Sep 2010 at 6:36

GoogleCodeExporter commented 9 years ago 
Thanks! I'll include the fix.

However, throwing an error after the first HEAD fails isn't correct behavior. 

From section 7.3 of the spec:
If the Yadis protocol fails [realized mostly by a HEAD request] and no valid 
XRDS document is retrieved, or no Service Elements are found in the XRDS 
document, the URL is retrieved and HTML-Based discovery SHALL be attempted.

And anyway, $headers would be set and equal to null, so that isset($headers) == 
true, and empty($headers) == true.

I would however throw an error if the server isn't found, because further 
discovery is impossible.

Original comment by mewp...@gmail.com on 27 Sep 2010 at 7:09

GoogleCodeExporter commented 9 years ago 
Ok, it's commited now, with some changes and unrelated bugfixes.

Also, I'm sure that you will test it, so please tell me if you find that 
everything works, so I can upload the current version as lightopenid-0.3.

Original comment by mewp...@gmail.com on 27 Sep 2010 at 9:39

GoogleCodeExporter commented 9 years ago 
I successfully tested it with myopenid.com, delegation to myopenid.com, google 
and yahoo. And there are no more php warning on invalid domains.

Thanks a lot.

Original comment by HendrikU...@nexgo.de on 28 Sep 2010 at 6:26