Closed GoogleCodeExporter closed 8 years ago
Probably we want that modifier ungreedy, like so:
$uri = preg_replace('#((?<=\?)|&)openid\..*?(?>=&|$)#','',$uri);
but I don't think the parameters would get mixed anyway.
Original comment by mrubio...@gmail.com
on 22 Nov 2010 at 8:14
That regex needs some work now that I look at it, but I think I made my point.
Original comment by mrubio...@gmail.com
on 22 Nov 2010 at 8:17
We need the "($this->data['openid_return_to'] != $this->returnUrl)", because
without it, someone could send an openid response meant for another relying
party, and it would still validate. That would enable a rogue RP to
authenticate into LightOpenID RP-s, effectively hijacking the user's account on
those sites.
Besides, the protocol requires that openid.return_to has to be checked, and
it's enough reason to do that. See section 11 and 11.1 of the spec for the
details.
As for the regex, I'll test it later and commit the fix if it works.
Original comment by mewp...@gmail.com
on 22 Nov 2010 at 11:33
I have slightly modified the regex and commited the fix.
Original comment by mewp...@gmail.com
on 22 Nov 2010 at 3:30
Original issue reported on code.google.com by
mrubio...@gmail.com
on 22 Nov 2010 at 8:12