Ticket #269 (closed defect: fixed)

Opened 5 months ago

Last modified 5 months ago

The library fails to retrieve the identity for yahoo.com with the PHP library (possibly others)

Reported by: http://szeber.myopenid.com/ Assigned to:
Priority: major Milestone:
Keywords: Cc:
Project: php-openid OpenID Protocol:
Series: Web Browser:

Description

When trying to authenticate a user through Yahoo's OpenID service it fails instantly. The problem seems to be caused by the library sending a RANGE HTTP request header, and receiving a 206 status code, while only accepting 200. The problem can be fixed by either of the following ways:

Removing the following 2 lines (130-131) from the Auth_Yadis_ParanoidHTTPFetcher class's get method:

            curl_setopt($c, CURLOPT_RANGE, 
                       "0-".(1024 * Auth_OpenID_FETCHER_MAX_RESPONSE_KB));

Adjusting lines 335 and 364 to accept the 206 status code too.

        if (!$response || ($response->status != 200)) {

and

                if ((!$response) || ($response->status != 200)) {

to:

        if (!$response || ($response->status != 200 && $response->status != 206)) {

and

                if ((!$response) || ($response->status != 200 && $response->status != 206)) {

or other methods like in_array().

If using the second method, the code should be reviewed to see if the same problem can occur elsewhere.

If the purpose of the RANGE header is to avoid a possible DoS attack against the server, then method 2 would be preferable, but the 206 status code should be accepted everywhere.

I'm also attaching patches for both fixes.
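As an added illustration (not php-openid's own code, and not one of the attached patches), the following helper shows the shape of the reporter's second fix, treating 206 as success alongside 200, and goes one step further than the ticket: it also enforces the size cap on the client side, because a server that ignores the Range header answers 200 with the full body and the header alone then caps nothing. It assumes PHP 5.3+ (closures); the constant and function names are hypothetical.

```php
<?php
// Added example, not library code. A size-capped fetch that accepts both
// 200 and 206, and truncates the body at the cap even when the server
// ignored the Range header. MAX_RESPONSE_KB is an assumed value that
// mirrors the role of Auth_OpenID_FETCHER_MAX_RESPONSE_KB in the ticket.

const MAX_RESPONSE_KB = 1024;

// 206 Partial Content is the normal reply of a Range-aware server (e.g. the
// Yahoo case in the ticket); rejecting it breaks discovery for no gain.
function isSuccessStatus($status) {
    return in_array((int)$status, array(200, 206), true);
}

function fetchCapped($url, $maxKb = MAX_RESPONSE_KB) {
    $limit = $maxKb * 1024;
    $body  = '';
    $c = curl_init($url);
    curl_setopt($c, CURLOPT_RANGE, "0-" . $limit);   // ask the server to cap
    curl_setopt($c, CURLOPT_FOLLOWLOCATION, false);
    curl_setopt($c, CURLOPT_TIMEOUT, 20);
    // Client-side cap: stop reading once $limit bytes have arrived, whether
    // the server honoured the Range header (206) or ignored it (200).
    curl_setopt($c, CURLOPT_WRITEFUNCTION, function ($ch, $chunk) use (&$body, $limit) {
        $remaining = $limit - strlen($body);
        if ($remaining <= 0) {
            return 0; // returning fewer bytes than offered aborts the transfer
        }
        $body .= substr($chunk, 0, $remaining);
        return strlen($chunk);
    });
    $ok     = curl_exec($c);
    $status = curl_getinfo($c, CURLINFO_HTTP_CODE);
    $err    = curl_error($c);
    curl_close($c);
    // A deliberate abort at the cap surfaces as a curl error; only report
    // failure when the body is short of the cap (real transport error).
    if ($ok === false && strlen($body) < $limit) {
        return array('status' => 0, 'body' => null, 'error' => $err);
    }
    if (!isSuccessStatus($status)) {
        return array('status' => $status, 'body' => null, 'error' => 'unexpected status');
    }
    return array('status' => $status, 'body' => $body, 'error' => null);
}
```

Callers check `$result['body'] !== null` rather than comparing the status to 200 themselves, so the 200-or-206 decision lives in one place instead of at every call site, which is the review concern the ticket raises for method 2.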

Attachments

fix1.patch (0.7 kB) - added by http://szeber.myopenid.com/ on 06/27/08 13:38:03.
Patch for fix #1, removing the range header
fix2.patch (0.9 kB) - added by http://szeber.myopenid.com/ on 06/27/08 13:39:00.
Patch for fix #2, accepting 206 status code

Change History

06/27/08 13:38:03 changed by http://szeber.myopenid.com/

  • attachment fix1.patch added.

Patch for fix #1, removing the range header

06/27/08 13:39:00 changed by http://szeber.myopenid.com/

  • attachment fix2.patch added.

Patch for fix #2, accepting 206 status code

06/27/08 13:41:38 changed by http://szeber.myopenid.com/

Sorry, I left out the class name for the second fix. Lines 335 and 364 should be adjusted in the Auth_Yadis_Yadis class.

06/27/08 16:19:26 changed by http://keturn.myopenid.com/

  • status changed from new to closed.
  • resolution set to fixed.

Thanks for the patch! But I think somebody else beat you to it. In the future, you may want to check out the latest development version with darcs before you go to the trouble of preparing a diff.

This should be fixed in today's release.