From 2d920e05d563c9c327cf235b31ce18dfc4a83870 Mon Sep 17 00:00:00 2001 From: Brion Vibber Date: Tue, 29 Jun 2010 10:24:48 -0400 Subject: Update the (formerly) Janrain OpenID library to 2.2.2 -- bug fixes including PHP 5.3 compatibility fix. Upstream release was tagged at: http://github.com/openid/php-openid/commit/a287b2d85e753c84b3b883ed8ee3ffe8692c8477 --- extlib/Auth/OpenID.php | 63 +++++++++++--------- extlib/Auth/OpenID/AX.php | 23 ++++---- extlib/Auth/OpenID/Association.php | 23 ++++---- extlib/Auth/OpenID/BigMath.php | 31 ++-------- extlib/Auth/OpenID/Consumer.php | 66 ++++++++++----------- extlib/Auth/OpenID/CryptUtil.php | 5 +- extlib/Auth/OpenID/DatabaseConnection.php | 1 - extlib/Auth/OpenID/DiffieHellman.php | 6 +- extlib/Auth/OpenID/Discover.php | 94 ++++++++++++++++++++++++------ extlib/Auth/OpenID/DumbStore.php | 1 - extlib/Auth/OpenID/Extension.php | 3 +- extlib/Auth/OpenID/FileStore.php | 6 +- extlib/Auth/OpenID/HMAC.php | 1 - extlib/Auth/OpenID/Interface.php | 1 - extlib/Auth/OpenID/KVForm.php | 5 +- extlib/Auth/OpenID/MemcachedStore.php | 1 - extlib/Auth/OpenID/Message.php | 10 ++-- extlib/Auth/OpenID/MySQLStore.php | 1 - extlib/Auth/OpenID/Nonce.php | 1 - extlib/Auth/OpenID/PAPE.php | 11 ++-- extlib/Auth/OpenID/Parse.php | 37 ++++++++++-- extlib/Auth/OpenID/PostgreSQLStore.php | 1 - extlib/Auth/OpenID/SQLStore.php | 18 +----- extlib/Auth/OpenID/SQLiteStore.php | 1 - extlib/Auth/OpenID/SReg.php | 14 ++--- extlib/Auth/OpenID/Server.php | 95 ++++++++++++++++--------------- extlib/Auth/OpenID/ServerRequest.php | 1 - extlib/Auth/OpenID/TrustRoot.php | 21 ++++--- extlib/Auth/OpenID/URINorm.php | 2 +- extlib/Auth/Yadis/HTTPFetcher.php | 33 ++++++++++- extlib/Auth/Yadis/Manager.php | 20 ++----- extlib/Auth/Yadis/Misc.php | 1 - extlib/Auth/Yadis/ParanoidHTTPFetcher.php | 29 ++++++++-- extlib/Auth/Yadis/ParseHTML.php | 1 - extlib/Auth/Yadis/PlainHTTPFetcher.php | 3 +- extlib/Auth/Yadis/XML.php | 56 ++++++------------ extlib/Auth/Yadis/XRDS.php | 16 +++--- extlib/Auth/Yadis/XRI.php | 4 +- extlib/Auth/Yadis/XRIRes.php | 6 +- extlib/Auth/Yadis/Yadis.php | 20 +++---- 40 files changed, 397 insertions(+), 335 deletions(-) (limited to 'extlib/Auth') diff --git a/extlib/Auth/OpenID.php b/extlib/Auth/OpenID.php index db6164256..c9d977962 100644 --- a/extlib/Auth/OpenID.php +++ b/extlib/Auth/OpenID.php @@ -20,7 +20,7 @@ /** * The library version string */ -define('Auth_OpenID_VERSION', '2.1.3'); +define('Auth_OpenID_VERSION', '2.2.2'); /** * Require the fetcher code. @@ -102,9 +102,7 @@ define('Auth_OpenID_digits', define('Auth_OpenID_punct', "!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~"); -if (Auth_OpenID_getMathLib() === null) { - Auth_OpenID_setNoMathSupport(); -} +Auth_OpenID_include_init(); /** * The OpenID utility function class. @@ -120,7 +118,7 @@ class Auth_OpenID { * * @access private */ - function isFailure($thing) + static function isFailure($thing) { return is_a($thing, 'Auth_OpenID_FailureResponse'); } @@ -139,9 +137,12 @@ class Auth_OpenID { * Returns an empty array if neither GET nor POST was used, or if * POST was used but php://input cannot be opened. * + * See background: + * http://lists.openidenabled.com/pipermail/dev/2007-March/000395.html + * * @access private */ - function getQuery($query_str=null) + static function getQuery($query_str=null) { $data = array(); @@ -177,7 +178,7 @@ class Auth_OpenID { return $data; } - function params_from_string($str) + static function params_from_string($str) { $chunks = explode("&", $str); @@ -190,7 +191,7 @@ class Auth_OpenID { } list($k, $v) = $parts; - $data[$k] = urldecode($v); + $data[urldecode($k)] = urldecode($v); } return $data; @@ -203,7 +204,7 @@ class Auth_OpenID { * * @access private */ - function ensureDir($dir_name) + static function ensureDir($dir_name) { if (is_dir($dir_name) || @mkdir($dir_name)) { return true; @@ -225,7 +226,7 @@ class Auth_OpenID { * * @access private */ - function addPrefix($values, $prefix) + static function addPrefix($values, $prefix) { $new_values = array(); foreach ($values as $s) { @@ -241,7 +242,7 @@ class Auth_OpenID { * * @access private */ - function arrayGet($arr, $key, $fallback = null) + static function arrayGet($arr, $key, $fallback = null) { if (is_array($arr)) { if (array_key_exists($key, $arr)) { @@ -261,7 +262,7 @@ class Auth_OpenID { /** * Replacement for PHP's broken parse_str. */ - function parse_str($query) + static function parse_str($query) { if ($query === null) { return null; @@ -278,7 +279,7 @@ class Auth_OpenID { } list($key, $value) = $pair; - $new_parts[$key] = urldecode($value); + $new_parts[urldecode($key)] = urldecode($value); } return $new_parts; @@ -295,7 +296,7 @@ class Auth_OpenID { * pairs from $data into a URL query string * (e.g. "username=bob&id=56"). */ - function httpBuildQuery($data) + static function httpBuildQuery($data) { $pairs = array(); foreach ($data as $key => $value) { @@ -323,7 +324,7 @@ class Auth_OpenID { * @return string $url The original URL with the new parameters added. * */ - function appendArgs($url, $args) + static function appendArgs($url, $args) { if (count($args) == 0) { return $url; @@ -367,7 +368,7 @@ class Auth_OpenID { * @return string $url The URL resulting from assembling the * specified components. */ - function urlunparse($scheme, $host, $port = null, $path = '/', + static function urlunparse($scheme, $host, $port = null, $path = '/', $query = '', $fragment = '') { @@ -412,7 +413,7 @@ class Auth_OpenID { * @return mixed $new_url The URL after normalization, or null if * $url was malformed. */ - function normalizeUrl($url) + static function normalizeUrl($url) { @$parsed = parse_url($url); @@ -443,7 +444,7 @@ class Auth_OpenID { * * @access private */ - function intval($value) + static function intval($value) { $re = "/^\\d+$/"; @@ -461,7 +462,7 @@ class Auth_OpenID { * @param string $str The string of bytes to count. * @return int The number of bytes in $str. */ - function bytes($str) + static function bytes($str) { return strlen(bin2hex($str)) / 2; } @@ -470,7 +471,7 @@ class Auth_OpenID { * Get the bytes in a string independently of multibyte support * conditions. */ - function toBytes($str) + static function toBytes($str) { $hex = bin2hex($str); @@ -486,7 +487,7 @@ class Auth_OpenID { return $b; } - function urldefrag($url) + static function urldefrag($url) { $parts = explode("#", $url, 2); @@ -497,7 +498,7 @@ class Auth_OpenID { } } - function filter($callback, &$sequence) + static function filter($callback, &$sequence) { $result = array(); @@ -510,7 +511,7 @@ class Auth_OpenID { return $result; } - function update(&$dest, &$src) + static function update(&$dest, &$src) { foreach ($src as $k => $v) { $dest[$k] = $v; @@ -524,14 +525,14 @@ class Auth_OpenID { * * @param string $format_string The sprintf format for the message */ - function log($format_string) + static function log($format_string) { $args = func_get_args(); $message = call_user_func_array('sprintf', $args); error_log($message); } - function autoSubmitHTML($form, $title="OpenId transaction in progress") + static function autoSubmitHTML($form, $title="OpenId transaction in progress") { return("". "". @@ -549,4 +550,14 @@ class Auth_OpenID { "</html>"); } } -?> + +/* + * Function to run when this file is included. + * Abstracted to a function to make life easier + * for some PHP optimizers. + */ +function Auth_OpenID_include_init() { + if (Auth_OpenID_getMathLib() === null) { + Auth_OpenID_setNoMathSupport(); + } +} diff --git a/extlib/Auth/OpenID/AX.php b/extlib/Auth/OpenID/AX.php index 4a617ae30..7370715e3 100644 --- a/extlib/Auth/OpenID/AX.php +++ b/extlib/Auth/OpenID/AX.php @@ -38,7 +38,7 @@ class Auth_OpenID_AX { * @return bool true if $thing is an Auth_OpenID_AX_Error; false * if not. */ - function isError($thing) + static function isError($thing) { return is_a($thing, 'Auth_OpenID_AX_Error'); } @@ -191,7 +191,7 @@ class Auth_OpenID_AX_AttrInfo { * Construct an attribute information object. For parameter * details, see the constructor. */ - function make($type_uri, $count=1, $required=false, + static function make($type_uri, $count=1, $required=false, $alias=null) { if ($alias !== null) { @@ -235,7 +235,7 @@ class Auth_OpenID_AX_AttrInfo { * return null If an alias is present in the list of aliases but * is not present in the namespace map. */ -function Auth_OpenID_AX_toTypeURIs(&$namespace_map, $alias_list_s) +function Auth_OpenID_AX_toTypeURIs($namespace_map, $alias_list_s) { $uris = array(); @@ -386,7 +386,7 @@ class Auth_OpenID_AX_FetchRequest extends Auth_OpenID_AX_Message { * Auth_OpenID_AX_FetchRequest extracted from the request message if * successful */ - function &fromOpenIDRequest($request) + static function fromOpenIDRequest($request) { $m = $request->message; $obj = new Auth_OpenID_AX_FetchRequest(); @@ -484,7 +484,7 @@ class Auth_OpenID_AX_FetchRequest extends Auth_OpenID_AX_Message { Auth_OpenID::arrayGet($ax_args, 'required')); foreach ($required as $type_uri) { - $attrib =& $this->requested_attributes[$type_uri]; + $attrib = $this->requested_attributes[$type_uri]; $attrib->required = true; } @@ -587,7 +587,7 @@ class Auth_OpenID_AX_KeyValueMessage extends Auth_OpenID_AX_Message { * * @access private */ - function _getExtensionKVArgs(&$aliases) + function _getExtensionKVArgs($aliases) { if ($aliases === null) { $aliases = new Auth_OpenID_NamespaceMap(); @@ -652,7 +652,7 @@ class Auth_OpenID_AX_KeyValueMessage extends Auth_OpenID_AX_Message { foreach ($aliases->iteritems() as $pair) { list($type_uri, $alias) = $pair; - if (array_key_exists('count.' . $alias, $ax_args)) { + if (array_key_exists('count.' . $alias, $ax_args) && ($ax_args['count.' . $alias] !== Auth_OpenID_AX_UNLIMITED_VALUES)) { $count_key = 'count.' . $alias; $count_s = $ax_args[$count_key]; @@ -888,7 +888,7 @@ class Auth_OpenID_AX_FetchResponse extends Auth_OpenID_AX_KeyValueMessage { $ax_args['update_url'] = $update_url; } - Auth_OpenID::update(&$ax_args, $kv_args); + Auth_OpenID::update($ax_args, $kv_args); return $ax_args; } @@ -922,7 +922,7 @@ class Auth_OpenID_AX_FetchResponse extends Auth_OpenID_AX_KeyValueMessage { * @return $response A FetchResponse containing the data from the * OpenID message */ - function fromSuccessResponse($success_response, $signed=true) + static function fromSuccessResponse($success_response, $signed=true) { $obj = new Auth_OpenID_AX_FetchResponse(); if ($signed) { @@ -960,7 +960,7 @@ class Auth_OpenID_AX_StoreRequest extends Auth_OpenID_AX_KeyValueMessage { { $ax_args = $this->_newArgs(); $kv_args = $this->_getExtensionKVArgs($aliases); - Auth_OpenID::update(&$ax_args, $kv_args); + Auth_OpenID::update($ax_args, $kv_args); return $ax_args; } } @@ -980,7 +980,7 @@ class Auth_OpenID_AX_StoreResponse extends Auth_OpenID_AX_Message { * Returns Auth_OpenID_AX_Error on error or an * Auth_OpenID_AX_StoreResponse object on success. */ - function &make($succeeded=true, $error_message=null) + function make($succeeded=true, $error_message=null) { if (($succeeded) && ($error_message !== null)) { return new Auth_OpenID_AX_Error('An error message may only be '. @@ -1020,4 +1020,3 @@ class Auth_OpenID_AX_StoreResponse extends Auth_OpenID_AX_Message { } } -?> \ No newline at end of file diff --git a/extlib/Auth/OpenID/Association.php b/extlib/Auth/OpenID/Association.php index 37ce0cbf4..d1ac1ed9b 100644 --- a/extlib/Auth/OpenID/Association.php +++ b/extlib/Auth/OpenID/Association.php @@ -94,7 +94,7 @@ class Auth_OpenID_Association { * @return association An {@link Auth_OpenID_Association} * instance. */ - function fromExpiresIn($expires_in, $handle, $secret, $assoc_type) + static function fromExpiresIn($expires_in, $handle, $secret, $assoc_type) { $issued = time(); $lifetime = $expires_in; @@ -132,7 +132,7 @@ class Auth_OpenID_Association { $handle, $secret, $issued, $lifetime, $assoc_type) { if (!in_array($assoc_type, - Auth_OpenID_getSupportedAssociationTypes())) { + Auth_OpenID_getSupportedAssociationTypes(), true)) { $fmt = 'Unsupported association type (%s)'; trigger_error(sprintf($fmt, $assoc_type), E_USER_ERROR); } @@ -206,7 +206,7 @@ class Auth_OpenID_Association { * @param string $assoc_s Association as serialized by serialize() * @return Auth_OpenID_Association $result instance of this class */ - function deserialize($class_name, $assoc_s) + static function deserialize($class_name, $assoc_s) { $pairs = Auth_OpenID_KVForm::toArray($assoc_s, $strict = true); $keys = array(); @@ -327,7 +327,7 @@ class Auth_OpenID_Association { * * @access private */ - function _makePairs(&$message) + function _makePairs($message) { $signed = $message->getArg(Auth_OpenID_OPENID_NS, 'signed'); if (!$signed || Auth_OpenID::isFailure($signed)) { @@ -352,7 +352,7 @@ class Auth_OpenID_Association { * * @access private */ - function getMessageSignature(&$message) + function getMessageSignature($message) { $pairs = $this->_makePairs($message); return base64_encode($this->sign($pairs)); @@ -364,7 +364,7 @@ class Auth_OpenID_Association { * * @access private */ - function checkMessageSignature(&$message) + function checkMessageSignature($message) { $sig = $message->getArg(Auth_OpenID_OPENID_NS, 'sig'); @@ -469,18 +469,16 @@ function Auth_OpenID_getOnlyEncryptedOrder() return $result; } -function &Auth_OpenID_getDefaultNegotiator() +function Auth_OpenID_getDefaultNegotiator() { - $x = new Auth_OpenID_SessionNegotiator( + return new Auth_OpenID_SessionNegotiator( Auth_OpenID_getDefaultAssociationOrder()); - return $x; } -function &Auth_OpenID_getEncryptedNegotiator() +function Auth_OpenID_getEncryptedNegotiator() { - $x = new Auth_OpenID_SessionNegotiator( + return new Auth_OpenID_SessionNegotiator( Auth_OpenID_getOnlyEncryptedOrder()); - return $x; } /** @@ -610,4 +608,3 @@ class Auth_OpenID_SessionNegotiator { } } -?> \ No newline at end of file diff --git a/extlib/Auth/OpenID/BigMath.php b/extlib/Auth/OpenID/BigMath.php index 45104947d..7fca2dc43 100644 --- a/extlib/Auth/OpenID/BigMath.php +++ b/extlib/Auth/OpenID/BigMath.php @@ -351,8 +351,7 @@ function Auth_OpenID_math_extensions() 'class' => 'Auth_OpenID_GmpMathWrapper'); } - $result[] = array( - 'modules' => array('bcmath', 'php_bcmath'), + $result[] = array('modules' => array('bcmath', 'php_bcmath'), 'extension' => 'bcmath', 'class' => 'Auth_OpenID_BcMathWrapper'); @@ -366,27 +365,9 @@ function Auth_OpenID_detectMathLibrary($exts) { $loaded = false; + $hasDl = function_exists('dl'); foreach ($exts as $extension) { - // See if the extension specified is already loaded. - if ($extension['extension'] && - extension_loaded($extension['extension'])) { - $loaded = true; - } - - // Try to load dynamic modules. - if (!$loaded) { - foreach ($extension['modules'] as $module) { - if (@dl($module . "." . PHP_SHLIB_SUFFIX)) { - $loaded = true; - break; - } - } - } - - // If the load succeeded, supply an instance of - // Auth_OpenID_MathWrapper which wraps the specified - // module's functionality. - if ($loaded) { + if (extension_loaded($extension['extension'])) { return $extension; } } @@ -405,7 +386,7 @@ function Auth_OpenID_detectMathLibrary($exts) * instance of a wrapper for that extension module. If no extension * module is found, an instance of {@link Auth_OpenID_MathWrapper} is * returned, which wraps the native PHP integer implementation. The - * proper calling convention for this method is $lib =& + * proper calling convention for this method is $lib = * Auth_OpenID_getMathLib(). * * This function checks for the existence of specific long number @@ -416,7 +397,7 @@ function Auth_OpenID_detectMathLibrary($exts) * * @package OpenID */ -function &Auth_OpenID_getMathLib() +function Auth_OpenID_getMathLib() { // The instance of Auth_OpenID_MathWrapper that we choose to // supply will be stored here, so that subseqent calls to this @@ -468,4 +449,4 @@ function Auth_OpenID_noMathSupport() return defined('Auth_OpenID_NO_MATH_SUPPORT'); } -?> + diff --git a/extlib/Auth/OpenID/Consumer.php b/extlib/Auth/OpenID/Consumer.php index 500890b65..021c03898 100644 --- a/extlib/Auth/OpenID/Consumer.php +++ b/extlib/Auth/OpenID/Consumer.php @@ -258,19 +258,19 @@ class Auth_OpenID_Consumer { * when creating the internal consumer object. This is used for * testing. */ - function Auth_OpenID_Consumer(&$store, $session = null, + function Auth_OpenID_Consumer($store, $session = null, $consumer_cls = null) { if ($session === null) { $session = new Auth_Yadis_PHPSession(); } - $this->session =& $session; + $this->session = $session; if ($consumer_cls !== null) { - $this->consumer =& new $consumer_cls($store); + $this->consumer = new $consumer_cls($store); } else { - $this->consumer =& new Auth_OpenID_GenericConsumer($store); + $this->consumer = new Auth_OpenID_GenericConsumer($store); } $this->_token_key = $this->session_key_prefix . $this->_token_suffix; @@ -281,7 +281,7 @@ class Auth_OpenID_Consumer { * * @access private */ - function getDiscoveryObject(&$session, $openid_url, + function getDiscoveryObject($session, $openid_url, $session_key_prefix) { return new Auth_Yadis_Discovery($session, $openid_url, @@ -339,7 +339,7 @@ class Auth_OpenID_Consumer { $this->consumer->fetcher); // Reset the 'stale' attribute of the manager. - $m =& $disco->getManager(); + $m = $disco->getManager(); if ($m) { $m->stale = false; $disco->session->set($disco->session_key, @@ -370,7 +370,7 @@ class Auth_OpenID_Consumer { * @return Auth_OpenID_AuthRequest $auth_request An OpenID * authentication request object. */ - function &beginWithoutDiscovery($endpoint, $anonymous=false) + function beginWithoutDiscovery($endpoint, $anonymous=false) { $loader = new Auth_OpenID_ServiceEndpointLoader(); $auth_req = $this->consumer->begin($endpoint); @@ -467,7 +467,7 @@ class Auth_OpenID_DiffieHellmanSHA1ConsumerSession { function getRequest() { - $math =& Auth_OpenID_getMathLib(); + $math = Auth_OpenID_getMathLib(); $cpub = $math->longToBase64($this->dh->public); @@ -496,7 +496,7 @@ class Auth_OpenID_DiffieHellmanSHA1ConsumerSession { return null; } - $math =& Auth_OpenID_getMathLib(); + $math = Auth_OpenID_getMathLib(); $spub = $math->base64ToLong($response->getArg(Auth_OpenID_OPENID_NS, 'dh_server_public')); @@ -611,11 +611,11 @@ class Auth_OpenID_GenericConsumer { * in the module description. The default value is False, which * disables immediate mode. */ - function Auth_OpenID_GenericConsumer(&$store) + function Auth_OpenID_GenericConsumer($store) { - $this->store =& $store; - $this->negotiator =& Auth_OpenID_getDefaultNegotiator(); - $this->_use_assocs = ($this->store ? true : false); + $this->store = $store; + $this->negotiator = Auth_OpenID_getDefaultNegotiator(); + $this->_use_assocs = (is_null($this->store) ? false : true); $this->fetcher = Auth_Yadis_Yadis::getHTTPFetcher(); @@ -665,14 +665,14 @@ class Auth_OpenID_GenericConsumer { $method = Auth_OpenID::arrayGet($mode_methods, $mode, '_completeInvalid'); - return call_user_func_array(array(&$this, $method), - array($message, $endpoint, $return_to)); + return call_user_func_array(array($this, $method), + array($message, &$endpoint, $return_to)); } /** * @access private */ - function _completeInvalid($message, &$endpoint, $unused) + function _completeInvalid($message, $endpoint, $unused) { $mode = $message->getArg(Auth_OpenID_OPENID_NS, 'mode', '<No mode set>'); @@ -684,7 +684,7 @@ class Auth_OpenID_GenericConsumer { /** * @access private */ - function _complete_cancel($message, &$endpoint, $unused) + function _complete_cancel($message, $endpoint, $unused) { return new Auth_OpenID_CancelResponse($endpoint); } @@ -692,7 +692,7 @@ class Auth_OpenID_GenericConsumer { /** * @access private */ - function _complete_error($message, &$endpoint, $unused) + function _complete_error($message, $endpoint, $unused) { $error = $message->getArg(Auth_OpenID_OPENID_NS, 'error'); $contact = $message->getArg(Auth_OpenID_OPENID_NS, 'contact'); @@ -705,7 +705,7 @@ class Auth_OpenID_GenericConsumer { /** * @access private */ - function _complete_setup_needed($message, &$endpoint, $unused) + function _complete_setup_needed($message, $endpoint, $unused) { if (!$message->isOpenID2()) { return $this->_completeInvalid($message, $endpoint); @@ -719,7 +719,7 @@ class Auth_OpenID_GenericConsumer { /** * @access private */ - function _complete_id_res($message, &$endpoint, $return_to) + function _complete_id_res($message, $endpoint, $return_to) { $user_setup_url = $message->getArg(Auth_OpenID_OPENID1_NS, 'user_setup_url'); @@ -1181,7 +1181,7 @@ class Auth_OpenID_GenericConsumer { // oidutil.log('Performing discovery on %s' % (claimed_id,)) list($unused, $services) = call_user_func($this->discoverMethod, $claimed_id, - $this->fetcher); + &$this->fetcher); if (!$services) { return new Auth_OpenID_FailureResponse(null, @@ -1197,7 +1197,7 @@ class Auth_OpenID_GenericConsumer { * @access private */ function _verifyDiscoveryServices($claimed_id, - &$services, &$to_match_endpoints) + $services, $to_match_endpoints) { // Search the services resulting from discovery to find one // that matches the information from the assertion @@ -1216,8 +1216,8 @@ class Auth_OpenID_GenericConsumer { } return new Auth_OpenID_FailureResponse(null, - sprintf('No matching endpoint found after discovering %s', - $claimed_id)); + sprintf('No matching endpoint found after discovering %s: %s', + $claimed_id, $result->message)); } /** @@ -1397,7 +1397,7 @@ class Auth_OpenID_GenericConsumer { * * @access private */ - function _httpResponseToMessage($response, $server_url) + static function _httpResponseToMessage($response, $server_url) { // Should this function be named Message.fromHTTPResponse instead? $response_message = Auth_OpenID_Message::fromKVForm($response->body); @@ -1461,7 +1461,7 @@ class Auth_OpenID_GenericConsumer { * * @access private */ - function _extractSupportedAssociationType(&$server_error, &$endpoint, + function _extractSupportedAssociationType($server_error, $endpoint, $assoc_type) { // Any error message whose code is not 'unsupported-type' @@ -1566,7 +1566,7 @@ class Auth_OpenID_GenericConsumer { /** * @access private */ - function _extractAssociation(&$assoc_response, &$assoc_session) + function _extractAssociation($assoc_response, $assoc_session) { // Extract the common fields from the response, raising an // exception if they are not found @@ -1748,10 +1748,10 @@ class Auth_OpenID_AuthRequest { * class. Instances of this class are created by the library when * needed. */ - function Auth_OpenID_AuthRequest(&$endpoint, $assoc) + function Auth_OpenID_AuthRequest($endpoint, $assoc) { $this->assoc = $assoc; - $this->endpoint =& $endpoint; + $this->endpoint = $endpoint; $this->return_to_args = array(); $this->message = new Auth_OpenID_Message( $endpoint->preferredNamespace()); @@ -1764,7 +1764,7 @@ class Auth_OpenID_AuthRequest { * $extension_request: An object that implements the extension * request interface for adding arguments to an OpenID message. */ - function addExtension(&$extension_request) + function addExtension($extension_request) { $extension_request->toMessage($this->message); } @@ -2089,7 +2089,7 @@ class Auth_OpenID_SuccessResponse extends Auth_OpenID_ConsumerResponse { foreach ($msg_args as $key => $value) { if (!$this->isSigned($ns_uri, $key)) { - return null; + unset($msg_args[$key]); } } @@ -2167,7 +2167,7 @@ class Auth_OpenID_ServerErrorContainer { /** * @access private */ - function fromMessage($message) + static function fromMessage($message) { $error_text = $message->getArg( Auth_OpenID_OPENID_NS, 'error', '<no error message supplied>'); @@ -2227,4 +2227,4 @@ class Auth_OpenID_SetupNeededResponse extends Auth_OpenID_ConsumerResponse { } } -?> + diff --git a/extlib/Auth/OpenID/CryptUtil.php b/extlib/Auth/OpenID/CryptUtil.php index aacc3cd39..a92626777 100644 --- a/extlib/Auth/OpenID/CryptUtil.php +++ b/extlib/Auth/OpenID/CryptUtil.php @@ -37,7 +37,7 @@ class Auth_OpenID_CryptUtil { * @param int $num_bytes The length of the return value * @return string $bytes random bytes */ - function getBytes($num_bytes) + static function getBytes($num_bytes) { static $f = null; $bytes = ''; @@ -77,7 +77,7 @@ class Auth_OpenID_CryptUtil { * @return string $result A string of randomly-chosen characters * from $chrs */ - function randomString($length, $population = null) + static function randomString($length, $population = null) { if ($population === null) { return Auth_OpenID_CryptUtil::getBytes($length); @@ -106,4 +106,3 @@ class Auth_OpenID_CryptUtil { } } -?> \ No newline at end of file diff --git a/extlib/Auth/OpenID/DatabaseConnection.php b/extlib/Auth/OpenID/DatabaseConnection.php index 9db6e0eb3..0c7d08f91 100644 --- a/extlib/Auth/OpenID/DatabaseConnection.php +++ b/extlib/Auth/OpenID/DatabaseConnection.php @@ -128,4 +128,3 @@ class Auth_OpenID_DatabaseConnection { } } -?> \ No newline at end of file diff --git a/extlib/Auth/OpenID/DiffieHellman.php b/extlib/Auth/OpenID/DiffieHellman.php index f4ded7eba..3e25b7dbb 100644 --- a/extlib/Auth/OpenID/DiffieHellman.php +++ b/extlib/Auth/OpenID/DiffieHellman.php @@ -51,9 +51,9 @@ class Auth_OpenID_DiffieHellman { $private = null, $lib = null) { if ($lib === null) { - $this->lib =& Auth_OpenID_getMathLib(); + $this->lib = Auth_OpenID_getMathLib(); } else { - $this->lib =& $lib; + $this->lib = $lib; } if ($mod === null) { @@ -110,4 +110,4 @@ class Auth_OpenID_DiffieHellman { } } -?> + diff --git a/extlib/Auth/OpenID/Discover.php b/extlib/Auth/OpenID/Discover.php index 62aeb1d2b..7b0c640c5 100644 --- a/extlib/Auth/OpenID/Discover.php +++ b/extlib/Auth/OpenID/Discover.php @@ -28,8 +28,34 @@ function Auth_OpenID_getOpenIDTypeURIs() Auth_OpenID_TYPE_2_0, Auth_OpenID_TYPE_1_2, Auth_OpenID_TYPE_1_1, - Auth_OpenID_TYPE_1_0, - Auth_OpenID_RP_RETURN_TO_URL_TYPE); + Auth_OpenID_TYPE_1_0); +} + +function Auth_OpenID_getOpenIDConsumerTypeURIs() +{ + return array(Auth_OpenID_RP_RETURN_TO_URL_TYPE); +} + + +/* + * Provides a user-readable interpretation of a type uri. + * Useful for error messages. + */ +function Auth_OpenID_getOpenIDTypeName($type_uri) { + switch ($type_uri) { + case Auth_OpenID_TYPE_2_0_IDP: + return 'OpenID 2.0 IDP'; + case Auth_OpenID_TYPE_2_0: + return 'OpenID 2.0'; + case Auth_OpenID_TYPE_1_2: + return 'OpenID 1.2'; + case Auth_OpenID_TYPE_1_1: + return 'OpenID 1.1'; + case Auth_OpenID_TYPE_1_0: + return 'OpenID 1.0'; + case Auth_OpenID_RP_RETURN_TO_URL_TYPE: + return 'OpenID relying party'; + } } /** @@ -124,7 +150,7 @@ class Auth_OpenID_ServiceEndpoint { return in_array(Auth_OpenID_TYPE_2_0_IDP, $this->type_uris); } - function fromOPEndpointURL($op_endpoint_url) + static function fromOPEndpointURL($op_endpoint_url) { // Construct an OP-Identifier OpenIDServiceEndpoint object for // a given OP Endpoint URL @@ -172,15 +198,34 @@ class Auth_OpenID_ServiceEndpoint { } /* - * Parse the given document as XRDS looking for OpenID services. + * Parse the given document as XRDS looking for OpenID consumer services. * * @return array of Auth_OpenID_ServiceEndpoint or null if the * document cannot be parsed. */ - function fromXRDS($uri, $xrds_text) + function consumerFromXRDS($uri, $xrds_text) { $xrds =& Auth_Yadis_XRDS::parseXRDS($xrds_text); + if ($xrds) { + $yadis_services = + $xrds->services(array('filter_MatchesAnyOpenIDConsumerType')); + return Auth_OpenID_makeOpenIDEndpoints($uri, $yadis_services); + } + + return null; + } + + /* + * Parse the given document as XRDS looking for OpenID services. + * + * @return array of Auth_OpenID_ServiceEndpoint or null if the + * document cannot be parsed. + */ + static function fromXRDS($uri, $xrds_text) + { + $xrds = Auth_Yadis_XRDS::parseXRDS($xrds_text); + if ($xrds) { $yadis_services = $xrds->services(array('filter_MatchesAnyOpenIDType')); @@ -197,7 +242,7 @@ class Auth_OpenID_ServiceEndpoint { * @return array of Auth_OpenID_ServiceEndpoint or null if * endpoints cannot be created. */ - function fromDiscoveryResult($discoveryResult) + static function fromDiscoveryResult($discoveryResult) { if ($discoveryResult->isXRDS()) { return Auth_OpenID_ServiceEndpoint::fromXRDS( @@ -210,7 +255,7 @@ class Auth_OpenID_ServiceEndpoint { } } - function fromHTML($uri, $html) + static function fromHTML($uri, $html) { $discovery_types = array( array(Auth_OpenID_TYPE_2_0, @@ -273,7 +318,7 @@ function Auth_OpenID_findOPLocalIdentifier($service, $type_uris) $service->parser->registerNamespace('xrd', Auth_Yadis_XMLNS_XRD_2_0); - $parser =& $service->parser; + $parser = $service->parser; $permitted_tags = array(); @@ -305,7 +350,7 @@ function Auth_OpenID_findOPLocalIdentifier($service, $type_uris) return $local_id; } -function filter_MatchesAnyOpenIDType(&$service) +function filter_MatchesAnyOpenIDType($service) { $uris = $service->getTypes(); @@ -318,6 +363,19 @@ function filter_MatchesAnyOpenIDType(&$service) return false; } +function filter_MatchesAnyOpenIDConsumerType(&$service) +{ + $uris = $service->getTypes(); + + foreach ($uris as $uri) { + if (in_array($uri, Auth_OpenID_getOpenIDConsumerTypeURIs())) { + return true; + } + } + + return false; +} + function Auth_OpenID_bestMatchingService($service, $preferred_types) { // Return the index of the first matching type, or something @@ -415,7 +473,7 @@ function Auth_OpenID_makeOpenIDEndpoints($uri, $yadis_services) return $s; } -function Auth_OpenID_discoverWithYadis($uri, &$fetcher, +function Auth_OpenID_discoverWithYadis($uri, $fetcher, $endpoint_filter='Auth_OpenID_getOPOrUserServices', $discover_function=null) { @@ -433,12 +491,12 @@ function Auth_OpenID_discoverWithYadis($uri, &$fetcher, $openid_services = array(); $response = call_user_func_array($discover_function, - array($uri, &$fetcher)); + array($uri, $fetcher)); $yadis_url = $response->normalized_uri; $yadis_services = array(); - if ($response->isFailure()) { + if ($response->isFailure() && !$response->isXRDS()) { return array($uri, array()); } @@ -460,18 +518,18 @@ function Auth_OpenID_discoverWithYadis($uri, &$fetcher, } $openid_services = call_user_func_array($endpoint_filter, - array(&$openid_services)); + array($openid_services)); return array($yadis_url, $openid_services); } -function Auth_OpenID_discoverURI($uri, &$fetcher) +function Auth_OpenID_discoverURI($uri, $fetcher) { $uri = Auth_OpenID::normalizeUrl($uri); return Auth_OpenID_discoverWithYadis($uri, $fetcher); } -function Auth_OpenID_discoverWithoutYadis($uri, &$fetcher) +function Auth_OpenID_discoverWithoutYadis($uri, $fetcher) { $http_resp = @$fetcher->get($uri); @@ -490,7 +548,7 @@ function Auth_OpenID_discoverWithoutYadis($uri, &$fetcher) return array($identity_url, $openid_services); } -function Auth_OpenID_discoverXRI($iname, &$fetcher) +function Auth_OpenID_discoverXRI($iname, $fetcher) { $resolver = new Auth_Yadis_ProxyResolver($fetcher); list($canonicalID, $yadis_services) = @@ -513,7 +571,7 @@ function Auth_OpenID_discoverXRI($iname, &$fetcher) return array($iname, $openid_services); } -function Auth_OpenID_discover($uri, &$fetcher) +function Auth_OpenID_discover($uri, $fetcher) { // If the fetcher (i.e., PHP) doesn't support SSL, we can't do // discovery on an HTTPS URL. @@ -545,4 +603,4 @@ function Auth_OpenID_discover($uri, &$fetcher) return $result; } -?> + diff --git a/extlib/Auth/OpenID/DumbStore.php b/extlib/Auth/OpenID/DumbStore.php index 22fd2d366..e8f29ace5 100644 --- a/extlib/Auth/OpenID/DumbStore.php +++ b/extlib/Auth/OpenID/DumbStore.php @@ -97,4 +97,3 @@ class Auth_OpenID_DumbStore extends Auth_OpenID_OpenIDStore { } } -?> \ No newline at end of file diff --git a/extlib/Auth/OpenID/Extension.php b/extlib/Auth/OpenID/Extension.php index f362a4b38..c4e38c038 100644 --- a/extlib/Auth/OpenID/Extension.php +++ b/extlib/Auth/OpenID/Extension.php @@ -39,7 +39,7 @@ class Auth_OpenID_Extension { * * Returns the message with the extension arguments added. */ - function toMessage(&$message) + function toMessage($message) { $implicit = $message->isOpenID1(); $added = $message->namespaces->addAlias($this->ns_uri, @@ -59,4 +59,3 @@ class Auth_OpenID_Extension { } } -?> \ No newline at end of file diff --git a/extlib/Auth/OpenID/FileStore.php b/extlib/Auth/OpenID/FileStore.php index 29d8d20e7..074421a0b 100644 --- a/extlib/Auth/OpenID/FileStore.php +++ b/extlib/Auth/OpenID/FileStore.php @@ -367,7 +367,7 @@ class Auth_OpenID_FileStore extends Auth_OpenID_OpenIDStore { } if ( abs($timestamp - time()) > $Auth_OpenID_SKEW ) { - return False; + return false; } if ($server_url) { @@ -519,7 +519,7 @@ class Auth_OpenID_FileStore extends Auth_OpenID_OpenIDStore { /** * @access private */ - function _mkdtemp($dir) + static function _mkdtemp($dir) { foreach (range(0, 4) as $i) { $name = $dir . strval(DIRECTORY_SEPARATOR) . strval(getmypid()) . @@ -615,4 +615,4 @@ class Auth_OpenID_FileStore extends Auth_OpenID_OpenIDStore { } } -?> + diff --git a/extlib/Auth/OpenID/HMAC.php b/extlib/Auth/OpenID/HMAC.php index ec42db8df..e9779bd4e 100644 --- a/extlib/Auth/OpenID/HMAC.php +++ b/extlib/Auth/OpenID/HMAC.php @@ -96,4 +96,3 @@ if (function_exists('hash_hmac') && define('Auth_OpenID_HMACSHA256_SUPPORTED', false); } -?> \ No newline at end of file diff --git a/extlib/Auth/OpenID/Interface.php b/extlib/Auth/OpenID/Interface.php index f4c6062f8..eca6b9c50 100644 --- a/extlib/Auth/OpenID/Interface.php +++ b/extlib/Auth/OpenID/Interface.php @@ -194,4 +194,3 @@ class Auth_OpenID_OpenIDStore { } } -?> \ No newline at end of file diff --git a/extlib/Auth/OpenID/KVForm.php b/extlib/Auth/OpenID/KVForm.php index fb342a001..dd02661d8 100644 --- a/extlib/Auth/OpenID/KVForm.php +++ b/extlib/Auth/OpenID/KVForm.php @@ -26,7 +26,7 @@ class Auth_OpenID_KVForm { * @static * @access private */ - function toArray($kvs, $strict=false) + static function toArray($kvs, $strict=false) { $lines = explode("\n", $kvs); @@ -78,7 +78,7 @@ class Auth_OpenID_KVForm { * @static * @access private */ - function fromArray($values) + static function fromArray($values) { if ($values === null) { return null; @@ -109,4 +109,3 @@ class Auth_OpenID_KVForm { } } -?> \ No newline at end of file diff --git a/extlib/Auth/OpenID/MemcachedStore.php b/extlib/Auth/OpenID/MemcachedStore.php index d357c6b11..fc10800b1 100644 --- a/extlib/Auth/OpenID/MemcachedStore.php +++ b/extlib/Auth/OpenID/MemcachedStore.php @@ -205,4 +205,3 @@ class Auth_OpenID_MemcachedStore extends Auth_OpenID_OpenIDStore { } } -?> \ No newline at end of file diff --git a/extlib/Auth/OpenID/Message.php b/extlib/Auth/OpenID/Message.php index 5ab115a86..9aa1fa468 100644 --- a/extlib/Auth/OpenID/Message.php +++ b/extlib/Auth/OpenID/Message.php @@ -143,7 +143,7 @@ class Auth_OpenID_Mapping { * Returns true if $thing is an Auth_OpenID_Mapping object; false * if not. */ - function isA($thing) + static function isA($thing) { return (is_object($thing) && strtolower(get_class($thing)) == 'auth_openid_mapping'); @@ -442,7 +442,7 @@ class Auth_OpenID_Message { return $this->getOpenIDNamespace() == Auth_OpenID_OPENID2_NS; } - function fromPostArgs($args) + static function fromPostArgs($args) { // Construct a Message containing a set of POST arguments $obj = new Auth_OpenID_Message(); @@ -477,7 +477,7 @@ class Auth_OpenID_Message { } } - function fromOpenIDArgs($openid_args) + static function fromOpenIDArgs($openid_args) { // Takes an array. @@ -594,7 +594,7 @@ class Auth_OpenID_Message { return $this->_openid_ns_uri; } - function fromKVForm($kvform_string) + static function fromKVForm($kvform_string) { // Create a Message from a KVForm string return Auth_OpenID_Message::fromOpenIDArgs( @@ -917,4 +917,4 @@ class Auth_OpenID_Message { } } -?> + diff --git a/extlib/Auth/OpenID/MySQLStore.php b/extlib/Auth/OpenID/MySQLStore.php index eb08af016..810f059f1 100644 --- a/extlib/Auth/OpenID/MySQLStore.php +++ b/extlib/Auth/OpenID/MySQLStore.php @@ -75,4 +75,3 @@ class Auth_OpenID_MySQLStore extends Auth_OpenID_SQLStore { } } -?> \ No newline at end of file diff --git a/extlib/Auth/OpenID/Nonce.php b/extlib/Auth/OpenID/Nonce.php index effecac38..b83c5911f 100644 --- a/extlib/Auth/OpenID/Nonce.php +++ b/extlib/Auth/OpenID/Nonce.php @@ -106,4 +106,3 @@ function Auth_OpenID_mkNonce($when = null) return $time_str . $salt; } -?> \ No newline at end of file diff --git a/extlib/Auth/OpenID/PAPE.php b/extlib/Auth/OpenID/PAPE.php index 62cba8a91..f08ca8bd0 100644 --- a/extlib/Auth/OpenID/PAPE.php +++ b/extlib/Auth/OpenID/PAPE.php @@ -21,7 +21,7 @@ define('PAPE_AUTH_PHISHING_RESISTANT', 'http://schemas.openid.net/pape/policies/2007/06/phishing-resistant'); define('PAPE_TIME_VALIDATOR', - '^[0-9]{4,4}-[0-9][0-9]-[0-9][0-9]T[0-9][0-9]:[0-9][0-9]:[0-9][0-9]Z$'); + '/^[0-9]{4,4}-[0-9][0-9]-[0-9][0-9]T[0-9][0-9]:[0-9][0-9]:[0-9][0-9]Z$/'); /** * A Provider Authentication Policy request, sent from a relying party * to a provider @@ -82,7 +82,7 @@ class Auth_OpenID_PAPE_Request extends Auth_OpenID_Extension { * Instantiate a Request object from the arguments in a checkid_* * OpenID message */ - function fromOpenIDRequest($request) + static function fromOpenIDRequest($request) { $obj = new Auth_OpenID_PAPE_Request(); $args = $request->message->getArgs(Auth_OpenID_PAPE_NS_URI); @@ -201,7 +201,7 @@ class Auth_OpenID_PAPE_Response extends Auth_OpenID_Extension { * @returns: A provider authentication policy response from the * data that was supplied with the id_res response. */ - function fromSuccessResponse($success_response) + static function fromSuccessResponse($success_response) { $obj = new Auth_OpenID_PAPE_Response(); @@ -262,7 +262,7 @@ class Auth_OpenID_PAPE_Response extends Auth_OpenID_Extension { $auth_time = Auth_OpenID::arrayGet($args, 'auth_time'); if ($auth_time !== null) { - if (ereg(PAPE_TIME_VALIDATOR, $auth_time)) { + if (preg_match(PAPE_TIME_VALIDATOR, $auth_time)) { $this->auth_time = $auth_time; } else if ($strict) { return false; @@ -287,7 +287,7 @@ class Auth_OpenID_PAPE_Response extends Auth_OpenID_Extension { } if ($this->auth_time !== null) { - if (!ereg(PAPE_TIME_VALIDATOR, $this->auth_time)) { + if (!preg_match(PAPE_TIME_VALIDATOR, $this->auth_time)) { return false; } @@ -298,4 +298,3 @@ class Auth_OpenID_PAPE_Response extends Auth_OpenID_Extension { } } -?> \ No newline at end of file diff --git a/extlib/Auth/OpenID/Parse.php b/extlib/Auth/OpenID/Parse.php index 546f34f6b..6c2e72169 100644 --- a/extlib/Auth/OpenID/Parse.php +++ b/extlib/Auth/OpenID/Parse.php @@ -101,7 +101,7 @@ class Auth_OpenID_Parse { * Starts with the tag name at a word boundary, where the tag name * is not a namespace */ - var $_tag_expr = "<%s\b(?!:)([^>]*?)(?:\/>|>(.*?)(?:<\/?%s\s*>|\Z))"; + var $_tag_expr = "<%s\b(?!:)([^>]*?)(?:\/>|>(.*)(?:<\/?%s\s*>|\Z))"; var $_attr_find = '\b(\w+)=("[^"]*"|\'[^\']*\'|[^\'"\s\/<>]+)'; @@ -215,11 +215,31 @@ class Auth_OpenID_Parse { return $str; } } + + function match($regexp, $text, &$match) + { + if (!is_callable('mb_ereg_search_init')) { + return preg_match($regexp, $text, $match); + } + + $regexp = substr($regexp, 1, strlen($regexp) - 2 - strlen($this->_re_flags)); + mb_ereg_search_init($text); + if (!mb_ereg_search($regexp)) { + return false; + } + list($match) = mb_ereg_search_getregs(); + return true; + } /** * Find all link tags in a string representing a HTML document and * return a list of their attributes. * + * @todo This is quite ineffective and may fail with the default + * pcre.backtrack_limit of 100000 in PHP 5.2, if $html is big. + * It should rather use stripos (in PHP5) or strpos()+strtoupper() + * in PHP4 to manage this. + * * @param string $html The text to parse * @return array $list An array of arrays of attributes, one for each * link tag @@ -244,18 +264,23 @@ class Auth_OpenID_Parse { $stripped = substr($stripped, $html_begin, $html_end - $html_begin); + // Workaround to prevent PREG_BACKTRACK_LIMIT_ERROR: + $old_btlimit = ini_set( 'pcre.backtrack_limit', -1 ); + // Try to find the <HEAD> tag. $head_re = $this->headFind(); - $head_matches = array(); - if (!preg_match($head_re, $stripped, $head_matches)) { - return array(); + $head_match = ''; + if (!$this->match($head_re, $stripped, $head_match)) { + ini_set( 'pcre.backtrack_limit', $old_btlimit ); + return array(); } $link_data = array(); $link_matches = array(); - if (!preg_match_all($this->_link_find, $head_matches[0], + if (!preg_match_all($this->_link_find, $head_match, $link_matches)) { + ini_set( 'pcre.backtrack_limit', $old_btlimit ); return array(); } @@ -273,6 +298,7 @@ class Auth_OpenID_Parse { $link_data[] = $link_attrs; } + ini_set( 'pcre.backtrack_limit', $old_btlimit ); return $link_data; } @@ -349,4 +375,3 @@ function Auth_OpenID_legacy_discover($html_text, $server_rel, } } -?> \ No newline at end of file diff --git a/extlib/Auth/OpenID/PostgreSQLStore.php b/extlib/Auth/OpenID/PostgreSQLStore.php index 69d95e7b8..d90e43e00 100644 --- a/extlib/Auth/OpenID/PostgreSQLStore.php +++ b/extlib/Auth/OpenID/PostgreSQLStore.php @@ -110,4 +110,3 @@ class Auth_OpenID_PostgreSQLStore extends Auth_OpenID_SQLStore { } } -?> \ No newline at end of file diff --git a/extlib/Auth/OpenID/SQLStore.php b/extlib/Auth/OpenID/SQLStore.php index da93c6aa2..c04059732 100644 --- a/extlib/Auth/OpenID/SQLStore.php +++ b/extlib/Auth/OpenID/SQLStore.php @@ -13,16 +13,6 @@ * @license http://www.apache.org/licenses/LICENSE-2.0 Apache */ -/** - * Require the PEAR DB module because we'll need it for the SQL-based - * stores implemented here. We silence any errors from the inclusion - * because it might not be present, and a user of the SQL stores may - * supply an Auth_OpenID_DatabaseConnection instance that implements - * its own storage. - */ -global $__Auth_OpenID_PEAR_AVAILABLE; -$__Auth_OpenID_PEAR_AVAILABLE = @include_once 'DB.php'; - /** * @access private */ @@ -89,8 +79,6 @@ class Auth_OpenID_SQLStore extends Auth_OpenID_OpenIDStore { $associations_table = null, $nonces_table = null) { - global $__Auth_OpenID_PEAR_AVAILABLE; - $this->associations_table_name = "oid_associations"; $this->nonces_table_name = "oid_nonces"; @@ -113,7 +101,7 @@ class Auth_OpenID_SQLStore extends Auth_OpenID_OpenIDStore { // constant, so only try to use it if PEAR is present. Note // that Auth_Openid_Databaseconnection instances need not // implement ::setFetchMode for this reason. - if ($__Auth_OpenID_PEAR_AVAILABLE) { + if (is_subclass_of($this->connection, 'db_common')) { $this->connection->setFetchMode(DB_FETCHMODE_ASSOC); } @@ -482,7 +470,7 @@ class Auth_OpenID_SQLStore extends Auth_OpenID_OpenIDStore { global $Auth_OpenID_SKEW; if ( abs($timestamp - time()) > $Auth_OpenID_SKEW ) { - return False; + return false; } return $this->_add_nonce($server_url, $timestamp, $salt); @@ -566,4 +554,4 @@ class Auth_OpenID_SQLStore extends Auth_OpenID_OpenIDStore { } } -?> + diff --git a/extlib/Auth/OpenID/SQLiteStore.php b/extlib/Auth/OpenID/SQLiteStore.php index ec2bf58e4..4558fa1c3 100644 --- a/extlib/Auth/OpenID/SQLiteStore.php +++ b/extlib/Auth/OpenID/SQLiteStore.php @@ -68,4 +68,3 @@ class Auth_OpenID_SQLiteStore extends Auth_OpenID_SQLStore { } } -?> \ No newline at end of file diff --git a/extlib/Auth/OpenID/SReg.php b/extlib/Auth/OpenID/SReg.php index 63280769f..5ece70724 100644 --- a/extlib/Auth/OpenID/SReg.php +++ b/extlib/Auth/OpenID/SReg.php @@ -94,7 +94,7 @@ Auth_OpenID_registerNamespaceAlias(Auth_OpenID_SREG_NS_URI_1_1, 'sreg'); * $endpoint: The endpoint object as returned by OpenID discovery. * returns whether an sreg type was advertised by the endpoint */ -function Auth_OpenID_supportsSReg(&$endpoint) +function Auth_OpenID_supportsSReg($endpoint) { return ($endpoint->usesExtension(Auth_OpenID_SREG_NS_URI_1_1) || $endpoint->usesExtension(Auth_OpenID_SREG_NS_URI_1_0)); @@ -122,7 +122,7 @@ class Auth_OpenID_SRegBase extends Auth_OpenID_Extension { * * @access private */ - function _getSRegNS(&$message) + static function _getSRegNS($message) { $alias = null; $found_ns_uri = null; @@ -173,7 +173,7 @@ class Auth_OpenID_SRegRequest extends Auth_OpenID_SRegBase { /** * Initialize an empty simple registration request. */ - function build($required=null, $optional=null, + static function build($required=null, $optional=null, $policy_url=null, $sreg_ns_uri=Auth_OpenID_SREG_NS_URI, $cls='Auth_OpenID_SRegRequest') @@ -213,7 +213,7 @@ class Auth_OpenID_SRegRequest extends Auth_OpenID_SRegBase { * * Returns the newly created simple registration request */ - function fromOpenIDRequest($request, $cls='Auth_OpenID_SRegRequest') + static function fromOpenIDRequest($request, $cls='Auth_OpenID_SRegRequest') { $obj = call_user_func_array(array($cls, 'build'), @@ -442,7 +442,7 @@ class Auth_OpenID_SRegResponse extends Auth_OpenID_SRegBase { * string (unicode) value. For instance, the nickname should be * stored under the key 'nickname'. */ - function extractResponse($request, $data) + static function extractResponse($request, $data) { $obj = new Auth_OpenID_SRegResponse(); $obj->ns_uri = $request->ns_uri; @@ -471,7 +471,7 @@ class Auth_OpenID_SRegResponse extends Auth_OpenID_SRegBase { * Returns a simple registration response containing the data that * was supplied with the C{id_res} response. */ - function fromSuccessResponse(&$success_response, $signed_only=true) + static function fromSuccessResponse($success_response, $signed_only=true) { global $Auth_OpenID_sreg_data_fields; @@ -518,4 +518,4 @@ class Auth_OpenID_SRegResponse extends Auth_OpenID_SRegBase { } } -?> + diff --git a/extlib/Auth/OpenID/Server.php b/extlib/Auth/OpenID/Server.php index f1db4d872..cc8ba961c 100644 --- a/extlib/Auth/OpenID/Server.php +++ b/extlib/Auth/OpenID/Server.php @@ -43,7 +43,7 @@ * consumers to add extensions to their requests. For example, with * sites using the Simple Registration * Extension - * (http://www.openidenabled.com/openid/simple-registration-extension/), + * (http://openid.net/specs/openid-simple-registration-extension-1_0.html), * a user can agree to have their nickname and e-mail address sent to * a site when they sign up. * @@ -365,7 +365,7 @@ class Auth_OpenID_CheckAuthRequest extends Auth_OpenID_Request { $this->message = null; } - function fromMessage($message, $server=null) + static function fromMessage($message, $server=null) { $required_keys = array('assoc_handle', 'sig', 'signed'); @@ -396,7 +396,7 @@ class Auth_OpenID_CheckAuthRequest extends Auth_OpenID_Request { return $result; } - function answer(&$signatory) + function answer($signatory) { $is_valid = $signatory->verify($this->assoc_handle, $this->signed); @@ -436,7 +436,7 @@ class Auth_OpenID_PlainTextServerSession { var $needs_math = false; var $allowed_assoc_types = array('HMAC-SHA1', 'HMAC-SHA256'); - function fromMessage($unused_request) + static function fromMessage($unused_request) { return new Auth_OpenID_PlainTextServerSession(); } @@ -469,7 +469,7 @@ class Auth_OpenID_DiffieHellmanSHA1ServerSession { $this->consumer_pubkey = $consumer_pubkey; } - function getDH($message) + static function getDH($message) { $dh_modulus = $message->getArg(Auth_OpenID_OPENID_NS, 'dh_modulus'); $dh_gen = $message->getArg(Auth_OpenID_OPENID_NS, 'dh_gen'); @@ -489,7 +489,7 @@ class Auth_OpenID_DiffieHellmanSHA1ServerSession { $missing); } - $lib =& Auth_OpenID_getMathLib(); + $lib = Auth_OpenID_getMathLib(); if ($dh_modulus || $dh_gen) { $dh_modulus = $lib->base64ToLong($dh_modulus); @@ -523,7 +523,7 @@ class Auth_OpenID_DiffieHellmanSHA1ServerSession { return array($dh, $consumer_pubkey); } - function fromMessage($message) + static function fromMessage($message) { $result = Auth_OpenID_DiffieHellmanSHA1ServerSession::getDH($message); @@ -538,7 +538,7 @@ class Auth_OpenID_DiffieHellmanSHA1ServerSession { function answer($secret) { - $lib =& Auth_OpenID_getMathLib(); + $lib = Auth_OpenID_getMathLib(); $mac_key = $this->dh->xorSecret($this->consumer_pubkey, $secret, $this->hash_func); return array( @@ -560,7 +560,7 @@ class Auth_OpenID_DiffieHellmanSHA256ServerSession var $hash_func = 'Auth_OpenID_SHA256'; var $allowed_assoc_types = array('HMAC-SHA256'); - function fromMessage($message) + static function fromMessage($message) { $result = Auth_OpenID_DiffieHellmanSHA1ServerSession::getDH($message); @@ -582,7 +582,7 @@ class Auth_OpenID_DiffieHellmanSHA256ServerSession class Auth_OpenID_AssociateRequest extends Auth_OpenID_Request { var $mode = "associate"; - function getSessionClasses() + static function getSessionClasses() { return array( 'no-encryption' => 'Auth_OpenID_PlainTextServerSession', @@ -590,14 +590,14 @@ class Auth_OpenID_AssociateRequest extends Auth_OpenID_Request { 'DH-SHA256' => 'Auth_OpenID_DiffieHellmanSHA256ServerSession'); } - function Auth_OpenID_AssociateRequest(&$session, $assoc_type) + function Auth_OpenID_AssociateRequest($session, $assoc_type) { - $this->session =& $session; + $this->session = $session; $this->namespace = Auth_OpenID_OPENID2_NS; $this->assoc_type = $assoc_type; } - function fromMessage($message, $server=null) + static function fromMessage($message, $server=null) { if ($message->isOpenID1()) { $session_type = $message->getArg(Auth_OpenID_OPENID_NS, @@ -696,7 +696,7 @@ class Auth_OpenID_AssociateRequest extends Auth_OpenID_Request { 'session_type', $preferred_session_type); } - + $response->code = AUTH_OPENID_HTTP_ERROR; return $response; } } @@ -734,7 +734,7 @@ class Auth_OpenID_CheckIDRequest extends Auth_OpenID_Request { */ var $namespace; - function make(&$message, $identity, $return_to, $trust_root = null, + static function make($message, $identity, $return_to, $trust_root = null, $immediate = false, $assoc_handle = null, $server = null) { if ($server === null) { @@ -752,7 +752,7 @@ class Auth_OpenID_CheckIDRequest extends Auth_OpenID_Request { $assoc_handle, $server); $r->namespace = $message->getOpenIDNamespace(); - $r->message =& $message; + $r->message = $message; if (!$r->trustRootValid()) { return new Auth_OpenID_UntrustedReturnURL($message, @@ -778,7 +778,7 @@ class Auth_OpenID_CheckIDRequest extends Auth_OpenID_Request { } $this->return_to = $return_to; $this->trust_root = $trust_root; - $this->server =& $server; + $this->server = $server; if ($immediate) { $this->immediate = true; @@ -817,11 +817,12 @@ class Auth_OpenID_CheckIDRequest extends Auth_OpenID_Request { */ function returnToVerified() { + $fetcher = Auth_Yadis_Yadis::getHTTPFetcher(); return call_user_func_array($this->verifyReturnTo, - array($this->trust_root, $this->return_to)); + array($this->trust_root, $this->return_to, $fetcher)); } - - function fromMessage(&$message, $server) + + static function fromMessage($message, $server) { $mode = $message->getArg(Auth_OpenID_OPENID_NS, 'mode'); $immediate = null; @@ -1097,7 +1098,7 @@ class Auth_OpenID_CheckIDRequest extends Auth_OpenID_Request { in OpenID 1.x immediate mode.'); } - $setup_request =& new Auth_OpenID_CheckIDRequest( + $setup_request = new Auth_OpenID_CheckIDRequest( $this->identity, $this->return_to, $this->trust_root, @@ -1183,9 +1184,9 @@ class Auth_OpenID_CheckIDRequest extends Auth_OpenID_Request { */ class Auth_OpenID_ServerResponse { - function Auth_OpenID_ServerResponse(&$request) + function Auth_OpenID_ServerResponse($request) { - $this->request =& $request; + $this->request = $request; $this->fields = new Auth_OpenID_Message($this->request->namespace); } @@ -1310,10 +1311,10 @@ class Auth_OpenID_Signatory { /** * Create a new signatory using a given store. */ - function Auth_OpenID_Signatory(&$store) + function Auth_OpenID_Signatory($store) { // assert store is not None - $this->store =& $store; + $this->store = $store; } /** @@ -1447,7 +1448,7 @@ class Auth_OpenID_Encoder { * Encode an {@link Auth_OpenID_ServerResponse} and return an * {@link Auth_OpenID_WebResponse}. */ - function encode(&$response) + function encode($response) { $cls = $this->responseFactory; @@ -1463,10 +1464,14 @@ class Auth_OpenID_Encoder { array('location' => $location)); } else if ($encode_as == Auth_OpenID_ENCODE_HTML_FORM) { $wr = new $cls(AUTH_OPENID_HTTP_OK, array(), - $response->toFormMarkup()); + $response->toHTML()); } else { return new Auth_OpenID_EncodingError($response); } + /* Allow the response to carry a custom error code (ex: for Association errors) */ + if(isset($response->code)) { + $wr->code = $response->code; + } return $wr; } } @@ -1478,16 +1483,16 @@ class Auth_OpenID_Encoder { */ class Auth_OpenID_SigningEncoder extends Auth_OpenID_Encoder { - function Auth_OpenID_SigningEncoder(&$signatory) + function Auth_OpenID_SigningEncoder($signatory) { - $this->signatory =& $signatory; + $this->signatory = $signatory; } /** * Sign an {@link Auth_OpenID_ServerResponse} and return an * {@link Auth_OpenID_WebResponse}. */ - function encode(&$response) + function encode($response) { // the isinstance is a bit of a kludge... it means there isn't // really an adapter to make the interfaces quite match. @@ -1516,9 +1521,9 @@ class Auth_OpenID_SigningEncoder extends Auth_OpenID_Encoder { */ class Auth_OpenID_Decoder { - function Auth_OpenID_Decoder(&$server) + function Auth_OpenID_Decoder($server) { - $this->server =& $server; + $this->server = $server; $this->handlers = array( 'checkid_setup' => 'Auth_OpenID_CheckIDRequest', @@ -1599,9 +1604,9 @@ class Auth_OpenID_Decoder { * @package OpenID */ class Auth_OpenID_EncodingError { - function Auth_OpenID_EncodingError(&$response) + function Auth_OpenID_EncodingError($response) { - $this->response =& $response; + $this->response = $response; } } @@ -1674,14 +1679,14 @@ class Auth_OpenID_UntrustedReturnURL extends Auth_OpenID_ServerError { * @package OpenID */ class Auth_OpenID_Server { - function Auth_OpenID_Server(&$store, $op_endpoint=null) + function Auth_OpenID_Server($store, $op_endpoint=null) { - $this->store =& $store; - $this->signatory =& new Auth_OpenID_Signatory($this->store); - $this->encoder =& new Auth_OpenID_SigningEncoder($this->signatory); - $this->decoder =& new Auth_OpenID_Decoder($this); + $this->store = $store; + $this->signatory = new Auth_OpenID_Signatory($this->store); + $this->encoder = new Auth_OpenID_SigningEncoder($this->signatory); + $this->decoder = new Auth_OpenID_Decoder($this); $this->op_endpoint = $op_endpoint; - $this->negotiator =& Auth_OpenID_getDefaultNegotiator(); + $this->negotiator = Auth_OpenID_getDefaultNegotiator(); } /** @@ -1699,7 +1704,7 @@ class Auth_OpenID_Server { { if (method_exists($this, "openid_" . $request->mode)) { $handler = array($this, "openid_" . $request->mode); - return call_user_func($handler, $request); + return call_user_func($handler, &$request); } return null; } @@ -1707,7 +1712,7 @@ class Auth_OpenID_Server { /** * The callback for 'check_authentication' messages. */ - function openid_check_authentication(&$request) + function openid_check_authentication($request) { return $request->answer($this->signatory); } @@ -1715,7 +1720,7 @@ class Auth_OpenID_Server { /** * The callback for 'associate' messages. */ - function openid_associate(&$request) + function openid_associate($request) { $assoc_type = $request->assoc_type; $session_type = $request->session->session_type; @@ -1738,7 +1743,7 @@ class Auth_OpenID_Server { * Encodes as response in the appropriate format suitable for * sending to the user agent. */ - function encodeResponse(&$response) + function encodeResponse($response) { return $this->encoder->encode($response); } @@ -1757,4 +1762,4 @@ class Auth_OpenID_Server { } } -?> + diff --git a/extlib/Auth/OpenID/ServerRequest.php b/extlib/Auth/OpenID/ServerRequest.php index 33a8556ce..69222a5e0 100644 --- a/extlib/Auth/OpenID/ServerRequest.php +++ b/extlib/Auth/OpenID/ServerRequest.php @@ -34,4 +34,3 @@ class Auth_OpenID_ServerRequest { } } -?> \ No newline at end of file diff --git a/extlib/Auth/OpenID/TrustRoot.php b/extlib/Auth/OpenID/TrustRoot.php index 4919a6065..000440b58 100644 --- a/extlib/Auth/OpenID/TrustRoot.php +++ b/extlib/Auth/OpenID/TrustRoot.php @@ -58,7 +58,7 @@ class Auth_OpenID_TrustRoot { * @return The URL upon which relying party discovery should be * run in order to verify the return_to URL */ - function buildDiscoveryURL($realm) + static function buildDiscoveryURL($realm) { $parsed = Auth_OpenID_TrustRoot::_parse($realm); @@ -93,7 +93,7 @@ class Auth_OpenID_TrustRoot { * @return mixed $parsed Either an associative array of trust root * parts or false if parsing failed. */ - function _parse($trust_root) + static function _parse($trust_root) { $trust_root = Auth_OpenID_urinorm($trust_root); if ($trust_root === null) { @@ -199,7 +199,7 @@ class Auth_OpenID_TrustRoot { * @param string $trust_root The trust root to check * @return bool $sanity Whether the trust root looks OK */ - function isSane($trust_root) + static function isSane($trust_root) { $parts = Auth_OpenID_TrustRoot::_parse($trust_root); if ($parts === false) { @@ -269,7 +269,7 @@ class Auth_OpenID_TrustRoot { * @return bool $matches Whether the URL matches against the * trust root */ - function match($trust_root, $url) + static function match($trust_root, $url) { $trust_root_parsed = Auth_OpenID_TrustRoot::_parse($trust_root); $url_parsed = Auth_OpenID_TrustRoot::_parse($url); @@ -341,7 +341,7 @@ class Auth_OpenID_TrustRoot { * @returns: The endpoint URL or None if the endpoint is not a * relying party endpoint. */ -function filter_extractReturnURL(&$endpoint) +function filter_extractReturnURL($endpoint) { if ($endpoint->matchTypes(array(Auth_OpenID_RP_RETURN_TO_URL_TYPE))) { return $endpoint; @@ -394,14 +394,14 @@ function Auth_OpenID_returnToMatches($allowed_return_to_urls, $return_to) * Given a relying party discovery URL return a list of return_to * URLs. */ -function Auth_OpenID_getAllowedReturnURLs($relying_party_url, &$fetcher, +function Auth_OpenID_getAllowedReturnURLs($relying_party_url, $fetcher, $discover_function=null) { if ($discover_function === null) { $discover_function = array('Auth_Yadis_Yadis', 'discover'); } - $xrds_parse_cb = array('Auth_OpenID_ServiceEndpoint', 'fromXRDS'); + $xrds_parse_cb = array('Auth_OpenID_ServiceEndpoint', 'consumerFromXRDS'); list($rp_url_after_redirects, $endpoints) = Auth_Yadis_getServiceEndpoints($relying_party_url, $xrds_parse_cb, @@ -413,7 +413,7 @@ function Auth_OpenID_getAllowedReturnURLs($relying_party_url, &$fetcher, } call_user_func_array($discover_function, - array($relying_party_url, $fetcher)); + array($relying_party_url, &$fetcher)); $return_to_urls = array(); $matching_endpoints = Auth_OpenID_extractReturnURL($endpoints); @@ -435,7 +435,7 @@ function Auth_OpenID_getAllowedReturnURLs($relying_party_url, &$fetcher, * * @return true if the return_to URL is valid for the realm */ -function Auth_OpenID_verifyReturnTo($realm_str, $return_to, &$fetcher, +function Auth_OpenID_verifyReturnTo($realm_str, $return_to, $fetcher, $_vrfy='Auth_OpenID_getAllowedReturnURLs') { $disco_url = Auth_OpenID_TrustRoot::buildDiscoveryURL($realm_str); @@ -445,7 +445,7 @@ function Auth_OpenID_verifyReturnTo($realm_str, $return_to, &$fetcher, } $allowable_urls = call_user_func_array($_vrfy, - array($disco_url, &$fetcher)); + array($disco_url, $fetcher)); // The realm_str could not be parsed. if ($allowable_urls === false) { @@ -459,4 +459,3 @@ function Auth_OpenID_verifyReturnTo($realm_str, $return_to, &$fetcher, } } -?> \ No newline at end of file diff --git a/extlib/Auth/OpenID/URINorm.php b/extlib/Auth/OpenID/URINorm.php index f821d836a..c051b550a 100644 --- a/extlib/Auth/OpenID/URINorm.php +++ b/extlib/Auth/OpenID/URINorm.php @@ -246,4 +246,4 @@ function Auth_OpenID_urinorm($uri) return $scheme . '://' . $authority . $path . $query . $fragment; } -?> + diff --git a/extlib/Auth/Yadis/HTTPFetcher.php b/extlib/Auth/Yadis/HTTPFetcher.php index 963b9a49a..148cde1b2 100644 --- a/extlib/Auth/Yadis/HTTPFetcher.php +++ b/extlib/Auth/Yadis/HTTPFetcher.php @@ -115,12 +115,40 @@ class Auth_Yadis_HTTPFetcher { /** * @access private */ - function _findRedirect($headers) + function _findRedirect($headers, $url) { foreach ($headers as $line) { if (strpos(strtolower($line), "location: ") === 0) { $parts = explode(" ", $line, 2); - return $parts[1]; + $loc = $parts[1]; + $ppos = strpos($loc, "://"); + if ($ppos === false || $ppos > strpos($loc, "/")) { + /* no host; add it */ + $hpos = strpos($url, "://"); + $prt = substr($url, 0, $hpos+3); + $url = substr($url, $hpos+3); + if (substr($loc, 0, 1) == "/") { + /* absolute path */ + $fspos = strpos($url, "/"); + if ($fspos) $loc = $prt.substr($url, 0, $fspos).$loc; + else $loc = $prt.$url.$loc; + } else { + /* relative path */ + $pp = $prt; + while (1) { + $xpos = strpos($url, "/"); + if ($xpos === false) break; + $apos = strpos($url, "?"); + if ($apos !== false && $apos < $xpos) break; + $apos = strpos($url, "&"); + if ($apos !== false && $apos < $xpos) break; + $pp .= substr($url, 0, $xpos+1); + $url = substr($url, $xpos+1); + } + $loc = $pp.$loc; + } + } + return $loc; } } return null; @@ -144,4 +172,3 @@ class Auth_Yadis_HTTPFetcher { } } -?> \ No newline at end of file diff --git a/extlib/Auth/Yadis/Manager.php b/extlib/Auth/Yadis/Manager.php index d50cf7ad6..ee6f68bcb 100644 --- a/extlib/Auth/Yadis/Manager.php +++ b/extlib/Auth/Yadis/Manager.php @@ -387,11 +387,11 @@ class Auth_Yadis_Discovery { * @param string $session_key_suffix The optional session key * suffix override. */ - function Auth_Yadis_Discovery(&$session, $url, + function Auth_Yadis_Discovery($session, $url, $session_key_suffix = null) { /// Initialize a discovery object - $this->session =& $session; + $this->session = $session; $this->url = $url; if ($session_key_suffix === null) { $session_key_suffix = $this->DEFAULT_SUFFIX; @@ -405,7 +405,7 @@ class Auth_Yadis_Discovery { * Return the next authentication service for the pair of * user_input and session. This function handles fallback. */ - function getNextService($discover_cb, &$fetcher) + function getNextService($discover_cb, $fetcher) { $manager = $this->getManager(); if (!$manager || (!$manager->services)) { @@ -413,7 +413,7 @@ class Auth_Yadis_Discovery { list($yadis_url, $services) = call_user_func($discover_cb, $this->url, - $fetcher); + &$fetcher); $manager = $this->createManager($services, $yadis_url); } @@ -466,7 +466,7 @@ class Auth_Yadis_Discovery { * @param $force True if the manager should be returned regardless * of whether it's a manager for $this->url. */ - function &getManager($force=false) + function getManager($force=false) { // Extract the YadisServiceManager for this object's URL and // suffix from the session. @@ -481,16 +481,13 @@ class Auth_Yadis_Discovery { if ($manager && ($manager->forURL($this->url) || $force)) { return $manager; - } else { - $unused = null; - return $unused; } } /** * @access private */ - function &createManager($services, $yadis_url = null) + function createManager($services, $yadis_url = null) { $key = $this->getSessionKey(); if ($this->getManager()) { @@ -504,10 +501,6 @@ class Auth_Yadis_Discovery { $this->session->set($this->session_key, serialize($loader->toSession($manager))); return $manager; - } else { - // Oh, PHP. - $unused = null; - return $unused; } } @@ -526,4 +519,3 @@ class Auth_Yadis_Discovery { } } -?> \ No newline at end of file diff --git a/extlib/Auth/Yadis/Misc.php b/extlib/Auth/Yadis/Misc.php index 1134a4ff4..a5afa8e9a 100644 --- a/extlib/Auth/Yadis/Misc.php +++ b/extlib/Auth/Yadis/Misc.php @@ -56,4 +56,3 @@ function Auth_Yadis_startswith($s, $stuff) return strpos($s, $stuff) === 0; } -?> \ No newline at end of file diff --git a/extlib/Auth/Yadis/ParanoidHTTPFetcher.php b/extlib/Auth/Yadis/ParanoidHTTPFetcher.php index 6a418260e..4da7c94c0 100644 --- a/extlib/Auth/Yadis/ParanoidHTTPFetcher.php +++ b/extlib/Auth/Yadis/ParanoidHTTPFetcher.php @@ -109,9 +109,9 @@ class Auth_Yadis_ParanoidHTTPFetcher extends Auth_Yadis_HTTPFetcher { } curl_setopt($c, CURLOPT_WRITEFUNCTION, - array(&$this, "_writeData")); + array($this, "_writeData")); curl_setopt($c, CURLOPT_HEADERFUNCTION, - array(&$this, "_writeHeader")); + array($this, "_writeHeader")); if ($extra_headers) { curl_setopt($c, CURLOPT_HTTPHEADER, $extra_headers); @@ -128,6 +128,10 @@ class Auth_Yadis_ParanoidHTTPFetcher extends Auth_Yadis_HTTPFetcher { curl_setopt($c, CURLOPT_TIMEOUT, $off); curl_setopt($c, CURLOPT_URL, $url); + if (defined('Auth_OpenID_VERIFY_HOST')) { + curl_setopt($c, CURLOPT_SSL_VERIFYPEER, true); + curl_setopt($c, CURLOPT_SSL_VERIFYHOST, 2); + } curl_exec($c); $code = curl_getinfo($c, CURLINFO_HTTP_CODE); @@ -142,12 +146,17 @@ class Auth_Yadis_ParanoidHTTPFetcher extends Auth_Yadis_HTTPFetcher { } if (in_array($code, array(301, 302, 303, 307))) { - $url = $this->_findRedirect($headers); + $url = $this->_findRedirect($headers, $url); $redir = true; } else { $redir = false; curl_close($c); + if (defined('Auth_OpenID_VERIFY_HOST') && + $this->isHTTPS($url)) { + Auth_OpenID::log('OpenID: Verified SSL host %s using '. + 'curl/get', $url); + } $new_headers = array(); foreach ($headers as $header) { @@ -190,7 +199,12 @@ class Auth_Yadis_ParanoidHTTPFetcher extends Auth_Yadis_HTTPFetcher { curl_setopt($c, CURLOPT_TIMEOUT, $this->timeout); curl_setopt($c, CURLOPT_URL, $url); curl_setopt($c, CURLOPT_WRITEFUNCTION, - array(&$this, "_writeData")); + array($this, "_writeData")); + + if (defined('Auth_OpenID_VERIFY_HOST')) { + curl_setopt($c, CURLOPT_SSL_VERIFYPEER, true); + curl_setopt($c, CURLOPT_SSL_VERIFYHOST, 2); + } curl_exec($c); @@ -198,9 +212,15 @@ class Auth_Yadis_ParanoidHTTPFetcher extends Auth_Yadis_HTTPFetcher { if (!$code) { Auth_OpenID::log("Got no response code when fetching %s", $url); + Auth_OpenID::log("CURL error (%s): %s", + curl_errno($c), curl_error($c)); return null; } + if (defined('Auth_OpenID_VERIFY_HOST') && $this->isHTTPS($url)) { + Auth_OpenID::log('OpenID: Verified SSL host %s using '. + 'curl/post', $url); + } $body = $this->data; curl_close($c); @@ -223,4 +243,3 @@ class Auth_Yadis_ParanoidHTTPFetcher extends Auth_Yadis_HTTPFetcher { } } -?> \ No newline at end of file diff --git a/extlib/Auth/Yadis/ParseHTML.php b/extlib/Auth/Yadis/ParseHTML.php index 297ccbd2c..6f0f8b7e2 100644 --- a/extlib/Auth/Yadis/ParseHTML.php +++ b/extlib/Auth/Yadis/ParseHTML.php @@ -256,4 +256,3 @@ class Auth_Yadis_ParseHTML { } } -?> \ No newline at end of file diff --git a/extlib/Auth/Yadis/PlainHTTPFetcher.php b/extlib/Auth/Yadis/PlainHTTPFetcher.php index 3e0ca2bb0..26890539a 100644 --- a/extlib/Auth/Yadis/PlainHTTPFetcher.php +++ b/extlib/Auth/Yadis/PlainHTTPFetcher.php @@ -122,7 +122,7 @@ class Auth_Yadis_PlainHTTPFetcher extends Auth_Yadis_HTTPFetcher { $code = $http_code[1]; if (in_array($code, array('301', '302'))) { - $url = $this->_findRedirect($headers); + $url = $this->_findRedirect($headers, $url); $redir = true; } else { $redir = false; @@ -246,4 +246,3 @@ class Auth_Yadis_PlainHTTPFetcher extends Auth_Yadis_HTTPFetcher { } } -?> \ No newline at end of file diff --git a/extlib/Auth/Yadis/XML.php b/extlib/Auth/Yadis/XML.php index 81b2ce221..cf1f5c41b 100644 --- a/extlib/Auth/Yadis/XML.php +++ b/extlib/Auth/Yadis/XML.php @@ -310,20 +310,16 @@ $__Auth_Yadis_defaultParser = null; * @param Auth_Yadis_XMLParser $parser An instance of a * Auth_Yadis_XMLParser subclass. */ -function Auth_Yadis_setDefaultParser(&$parser) +function Auth_Yadis_setDefaultParser($parser) { global $__Auth_Yadis_defaultParser; - $__Auth_Yadis_defaultParser =& $parser; + $__Auth_Yadis_defaultParser = $parser; } function Auth_Yadis_getSupportedExtensions() { - return array( - 'dom' => array('classname' => 'Auth_Yadis_dom', - 'libname' => array('dom.so', 'dom.dll')), - 'domxml' => array('classname' => 'Auth_Yadis_domxml', - 'libname' => array('domxml.so', 'php_domxml.dll')), - ); + return array('dom' => 'Auth_Yadis_dom', + 'domxml' => 'Auth_Yadis_domxml'); } /** @@ -332,43 +328,25 @@ function Auth_Yadis_getSupportedExtensions() * Auth_Yadis_setDefaultParser has been called, the parser used in * that call will be returned instead. */ -function &Auth_Yadis_getXMLParser() +function Auth_Yadis_getXMLParser() { global $__Auth_Yadis_defaultParser; - + if (isset($__Auth_Yadis_defaultParser)) { return $__Auth_Yadis_defaultParser; } - - $p = null; - $classname = null; - - $extensions = Auth_Yadis_getSupportedExtensions(); - - // Return a wrapper for the resident implementation, if any. - foreach ($extensions as $name => $params) { - if (!extension_loaded($name)) { - foreach ($params['libname'] as $libname) { - if (@dl($libname)) { - $classname = $params['classname']; - } - } - } else { - $classname = $params['classname']; - } - if (isset($classname)) { - $p = new $classname(); - return $p; - } - } - - if (!isset($p)) { - trigger_error('No XML parser was found', E_USER_ERROR); - } else { + + foreach(Auth_Yadis_getSupportedExtensions() as $extension => $classname) + { + if (extension_loaded($extension)) + { + $p = new $classname(); Auth_Yadis_setDefaultParser($p); + return $p; + } } - - return $p; + + return false; } -?> + diff --git a/extlib/Auth/Yadis/XRDS.php b/extlib/Auth/Yadis/XRDS.php index f14a7948e..1f5af96fb 100644 --- a/extlib/Auth/Yadis/XRDS.php +++ b/extlib/Auth/Yadis/XRDS.php @@ -255,11 +255,11 @@ class Auth_Yadis_XRDS { * Instantiate a Auth_Yadis_XRDS object. Requires an XPath * instance which has been used to parse a valid XRDS document. */ - function Auth_Yadis_XRDS(&$xmlParser, &$xrdNodes) + function Auth_Yadis_XRDS($xmlParser, $xrdNodes) { - $this->parser =& $xmlParser; + $this->parser = $xmlParser; $this->xrdNode = $xrdNodes[count($xrdNodes) - 1]; - $this->allXrdNodes =& $xrdNodes; + $this->allXrdNodes = $xrdNodes; $this->serviceList = array(); $this->_parse(); } @@ -273,7 +273,7 @@ class Auth_Yadis_XRDS { * @return mixed $xrds An instance of Auth_Yadis_XRDS or null, * depending on the validity of $xml_string */ - function &parseXRDS($xml_string, $extra_ns_map = null) + static function parseXRDS($xml_string, $extra_ns_map = null) { $_null = null; @@ -352,9 +352,9 @@ class Auth_Yadis_XRDS { $services = $this->parser->evalXPath('xrd:Service', $this->xrdNode); foreach ($services as $node) { - $s =& new Auth_Yadis_Service(); + $s = new Auth_Yadis_Service(); $s->element = $node; - $s->parser =& $this->parser; + $s->parser = $this->parser; $priority = $s->getPriority(); @@ -428,7 +428,8 @@ class Auth_Yadis_XRDS { $matches = 0; foreach ($filters as $filter) { - if (call_user_func_array($filter, array($service))) { + + if (call_user_func_array($filter, array(&$service))) { $matches++; if ($filter_mode == SERVICES_YADIS_MATCH_ANY) { @@ -475,4 +476,3 @@ class Auth_Yadis_XRDS { } } -?> \ No newline at end of file diff --git a/extlib/Auth/Yadis/XRI.php b/extlib/Auth/Yadis/XRI.php index 4e3462317..0143a692e 100644 --- a/extlib/Auth/Yadis/XRI.php +++ b/extlib/Auth/Yadis/XRI.php @@ -190,7 +190,7 @@ function Auth_Yadis_getCanonicalID($iname, $xrds) // Now nodes are in reverse order. $xrd_list = array_reverse($xrds->allXrdNodes); - $parser =& $xrds->parser; + $parser = $xrds->parser; $node = $xrd_list[0]; $canonicalID_nodes = $parser->evalXPath('xrd:CanonicalID', $node); @@ -231,4 +231,4 @@ function Auth_Yadis_getCanonicalID($iname, $xrds) return $canonicalID; } -?> + diff --git a/extlib/Auth/Yadis/XRIRes.php b/extlib/Auth/Yadis/XRIRes.php index 4e8e8d037..5e1158735 100644 --- a/extlib/Auth/Yadis/XRIRes.php +++ b/extlib/Auth/Yadis/XRIRes.php @@ -8,9 +8,9 @@ require_once 'Auth/Yadis/XRDS.php'; require_once 'Auth/Yadis/XRI.php'; class Auth_Yadis_ProxyResolver { - function Auth_Yadis_ProxyResolver(&$fetcher, $proxy_url = null) + function Auth_Yadis_ProxyResolver($fetcher, $proxy_url = null) { - $this->fetcher =& $fetcher; + $this->fetcher = $fetcher; $this->proxy_url = $proxy_url; if (!$this->proxy_url) { $this->proxy_url = Auth_Yadis_getDefaultProxy(); @@ -69,4 +69,4 @@ class Auth_Yadis_ProxyResolver { } } -?> + diff --git a/extlib/Auth/Yadis/Yadis.php b/extlib/Auth/Yadis/Yadis.php index d89f77c6d..9ea2db7f9 100644 --- a/extlib/Auth/Yadis/Yadis.php +++ b/extlib/Auth/Yadis/Yadis.php @@ -105,7 +105,7 @@ class Auth_Yadis_DiscoveryResult { function usedYadisLocation() { // Was the Yadis protocol's indirection used? - return $this->normalized_uri != $this->xrds_uri; + return ($this->xrds_uri && $this->normalized_uri != $this->xrds_uri); } function isXRDS() @@ -141,7 +141,7 @@ function Auth_Yadis_getServiceEndpoints($input_url, $xrds_parse_func, } $yadis_result = call_user_func_array($discover_func, - array($input_url, $fetcher)); + array($input_url, &$fetcher)); if ($yadis_result === null) { return array($input_url, array()); @@ -196,7 +196,7 @@ function Auth_Yadis_getServiceEndpoints($input_url, $xrds_parse_func, * The filter functions (whose names appear in the array passed to * services()) take the following form: * - * <pre> function myFilter(&$service) { + * <pre> function myFilter($service) { * // Query $service object here. Return true if the service * // matches your query; false if not. * }</pre> @@ -207,7 +207,7 @@ function Auth_Yadis_getServiceEndpoints($input_url, $xrds_parse_func, * this contrived example): * * <pre> - * function URIMatcher(&$service) { + * function URIMatcher($service) { * foreach ($service->getElements('xrd:URI') as $uri) { * if (preg_match("/some_pattern/", * $service->parser->content($uri))) { @@ -250,7 +250,7 @@ class Auth_Yadis_Yadis { * If Auth_Yadis_CURL_OVERRIDE is defined, this method will always * return a {@link Auth_Yadis_PlainHTTPFetcher}. */ - function getHTTPFetcher($timeout = 20) + static function getHTTPFetcher($timeout = 20) { if (Auth_Yadis_Yadis::curlPresent() && (!defined('Auth_Yadis_CURL_OVERRIDE'))) { @@ -261,7 +261,7 @@ class Auth_Yadis_Yadis { return $fetcher; } - function curlPresent() + static function curlPresent() { return function_exists('curl_init'); } @@ -269,7 +269,7 @@ class Auth_Yadis_Yadis { /** * @access private */ - function _getHeader($header_list, $names) + static function _getHeader($header_list, $names) { foreach ($header_list as $name => $value) { foreach ($names as $n) { @@ -285,7 +285,7 @@ class Auth_Yadis_Yadis { /** * @access private */ - function _getContentType($content_type_header) + static function _getContentType($content_type_header) { if ($content_type_header) { $parts = explode(";", $content_type_header); @@ -317,7 +317,7 @@ class Auth_Yadis_Yadis { * Auth_Yadis_Yadis, depending on whether the discovery * succeeded. */ - function discover($uri, &$fetcher, + static function discover($uri, $fetcher, $extra_ns_map = null, $timeout = 20) { $result = new Auth_Yadis_DiscoveryResult($uri); @@ -379,4 +379,4 @@ class Auth_Yadis_Yadis { } } -?> + -- cgit v1.2.3-54-g00ecf From f0620a74c8a1a25ceb957819e528ef5a7d044d6e Mon Sep 17 00:00:00 2001 From: Brion Vibber <brion@pobox.com> Date: Mon, 19 Jul 2010 16:47:49 -0700 Subject: Provisional OAuth, OpenID token check timing attack patches --- extlib/Auth/OpenID/Association.php | 37 ++++++++++++++++++++++++++++++++++++- extlib/OAuth.php | 18 ++++++++++++++++++ 2 files changed, 54 insertions(+), 1 deletion(-) (limited to 'extlib/Auth') diff --git a/extlib/Auth/OpenID/Association.php b/extlib/Auth/OpenID/Association.php index d1ac1ed9b..7fdf399a3 100644 --- a/extlib/Auth/OpenID/Association.php +++ b/extlib/Auth/OpenID/Association.php @@ -374,7 +374,42 @@ class Auth_OpenID_Association { } $calculated_sig = $this->getMessageSignature($message); - return $calculated_sig == $sig; + + return $this->constantTimeCompare($calculated_sig, $sig); + } + + /** + * String comparison function which will complete in a constant time + * for strings of any given matching length, to help prevent an attacker + * from distinguishing how much of a signature token they have guessed + * correctly. + * + * For this usage, it's assumed that the length of the string is known, + * so we may safely short-circuit on mismatched lengths which will be known + * to be invalid by the attacker. + * + * http://lists.openid.net/pipermail/openid-security/2010-July/001156.html + * http://rdist.root.org/2010/01/07/timing-independent-array-comparison/ + */ + private function constantTimeCompare($a, $b) + { + $len = strlen($a); + if (strlen($b) !== $len) { + // Short-circuit on length mismatch; attackers will already know + // the correct target length so this is safe. + return false; + } + if ($len == 0) { + // 0-length valid input shouldn't really happen. :) + return true; + } + $result = 0; + for ($i = 0; $i < strlen($a); $i++) { + // We use scary bitwise operations to avoid logical short-circuits + // in lower-level code. + $result |= ord($a{$i}) ^ ord($b{$i}); + } + return ($result == 0); } } diff --git a/extlib/OAuth.php b/extlib/OAuth.php index 648627b57..04984d5fa 100644 --- a/extlib/OAuth.php +++ b/extlib/OAuth.php @@ -54,6 +54,24 @@ class OAuthSignatureMethod {/*{{{*/ public function check_signature(&$request, $consumer, $token, $signature) { $built = $this->build_signature($request, $consumer, $token); return $built == $signature; + + // Check for zero length, although unlikely here + if (strlen($built) == 0 || strlen($signature) == 0) { + return false; + } + + if (strlen($built) != strlen($signature)) { + return false; + } + + $result = 0; + + // Avoid a timing leak with a (hopefully) time insensitive compare + for ($i = 0; $i < strlen($signature); $i++) { + $result |= ord($built{$i}) ^ ord($signature{$i}); + } + + return $result == 0; } }/*}}}*/ -- cgit v1.2.3-54-g00ecf