From renerattur at gmail.com Mon Apr 2 08:52:18 2007
From: renerattur at gmail.com (Rene Rattur)
Date: Mon, 2 Apr 2007 18:52:18 +0300
Subject: Bug in SQLStore ?
Message-ID:

I'm using python OpenID 1.2.0 combo. Here's the traceback:

  File "C:\Documents and Settings\Lessel'id\Desktop\Rene\code-other\todo-ie\todo\controllers.py", line 736, in login
    auth = consumer.begin(ident)
  File "C:\Python24\Lib\site-packages\openid\consumer\consumer.py", line 308, in begin
    return self.beginWithoutDiscovery(service)
  File "C:\Python24\Lib\site-packages\openid\consumer\consumer.py", line 331, in beginWithoutDiscovery
    auth_req = self.consumer.begin(service)
  File "C:\Python24\Lib\site-packages\openid\consumer\consumer.py", line 423, in begin
    assoc = self._getAssociation(service_endpoint.server_url)
  File "C:\Python24\Lib\site-packages\openid\consumer\consumer.py", line 616, in _getAssociation
    assoc = self.store.getAssociation(server_url)
  File "C:\Python24\Lib\site-packages\openid\store\sqlstore.py", line 13, in wrapped
    return self._callInTransaction(func, self, *args, **kwargs)
  File "C:\Python24\Lib\site-packages\openid\store\sqlstore.py", line 159, in _callInTransaction
    ret = func(*args, **kwargs)
  File "C:\Python24\Lib\site-packages\openid\store\sqlstore.py", line 242, in txn_getAssociation
    assoc.secret = self.blobDecode(assoc.secret)
  File "C:\Python24\Lib\site-packages\openid\store\sqlstore.py", line 426, in blobDecode
    return blob.tostring()
AttributeError: 'str' object has no attribute 'tostring'

From cygnus at janrain.com Mon Apr 2 09:13:26 2007
From: cygnus at janrain.com (Jonathan Daugherty)
Date: Mon, 2 Apr 2007 09:13:26 -0700
Subject: Bug in SQLStore ?
In-Reply-To:
References:
Message-ID: <20070402161326.GH26386@janrain.com>

# return blob.tostring()
# AttributeError: 'str' object has no attribute 'tostring'

Which version of the MySQLdb module are you using?

--
Jonathan Daugherty
JanRain, Inc.
irc.freenode.net: cygnus in #openid
cygnus.myopenid.com

From kevin at janrain.com Tue Apr 3 15:51:18 2007
From: kevin at janrain.com (Kevin Turner)
Date: Tue, 03 Apr 2007 15:51:18 -0700
Subject: ANN: Python OpenID 2.0.0. Release Candidate 2
Message-ID: <1175640678.26980.29.camel@localhost>

A second release candidate for Python OpenID 2.0.0:

http://www.openidenabled.com/resources/downloads/python-openid/python-openid-2.0.0-rc2.tar.gz

Changes from last Friday's release candidate include a fix to examples/consumer.py immediate mode (thanks to Johannes Berg for reporting that) and updating the type and namespace URIs to match the latest draft spec. (No, that didn't change in the spec recently, it was our bad for not updating those constants in the code earlier.)

Please bang on this a bit and let us know how it goes. We're especially interested in hearing from other people implementing from the OpenID 2.0 spec, as it's important that our implementations play well together.

You needn't be a Python guru to try it out, python 2.5 has all the dependencies you need to run the examples. (Python 2.4 requires at least the installation of ElementTree.) Those who do dabble in Python may enjoy the included Django examples.
Thanks,
- JanRain's OpenID people, many of whom can be found in #openid on irc.freenode.net

sha1sums:
69fbe608e51847d13bdfd48b72c2f84d6932a180  python-openid-2.0.0-rc2.tar.gz
549ef126f07b8c9f7e32704b64cf2e76b5617b9b  python-openid-2.0.0-rc2.zip

From cweiske at cweiske.de Thu Apr 5 12:48:02 2007
From: cweiske at cweiske.de (Christian Weiske)
Date: Thu, 05 Apr 2007 21:48:02 +0200
Subject: cannot subscribe to mailing list without openid
Message-ID: <46155272.9020401@cweiske.de>

Hello,

I don't have an openId and wanted to subscribe to this mailing list. I always get an error:
The OpenID URL you supplied was invalid.

I think an id should not be necessary to get onto the list.

--
Regards/Mit freundlichen Grüßen
Christian Weiske

From cweiske at cweiske.de Thu Apr 5 12:51:45 2007
From: cweiske at cweiske.de (Christian Weiske)
Date: Thu, 05 Apr 2007 21:51:45 +0200
Subject: PHP OpenID php problems
Message-ID: <46155351.3010108@cweiske.de>

Hello,

It seems nobody ever tested the PHP OpenID example server with short_open_tags=Off or with E_NOTICEs enabled (error_reporting). setup.php is totally unusable with short_open_tags set to off. Further, lib/session.php#34 should be changed to

> $s = isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] ? 's' : '';

to prevent a notice from being emitted when this function is called.

--
Regards/Mit freundlichen Grüßen
Christian Weiske

From cweiske at cweiske.de Thu Apr 5 12:58:23 2007
From: cweiske at cweiske.de (Christian Weiske)
Date: Thu, 05 Apr 2007 21:58:23 +0200
Subject: PHP OpenID php problems
In-Reply-To: <46155351.3010108@cweiske.de>
References: <46155351.3010108@cweiske.de>
Message-ID: <461554DF.5060206@cweiske.de>

> It seems nobody ever tested the PHP OpenID example server with
> short_open_tags=Off or with E_NOTICEs enabled (error_reporting).

I forgot to say that the "download config" button result file does not include php tags.

--
Regards/Mit freundlichen Grüßen
Christian Weiske

From cygnus at janrain.com Thu Apr 5 13:04:01 2007
From: cygnus at janrain.com (Jonathan Daugherty)
Date: Thu, 5 Apr 2007 13:04:01 -0700
Subject: PHP OpenID php problems
In-Reply-To: <46155351.3010108@cweiske.de>
References: <46155351.3010108@cweiske.de>
Message-ID: <20070405200401.GE5361@janrain.com>

# It seems nobody ever tested the PHP OpenID example server with
# short_open_tags=Off or with E_NOTICEs enabled (error_reporting).

The example code and library are tested on "stock" PHP configurations in addition to particularly problematic PHP configurations that people have reported. (There are just *too* many configuration options in the PHP config file to make that kind of testing practical or even useful. In the relatively near future, we're going to accept contributions of Buildbot buildslaves to increase our testing coverage.)

# setup.php is totally unusable with short_open_tags set to off.
# Further,
# lib/session.php#34 should be changed to
# > $s = isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] ? 's' : '';
# to prevent a notice from being emitted when this function is called.

Thanks! I'll update the library accordingly.

--
Jonathan Daugherty
JanRain, Inc.
irc.freenode.net: cygnus in #openid
cygnus.myopenid.com

From norman at rasmussen.co.za Thu Apr 5 14:04:42 2007
From: norman at rasmussen.co.za (Norman Rasmussen)
Date: Thu, 5 Apr 2007 23:04:42 +0200
Subject: cannot subscribe to mailing list without openid
In-Reply-To: <46155272.9020401@cweiske.de>
References: <46155272.9020401@cweiske.de>
Message-ID: <5b698f5a0704051404j515896cawec76979b196a1919@mail.gmail.com>

I hardly think that having an OpenID is an unreasonable requirement for joining the development list, after all dog-fooding is the best test bed in the world :-)

On 4/5/07, Christian Weiske wrote:
> Hello,
>
> I don't have an openId and wanted to subscribe to this mailing list. I
> always get an error:
> The OpenID URL you supplied was invalid.
>
> I think an id should not be necessary to get onto the list.
> --
> Regards/Mit freundlichen Grüßen
> Christian Weiske
>
> _______________________________________________
> Dev mailing list
> Dev at lists.openidenabled.com
> http://lists.openidenabled.com/mailman/listinfo/dev
>

--
- Norman Rasmussen
- Email: norman at rasmussen.co.za
- Home page: http://norman.rasmussen.co.za/

From cygnus at janrain.com Thu Apr 5 14:16:04 2007
From: cygnus at janrain.com (Jonathan Daugherty)
Date: Thu, 5 Apr 2007 14:16:04 -0700
Subject: cannot subscribe to mailing list without openid
In-Reply-To: <5b698f5a0704051404j515896cawec76979b196a1919@mail.gmail.com>
References: <46155272.9020401@cweiske.de> <5b698f5a0704051404j515896cawec76979b196a1919@mail.gmail.com>
Message-ID: <20070405211604.GF5361@janrain.com>

# I hardly think that having an OpenID is an unreasonable requirement
# for joining the development list, after all dog-fooding is the best
# test bed in the world :-)

I'm inclined to agree, but I can definitely think of a case where someone might want to see what the development community is like before getting involved, even if that means getting a personal OpenID. At any rate, I'm pretty sure that is a bug in the OpenID code in mailman. (Dag? Do you think you could poke at it and adjust the form processing so it doesn't require an OpenID?)

--
Jonathan Daugherty
JanRain, Inc.
irc.freenode.net: cygnus in #openid
cygnus.myopenid.com

From cweiske at cweiske.de Thu Apr 5 14:31:11 2007
From: cweiske at cweiske.de (Christian Weiske)
Date: Thu, 05 Apr 2007 23:31:11 +0200
Subject: cannot subscribe to mailing list without openid
In-Reply-To: <20070405211604.GF5361@janrain.com>
References: <46155272.9020401@cweiske.de> <5b698f5a0704051404j515896cawec76979b196a1919@mail.gmail.com> <20070405211604.GF5361@janrain.com>
Message-ID: <46156A9F.7090102@cweiske.de>

> # I hardly think that having an OpenID is an unreasonable requirement
> # for joining the development list, after all dog-fooding is the best
> # test bed in the world :-)

I do still have some problems setting up my own openid server, and so I don't have an openid yet.

--
Regards/Mit freundlichen Grüßen
Christian Weiske

From trevor at corevx.com Thu Apr 5 14:37:50 2007
From: trevor at corevx.com (Trevor Wennblom)
Date: Thu, 5 Apr 2007 16:37:50 -0500
Subject: cannot subscribe to mailing list without openid
In-Reply-To: <46156A9F.7090102@cweiske.de>
References: <46155272.9020401@cweiske.de> <5b698f5a0704051404j515896cawec76979b196a1919@mail.gmail.com> <20070405211604.GF5361@janrain.com> <46156A9F.7090102@cweiske.de>
Message-ID: <119C8A87-AF19-4B51-AD51-797E04E9A6F8@corevx.com>

On Apr 5, 2007, at 4:31 PM, Christian Weiske wrote:
>> # I hardly think that having an OpenID is an unreasonable requirement
>> # for joining the development list, after all dog-fooding is the best
>> # test bed in the world :-)
>
> I do still have some problems setting up my own openid server, and so I
> don't have an openid yet.

http://openid.net/wiki/index.php/OpenIDServers

From cygnus at janrain.com Thu Apr 5 14:40:07 2007
From: cygnus at janrain.com (Jonathan Daugherty)
Date: Thu, 5 Apr 2007 14:40:07 -0700
Subject: cannot subscribe to mailing list without openid
In-Reply-To: <46156A9F.7090102@cweiske.de>
References: <46155272.9020401@cweiske.de> <5b698f5a0704051404j515896cawec76979b196a1919@mail.gmail.com> <20070405211604.GF5361@janrain.com> <46156A9F.7090102@cweiske.de>
Message-ID: <20070405214007.GG5361@janrain.com>

# I do still have some problems setting up my own openid server, and
# so I don't have an openid yet.

In the meantime, you can still set up your own OpenID URL and just delegate to a temporary server. Once you get your own server set up, you can delegate to that instead.

--
Jonathan Daugherty
JanRain, Inc.
irc.freenode.net: cygnus in #openid
cygnus.myopenid.com

From cygnus at janrain.com Thu Apr 5 15:45:57 2007
From: cygnus at janrain.com (Jonathan Daugherty)
Date: Thu, 5 Apr 2007 15:45:57 -0700
Subject: ANN: PHP OpenID 2.0.0-rc1
Message-ID: <20070405224557.GA9608@janrain.com>

Hello,

I'm pleased to release an implementation of OpenID 2.0 for PHP. PHP OpenID 2.0.0-rc1 implements revision 294 of the OpenID 2 specification. I'd very much like it if you can give it a try. With only a few changes to your application, you should be able to upgrade from version 1.2.2. Otherwise, the library transparently supports OpenID 1 and OpenID 2 relying parties and servers.

This release also incorporates numerous bugfixes and feedback from library users. See NEWS for information on API changes and see CHANGELOG for a summary of changes to the code.

Library:
http://www.openidenabled.com/resources/downloads/php-openid/PHP-openid-2.0.0-rc1.tar.gz
http://www.openidenabled.com/resources/downloads/php-openid/PHP-openid-2.0.0-rc1.zip

Docs:
http://www.openidenabled.com/resources/docs/openid/php/2.0.0-rc1/

Enjoy!

--
Jonathan Daugherty
JanRain, Inc.
irc.freenode.net: cygnus in #openid
cygnus.myopenid.com

From cweiske at cweiske.de Thu Apr 5 21:59:57 2007
From: cweiske at cweiske.de (Christian Weiske)
Date: Fri, 06 Apr 2007 06:59:57 +0200
Subject: ANN: PHP OpenID 2.0.0-rc1
In-Reply-To: <20070405224557.GA9608@janrain.com>
References: <20070405224557.GA9608@janrain.com>
Message-ID: <4615D3CD.90107@cweiske.de>

Jonathan,

> http://www.openidenabled.com/resources/downloads/php-openid/PHP-openid-2.0.0-rc1.tar.gz
> http://www.openidenabled.com/resources/downloads/php-openid/PHP-openid-2.0.0-rc1.zip

Do you already have a PEAR-installable package for it? I really liked to see that 1.22 was installable so easily.

--
Regards/Mit freundlichen Grüßen
Christian Weiske

From cweiske at cweiske.de Thu Apr 5 22:07:39 2007
From: cweiske at cweiske.de (Christian Weiske)
Date: Fri, 06 Apr 2007 07:07:39 +0200
Subject: cannot subscribe to mailing list without openid
In-Reply-To: <119C8A87-AF19-4B51-AD51-797E04E9A6F8@corevx.com>
References: <46155272.9020401@cweiske.de> <5b698f5a0704051404j515896cawec76979b196a1919@mail.gmail.com> <20070405211604.GF5361@janrain.com> <46156A9F.7090102@cweiske.de> <119C8A87-AF19-4B51-AD51-797E04E9A6F8@corevx.com>
Message-ID: <4615D59B.3060206@cweiske.de>

Trevor,

> http://openid.net/wiki/index.php/OpenIDServers

I just wanted to show that there are cases in which you want to join the list but don't have an ID.

--
Regards/Mit freundlichen Grüßen
Christian Weiske

From cweiske at cweiske.de Thu Apr 5 22:53:58 2007
From: cweiske at cweiske.de (Christian Weiske)
Date: Fri, 06 Apr 2007 07:53:58 +0200
Subject: PHP OpenID php problems
In-Reply-To: <46155351.3010108@cweiske.de>
References: <46155351.3010108@cweiske.de>
Message-ID: <4615E076.40201@cweiske.de>

Jonathan,

(about PHP-openid-2.0.0-rc1.tar.gz)

The example README still tells nothing about setup.php and still advises to modify config.php which simply does not exist.

setup.php has some more problems when E_NOTICE is enabled in php's error_reporting: all the "store method" fields do have a text in them since the variable is not defined:
> Notice: Undefined index: fs_path in
> /data/html/cweiske/id.cweiske.de/server/setup.php on line 316

Perhaps this is intended, but there is no way to add users in setup.php anymore.

After setup, running server.php:
> Notice: Constant login_needed_pat already defined in
> /data/html/cweiske/id.cweiske.de/server/lib/render/idpage.php
> on line 17
(the constant is already defined in login.php)

When doing my first login (clicking on the login button on the server.php top), I reach the login page with the following text:
> Enter your identity URL and password into this form
> to log in to this server. This server must be configured
> to accept your identity URL.
It's just that there is no password field. Just typing in my username and clicking Login, I get:
> PHP OpenID Server ? You are logged in as http://cweiske.de/
> (URL: http://id.bogo/server/server.php/idpage?user=http://cweiske.de/)

All the pages should have a no-cache tag set, since browsers will cache the pages otherwise. This happened to me with a 1.22 example server, showing me outdated pages when I already had been logged in.
So for once, an HTTP header should be sent, and the html should contain in the head:

Since the lib now supports xrds, the readme and the server start page should also show the correct html header parts as shown in http://www.openidenabled.com/openid/use-your-own-url-as-an-openid

Why is there no "trusted sites" feature in the server anymore?

--
Regards/Mit freundlichen Grüßen
Christian Weiske

From renerattur at gmail.com Fri Apr 6 06:57:08 2007
From: renerattur at gmail.com (Rene Rattur)
Date: Fri, 6 Apr 2007 16:57:08 +0300
Subject: Bug in SQLStore ?
Message-ID:

Version 1.2.2 final

> Message: 3
> Date: Mon, 2 Apr 2007 09:13:26 -0700
> From: Jonathan Daugherty
> Subject: Re: Bug in SQLStore ?
> To: discuss OpenID libraries and development
> Message-ID: <20070402161326.GH26386 at janrain.com>
> Content-Type: text/plain; charset=us-ascii
>
> # return blob.tostring()
> # AttributeError: 'str' object has no attribute 'tostring'
>
> Which version of the MySQLdb module are you using?
>
> --
> Jonathan Daugherty
> JanRain, Inc.
> irc.freenode.net: cygnus in #openid
> cygnus.myopenid.com

From cygnus at janrain.com Fri Apr 6 09:54:37 2007
From: cygnus at janrain.com (Jonathan Daugherty)
Date: Fri, 6 Apr 2007 09:54:37 -0700
Subject: ANN: PHP OpenID 2.0.0-rc1
In-Reply-To: <1175816382.7646.80.camel@zhora>
References: <20070405224557.GA9608@janrain.com> <1175816382.7646.80.camel@zhora>
Message-ID: <20070406165437.GC10049@janrain.com>

# > I'm pleased to release an implementation of OpenID 2.0 for PHP.
# > PHP OpenID 2.0.0-rc1 implements revision 294 of the OpenID 2
# > specification. I'd very much like it if you can give it a try.
# > With only a few changes to your application, you should be able to
# > upgrade from version 1.2.2. Otherwise, the library transparently
# > supports OpenID 1 and OpenID 2 relying parties and servers.
#
# This sounds great. Question about end-of-life for the PHP OpenID 1.x
# line, though. How long will bug and security fixes be supported on
# that older branch?

We're happy to maintain security fixes in the 1.x.x library branch, but we don't have the engineering resources to backport bugfixes. The OpenID 2 branch, while not yet stable, already includes some bugfixes that do not exist in the 1.x.x branch. However, we're more than happy to accept, review, and commit patches to the 1.x.x library to fix bugs, and we're happy to cut releases accordingly.

Hope that helps. Do you mind if I forward this to the list? This is something people will be interested to know.

Thanks,

--
Jonathan Daugherty
JanRain, Inc.
irc.freenode.net: cygnus in #openid
cygnus.myopenid.com

From cygnus at janrain.com Fri Apr 6 10:10:50 2007
From: cygnus at janrain.com (Jonathan Daugherty)
Date: Fri, 6 Apr 2007 10:10:50 -0700
Subject: Bug in SQLStore ?
In-Reply-To:
References:
Message-ID: <20070406171050.GD10049@janrain.com>

# Version 1.2.2 final

That's why. 1.2.2 includes a change to the type conversion of BLOBs which broke the library. Neat! MySQLdb 1.2.1 returns an array.array object; 1.2.2 and later return a str. Here's the change:

http://tinyurl.com/2b4bss

Evidently this change was in response to a "bug" report,

http://tinyurl.com/ypy25z

For you and others running MySQLdb 1.2.2, I think the cleanest solution is to just create a new store class and fix blobDecode. Then, instantiate that store class instead of sqlstore.MySQLStore.

  from openid.store import sqlstore

  class FixedMySQLStore(sqlstore.MySQLStore):
      def blobDecode(self, blob):
          """
          MySQLdb 1.2.2 returns a str, so we don't need to do any
          conversion.
          """
          return blob

  # In RP or server code:
  store = FixedMySQLStore(conn, ...)

--
Jonathan Daugherty
JanRain, Inc.
irc.freenode.net: cygnus in #openid
cygnus.myopenid.com

From cygnus at janrain.com Fri Apr 6 11:07:36 2007
From: cygnus at janrain.com (Jonathan Daugherty)
Date: Fri, 6 Apr 2007 11:07:36 -0700
Subject: PHP OpenID php problems
In-Reply-To: <4615E076.40201@cweiske.de>
References: <46155351.3010108@cweiske.de> <4615E076.40201@cweiske.de>
Message-ID: <20070406180736.GE10049@janrain.com>

# The example README still tells nothing about setup.php and still
# advises to modify config.php which simply does not exist.

You're right; I'll update the README to clearly (and correctly) explain how to configure the example server.

# setup.php has some more problems when E_NOTICE is enabled in php's
# error_reporting: all the "store method" fields do have a text in them
# since the variable is not defined:
# > Notice: Undefined index: fs_path in
# > /data/html/cweiske/id.cweiske.de/server/setup.php on line 316

This (and others) fixed.

# Perhaps this is intended, but there is no way to add users in
# setup.php anymore.

That's correct. The server is not intended to be anything more than an illustration of how to use the library, and account management is not part of that (see below).

# After setup, running server.php:
# > Notice: Constant login_needed_pat already defined in
# > /data/html/cweiske/id.cweiske.de/server/lib/render/idpage.php
# > on line 17
# (the constant is already defined in login.php)

Fixed.

# When doing my first login (clicking on the login button on the
# server.php top), I reach the login page with the following text:
# > Enter your identity URL and password into this form
# > to log in to this server. This server must be configured
# > to accept your identity URL.
# It's just that there is no password field.

Fixed (the text is wrong). I've recorded a patch to clarify the text on the login page.

# Just typing in my username and clicking Login, I get:
# > PHP OpenID Server ? You are logged in as http://cweiske.de/
# > (URL: http://id.bogo/server/server.php/idpage?user=http://cweiske.de/)

This is fixed by the login form text clarification. The value you should enter (in the new example) is not a URL, but a username string. (See below.)

# All the pages should have a no-cache tag set, since browsers will
# cache the pages otherwise. This happened to me with a 1.22 example
# server, showing me outdated pages when I already had been logged in.
# So for once, an HTTP header should be sent, and the html should
# contain in the head:
#
#

On my example server, no-cache is automatically sent using both Cache-Control and Pragma. I suspect it's a configuration problem on your end, but I'll add the META tags.

# Since the lib now supports xrds, the readme and the server start
# page should also show the correct html header parts as shown in
# http://www.openidenabled.com/openid/use-your-own-url-as-an-openid

Fixed: user-specific XRDS rendering added, HTTP-Equiv added, header added.

# Why is there no "trusted sites" feature in the server anymore?

The 2.0.0-rc1 library's example server is different from the 1.x.x example server in the following ways:

- It serves its own identity pages, whose URLs are of the form http://.../server/server.php/idpage?user=USERNAME
  In particular, it no longer responds to OpenID requests for arbitrary identifiers.
- It does not require passwords.
- It does not support a "trusted sites" page, as you pointed out.

In general, the example server is not supposed to be treated as a fully-equipped OpenID server (i.e., with user accounts and other state). That is why we removed some of its features. It is intended to be an example of how to write a server that uses the PHP library, and we tried to remove things that were not necessary to show how to use the library. I'll add this information to an upgrading section in the README.

I've recorded patches to fix the issues you brought up; you can go ahead and try out that code by checking out a copy of the PHP repository:

  darcs get http://www.openidenabled.com/resources/repos/php/openid/

Hope that helps, and thanks for your feedback!

--
Jonathan Daugherty
JanRain, Inc.
irc.freenode.net: cygnus in #openid
cygnus.myopenid.com

From cygnus at janrain.com Fri Apr 6 11:12:05 2007
From: cygnus at janrain.com (Jonathan Daugherty)
Date: Fri, 6 Apr 2007 11:12:05 -0700
Subject: ANN: PHP OpenID 2.0.0-rc1
In-Reply-To: <4615D3CD.90107@cweiske.de>
References: <20070405224557.GA9608@janrain.com> <4615D3CD.90107@cweiske.de>
Message-ID: <20070406181205.GF10049@janrain.com>

# Do you already have a PEAR-installable package for it? I really
# liked to see that 1.22 was installable so easily.

We currently do not plan to support PEAR packaging for future PHP library releases. You can read more about the decision here:

http://lists.openidenabled.com/pipermail/dev/2007-March/000383.html

If you're interested in helping out, please let me know.

--
Jonathan Daugherty
JanRain, Inc.
irc.freenode.net: cygnus in #openid
cygnus.myopenid.com

From cweiske at cweiske.de Sat Apr 7 04:42:47 2007
From: cweiske at cweiske.de (Christian Weiske)
Date: Sat, 07 Apr 2007 13:42:47 +0200
Subject: ANN: PHP OpenID 2.0.0-rc1
In-Reply-To: <20070406181205.GF10049@janrain.com>
References: <20070405224557.GA9608@janrain.com> <4615D3CD.90107@cweiske.de> <20070406181205.GF10049@janrain.com>
Message-ID: <461783B7.2050801@cweiske.de>

Jonathan,

> We currently do not plan to support PEAR packaging for future PHP
> library releases. You can read more about the decision here:
> http://lists.openidenabled.com/pipermail/dev/2007-March/000383.html

That's bad to hear.
> If you're interested in helping out, please let me know.

I took the freedom to create a php script that uses PEAR's PackageFileManager package to automatically create a package.xml from the OpenID sources. You can find it at

http://tmp.cweiske.de/genpackagexml.phps

Some notes in response to the no-pear-anymore mail:

- There is no need for two package.xml files. package.xml v1 has been used years ago and is still supported for BC reasons. All new packages should use package.xml v2 which my script creates. v1 does not need to be written anymore, since people need a current version of PEAR anyway (I set the pear installer dep to a recent 1.5.0). With this, there should be no more problems with files getting installed in the wrong directories anymore, too.

Put the script into the admin/ directory and run it from the package root:

  $ php admin/genpackagexml.php

If the package.xml looks good (it's echoed on cmdline), add a "make" parameter:

  $ php admin/genpackagexml.php make

The package.xml file will be written out, and you can do "pear package" to get the file.

--
Regards/Mit freundlichen Grüßen
Christian Weiske

From norman at rasmussen.co.za Sat Apr 7 05:03:40 2007
From: norman at rasmussen.co.za (Norman Rasmussen)
Date: Sat, 7 Apr 2007 14:03:40 +0200
Subject: PHP OpenID php problems
In-Reply-To: <20070406180736.GE10049@janrain.com>
References: <46155351.3010108@cweiske.de> <4615E076.40201@cweiske.de> <20070406180736.GE10049@janrain.com>
Message-ID: <5b698f5a0704070503j1415bfb9s837f87e2bfef6258@mail.gmail.com>

On 4/6/07, Jonathan Daugherty wrote:
> In general, the example server is not supposed to be treated as a
> fully-equipped OpenID server (i.e., with user accounts and other
> state). That is why we removed some of its features. It is intended
> to be an example of how to write a server that uses the PHP library,
> and we tried to remove things that were not necessary to show how to
> use the library.

:-(

I think it's a good idea to have an extract, configure and go install for setting up your own IDP. With this release it sounds like it's no longer possible.

--
- Norman Rasmussen
- Email: norman at rasmussen.co.za
- Home page: http://norman.rasmussen.co.za/

From cygnus at janrain.com Mon Apr 9 09:53:15 2007
From: cygnus at janrain.com (Jonathan Daugherty)
Date: Mon, 9 Apr 2007 09:53:15 -0700
Subject: PHP OpenID php problems
In-Reply-To: <5b698f5a0704070503j1415bfb9s837f87e2bfef6258@mail.gmail.com>
References: <46155351.3010108@cweiske.de> <4615E076.40201@cweiske.de> <20070406180736.GE10049@janrain.com> <5b698f5a0704070503j1415bfb9s837f87e2bfef6258@mail.gmail.com>
Message-ID: <20070409165315.GJ10049@janrain.com>

# I think it's a good idea to have an extract, configure and go install
# for setting up your own IDP. With this release it sounds like it's
# no longer possible.

It was not possible before, although I suppose it's even less possible now. The libraries we've released thus far are exactly that; other contributors and developers on the web have created various types of IDP and RP software packages for one framework or another. Building a good, secure IDP is neither easy nor trivial, and making it available in a *library* package doesn't really make sense. It's the sort of thing that is best built and maintained as a third-party package by a larger group of contributors who are invested in making it a good package. With that said, if you're interested, I'm sure there are others that would be happy to work on such a project.

--
Jonathan Daugherty
JanRain, Inc.
irc.freenode.net: cygnus in #openid cygnus.myopenid.com From cygnus at janrain.com Mon Apr 9 10:01:42 2007 From: cygnus at janrain.com (Jonathan Daugherty) Date: Mon, 9 Apr 2007 10:01:42 -0700 Subject: ANN: PHP OpenID 2.0.0-rc1 In-Reply-To: <461783B7.2050801@cweiske.de> References: <20070405224557.GA9608@janrain.com> <4615D3CD.90107@cweiske.de> <20070406181205.GF10049@janrain.com> <461783B7.2050801@cweiske.de> Message-ID: <20070409170142.GK10049@janrain.com> # - There is no need for two package.xml files. package.xml v1 has # been used years ago and is still supported for BC reasons. All new # packages should use package.xml v2 which my script creates. v1 does # not need to be written anymore, since people need a current version # of PEAR anyway (I set the pear installer dep to a recent 1.5.0). Thanks for this info. If you're at all connected with the folks who maintain the PEAR package maintaner's guide and associated documentation, it would be great if the docs said this; the only reason we implemented support for both is because it was unclear whether both were in use. (Which is to say, merely noting that v1 is "deprecated" in the docs does not give me any idea about actual deployment, and in PHP-land, there is *plenty* of bitrot on deployed PHP versions.) If you're interested in making PEAR packages available upon release of the PHP library, we'd be happy to link to your package repository from the library project page, which currently lives at http://www.openidenabled.com/openid/libraries/php/ Thanks for your help! -- Jonathan Daugherty JanRain, Inc. 
irc.freenode.net: cygnus in #openid
cygnus.myopenid.com

From norman at rasmussen.co.za Mon Apr 9 14:33:04 2007
From: norman at rasmussen.co.za (Norman Rasmussen)
Date: Mon, 9 Apr 2007 23:33:04 +0200
Subject: PHP OpenID php problems
In-Reply-To: <20070409165315.GJ10049@janrain.com>
References: <46155351.3010108@cweiske.de> <4615E076.40201@cweiske.de> <20070406180736.GE10049@janrain.com> <5b698f5a0704070503j1415bfb9s837f87e2bfef6258@mail.gmail.com> <20070409165315.GJ10049@janrain.com>
Message-ID: <5b698f5a0704091433v666163c8o81cc3f9ab34085fa@mail.gmail.com>

Sorry, I think I'm confused, maybe you can check me on this: Are the
example server provided with the library and the 'Standalone Server'
[1] two separate products? If so then that's cool, because the
standalone server will continue to be maintained as an
'extract-configure-and-go' download. I'm happy that an example server
in the library download is teenie-tiny and very simple with no backend
support.

[1] http://www.openidenabled.com/openid/php-standalone-openid-server/

On 4/9/07, Jonathan Daugherty wrote:
> # I think it's a good idea to have an extract, configure and go install
> # for setting up your own IDP. With this release it sounds like it's
> # no longer possible.
>
> It was not possible before, although I suppose it's even less possible
> now. The libraries we've released thus far are exactly that; other
> contributors and developers on the web have created various types of
> IDP and RP software packages for one framework or another. Building a
> good, secure IDP is neither easy nor trivial, and making it available
> in a *library* package doesn't really make sense. It's the sort of
> thing that is best built and maintained as a third-party package by a
> larger group of contributors who are invested in making it a good
> package. With that said, if you're interested, I'm sure there are
> others that would be happy to work on such a project.
>
> --
> Jonathan Daugherty
> JanRain, Inc.
> irc.freenode.net: cygnus in #openid
> cygnus.myopenid.com
>
> _______________________________________________
> Dev mailing list
> Dev at lists.openidenabled.com
> http://lists.openidenabled.com/mailman/listinfo/dev
>

-- 
- Norman Rasmussen
- Email: norman at rasmussen.co.za
- Home page: http://norman.rasmussen.co.za/

From cygnus at janrain.com Mon Apr 9 14:36:47 2007
From: cygnus at janrain.com (Jonathan Daugherty)
Date: Mon, 9 Apr 2007 14:36:47 -0700
Subject: PHP OpenID php problems
In-Reply-To: <5b698f5a0704091433v666163c8o81cc3f9ab34085fa@mail.gmail.com>
References: <46155351.3010108@cweiske.de> <4615E076.40201@cweiske.de> <20070406180736.GE10049@janrain.com> <5b698f5a0704070503j1415bfb9s837f87e2bfef6258@mail.gmail.com> <20070409165315.GJ10049@janrain.com> <5b698f5a0704091433v666163c8o81cc3f9ab34085fa@mail.gmail.com>
Message-ID: <20070409213647.GR10049@janrain.com>

# Are the example server provided with the library and the 'Standalone
# Server' [1] two separate products?

Yes. The standalone server *is* intended to be something you just
unpack and run (well, with a little configuration). However, in the
future we hope to get more help working on that codebase, too, so we
can focus on library development.

-- 
Jonathan Daugherty
JanRain, Inc.
irc.freenode.net: cygnus in #openid
cygnus.myopenid.com

From niels at quotar.com Mon Apr 9 14:55:22 2007
From: niels at quotar.com (Niels Berkers)
Date: Mon, 09 Apr 2007 23:55:22 +0200
Subject: captcha isn't checked
Message-ID: <461AB64A.6040509@quotar.com>

------------------------------------------------------------------------
*From:* Jonathan Daugherty [mailto:cygnus at janrain.com]
*To:* Niels Berkers [mailto:niels.berkers at tros.nl]
*Cc:* general at openid.net
*Sent:* Mon, 09 Apr 2007 19:36:37 +0200
*Subject:* Re: [OpenID] general Digest, Vol 8, Issue 16

# BTW the captcha in the registration process isn't checked when the
# form is submitted.

Yes, it is; please see src/render.php, function render_register.
In addition, posts related to this package would best be sent to the
Janrain development list. You can sign up at

http://lists.openidenabled.com/mailman/listinfo/dev

Thanks!

The captcha is checked indeed, all clear on that. The error is added
if the captcha is false, and $success is set false. Later on $error is
checked (but was never filled if the captcha was wrong).

See Adjustment (rearranged the code a bit for better security).

---original code (added debug info) ----------------------------------

    $success = true;
    echo $hash . " !== " . md5($request['captcha_text']) . " " . $request['captcha_text'] . "\n";
    if ($hash !== md5($request['captcha_text'])) {
        $template->addError('Security code does not match image. Please try again.');
        echo " no success here";
        $success = false;
    }

    $errors = Server_accountCheck($request['username'], $request['pass1'], $request['pass2']);
    if ($errors) {
        foreach ($errors as $e) {
            $template->addError($e);
        }
    } else {
        . . .
    }

--------------------------------------------------------------------

---------- Adjustment -------------------------------------------

    $bSuccess = (bool)true;
    $aErrors = array();
    $aErrors = Server_accountCheck($request['username'], $request['pass1'], $request['pass2']);
    if ($hash !== md5($request['captcha_text'])) {
        $aErrors[] = 'Security code does not match image. Please try again.';
        $bSuccess = false;
    }
    if (count($aErrors) === 0 && $bSuccess !== FALSE) {
        // Good.
        . . .
    } else {
        foreach ($aErrors as $e) {
            $template->addError($e);
        }
    }

-------------------------------------------------------------------

From norman at rasmussen.co.za Mon Apr 9 14:59:58 2007
From: norman at rasmussen.co.za (Norman Rasmussen)
Date: Mon, 9 Apr 2007 23:59:58 +0200
Subject: PHP OpenID php problems
In-Reply-To: <20070409213647.GR10049@janrain.com>
References: <46155351.3010108@cweiske.de> <4615E076.40201@cweiske.de> <20070406180736.GE10049@janrain.com> <5b698f5a0704070503j1415bfb9s837f87e2bfef6258@mail.gmail.com> <20070409165315.GJ10049@janrain.com> <5b698f5a0704091433v666163c8o81cc3f9ab34085fa@mail.gmail.com> <20070409213647.GR10049@janrain.com>
Message-ID: <5b698f5a0704091459l74da954ake438b1c3aec411ee@mail.gmail.com>

On 4/9/07, Jonathan Daugherty wrote:
> # Are the example server provided with the library and the 'Standalone
> # Server' [1] two separate products?
>
> Yes. The standalone server *is* intended to be something you just
> unpack and run (well, with a little configuration). However, in the
> future we hope to get more help working on that codebase, too, so we
> can focus on library development.

Cool, no worries then. I look forward to seeing what happens to that
codebase. (My patch for OpenID auth is here:
http://norman.rasmussen.co.za/107/xmpp-auth-for-openid/)

-- 
- Norman Rasmussen
- Email: norman at rasmussen.co.za
- Home page: http://norman.rasmussen.co.za/

From cygnus at janrain.com Mon Apr 9 15:07:36 2007
From: cygnus at janrain.com (Jonathan Daugherty)
Date: Mon, 9 Apr 2007 15:07:36 -0700
Subject: captcha isn't checked
In-Reply-To: <461AB64A.6040509@quotar.com>
References: <461AB64A.6040509@quotar.com>
Message-ID: <20070409220736.GS10049@janrain.com>

# the captcha is checked indeed, all clear on that. The error is added
# if the captcha is false. and $success is set false.
# Later on $error is checked (but was never filled if the captcha was
# wrong)

The code should short-circuit and not call Server_accountCheck if the
captcha check fails (which is something neither my code nor yours
does). At any rate, $errors is not set by the captcha check because
it is set by Server_accountCheck, which returns an array.

Thanks for taking a look at it,

-- 
Jonathan Daugherty
JanRain, Inc.
irc.freenode.net: cygnus in #openid
cygnus.myopenid.com

From niels at quotar.com Mon Apr 9 15:09:59 2007
From: niels at quotar.com (Niels Berkers)
Date: Tue, 10 Apr 2007 00:09:59 +0200
Subject: debugging info auth.php
Message-ID: <461AB9B7.60807@quotar.com>

# in http://www.openidenabled.com/resources/downloads/php-server/PHP-server-1.1.tar.gz
#
# there is still some debugging info active....
#
# src/auth.php line 105: print_r($result);

# src/auth.php line 105:
# print_r($result);

Thanks, Niels. Considering what it's printing, I'm inclined to believe
it's probably best that it stay; that error condition indicates
catastrophic failure anyway, so it's best that you find out exactly
what went wrong.

-- 
Jonathan Daugherty
JanRain, Inc.
irc.freenode.net: cygnus in #openid
cygnus.myopenid.com

--------------------------------------------------

I disagree with that... if there is a database error the user will get
this whole dump on screen. This is not a rare occasion. Because there
is no check in place if the username already exists in the database, a
user could trigger a duplicate key error. So better turn it off... in
case you have more users who want to use the name John ;)

br,

Niels

    function newAccount($username, $password, $query)
    {
        $username = strtolower($username);
        $result = $this->db->query("INSERT INTO accounts (username, password) " .
                                   "VALUES (?, ?)",
                                   array($username, $this->_encodePassword($password)));

        // $query is ignored for this implementation, but you might
        // choose to change the login process to incorporate other
        // user details like an email address. $query is the HTTP
        // query in which the account registration form was submitted.
        // You'll only need to bother with $query if you've modified
        // the account registration form template and need to access
        // your new fields.

        if (PEAR::isError($result)) {
            // print_r($result);
            return false;
        } else {
            return true;
        }
    }

From cygnus at janrain.com Mon Apr 9 15:13:19 2007
From: cygnus at janrain.com (Jonathan Daugherty)
Date: Mon, 9 Apr 2007 15:13:19 -0700
Subject: debugging info auth.php
In-Reply-To: <461AB9B7.60807@quotar.com>
References: <461AB9B7.60807@quotar.com>
Message-ID: <20070409221319.GT10049@janrain.com>

# I disagree with that... if there is a database error the user will
# get this whole dump on screen. This is not a rare
# occasion. Because there is no check in place if the username
# already exists in the database, a user could trigger a duplicate key
# error.

I was actually partially kidding, before. And you're right, it will
print a nasty PEAR error object in the case of a duplicate account
violation. The line was left in as debugging output, but I overlooked
the duplicate-account case. I've patched the trunk source, so it'll
be out in the next release.

-- 
Jonathan Daugherty
JanRain, Inc.
irc.freenode.net: cygnus in #openid
cygnus.myopenid.com

From niels at quotar.com Mon Apr 9 15:21:22 2007
From: niels at quotar.com (Niels Berkers)
Date: Tue, 10 Apr 2007 00:21:22 +0200
Subject: captcha isn't checked
In-Reply-To: <20070409220736.GS10049@janrain.com>
References: <461AB64A.6040509@quotar.com> <20070409220736.GS10049@janrain.com>
Message-ID: <461ABC62.2010803@quotar.com>

Jonathan Daugherty wrote:
> # the captcha is checked indeed, all clear on that. The error is added
> # if the captcha is false. and $success is set false.
> # Later on $error is checked (but was never filled if the captcha was
> # wrong)
>
> The code should short-circuit and not call Server_accountCheck if the
> captcha check fails (which is something neither my code nor yours
> does). At any rate, $errors is not set by the captcha check because
> it is set by Server_accountCheck, which returns an array. Thanks for
> taking a look at it,
>

Ok, I've implemented the code... it seems to work fine now. A
short-circuit would be better indeed. Server_accountCheck won't harm
anyone. Maybe it's even a nice feature if you get full feedback on
what went wrong in the form.

br,

Niels

From cygnus at janrain.com Mon Apr 9 15:25:00 2007
From: cygnus at janrain.com (Jonathan Daugherty)
Date: Mon, 9 Apr 2007 15:25:00 -0700
Subject: captcha isn't checked
In-Reply-To: <461ABC62.2010803@quotar.com>
References: <461AB64A.6040509@quotar.com> <20070409220736.GS10049@janrain.com> <461ABC62.2010803@quotar.com>
Message-ID: <20070409222500.GU10049@janrain.com>

FYI, if you're interested in checking out the standalone server
codebase, the repository lives here:

http://www.openidenabled.com/resources/repos/php/phpserver/

I'm more than happy to look at patches sent to me with "darcs send"
(or feel free to post diffs to this list).

Thanks again,

-- 
Jonathan Daugherty
JanRain, Inc.
irc.freenode.net: cygnus in #openid
cygnus.myopenid.com

From paul at virtual-techno.com Tue Apr 10 01:24:03 2007
From: paul at virtual-techno.com (Paul Tanner)
Date: Tue, 10 Apr 2007 09:24:03 +0100
Subject: PHP Consumer Example/ Extension Arguments

Spent some time trying to find simple consumer examples in PHP. The
problem was that I was using the 1.2.1 PHP library download which did
not include an examples directory. That is now resolved with the 1.2.2
download and the consumer example works fine.
Except:

To test Extension Arguments I added in try_auth.php

    $auth_request->addExtensionArg('sreg', 'optional', 'postcode');  # just after the similar line for email

This had the effect of correctly passing the postcode from my OpenID
through to finish_auth.php. However, it caused the email address to
no longer be passed. Is this a defect or is there a problem with
passing more than one extension argument?

From daniel-hofstetter at gmx.ch Tue Apr 10 05:26:38 2007
From: daniel-hofstetter at gmx.ch (Daniel Hofstetter)
Date: Tue, 10 Apr 2007 14:26:38 +0200
Subject: PHP Consumer Example/ Extension Arguments
Message-ID: <461B827E.9050002@gmx.ch>

Paul Tanner wrote:
> Spent some time trying to find simple consumer examples in PHP. The
> problem was that I was using the 1.2.1 PHP library download which did
> not include an examples directory. That is now resolved with the
> 1.2.2 download and the consumer example works fine. Except:
>
> To test Extension Arguments I added in try_auth.php
>
> $auth_request->addExtensionArg('sreg', 'optional', 'postcode');  # just after the similar line for email
>
> This had the effect of correctly passing the postcode from my OpenID
> through to finish_auth.php. However, it caused the email address to
> no longer be passed. Is this a defect or is there a problem with
> passing more than one extension argument?

You have to use it in the following way:

    $auth_request->addExtensionArg('sreg', 'optional', 'postcode,email');

-- 
Daniel Hofstetter
http://cakebaker.42dh.com

From amm03 at tid.es Tue Apr 10 06:53:08 2007
From: amm03 at tid.es (Antonio Martinez Martinez)
Date: Tue, 10 Apr 2007 15:53:08 +0200
Subject: OpenID and LDAP
Message-ID: <461B96C4.1020502@tid.es>

Hi all,

I've been working with the JanRain php library 'standalone' version. I
had already worked with PHP and MySQL in other projects, so it was less
difficult to me to understand this.
But now, I'm thinking about the way of using LDAP instead of MySQL and
I'd like somebody to advise me about this idea. How difficult would it
be? Has anybody tried it?

Thanks in advance, and please, forgive my English.

Cheers,

-------------- next part --------------
A non-text attachment was scrubbed...
Name: amm03.vcf
Type: text/x-vcard
Size: 320 bytes
Desc: not available
Url : http://lists.openidenabled.com/pipermail/dev/attachments/20070410/78d3647e/attachment.vcf

From eugene.louw at gmail.com Tue Apr 10 08:41:37 2007
From: eugene.louw at gmail.com (Eugene Louw)
Date: Tue, 10 Apr 2007 08:41:37 -0700
Subject: OpenID and LDAP
In-Reply-To: <461B96C4.1020502@tid.es>
References: <461B96C4.1020502@tid.es>
Message-ID: <1779a05f0704100841g7dffeb03v6cca117c18683b42@mail.gmail.com>

It is dead simple, all you need to do is create a new store. Just
extend Auth_OpenID_OpenIDStore and fill in the blanks.

Regards,
Eugene Louw

On 4/10/07, Antonio Martinez Martinez wrote:
>
> Hi all,
>
> I've been working with the JanRain php library 'standalone' version. I
> had already worked with PHP and MySQL in other projects, so it was less
> difficult to me to understand this. But now, I'm thinking about the way
> of using LDAP instead of MySQL and I'd like somebody to advise me about
> this idea. How difficult would it be? Has anybody tried it?
>
> Thanks in advance, and please, forgive my English.
>
> Cheers,
>
> _______________________________________________
> Dev mailing list
> Dev at lists.openidenabled.com
> http://lists.openidenabled.com/mailman/listinfo/dev
>
>

-- 
------------------------------------------------
Eugene Louw
Nowhere, South Africa
------------------------------------------------
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.openidenabled.com/pipermail/dev/attachments/20070410/cb626f9b/attachment.html

From cygnus at janrain.com Tue Apr 10 10:04:54 2007
From: cygnus at janrain.com (Jonathan Daugherty)
Date: Tue, 10 Apr 2007 10:04:54 -0700
Subject: PHP Consumer Example/ Extension Arguments
Message-ID: <20070410170454.GV10049@janrain.com>

# Spent some time trying to find simple consumer examples in PHP. The
# problem was that I was using the 1.2.1 PHP library download which
# did not include an examples directory.

The PEAR package does not include the examples directory (or admin/
and doc/ for that matter). The full tarball, however, includes
everything.

# $auth_request->addExtensionArg('sreg', 'optional', 'postcode');
#
# This had the effect of correctly passing the postcode from my OpenID
# through to finish_auth.php. However, it caused the email address
# to no longer be passed.

This is a common mistake and is remedied by the OpenID 2 library's
SReg module. (Follow-up by someone else answered this.) In
particular, read about the format of the 'optional' and 'required'
fields here:

http://openid.net/specs/openid-simple-registration-extension-1_1-01.html#anchor3

-- 
Jonathan Daugherty
JanRain, Inc.
irc.freenode.net: cygnus in #openid
cygnus.myopenid.com

From cygnus at janrain.com Tue Apr 10 10:08:57 2007
From: cygnus at janrain.com (Jonathan Daugherty)
Date: Tue, 10 Apr 2007 10:08:57 -0700
Subject: OpenID and LDAP
In-Reply-To: <461B96C4.1020502@tid.es>
References: <461B96C4.1020502@tid.es>
Message-ID: <20070410170857.GW10049@janrain.com>

# I've been working with the JanRain php library 'standalone' version.

If you're referring to the "standalone PHP OpenID server" located at

http://www.openidenabled.com/openid/php-standalone-openid-server/

then the solution is to implement a new "auth" backend. The package
lets you specify your own auth backend if you have decided to
implement one; the default is src/auth.php:AuthBackend_MYSQL.
The solution is to write a class that implements the same interface as
AuthBackend_MYSQL and update config.php to use it. For example,
implement AuthBackend_LDAP and update AUTH_BACKEND in config.php to
the value 'LDAP'. (And, of course, make sure AuthBackend_LDAP is
included in the namespace.)

HTH,

-- 
Jonathan Daugherty
JanRain, Inc.
irc.freenode.net: cygnus in #openid
cygnus.myopenid.com

From niels at quotar.com Tue Apr 10 14:16:07 2007
From: niels at quotar.com (Niels Berkers)
Date: Tue, 10 Apr 2007 23:16:07 +0200
Subject: patch 4 Auth/OpenID/Consumer.php
Message-ID: <461BFE97.8040207@quotar.com>

Hi All,

Querying the openid server gives a problem in Auth/OpenID/Consumer.php.
A second call on function addExtensionArg will overwrite the previously
set argument. So the URL will only contain a query for the last call
(per $key * $namespace, that is).

http://openid.net/specs/openid-simple-registration-extension-1_1-01.html

patch in Auth/OpenID/Consumer.php from line 971-978

-original-----------------------------

    function addExtensionArg($namespace, $key, $value)
    {
        $arg_name = implode('.', array('openid', $namespace, $key));
        $this->extra_args[$arg_name] = $value;
    }

--------------------------------------

-patch--------------------------------

    function addExtensionArg($namespace, $key, $value)
    {
        $arg_name = implode('.', array('openid', $namespace, $key));
        // Append to an argument that was already set instead of
        // overwriting it. (The value is a string, so test for a
        // non-empty entry rather than calling count() on it.)
        if (isset($this->extra_args[$arg_name]) &&
            $this->extra_args[$arg_name] !== '') {
            $this->extra_args[$arg_name] .= "," . $value;
        } else {
            $this->extra_args[$arg_name] = $value;
        }
    }

-----------------------------------

br,

Niels Berkers
Quotar Internet & new media
http://openid.quotar.com

From cygnus at janrain.com Tue Apr 10 14:27:56 2007
From: cygnus at janrain.com (Jonathan Daugherty)
Date: Tue, 10 Apr 2007 14:27:56 -0700
Subject: patch 4 Auth/OpenID/Consumer.php
In-Reply-To: <461BFE97.8040207@quotar.com>
References: <461BFE97.8040207@quotar.com>
Message-ID: <20070410212756.GX10049@janrain.com>

# querying the openid server gives a problem in
# Auth/OpenID/Consumer.php A second call on function addExtensionArg
# will overwrite the previously set argument. So the URL will only
# contain a query for the last call (per $key * $namespace that is)

This is by design. The method is intended to be called only *once*
for required parameters, and only once for optional parameters. If
you use the OpenID 2 library, there is an entire module dedicated to
the use of Simple Registration which is more straightforward than the
API supplied by the 1.x.x libraries.

-- 
Jonathan Daugherty
JanRain, Inc.
irc.freenode.net: cygnus in #openid
cygnus.myopenid.com

From niels at quotar.com Tue Apr 10 14:39:38 2007
From: niels at quotar.com (Niels Berkers)
Date: Tue, 10 Apr 2007 23:39:38 +0200
Subject: patch 4 Auth/OpenID/Consumer.php
In-Reply-To: <20070410212756.GX10049@janrain.com>
References: <461BFE97.8040207@quotar.com> <20070410212756.GX10049@janrain.com>
Message-ID: <461C041A.8080703@quotar.com>

Jonathan Daugherty wrote:
> # querying the openid server gives a problem in
> # Auth/OpenID/Consumer.php A second call on function addExtensionArg
> # will overwrite the previously set argument. So the URL will only
> # contain a query for the last call (per $key * $namespace that is)
>
> This is by design. The method is intended to be called only *once*
> for required parameters, and only once for optional parameters. If
> you use the OpenID 2 library, there is an entire module dedicated to
> the use of Simple Registration which is more straightforward than the
> API supplied by the 1.x.x libraries.
>

uhmmm... ok (the specs claimed CSVs)

But if there is a newer version of this library I will use that one...
np here. Could you give me a pointer where I can get it?

Just did another little patch in case someone still wants to use it :)
It checks for optional and required.
So you can use the function to set the policy_url.

----------------------

    function addExtensionArg($namespace, $key, $value)
    {
        $arg_name = implode('.', array('openid', $namespace, $key));
        // Only the comma-separated 'optional' and 'required' lists are
        // appended to; any other key (e.g. policy_url) is replaced.
        if (isset($this->extra_args[$arg_name]) &&
            $this->extra_args[$arg_name] !== '' &&
            ($key == "optional" || $key == "required")) {
            $this->extra_args[$arg_name] .= "," . $value;
        } else {
            $this->extra_args[$arg_name] = $value;
        }
    }

----------------------------------

br,

Niels Berkers
Quotar Internet & new media
http://openid.quotar.com

From cygnus at janrain.com Tue Apr 10 14:41:05 2007
From: cygnus at janrain.com (Jonathan Daugherty)
Date: Tue, 10 Apr 2007 14:41:05 -0700
Subject: patch 4 Auth/OpenID/Consumer.php
In-Reply-To: <461C041A.8080703@quotar.com>
References: <461BFE97.8040207@quotar.com> <20070410212756.GX10049@janrain.com> <461C041A.8080703@quotar.com>
Message-ID: <20070410214105.GY10049@janrain.com>

# uhmmm... ok (the specs claimed CSVs)

That's right; the intended use is:

    $auth_req->addExtensionArg('sreg', 'optional', 'email,nickname');

# But if there is a newer version of this library I will use that
# one... np here. Could you give me a pointer where I can get it?

You can get it here:

http://www.openidenabled.com/resources/downloads/php-openid/PHP-openid-2.0.0-rc1.tar.gz

-- 
Jonathan Daugherty
JanRain, Inc.
irc.freenode.net: cygnus in #openid
cygnus.myopenid.com

From niels at quotar.com Tue Apr 10 14:50:52 2007
From: niels at quotar.com (Niels Berkers)
Date: Tue, 10 Apr 2007 23:50:52 +0200
Subject: patch 4 Auth/OpenID/Consumer.php
In-Reply-To: <20070410214105.GY10049@janrain.com>
References: <461BFE97.8040207@quotar.com> <20070410212756.GX10049@janrain.com> <461C041A.8080703@quotar.com> <20070410214105.GY10049@janrain.com>
Message-ID: <461C06BC.3010209@quotar.com>

Jonathan Daugherty wrote:
> # uhmmm... ok (the specs claimed CSVs)
>
> That's right; the intended use is:
>
> $auth_req->addExtensionArg('sreg', 'optional', 'email,nickname');
>

I see... yeah, that will work :) never thought of that.
There are more ways to Rome ;-)

> # But if there is a newer version of this library I will use that
> # one... np here. Could you give me a pointer where I can get it?
>
> You can get it here:
>
> http://www.openidenabled.com/resources/downloads/php-openid/PHP-openid-2.0.0-rc1.tar.gz
>

Thanks! Is it backward compatible with PHP-server-1.1?

br,

Niels Berkers

From cygnus at janrain.com Tue Apr 10 14:53:24 2007
From: cygnus at janrain.com (Jonathan Daugherty)
Date: Tue, 10 Apr 2007 14:53:24 -0700
Subject: patch 4 Auth/OpenID/Consumer.php
In-Reply-To: <461C06BC.3010209@quotar.com>
References: <461BFE97.8040207@quotar.com> <20070410212756.GX10049@janrain.com> <461C041A.8080703@quotar.com> <20070410214105.GY10049@janrain.com> <461C06BC.3010209@quotar.com>
Message-ID: <20070410215324.GZ10049@janrain.com>

# I see... yeah, that will work :) never thought of that. There are
# more ways to Rome ;-)

Yeah. Unfortunately, many people have been bitten by that, even though
the example consumer code contains correct code to help avoid the
problem. At any rate, the SReg module in the OpenID 2.0.0-rc1 library
is going to fix that.

# Thanks! Is it backward compatible with PHP-server-1.1?

No.

-- 
Jonathan Daugherty
JanRain, Inc.
irc.freenode.net: cygnus in #openid
cygnus.myopenid.com

From niels at quotar.com Tue Apr 10 15:30:13 2007
From: niels at quotar.com (Niels Berkers)
Date: Wed, 11 Apr 2007 00:30:13 +0200
Subject: security bug in PHP-server-1.1
Message-ID: <461C0FF5.4000109@quotar.com>

Hi All,

I found a security bug in PHP-server-1.1.

With this line set in the example consumer I call my openID server:

Which will result in two javascript alert popups. I'm not much of a
hacker but I know this could lead to much bigger problems like
injections in PHP.
The least you should do is strip the HTML tags from all $sreg values
in function setRequestInfo or better in function
Server_requestSregData (earlier in the data processing).

---------------------
$auth_request->addExtensionArg('sreg', 'policy_url', 'http://www.openid.net">openidopenid href="http://www.openid.net');
> ---------------------
>
>
>
> function setRequestInfo($info=null, $sreg=null)
> {
>     if (!isset($info)) {
>         unset($_SESSION['request']);
>     } else {
>         $_SESSION['request'] = serialize($info);
>         $_SESSION['sreg_request'] = serialize($sreg);
>     }
> }
>
> function getRequestInfo()
> {
>     if (isset($_SESSION['request'])) {
>         return array(unserialize($_SESSION['request']),
>                      unserialize($_SESSION['sreg_request']));
>     } else {
>         return false;
>     }
> }
>

on common.php line 271+ patched function
The input fields on the persona page aren't cleaned either.

    function Server_requestSregData($request)
    {
        $optional = array();
        $required = array();
        $policy_url = null;

        $request = Auth_OpenID::fixArgs($request);

        if (array_key_exists('openid.sreg.required', $request)) {
            $required = explode(",",
                htmlentities(strip_tags($request['openid.sreg.required']), ENT_QUOTES));
        }

        if (array_key_exists('openid.sreg.optional', $request)) {
            $optional = explode(",",
                htmlentities(strip_tags($request['openid.sreg.optional']), ENT_QUOTES));
        }

        if (array_key_exists('openid.sreg.policy_url', $request)) {
            // ENT_QUOTES is an argument of htmlentities(), not of strip_tags()
            $policy_url = htmlentities(strip_tags($request['openid.sreg.policy_url']), ENT_QUOTES);
        }

        return array($optional, $required, $policy_url);
    }

br,

Niels Berkers
http://openid.quotar.com/ ( patched ;) )

From niels at quotar.com Tue Apr 10 16:24:10 2007
From: niels at quotar.com (Niels Berkers)
Date: Wed, 11 Apr 2007 01:24:10 +0200
Subject: security bug in PHP-server-1.1
In-Reply-To: <461C17AC.1010503@quotar.com>
References: <461C0FF5.4000109@quotar.com> <461C17AC.1010503@quotar.com>
Message-ID: <461C1C9A.7090303@quotar.com>

Niels Berkers wrote:
> Niels Berkers wrote:
>> Hi All,
>>
>> I found a security
>> bug in PHP-server-1.1.
>>
>> With this line set in the example consumer I call my openID server:
>> Which will result in two javascript alert popups. I'm not much of a
>> hacker but I know this could lead to much bigger problems like
>> injections in PHP. The least you should do is strip the HTML tags from
>> all $sreg values in function setRequestInfo or better in function
>> Server_requestSregData (earlier in the data processing).
>> ---------------------
>> $auth_request->addExtensionArg('sreg', 'policy_url',
>> 'http://www.openid.net">openid> href="http://www.openid.net');
>> ---------------------
>>
>>
>>
>> function setRequestInfo($info=null, $sreg=null)
>> {
>>     if (!isset($info)) {
>>         unset($_SESSION['request']);
>>     } else {
>>         $_SESSION['request'] = serialize($info);
>>         $_SESSION['sreg_request'] = serialize($sreg);
>>     }
>> }
>>
>> function getRequestInfo()
>> {
>>     if (isset($_SESSION['request'])) {
>>         return array(unserialize($_SESSION['request']),
>>                      unserialize($_SESSION['sreg_request']));
>>     } else {
>>         return false;
>>     }
>> }
>>
>
>
> on common.php line 271+ patched function
> The input fields on the persona page aren't cleaned either.
>
>
> function Server_requestSregData($request)
> {
>     $optional = array();
>     $required = array();
>     $policy_url = null;
>
>     $request = Auth_OpenID::fixArgs($request);
>
>     if (array_key_exists('openid.sreg.required', $request)) {
>         $required = explode(",",
>             htmlentities(strip_tags($request['openid.sreg.required']), ENT_QUOTES));
>     }
>
>     if (array_key_exists('openid.sreg.optional', $request)) {
>         $optional = explode(",",
>             htmlentities(strip_tags($request['openid.sreg.optional']), ENT_QUOTES));
>     }
>
>     if (array_key_exists('openid.sreg.policy_url', $request)) {
>         $policy_url =
>             htmlentities(strip_tags($request['openid.sreg.policy_url']), ENT_QUOTES);
>     }
>
>     return array($optional, $required, $policy_url);
> }
>
> br,
>
> Niels Berkers
> http://openid.quotar.com/ ( patched ;) )
>

Some other patches for user input:

render.php line 168+

--org-------------------

    foreach ($sreg_fields as $field) {
        $profile[$field] = $profile_form[$field];
    }

------------------------

--new-------------------

    foreach ($sreg_fields as $field) {
        $profile[$field] = htmlentities(strip_tags($profile_form[$field]), ENT_QUOTES);
    }

------------------------

common.php line 179+ ( patch + username a-z,0-9,_ )

-org--------------------

    function Server_accountCheck($username, $pass1, $pass2)
    {
        $errors = array();

        if ($pass1 != $pass2) {
            $errors[] = "Passwords must match.";
        } else if (strlen($pass1) < MIN_PASSWORD_LENGTH) {
            $errors[] = 'Password must be at least '.
                MIN_PASSWORD_LENGTH.' characters long.';
        }

        if (strlen($username) < MIN_USERNAME_LENGTH) {
            $errors[] = 'Username must be at least '. MIN_USERNAME_LENGTH.'
                characters long.';
        }

        return $errors;
    }

-------------------------

-new--------------------

    function Server_accountCheck($username, $pass1, $pass2)
    {
        $errors = array();

        $username = htmlentities(strip_tags($username), ENT_QUOTES);
        $pass1 = htmlentities(strip_tags($pass1), ENT_QUOTES);

        if ($pass1 != $pass2) {
            $errors[] = "Passwords must match.";
        } else if (strlen($pass1) < MIN_PASSWORD_LENGTH) {
            $errors[] = 'Password must be at least '.
                MIN_PASSWORD_LENGTH.' characters long.';
        }

        if (strlen($username) < MIN_USERNAME_LENGTH) {
            $errors[] = 'Username must be at least '. MIN_USERNAME_LENGTH.'
                characters long.';
        }

        if (preg_match("/(\W+)/", $username)) {
            $errors[] = 'Username can only consist of a-z,0-9,_';
        }

        return $errors;
    }

-------------------------

From cygnus at janrain.com Tue Apr 10 16:29:19 2007
From: cygnus at janrain.com (Jonathan Daugherty)
Date: Tue, 10 Apr 2007 16:29:19 -0700
Subject: security bug in PHP-server-1.1
In-Reply-To: <461C1C9A.7090303@quotar.com>
References: <461C0FF5.4000109@quotar.com> <461C17AC.1010503@quotar.com> <461C1C9A.7090303@quotar.com>
Message-ID: <20070410232919.GA10049@janrain.com>

Howdy,

Thanks for taking the time to produce these patches. When I get some
time, I will definitely do a pass to be sure that output is properly
escaped. In the meantime, it would be extremely helpful if you can:

- Produce patches using the "diff" command

- Modify the templates -- not the PHP code itself -- when escaping
  output. The templates are the correct place for that; the PHP code
  is not.

Thanks!

-- 
Jonathan Daugherty
JanRain, Inc.
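An added example, not code from PHP-server-1.1 or from anyone in this thread, showing the approach Jonathan describes above applied to the sreg request Niels reported: the request values are stored exactly as received, and escaping happens where a template renders them. The helper names (h, policyUrlHref, parseSregRequest, renderSregPrompt) and the sample request array are assumptions constructed for this example. It also goes one step beyond escaping for policy_url, which lands in an href: an escaped "javascript:" URL is still a javascript: URL once the browser decodes the attribute, so the value is only linked when it is an absolute http/https URL.

```php
<?php
// Added example, not code from PHP-server-1.1: escape at the output
// boundary (the template) instead of stripping tags from the sreg
// request on the way in. Helper names and the sample request below are
// assumptions constructed for this example.

// Escape a value for HTML text content or a double-quoted attribute.
function h($value)
{
    return htmlspecialchars((string)$value, ENT_QUOTES, 'UTF-8');
}

// policy_url is placed inside an href, where escaping alone is not enough.
// Only absolute http/https URLs with a plain hostname are linked; anything
// else is shown as text.
function policyUrlHref($url)
{
    if (!is_string($url) || $url === '') {
        return null;
    }
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), array('http', 'https'), true)) {
        return null;
    }
    if (!preg_match('/^[A-Za-z0-9.-]+$/', $parts['host'])) {
        return null;
    }
    return $url;
}

// Split the sreg request the way the server does, but keep the raw values:
// they are stored unmodified and only escaped where they are rendered.
function parseSregRequest(array $request)
{
    $optional = array();
    $required = array();
    $policy_url = null;
    if (isset($request['openid.sreg.required'])) {
        $required = array_filter(array_map('trim', explode(',', $request['openid.sreg.required'])));
    }
    if (isset($request['openid.sreg.optional'])) {
        $optional = array_filter(array_map('trim', explode(',', $request['openid.sreg.optional'])));
    }
    if (isset($request['openid.sreg.policy_url'])) {
        $policy_url = $request['openid.sreg.policy_url'];
    }
    return array($optional, $required, $policy_url);
}

// The template side: every interpolated value passes through h().
function renderSregPrompt(array $optional, array $required, $policy_url)
{
    $html = "<ul>\n";
    foreach ($required as $field) {
        $html .= '  <li>' . h($field) . " (required)</li>\n";
    }
    foreach ($optional as $field) {
        $html .= '  <li>' . h($field) . " (optional)</li>\n";
    }
    $html .= "</ul>\n";
    $href = policyUrlHref($policy_url);
    if ($href !== null) {
        $html .= '<p>Policy: <a href="' . h($href) . '">' . h($href) . "</a></p>\n";
    } elseif ($policy_url !== null) {
        $html .= '<p>Policy URL (not linked): ' . h($policy_url) . "</p>\n";
    }
    return $html;
}

// Constructed request resembling the report in this thread: the markup in
// the field list and in policy_url is rendered inert.
$request = array(
    'openid.sreg.required'   => 'email',
    'openid.sreg.optional'   => 'nickname,<b>postcode</b>',
    'openid.sreg.policy_url' => 'http://www.openid.net">openid<a href="http://www.openid.net',
);
list($optional, $required, $policy_url) = parseSregRequest($request);
echo renderSregPrompt($optional, $required, $policy_url);
```

Because the stored values are untouched, the same data can later be quoted into SQL by the database layer or returned to the relying party without the double-escaping that input-side htmlentities() causes; the only place that needs to know it is producing HTML is the template.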
irc.freenode.net: cygnus in #openid
cygnus.myopenid.com

From niels at quotar.com Tue Apr 10 16:50:45 2007
From: niels at quotar.com (Niels Berkers)
Date: Wed, 11 Apr 2007 01:50:45 +0200
Subject: security bug in PHP-server-1.1
In-Reply-To: <20070410232919.GA10049@janrain.com>
References: <461C0FF5.4000109@quotar.com> <461C17AC.1010503@quotar.com> <461C1C9A.7090303@quotar.com> <20070410232919.GA10049@janrain.com>
Message-ID: <461C22D5.5010404@quotar.com>

Jonathan Daugherty wrote:
> Howdy,
> 
> Thanks for taking the time to produce these patches. When I get some
> time, I will definitely do a pass to be sure that output is properly
> escaped. In the meantime, it would be extremely helpful if you can:
> 
> - Produce patches using the "diff" command
> 

uhmmm... diff? Well, I never worked with diff before... but I'll take a look at it.

> - Modify the templates -- not the PHP code itself -- when escaping
>   output. The templates are the correct place for that; the PHP code
>   is not.
> 

why? Templates are for output, not for processing... AND as soon as you get the data in your system you should clean it. Not just before presentation. All harm could have been done. Besides, I like to fight the bull by its horns, not by its tail.

br,

Niels

From cygnus at janrain.com Tue Apr 10 17:06:55 2007
From: cygnus at janrain.com (Jonathan Daugherty)
Date: Tue, 10 Apr 2007 17:06:55 -0700
Subject: security bug in PHP-server-1.1
In-Reply-To: <461C22D5.5010404@quotar.com>
References: <461C0FF5.4000109@quotar.com> <461C17AC.1010503@quotar.com> <461C1C9A.7090303@quotar.com> <20070410232919.GA10049@janrain.com> <461C22D5.5010404@quotar.com>
Message-ID: <20070411000655.GB10049@janrain.com>

# why? templates are for output, not for processing... AND as soon as
# you get the data in your system you should clean it.

Yes, that's true. But you clean it so output is safe, and so that passing it through services (i.e., a database) is safe.
There's no point in cleaning the data until you use it in a dangerous context; escape content in templates and quote strings that are used to build SQL. (The latter is taken care of by PEAR.) The escaping should be done in templates because it is only an output detail, not a processing one. That's something I clearly didn't do enough of in the current templates (and error-reporting).

-- 
Jonathan Daugherty
JanRain, Inc.
irc.freenode.net: cygnus in #openid
cygnus.myopenid.com

From amm03 at tid.es Wed Apr 11 00:42:35 2007
From: amm03 at tid.es (Antonio Martinez Martinez)
Date: Wed, 11 Apr 2007 09:42:35 +0200
Subject: OpenID and LDAP
In-Reply-To: <20070410170857.GW10049@janrain.com>
References: <461B96C4.1020502@tid.es> <20070410170857.GW10049@janrain.com>
Message-ID: <461C916B.8080005@tid.es>

Jonathan Daugherty wrote:
> # I've been working with the JanRain php library 'standalone' version.
> 
> If you're referring to the "standalone PHP OpenID server" located at
> 
> http://www.openidenabled.com/openid/php-standalone-openid-server/
> 
> then the solution is to implement a new "auth" backend. The package
> lets you specify your own auth backend if you have decided to
> implement one; the default is src/auth.php:AuthBackend_MYSQL. The
> solution is to write a class that implements the same interface as
> AuthBackend_MYSQL and update config.php to use it. For example,
> implement AuthBackend_LDAP and update AUTH_BACKEND in config.php to
> the value 'LDAP'. (And, of course, make sure AuthBackend_LDAP is
> included in the namespace.)
> 
> HTH,
> 
> 

Thanks a lot for your comment, Jonathan, but I'm still having 2 doubts:

1) When you say "make sure AuthBackend_LDAP is included in the namespace", what do you refer to exactly? I don't understand what "namespace" is at all.

2) I've been reviewing the package's files, and I think that I should change some more files, shouldn't I? I'm referring, for example, to "storage.php", "common.php" or "backend.php".
If I'm wrong, I'd thank you to tell me which files are the only ones to change and how many classes or new files I should create.

Again, thanks in advance.

Regards,

Antonio

From norman at rasmussen.co.za Wed Apr 11 04:21:40 2007
From: norman at rasmussen.co.za (Norman Rasmussen)
Date: Wed, 11 Apr 2007 13:21:40 +0200
Subject: security bug in PHP-server-1.1
In-Reply-To: <20070411000655.GB10049@janrain.com>
References: <461C0FF5.4000109@quotar.com> <461C17AC.1010503@quotar.com> <461C1C9A.7090303@quotar.com> <20070410232919.GA10049@janrain.com> <461C22D5.5010404@quotar.com> <20070411000655.GB10049@janrain.com>
Message-ID: <5b698f5a0704110421t1a9fd66ck571b8153e2289239@mail.gmail.com>

On 4/11/07, Jonathan Daugherty wrote:
> # why? templates are for output, not for processing... AND as soon as
> # you get the data in your system you should clean it.
> 
> Yes, that's true. But you clean it so output is safe, and so that
> passing it through services (i.e., a database) is safe. There's no
> point in cleaning the data until you use it in a dangerous context;

Agreed! You never know when someone might find a way to inject unsafe data into your database. It's much safer to escape it as you output it.
(Also you might output it in different places, requiring different escaping)

-- 
- Norman Rasmussen
- Email: norman at rasmussen.co.za
- Home page: http://norman.rasmussen.co.za/

From niels at quotar.com Wed Apr 11 10:01:01 2007
From: niels at quotar.com (Niels Berkers)
Date: Wed, 11 Apr 2007 19:01:01 +0200
Subject: security bug in PHP-server-1.1
In-Reply-To: <5b698f5a0704110421t1a9fd66ck571b8153e2289239@mail.gmail.com>
References: <461C0FF5.4000109@quotar.com> <461C17AC.1010503@quotar.com> <461C1C9A.7090303@quotar.com> <20070410232919.GA10049@janrain.com> <461C22D5.5010404@quotar.com> <20070411000655.GB10049@janrain.com> <5b698f5a0704110421t1a9fd66ck571b8153e2289239@mail.gmail.com>
Message-ID: <461D144D.3050808@quotar.com>

Norman Rasmussen wrote:
> On 4/11/07, Jonathan Daugherty wrote:
>> # why? templates are for output, not for processing... AND as soon as
>> # you get the data in your system you should clean it.
>>
>> Yes, that's true. But you clean it so output is safe, and so that

Nope, I clean it so my server / databases with personal information from users are safe.

>> passing it through services (i.e., a database) is safe. There's no
>> point in cleaning the data until you use it in a dangerous context;

Yes there is. This is what we call in Dutch a "drogreden", which means something like a false reason. This is like saying: well, I'm online, but I don't use a firewall, virus scanner and ad blockers, nor install security updates/patches. Because hey, if I don't handle the content there is no problem. Really, there is not one developer I work with that would agree to that. And if they would give me that reason, I would have a very serious chat with them. Incoming data must be checked in the web form and at first arrival at the server. Neither is in place in the PHP-Server-1.1.

My advice to you: make it very clear on the download location that this software is unsafe and a potential hazard to your server and database.

> 
> Agreed!
> You never know when someone might find a way to inject unsafe
> data into your database. It's much safer to escape it as you output
> it. (Also you might output it in different places, requiring
> different escaping)
> 

Sorry ... can't believe I'm reading this. Any software security specialist would disagree.

br,

Niels

From cygnus at janrain.com Wed Apr 11 10:01:04 2007
From: cygnus at janrain.com (Jonathan Daugherty)
Date: Wed, 11 Apr 2007 10:01:04 -0700
Subject: OpenID and LDAP
In-Reply-To: <461C916B.8080005@tid.es>
References: <461B96C4.1020502@tid.es> <20070410170857.GW10049@janrain.com> <461C916B.8080005@tid.es>
Message-ID: <20070411170104.GC10049@janrain.com>

# 1) When you say "make sure AuthBackend_LDAP is included in the
# namespace", what do you refer to exactly? I don't understand what
# "namespace" is at all.

If AuthBackend_LDAP is in file MyAuth.php, make sure that file has been included/required using include_once or require_once.

# 2) I've been reviewing the package's files, and I think that I
# should change some more files, shouldn't I? I'm referring, for
# example, to "storage.php", "common.php" or "backend.php".

Well, we are talking specifically about authentication; not storage of the identity URLs used by the server. If you create the class as I described and update your config.php to use the new backend, that is all you should have to do.

HTH,

-- 
Jonathan Daugherty
JanRain, Inc.
irc.freenode.net: cygnus in #openid
cygnus.myopenid.com

From niels at quotar.com Wed Apr 11 10:33:57 2007
From: niels at quotar.com (Niels Berkers)
Date: Wed, 11 Apr 2007 19:33:57 +0200
Subject: security bug in PHP-server-1.1
In-Reply-To: <461D144D.3050808@quotar.com>
References: <461C0FF5.4000109@quotar.com> <461C17AC.1010503@quotar.com> <461C1C9A.7090303@quotar.com> <20070410232919.GA10049@janrain.com> <461C22D5.5010404@quotar.com> <20070411000655.GB10049@janrain.com> <5b698f5a0704110421t1a9fd66ck571b8153e2289239@mail.gmail.com> <461D144D.3050808@quotar.com>
Message-ID: <461D1C05.70302@quotar.com>

For those who like to clean incoming content before your server is hacked. The following code, line 216 in common.php:

function Server_cleanRequest($aReq) {
    foreach ($aReq as $sKey => $mValue) {
        if (FALSE != is_array($mValue)) {
            foreach ($mValue as $mValueKey => $mValueValue) {
                $mValue[$mValueKey] = htmlentities(strip_tags($mValueValue), ENT_QUOTES);
            }
            $aReq[$sKey] = $mValue;
        } else {
            $aReq[$sKey] = htmlentities(strip_tags($mValue), ENT_QUOTES);
        }
    }
    return $aReq;
}

function Server_getRequest() {
    $method = $_SERVER['REQUEST_METHOD'];
    switch ($method) {
    case 'GET':
        return array($method, Server_cleanRequest($_GET));
        break;
    case 'POST':
        return array($method, Server_cleanRequest($_POST));
        break;
    }
    return array($method, null);
}

Niels Berkers wrote:
> Norman Rasmussen wrote:
>> On 4/11/07, Jonathan Daugherty wrote:
>>> # why? templates are for output, not for processing... AND as soon as
>>> # you get the data in your system you should clean it.
>>>
>>> Yes, that's true. But you clean it so output is safe, and so that
> 
> Nope, I clean it so my server / databases with personal information from
> users are safe.
> 
>>> passing it through services (i.e., a database) is safe. There's no
>>> point in cleaning the data until you use it in a dangerous context;
> 
> Yes there is. This is what we call in Dutch a "drogreden", which
> means something like a false reason.
> This is like saying: well, I'm online,
> but I don't use a firewall, virus scanner and ad blockers, nor install
> security updates/patches. Because hey, if I don't handle the content
> there is no problem. Really, there is not one developer I work with that
> would agree to that. And if they would give me that reason, I would have
> a very serious chat with them. Incoming data must be checked in the web
> form and at first arrival at the server. Neither is in place in the
> PHP-Server-1.1.
> 
> My advice to you: make it very clear on the download location that this
> software is unsafe and a potential hazard to your server and database.
> 
>> Agreed! You never know when someone might find a way to inject unsafe
>> data into your database. It's much safer to escape it as you output
>> it. (Also you might output it in different places, requiring
>> different escaping)
>>
> 
> Sorry ... can't believe I'm reading this. Any software security
> specialist would disagree.
> 
> br,
> 
> Niels

From cygnus at janrain.com Wed Apr 11 10:39:01 2007
From: cygnus at janrain.com (Jonathan Daugherty)
Date: Wed, 11 Apr 2007 10:39:01 -0700
Subject: security bug in PHP-server-1.1
In-Reply-To: <461D1C05.70302@quotar.com>
References: <461C0FF5.4000109@quotar.com> <461C17AC.1010503@quotar.com> <461C1C9A.7090303@quotar.com> <20070410232919.GA10049@janrain.com> <461C22D5.5010404@quotar.com> <20070411000655.GB10049@janrain.com> <5b698f5a0704110421t1a9fd66ck571b8153e2289239@mail.gmail.com> <461D144D.3050808@quotar.com> <461D1C05.70302@quotar.com>
Message-ID: <20070411173901.GE10049@janrain.com>

# for those who like to clean incoming content before your server is
# hacked. The following code line 216 in common.php

This patch will break the server. (Most notably, it will break OpenID authentication.)
In particular, it will break whenever an input value is url-encoded differently than it will be by htmlentities().

-- 
Jonathan Daugherty
JanRain, Inc.
irc.freenode.net: cygnus in #openid
cygnus.myopenid.com

From niels at quotar.com Wed Apr 11 10:56:47 2007
From: niels at quotar.com (Niels Berkers)
Date: Wed, 11 Apr 2007 19:56:47 +0200
Subject: security bug in PHP-server-1.1
In-Reply-To: <20070411173901.GE10049@janrain.com>
References: <461C0FF5.4000109@quotar.com> <461C17AC.1010503@quotar.com> <461C1C9A.7090303@quotar.com> <20070410232919.GA10049@janrain.com> <461C22D5.5010404@quotar.com> <20070411000655.GB10049@janrain.com> <5b698f5a0704110421t1a9fd66ck571b8153e2289239@mail.gmail.com> <461D144D.3050808@quotar.com> <461D1C05.70302@quotar.com> <20070411173901.GE10049@janrain.com>
Message-ID: <461D215F.7020904@quotar.com>

Jonathan Daugherty wrote:
> # for those who like to clean incoming content before your server is
> # hacked. The following code line 216 in common.php
> 
> This patch will break the server. (Most notably, it will break OpenID
> authentication.) In particular, it will break whenever an input value
> is url-encoded differently than it will be by htmlentities().
> 

At least it is secure now :-(

From niels at quotar.com Wed Apr 11 11:07:01 2007
From: niels at quotar.com (Niels Berkers)
Date: Wed, 11 Apr 2007 20:07:01 +0200
Subject: security bug in PHP-server-1.1
In-Reply-To: <461D215F.7020904@quotar.com>
References: <461C0FF5.4000109@quotar.com> <461C17AC.1010503@quotar.com> <461C1C9A.7090303@quotar.com> <20070410232919.GA10049@janrain.com> <461C22D5.5010404@quotar.com> <20070411000655.GB10049@janrain.com> <5b698f5a0704110421t1a9fd66ck571b8153e2289239@mail.gmail.com> <461D144D.3050808@quotar.com> <461D1C05.70302@quotar.com> <20070411173901.GE10049@janrain.com> <461D215F.7020904@quotar.com>
Message-ID: <461D23C5.5060903@quotar.com>

Niels Berkers wrote:
> Jonathan Daugherty wrote:
>> # for those who like to clean incoming content before your server is
>> # hacked. The following code line 216 in common.php
>>
>> This patch will break the server. (Most notably, it will break OpenID
>> authentication.) In particular, it will break whenever an input value
>> is url-encoded differently than it will be by htmlentities().
>>
> At least it is secure now :-(
> 

Tested it against livejournal.com and my own test script ... works fine as far as I can see.

htmlentities() maybe.. can use addslashes instead... guess that will take out most of the risk -> SQL injections

br,

Niels

From cygnus at janrain.com Wed Apr 11 11:16:07 2007
From: cygnus at janrain.com (Jonathan Daugherty)
Date: Wed, 11 Apr 2007 11:16:07 -0700
Subject: security bug in PHP-server-1.1
In-Reply-To: <461D23C5.5060903@quotar.com>
References: <461C1C9A.7090303@quotar.com> <20070410232919.GA10049@janrain.com> <461C22D5.5010404@quotar.com> <20070411000655.GB10049@janrain.com> <5b698f5a0704110421t1a9fd66ck571b8153e2289239@mail.gmail.com> <461D144D.3050808@quotar.com> <461D1C05.70302@quotar.com> <20070411173901.GE10049@janrain.com> <461D215F.7020904@quotar.com> <461D23C5.5060903@quotar.com>
Message-ID: <20070411181607.GF10049@janrain.com>

# htmlentities() maybe..
# can use addslashes instead... guess that will
# take out most of the risk -> sql injections

There is no risk of injections; all SQL built with external data is properly cleaned by PEAR. There is no place in the entire package where a user-supplied value is inserted directly into an SQL string. Please see the documentation for PEAR (or, indeed, any modern database adapter) for more information.

-- 
Jonathan Daugherty
JanRain, Inc.
irc.freenode.net: cygnus in #openid
cygnus.myopenid.com

From chowells at janrain.com Wed Apr 11 11:27:49 2007
From: chowells at janrain.com (Carl Howells)
Date: Wed, 11 Apr 2007 11:27:49 -0700
Subject: security bug in PHP-server-1.1
In-Reply-To: <461D1C05.70302@quotar.com>
References: <461C0FF5.4000109@quotar.com> <461C17AC.1010503@quotar.com> <461C1C9A.7090303@quotar.com> <20070410232919.GA10049@janrain.com> <461C22D5.5010404@quotar.com> <20070411000655.GB10049@janrain.com> <5b698f5a0704110421t1a9fd66ck571b8153e2289239@mail.gmail.com> <461D144D.3050808@quotar.com> <461D1C05.70302@quotar.com>
Message-ID: <461D28A5.2010806@janrain.com>

Niels Berkers wrote:
> for those who like to clean incoming content before your server is
> hacked.

You seem to attribute magical hacking powers to data. If *receiving* data can hack your system, you need to install a version of PHP without those buffer overflows. There's nothing you can do about it in PHP.

Assuming your version of PHP doesn't have any exploitable buffer overflows, the received data can't do anything to your system by itself. You need to do something with it, first.

The two main avenues of attack are SQL injection and semantic display character injection.

To protect against SQL injection, you sanitize data before putting it into the database. As Jonathan points out, Pear, and every other modern database adapter, does that automatically if you use the adapter to build your statements for you properly, instead of just appending strings.
For dealing with display injection attacks (html, javascript, whatever you're generating dynamically based on user input), you sanitize the data just before displaying it. You don't sanitize it any earlier, because the rules for correct sanitization depend on the context. Using the data in javascript, in a tag attribute, or as the contents of a tag each require different escaping methods. It's quite common to want to use the same data in multiple places. Because of that, escaping the data any earlier than display-time will likely lead to bugs.

Just remember: data can't hack you by itself. You have to do something wrong with it, first.

Carl

From kevin at janrain.com Wed Apr 11 11:52:01 2007
From: kevin at janrain.com (Kevin Turner)
Date: Wed, 11 Apr 2007 11:52:01 -0700
Subject: [OpenID] ANN: Python OpenID 2.0.0 Release Candidate 1
In-Reply-To: <20070411134725.GE5361@wiggy.net>
References: <1175305982.6235.26.camel@localhost> <20070404171809.GB13748@wiggy.net> <1175729801.31712.22.camel@localhost> <20070411134725.GE5361@wiggy.net>
Message-ID: <1176317521.6041.37.camel@localhost>

(Moving the code-specific discussion to the dev list. Wichert, are you on this list?)

On Wed, 2007-04-11 at 15:47 +0200, Wichert Akkerman wrote:
> The NEWS file contains no hints about needed code changes when moving
> from 1.2 to 2.0 unfortunately. This is a list of needed changes I could
> easily spot before doing any real testing:

Thanks for taking a look at this.

> * HTTPFetchingError is now found in openid.fetchers instead of
>   urljr.fetchers

I'll update the documentation to mention it, but I'll also mention that I think we've caught HTTPFetchingError when necessary, so it should be an internal implementation detail you don't have to worry about. If you find a public method in the Consumer or AuthRequest classes that leaks that exception, let me know, because that's a bug.

> * yadis is not available as openid.yadis instead of direct yadis

I'll go check out your code to see where you're importing the yadis module. I wasn't aware of folks depending on it directly.

> * the request object has a new shouldSendRedirect method which needs to
>   be checked before request.redirectURL can be used. If a redirect is
>   not used a new formMarkup method must be used to generate a
>   redirection html (?)

Shh!
I was hoping you wouldn't notice that part.

shouldSendRedirect will recommend that you use a form-POST if the provider supports OpenID v2, but redirect will still work. Using a form-POST requires more changes to your code; you need to include that form on a HTML page and either get the user to click a button or include a javascript hack to do it. The only versions of that javascript hack I've seen tend to make it impossible to use the browser's Back button. So, if I didn't go out of my way to encourage people to start using that feature, that's why.

The only time you'll need it is if you're transferring more data in an OpenID extension than will fit in a GET request. If you're upgrading an OpenID 1.1 application, you're not doing that. When you are, you'll figure it out.

So there certainly are changes that haven't been documented in the NEWS file. (Although I wouldn't say there are /no/ hints; the first bullet point directs people using extensionResponse to look at openid.sreg and the upgrading section talks about passing return_to to Consumer.complete.) But I have had at least one report of a smooth and successful upgrade without needing to know any more than that.

Cheers,

- Kevin

From niels at quotar.com Wed Apr 11 11:59:08 2007
From: niels at quotar.com (Niels Berkers)
Date: Wed, 11 Apr 2007 20:59:08 +0200
Subject: security bug in PHP-server-1.1
In-Reply-To: <461D28A5.2010806@janrain.com>
References: <461C0FF5.4000109@quotar.com> <461C17AC.1010503@quotar.com> <461C1C9A.7090303@quotar.com> <20070410232919.GA10049@janrain.com> <461C22D5.5010404@quotar.com> <20070411000655.GB10049@janrain.com> <5b698f5a0704110421t1a9fd66ck571b8153e2289239@mail.gmail.com> <461D144D.3050808@quotar.com> <461D1C05.70302@quotar.com> <461D28A5.2010806@janrain.com>
Message-ID: <461D2FFC.7070108@quotar.com>

Carl Howells wrote:
> Niels Berkers wrote:
>> for those who like to clean incoming content before your server is
>> hacked.
> 
> You seem to attribute magical hacking powers to data.
> If *receiving*
> data can hack your system, you need to install a version of PHP without
> those buffer overflows. There's nothing you can do about it in PHP.
> 
> Assuming your version of PHP doesn't have any exploitable buffer
> overflows, the received data can't do anything to your system by itself.
> You need to do something with it, first.
> 
> The two main avenues of attack are SQL injection and semantic display
> character injection.
> 
> To protect against SQL injection, you sanitize data before putting it
> into the database. As Jonathan points out, Pear, and every other modern
> database adapter, does that automatically if you use the adapter to
> build your statements for you properly, instead of just appending strings.
> 
> For dealing with display injection attacks (html, javascript, whatever
> you're generating dynamically based on user input), you sanitize the
> data just before displaying it. You don't sanitize it any earlier,
> because the rules for correct sanitization depend on the context. Using
> the data in javascript, in a tag attribute, or as the contents of a
> tag each require different escaping methods. It's quite common to
> want to use the same data in multiple places. Because of that, escaping
> the data any earlier than display-time will likely lead to bugs.
> 
> Just remember: data can't hack you by itself. You have to do something
> wrong with it, first.
> 
> Carl
> 

A quick google brought this up; software security principles:

1. Identify and reinforce the weakest link.
2. Provide defense in depth, which means you should manage software risk by providing redundant security solutions. Usually, one level of redundancy is worthwhile; whether you need more depends on your particular project.
3. Secure failure: Make sure that if the system could possibly fail, it will fail in a secure manner.
4. Least privilege: Do not give out more privileges than necessary, and do not extend privileges longer than necessary.
5. Compartmentalization: Try to keep failures in one part of a system from having an impact on the rest of the system.
6. Keep it simple.
7. Privacy: Don't give out any unnecessary information.
8. It's hard to hide secrets.
9. Don't extend trust easily.
10. Trust the community.

source: http://www-128.ibm.com/developerworks/library/s-princ5.html

Not securing data when it comes in is like sticking your head in the sand. I have worked too long as a web developer (for a broadcaster) to know; relying on just one layer of security is not the smartest move you can make.
br,

Niels

From norman at rasmussen.co.za Wed Apr 11 13:33:11 2007
From: norman at rasmussen.co.za (Norman Rasmussen)
Date: Wed, 11 Apr 2007 22:33:11 +0200
Subject: security bug in PHP-server-1.1
In-Reply-To: <461D144D.3050808@quotar.com>
References: <461C0FF5.4000109@quotar.com> <461C17AC.1010503@quotar.com> <461C1C9A.7090303@quotar.com> <20070410232919.GA10049@janrain.com> <461C22D5.5010404@quotar.com> <20070411000655.GB10049@janrain.com> <5b698f5a0704110421t1a9fd66ck571b8153e2289239@mail.gmail.com> <461D144D.3050808@quotar.com>
Message-ID: <5b698f5a0704111333y65b79ebicea1fd15610408a1@mail.gmail.com>

On 4/11/07, Niels Berkers wrote:
> Norman Rasmussen wrote:
> > Agreed! You never know when someone might find a way to inject unsafe
> > data into your database. It's much safer to escape it as you output
> > it. (Also you might output it in different places, requiring
> > different escaping)

> Sorry ... can't believe I'm reading this. Any software security
> specialist would disagree.

Huh? Sorry, your response confuses me.

You can't escape data (for output) when it arrives because you could output it in any form. (You only need to escape it as you add it to the database, if your database layer doesn't support parameters (or some other escaping mechanism)). You need to escape the data as you display it _in the display module_ - so that you know how to escape it.

If you only escape data as it enters the system, then you can't trust that there won't be a loophole somewhere that allows unescaped data to enter the database - that would be displayed to the user on a normal page (it's impossible to secure all incoming points).

If you escape as you render data (including if you have to - dynamic sql - yegh), then you escape data everywhere you display it. So you remain in control of _all_ the points in the system where data is rendered to the user, and can ensure that it's safe.
I really hope you misread my statement, and that you don't think that output escaping is not worth it, and that input escaping is the be-all-and-end-all.

-- 
- Norman Rasmussen
- Email: norman at rasmussen.co.za
- Home page: http://norman.rasmussen.co.za/

From norman at rasmussen.co.za Wed Apr 11 14:03:41 2007
From: norman at rasmussen.co.za (Norman Rasmussen)
Date: Wed, 11 Apr 2007 23:03:41 +0200
Subject: security bug in PHP-server-1.1
In-Reply-To: <461D2FFC.7070108@quotar.com>
References: <461C0FF5.4000109@quotar.com> <461C1C9A.7090303@quotar.com> <20070410232919.GA10049@janrain.com> <461C22D5.5010404@quotar.com> <20070411000655.GB10049@janrain.com> <5b698f5a0704110421t1a9fd66ck571b8153e2289239@mail.gmail.com> <461D144D.3050808@quotar.com> <461D1C05.70302@quotar.com> <461D28A5.2010806@janrain.com> <461D2FFC.7070108@quotar.com>
Message-ID: <5b698f5a0704111403i6111b34aqe428cc5520f4dfb7@mail.gmail.com>

On 4/11/07, Niels Berkers wrote:
> a quick google brought this up; software security principles:
> 1. Identify and reinforce the weakest link.
> 2. Provide defense in depth, which means you should manage software
> risk by providing redundant security solutions. Usually, one level of
> redundancy is worthwhile; whether you need more depends on your
> particular project.
> 3. Secure failure: Make sure that if the system could possibly fail,
> it will fail in a secure manner.
> 4. Least privilege: Do not give out more privileges than necessary,
> and do not extend privileges longer than necessary.
> 5. Compartmentalization: Try to keep failures in one part of a
> system from having an impact on the rest of the system.
> 6. Keep it simple.
> 7. Privacy: Don't give out any unnecessary information.
> 8. It's hard to hide secrets.
> 9. Don't extend trust easily.
> 10. Trust the community.
> 
> source:
> http://www-128.ibm.com/developerworks/library/s-princ5.html
> 
> Not securing data when it comes in is like sticking your head in the
> sand.
> I have worked too long as a web developer (for a broadcaster) to
> know; relying on just one layer of security is not the smartest move
> you can make.

I think you're confusing securing data with escaping data.

Security is: you can't read this list of email addresses because you're not an administrator.

Escaping data is: you can't inject some sql in this search box, and retrieve a full list of all users in the system, including their email addresses and passwords.

FYI: Google also produced this interesting project (which is written a good five years after the IBM article): http://chris.vandenberghe.org/publications/csse_raid2005.pdf

-- 
- Norman Rasmussen
- Email: norman at rasmussen.co.za
- Home page: http://norman.rasmussen.co.za/

From niels at quotar.com Wed Apr 11 14:16:29 2007
From: niels at quotar.com (Niels Berkers)
Date: Wed, 11 Apr 2007 23:16:29 +0200
Subject: security bug in PHP-server-1.1
In-Reply-To: <5b698f5a0704111333y65b79ebicea1fd15610408a1@mail.gmail.com>
References: <461C0FF5.4000109@quotar.com> <461C17AC.1010503@quotar.com> <461C1C9A.7090303@quotar.com> <20070410232919.GA10049@janrain.com> <461C22D5.5010404@quotar.com> <20070411000655.GB10049@janrain.com> <5b698f5a0704110421t1a9fd66ck571b8153e2289239@mail.gmail.com> <461D144D.3050808@quotar.com> <5b698f5a0704111333y65b79ebicea1fd15610408a1@mail.gmail.com>
Message-ID: <461D502D.3050401@quotar.com>

Norman Rasmussen wrote:
> On 4/11/07, Niels Berkers wrote:
>> Norman Rasmussen wrote:
> 
>>> Agreed! You never know when someone might find a way to inject unsafe
>>> data into your database. It's much safer to escape it as you output
>>> it. (Also you might output it in different places, requiring
>>> different escaping)
> 
>> Sorry ... can't believe I'm reading this. Any software security
>> specialist would disagree.
> 
> Huh? Sorry, your response confuses me.
> 
> You can't escape data (for output) when it arrives because you could
> output it in any form.
> (You only need to escape it as you add it to
> the database, if your database layer doesn't support parameters (or
> some other escaping mechanism)). You need to escape the data as you
> display it _in the display module_ - so that you know how to escape it.
> 

In my opinion security goes in front of any action. This is how I design server platforms and websites. So as soon as unknown data enters a system it has to be cleaned and cleared. Since I don't want to output a potential danger in any form, there is no need to keep it in a potentially hazardous state. (The cleaning process as described is always reversible BTW.) If you know for sure you need some opening in the code, e.g. to allow html tags, you make an exception.

> If you only escape data as it enters the system, then you can't trust
> that there won't be a loophole somewhere that allows unescaped data to
> enter the database - that would be displayed to the user on a normal
> page (it's impossible to secure all incoming points).
> 

In general there are fewer places where stuff enters the system than where it is represented. So this will give better security than only escaping the output. In security you work with layers of trust. The further unclean data can penetrate your system, the less secure your application becomes... this always holds. e.g. inet -> dsl provider -> gateway + firewall -> PC + firewall -> virus scanner -> application to manage passwords

> If you escape as you render data (including if you have to - dynamic
> sql - yegh), then you escape data everywhere you display it. So you
> remain in control of _all_ the points in the system where data is
> rendered to the user, and can ensure that it's safe.
> 
> I really hope you misread my statement, and that you don't think that
> output escaping is not worth it, and that input escaping is the
> be-all-and-end-all.
> 

I'm not saying output escaping is not worth it, but it is the end of the line in securing a webserver and the application it's serving.
And in most of the cases the template builders are not the ones that have the best knowledge of systems / programming language. So one of the most difficult tasks is put in the hands of those less likely to have the best solution.

br,
Niels

From norman at rasmussen.co.za Wed Apr 11 16:04:27 2007
From: norman at rasmussen.co.za (Norman Rasmussen)
Date: Thu, 12 Apr 2007 01:04:27 +0200
Subject: security bug in PHP-server-1.1
In-Reply-To: <461D502D.3050401@quotar.com>
References: <461C0FF5.4000109@quotar.com> <461C17AC.1010503@quotar.com> <461C1C9A.7090303@quotar.com> <20070410232919.GA10049@janrain.com> <461C22D5.5010404@quotar.com> <20070411000655.GB10049@janrain.com> <5b698f5a0704110421t1a9fd66ck571b8153e2289239@mail.gmail.com> <461D144D.3050808@quotar.com> <5b698f5a0704111333y65b79ebicea1fd15610408a1@mail.gmail.com> <461D502D.3050401@quotar.com>
Message-ID: <5b698f5a0704111604r8ccf192p9ec7c7cc41eeaf24@mail.gmail.com>

On 4/11/07, Niels Berkers wrote:
> And in
> most of the cases the template builders are not the ones that have the
> best knowledge of systems / programming language. So one of the most
> difficult tasks, is put in the hands of those less likely to have the
> best solution.

yes, true. I guess in an ideal world we'd have automated tests that check that the templates escape their data correctly. Also the template engine should either implicitly encode for output, or make it extremely easy to - because things always get coded the easiest way.

--
- Norman Rasmussen
- Email: norman at rasmussen.co.za
- Home page: http://norman.rasmussen.co.za/

From jm.marchetti at gmail.com Thu Apr 12 04:13:15 2007
From: jm.marchetti at gmail.com (Jean-Mathieu Marchetti-Ettori)
Date: Thu, 12 Apr 2007 13:13:15 +0200
Subject: render_trust Problem PHP Standalone Server 1.1
Message-ID:

Hello world,

I'm running PHP Standalone Server 1.1 and I'm having a problem when I want to trust a site with an OpenId.
There's no problem when I authenticate, but when it's done, I'm forwarded to the root page. In fact, http://server/?action=trust always redirects me to the root page of the server.

I think the problem is in render_trust, where I can't get the $request_info (null) with the GetRequestInfo() method. It could be the unserialization done by this method that fails.

If someone has some advice to solve this problem...

Thanks a lot,
Regards,
Jm

From david at collantes.us Thu Apr 12 07:31:22 2007
From: david at collantes.us (David Collantes)
Date: Thu, 12 Apr 2007 10:31:22 -0400
Subject: PHP Standalone OpenID Server
Message-ID: <461E42BA.7090000@collantes.us>

Hi there all,

I have found a problem on my end with the PHP Standalone OpenID server (using 1.1), that I am not sure is a library (using 1.2.2) error/bug or the OpenID server implementation itself.

If you register as a new user, successfully, then come back and try to register using the same user name, an ugly dump shows on display which contains, among a huge amount of raw PHP code, your user, database name and password for the server main database, user accounts values dump, etc. Really, really bad, really nasty.

Can anyone confirm this? I want to make sure it isn't me only.
Cheers,

--
David

From cweiske at cweiske.de Thu Apr 12 07:40:58 2007
From: cweiske at cweiske.de (Christian Weiske)
Date: Thu, 12 Apr 2007 16:40:58 +0200
Subject: PHP Standalone OpenID Server
In-Reply-To: <461E42BA.7090000@collantes.us>
References: <461E42BA.7090000@collantes.us>
Message-ID: <461E44FA.2000307@cweiske.de>

David,

> If you register as a new user, successfully, then come back and try to
> register using the same user name, an ugly dump shows on display which
> contains, among a huge amount of raw PHP code, your user, database name
> and password for the server main database, user accounts values dump, etc.
> Really, really bad, really nasty.
>
> Can anyone confirm this? I want to make sure it isn't me only.

Replace all occurrences of "

References: <461E42BA.7090000@collantes.us>
Message-ID: <461E4523.3060908@tid.es>

David Collantes escribió:
> Hi there all,
>
> I have found a problem on my end with the PHP Standalone OpenID server
> (using 1.1), that I am not sure it is a library (using 1.2.2) error/bug or
> the OpenID server implementation itself.
>
> If you register as a new user, successfully, then come back and try to
> register using the same user name, an ugly dump shows on display which
> contains, among a huge amount of raw PHP code, your user, database name
> and password for the server main database, user accounts values dump, etc.
> Really, really bad, really nasty.
>
> Can anyone confirm this? I want to make sure it isn't me only.
>
> Cheers,
>
>

Hi David,

I have the same problem and also thought it was only me, but I'm realizing not.

I hope somebody can solve this doubt.

Regards
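Returning to the input-versus-output escaping thread between Norman Rasmussen and Niels Berkers earlier in this archive: the following is an added example (not code from PHP-server or from anyone on the list) of the two layers Norman describes, in Python with an in-memory SQLite table. Layer 1 binds the search term as a parameter at the storage boundary, so the search-box input cannot change the query; layer 2 escapes at render time, in the display module, once per output context (HTML body and URL query string need different encodings). The user rows and inputs are constructed for the example; the spliced-string variant is shown only as the "before" that the parameterised query replaces.

```python
"""One piece of user data, two escaping layers, two output contexts.

Added example, not code from PHP-server or from anyone in the thread.
Layer 1: parameterised SQL at the storage boundary.  Layer 2: context-
specific escaping at the point of display.  Sample data is constructed.
"""
import html
import sqlite3
from urllib.parse import quote

# Constructed sample rows; the second name is what a stored-XSS attempt looks like.
SAMPLE_USERS = [
    ("alice", "alice@example.org"),
    ("<script>alert(1)</script>", "mallory@example.org"),
]


def make_db() -> sqlite3.Connection:
    """In-memory users table seeded with the constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT NOT NULL, email TEXT NOT NULL)")
    # Stored verbatim: no "cleaning" on the way in, so the value stays reversible.
    db.executemany("INSERT INTO users (name, email) VALUES (?, ?)", SAMPLE_USERS)
    return db


def search_users_unsafe(db: sqlite3.Connection, term: str) -> list:
    """The pattern the thread warns about: the term is spliced into the SQL.

    The classic search-box input "' OR 1=1 --" turns a one-row lookup into
    a dump of the whole table, which is exactly Norman's "escaping" case.
    """
    return db.execute(
        "SELECT name, email FROM users WHERE name = '" + term + "'"
    ).fetchall()


def search_users(db: sqlite3.Connection, term: str) -> list:
    """Layer 1: bound parameter; the same input is compared literally and matches nothing."""
    return db.execute(
        "SELECT name, email FROM users WHERE name = ?", (term,)
    ).fetchall()


def render_row(name: str, email: str) -> str:
    """Layer 2a: HTML-body context, escaped at the point of display."""
    return "<li><b>{}</b> {}</li>".format(
        html.escape(name, quote=True), html.escape(email, quote=True)
    )


def render_profile_link(name: str) -> str:
    """Layer 2b: the same name in two contexts at once (URL component, then HTML text)."""
    return '<a href="/user?name={}">{}</a>'.format(
        quote(name), html.escape(name, quote=True)
    )


if __name__ == "__main__":
    db = make_db()
    print(search_users_unsafe(db, "' OR 1=1 --"))   # both rows: the injection worked
    print(search_users(db, "' OR 1=1 --"))          # []: parameter bound literally
    for name, email in search_users(db, "<script>alert(1)</script>"):
        print(render_row(name, email))
        print(render_profile_link(name))
```

The stored value is never "cleaned": `render_row` and `render_profile_link` produce different encodings of the same name, which is why the escaping has to live where the output context is known.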
From david at collantes.us Thu Apr 12 07:47:47 2007
From: david at collantes.us (David Collantes)
Date: Thu, 12 Apr 2007 10:47:47 -0400
Subject: PHP Standalone OpenID Server
In-Reply-To: <461E44FA.2000307@cweiske.de>
References: <461E42BA.7090000@collantes.us> <461E44FA.2000307@cweiske.de>
Message-ID: <461E4693.8060300@collantes.us>

On 4/12/2007 10:40 AM, Christian Weiske wrote:
> David,
>
>> If you register as a new user, successfully, then come back and try to
>> register using the same user name, an ugly dump shows on display which
>> contains, among a huge amount of raw PHP code, your user, database name
>> and password for the server main database, user accounts values dump, etc.
>> Really, really bad, really nasty.
>>
>> Can anyone confirm this? I want to make sure it isn't me only.
>
> Replace all occurrences of " should fix it

I am not sure what you are talking about. All .PHP files on the server use the long form, .

Cheers,

--
David

From cweiske at cweiske.de Thu Apr 12 07:50:56 2007
From: cweiske at cweiske.de (Christian Weiske)
Date: Thu, 12 Apr 2007 16:50:56 +0200
Subject: PHP Standalone OpenID Server
In-Reply-To: <461E4693.8060300@collantes.us>
References: <461E42BA.7090000@collantes.us> <461E44FA.2000307@cweiske.de> <461E4693.8060300@collantes.us>
Message-ID: <461E4750.1010409@cweiske.de>

David,

> I am not sure what you are talking about. All .PHP files on the server use
> the long form, .

I thought that was the problem.

--
Regards/Mit freundlichen Grüßen
Christian Weiske
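The dump David reports above (database user, name and password printed into the page) is what happens when a database error object is rendered to the browser instead of being logged. The following is an added example, not code from PHP-server or PEAR, showing the leaky handler beside a hardened one in Python: the hardened version redacts the password from the DSN, logs the detail server-side under a short reference id, and returns only that id to the user. The DSN, the duplicate-name error and the `insert_user` stand-in are constructed for the example.

```python
"""Failing a database operation without echoing its configuration.

Added example, not code from PHP-server or PEAR.  The leaky handler dumps
the error object, DSN and all, into the response; the hardened one logs a
redacted copy under a reference id and shows the user only the id.
"""
import logging
import uuid
from urllib.parse import urlsplit, urlunsplit

LOG = logging.getLogger("registration")

# Constructed DSN in the URL style PEAR::DB uses; the password is fake.
SAMPLE_DSN = "mysql://openid:S3cretPass@localhost/openid_server"

# Constructed stand-in for the user table: one name is already registered.
_EXISTING = {"david"}


class DatabaseError(Exception):
    """Stand-in for a driver error that carries the DSN it failed with."""

    def __init__(self, message: str, dsn: str) -> None:
        super().__init__(message)
        self.dsn = dsn

    def __repr__(self) -> str:
        # What a raw dump exposes: message plus the full connection string.
        return f"DatabaseError({self.args[0]!r}, dsn={self.dsn!r})"


def insert_user(name: str) -> None:
    """Constructed INSERT stand-in; raises on a duplicate name, as in the report."""
    if name in _EXISTING:
        raise DatabaseError(f"Duplicate entry '{name}' for key 'PRIMARY'", SAMPLE_DSN)
    _EXISTING.add(name)


def redact_dsn(dsn: str) -> str:
    """Replace the password component of a URL-style DSN with '***'."""
    parts = urlsplit(dsn)
    if parts.password is None:
        return dsn
    host = parts.hostname or ""
    if parts.port:
        host = f"{host}:{parts.port}"
    netloc = f"{parts.username}:***@{host}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def register_user_leaky(name: str) -> str:
    """The reported behaviour: the error object is rendered straight into the page."""
    try:
        insert_user(name)
    except DatabaseError as exc:
        return f"<pre>{exc!r}</pre>"
    return "registered"


def register_user_hardened(name: str, log: logging.Logger = LOG) -> str:
    """Log detail (password redacted) under a reference id; show only the id."""
    try:
        insert_user(name)
    except DatabaseError as exc:
        ref = uuid.uuid4().hex[:8]
        log.error("registration failed [%s]: %s (dsn=%s)", ref, exc, redact_dsn(exc.dsn))
        return f"Registration failed (reference {ref})."
    return "registered"


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    print(register_user_leaky("david"))      # password visible in the page
    print(register_user_hardened("david"))   # generic message, detail in the log
```

The reference id is the piece that makes the generic message workable in practice: the operator can find the full record in the server log without the user ever seeing the connection string.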
From webmaster at sysadm.org Thu Apr 12 07:56:48 2007
From: webmaster at sysadm.org (Webmaster)
Date: Thu, 12 Apr 2007 16:56:48 +0200
Subject: PHP Standalone OpenID Server
In-Reply-To: <461E4750.1010409@cweiske.de>
References: <461E42BA.7090000@collantes.us> <461E44FA.2000307@cweiske.de> <461E4693.8060300@collantes.us> <461E4750.1010409@cweiske.de>
Message-ID:

Hi !

In auth.php, comment out the line 41 (?): print_r

    40  if (PEAR::isError($result)) {
    41      print_r($result);
    42      return false;
    43  } else {

On 4/12/07, Christian Weiske wrote:
> David,
>
> > I am not sure what you are talking about. All .PHP files on the server use
> > the long form, .
> I thought that was the problem.
>
> --
> Regards/Mit freundlichen Grüßen
> Christian Weiske
>

From webmaster at sysadm.org Thu Apr 12 07:58:01 2007
From: webmaster at sysadm.org (Webmaster)
Date: Thu, 12 Apr 2007 16:58:01 +0200
Subject: PHP Standalone OpenID Server
In-Reply-To:
References: <461E42BA.7090000@collantes.us> <461E44FA.2000307@cweiske.de> <461E4693.8060300@collantes.us> <461E4750.1010409@cweiske.de>
Message-ID:

Comment the line, not uncomment, excuse me.

On 4/12/07, Webmaster wrote:
> Hi !
> In auth.php, comment out the line 41 (?):
> print_r
>
> 40 if (PEAR::isError($result)) {
> 41 print_r($result);
> 42 return false;
> 43 } else {
>
>
> On 4/12/07, Christian Weiske wrote:
> > David,
> >
> > > I am not sure what you are talking about. All .PHP files on the server use
> > > the long form, .
> > I thought that was the problem.
> >
> > --
> > Regards/Mit freundlichen Grüßen
> > Christian Weiske
> >

From david at collantes.us Thu Apr 12 07:58:05 2007
From: david at collantes.us (David Collantes)
Date: Thu, 12 Apr 2007 10:58:05 -0400
Subject: PHP Standalone OpenID Server
In-Reply-To: <461E4750.1010409@cweiske.de>
References: <461E42BA.7090000@collantes.us> <461E44FA.2000307@cweiske.de> <461E4693.8060300@collantes.us> <461E4750.1010409@cweiske.de>
Message-ID: <461E48FD.5070803@collantes.us>

On 4/12/2007 10:50 AM, Christian Weiske wrote:
> David,
>
>> I am not sure what you are talking about. All .PHP files on the server use
>> the long form, .
> I thought that was the problem.

Wish it was that easy, but it isn't (as far as the short/long tags). This is not good, people. Any fix?

Cheers,

--
David

From david at collantes.us Thu Apr 12 08:02:15 2007
From: david at collantes.us (David Collantes)
Date: Thu, 12 Apr 2007 11:02:15 -0400
Subject: PHP Standalone OpenID Server
In-Reply-To:
References: <461E42BA.7090000@collantes.us> <461E44FA.2000307@cweiske.de> <461E4693.8060300@collantes.us> <461E4750.1010409@cweiske.de>
Message-ID: <461E49F7.9000908@collantes.us>

On 4/12/2007 10:58 AM, Webmaster wrote:
> Comment the line, not uncomment, excuse me.
>
> On 4/12/07, Webmaster wrote:
>> Hi !
>> In auth.php, comment out the line 41 (?):
>> print_r
>>
>> 40 if (PEAR::isError($result)) {
>> 41 print_r($result);
>> 42 return false;
>> 43 } else {

That does it. You wrote it right in the first email, comment out. Thank you. People with access to the code/SVN/CVS/etc, take note, please. Thanks!
Cheers,

--
David

From marco at kaywa.com Thu Apr 12 08:31:20 2007
From: marco at kaywa.com (Marco Bonetti)
Date: Thu, 12 Apr 2007 17:31:20 +0200
Subject: PHP OpenID 2.0.0RC1 and Sreg
Message-ID: <461E50C8.9050302@kaywa.com>

Hello,

I'm writing an OpenID server based on the 2.0RC1 PHP OpenID library. The authentication itself works pretty well, but I'm having a slight issue with relying parties requesting sreg data:

  [...]openid.sreg.required=email%2Cnickname[...]

My server replies:

  [...] openid.mode=id_res [...]
  openid.ext0.email=my%40email.com&openid.ext0.nickname=mynickname [...]
  openid.ns.ext0=http%3A%2F%2Fopenid.net%2Fextensions%2Fsreg%2F1.1 [...]

Unfortunately, all the RPs I tested choked on this. Could this be a bug in my code (or in the library) or rather an incompatibility issue, i.e. the RPs expecting an sreg/1.0 reply and being unable to handle the sreg/1.1 chunk they receive instead?

Do you see any way around this issue?

TIA,
cheers,
-M

From cygnus at janrain.com Thu Apr 12 09:49:28 2007
From: cygnus at janrain.com (Jonathan Daugherty)
Date: Thu, 12 Apr 2007 09:49:28 -0700
Subject: PHP Standalone OpenID Server
In-Reply-To: <461E49F7.9000908@collantes.us>
References: <461E42BA.7090000@collantes.us> <461E44FA.2000307@cweiske.de> <461E4693.8060300@collantes.us> <461E4750.1010409@cweiske.de> <461E49F7.9000908@collantes.us>
Message-ID: <20070412164928.GJ10049@janrain.com>

# That does it. You wrote it right in the first email, comment
# out. Thank you. People with access to the code/SVN/CVS/etc, take
# note, please. Thanks!

That bug has already been reported and fixed in the upstream code, although it has not yet been released. To get the latest code, install darcs (darcs.net) and run

  darcs get http://www.openidenabled.com/resources/repos/php/phpserver/

HTH,

--
Jonathan Daugherty
JanRain, Inc.
irc.freenode.net: cygnus in #openid
cygnus.myopenid.com

From cygnus at janrain.com Thu Apr 12 10:01:24 2007
From: cygnus at janrain.com (Jonathan Daugherty)
Date: Thu, 12 Apr 2007 10:01:24 -0700
Subject: PHP OpenID 2.0.0RC1 and Sreg
In-Reply-To: <461E50C8.9050302@kaywa.com>
References: <461E50C8.9050302@kaywa.com>
Message-ID: <20070412170124.GK10049@janrain.com>

# [...] openid.mode=id_res [...]
# openid.ext0.email=my%40email.com&openid.ext0.nickname=mynickname [...]
# openid.ns.ext0=http%3A%2F%2Fopenid.net%2Fextensions%2Fsreg%2F1.1 [...]
#
# Unfortunately, all the RPs I tested choked on this.

That looks like a PHP OpenID library bug. I'll take a look; thanks!

--
Jonathan Daugherty
JanRain, Inc.
irc.freenode.net: cygnus in #openid
cygnus.myopenid.com

From lists.anders at feder.dk Fri Apr 13 06:30:33 2007
From: lists.anders at feder.dk (Anders Feder)
Date: Fri, 13 Apr 2007 15:30:33 +0200
Subject: PHP OpenID 1.2.2: Halts on include
Message-ID: <461F85F9.4050805@feder.dk>

Hello,

I'm trying to set up a PHP OpenID 1.2.2 consumer on my web server. The web server has previously run the example consumer script successfully. However, immediately after I include (with require_once()) the necessary files in my own script, execution of the script is terminated.

Does anyone know what could be the cause of this?

Thanks,
Anders Feder

From jm.marchetti at gmail.com Thu Apr 19 01:52:30 2007
From: jm.marchetti at gmail.com (Jean-Mathieu Marchetti-Ettori)
Date: Thu, 19 Apr 2007 10:52:30 +0200
Subject: PHP Standalone Server 1.1 Checkid_Setup
Message-ID:

Hi,

I managed to set up the PHP OpenID standalone Server 1.1, and then I wanted to test it with the Diagnose-server tool. That's where the problem is.

The first test was successful, but since the checkid_setup test, I always get some errors from the assoc_handle. When I try to trust any site I always get the same error: "check_auth failed : is_valid was false". It seems that there is a signature problem.
I'm running PHP standalone Server, so I think it's not the store that is misconfigured (MySQL).

If you have any suggestions that would help me to pass these tests...

For information, here is the output I get from the diagnose-server tool:

Server responds that checkAuth call is not valid

Latest response:

Successful checkid_setup

- Redirecting to http://my.server.com/index.php/serve?openid.assoc_handle=%7BHMAC-SHA1%7D%7B46272298%7D%7BoyHiKQ%3D%3D%7D&openid.identity=http%3A%2F%2Fmy.server.com%2Fopenid%2Fjm&openid.mode=checkid_setup&openid.return_to=http%3A%2F%2Fwww.openidenabled.com%2Fresources%2Fopenid-test%2Fdiagnose-server%2FTestCheckidSetup%2F%3Faction%3Dresponse%26attempt%3D1%26nonce%3DhRexoKvw&openid.trust_root=http%3A%2F%2Fwww.openidenabled.com%2Fresources%2Fopenid-test%2Fdiagnose-server%2FTestCheckidSetup%2F

    openid.assoc_handle   {HMAC-SHA1}{46272298}{oyHiKQ==}
    openid.identity       http://my.server/jm
    openid.mode           checkid_setup
    openid.return_to      http://www.openidenabled.com/resources/openid-test/diagnose-server/TestCheckidSetup/?action=response&attempt=1&nonce=hRexoKvw
    openid.trust_root     http://www.openidenabled.com/resources/openid-test/diagnose-server/TestCheckidSetup/

- Response received:

    action                    response
    attempt                   1
    nonce                     hRexoKvw
    openid.assoc_handle       {HMAC-SHA1}{462722a3}{tEurKg==}
    openid.identity           http://my.server.com/jm
    openid.invalidate_handle  {HMAC-SHA1}{46272298}{oyHiKQ==}
    openid.mode               id_res
    openid.return_to          http://www.openidenabled.com/resources/openid-test/diagnose-server/TestCheckidSetup/?action=response&attempt=1&nonce=hRexoKvw
    openid.sig                /td2pm3cJsF8otpQpkE0PjLcalw=
    openid.signed             identity,return_to,mode

- Server denied check_authentication

This attempt is *failing*.
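What the trace above exercises is the OpenID 1.1 association and check_authentication exchange: the server signs the fields listed in openid.signed with the HMAC-SHA1 secret that belongs to openid.assoc_handle, and an RP that holds no association of its own sends the response back and asks the server to recompute that signature. The following is an added example, not code from PHP-server or from the diagnose-server tool, that models both sides in Python and shows why a handle that was generated but never written to the store (the corrupted oid_associations case discussed in this thread) necessarily yields is_valid:false. The handle, secret, identity and return_to values are constructed.

```python
"""OpenID 1.1 signing and check_authentication, with an association store.

Added example, not code from PHP-server or the diagnose-server tool.
KV form: "key:value\n" per signed field, keys without the "openid." prefix,
in the order given by openid.signed; signature = base64(HMAC-SHA1).
"""
import base64
import hashlib
import hmac

# Constructed association store; in PHP-server this is the oid_associations table.
STORE: dict = {}

# Constructed values standing in for those in the trace above.
HANDLE = "{HMAC-SHA1}{example}{c29tZQ==}"
SECRET = b"0123456789abcdef0123"           # 20-byte HMAC-SHA1 key
IDENTITY = "http://idp.example/jm"
RETURN_TO = "http://rp.example/finish?nonce=abc"


def store_association(store: dict, handle: str, secret: bytes) -> None:
    """What the server must do when it issues a handle; skipped in the bug case."""
    store[handle] = secret


def sign_fields(fields: dict, signed: list, secret: bytes) -> str:
    """base64(HMAC-SHA1(secret, KV form of the signed fields))."""
    kv = "".join(f"{key}:{fields[key]}\n" for key in signed).encode("utf-8")
    return base64.b64encode(hmac.new(secret, kv, hashlib.sha1).digest()).decode("ascii")


def issue_id_res(handle: str, secret: bytes, identity: str, return_to: str) -> dict:
    """Server side: the id_res response redirected back to the RP."""
    fields = {"mode": "id_res", "identity": identity,
              "return_to": return_to, "assoc_handle": handle}
    signed = ["identity", "return_to", "mode"]     # same order as in the trace
    response = {f"openid.{k}": v for k, v in fields.items()}
    response["openid.signed"] = ",".join(signed)
    response["openid.sig"] = sign_fields(fields, signed, secret)
    return response


def rp_check_auth_request(id_res: dict) -> dict:
    """RP side: echo the response to the server with mode=check_authentication."""
    request = dict(id_res)
    request["openid.mode"] = "check_authentication"
    return request


def check_authentication(store: dict, request: dict) -> dict:
    """Server side: recompute the signature with the stored secret for the handle."""
    secret = store.get(request.get("openid.assoc_handle", ""))
    if secret is None:
        # Handle unknown (never stored, expired, or table lost): cannot verify.
        return {"is_valid": "false"}
    fields = {k[len("openid."):]: v for k, v in request.items() if k.startswith("openid.")}
    fields["mode"] = "id_res"                      # re-check as originally signed
    signed = request["openid.signed"].split(",")
    expected = sign_fields(fields, signed, secret)
    ok = hmac.compare_digest(expected, request.get("openid.sig", ""))
    return {"is_valid": "true" if ok else "false"}


if __name__ == "__main__":
    store_association(STORE, HANDLE, SECRET)
    resp = issue_id_res(HANDLE, SECRET, IDENTITY, RETURN_TO)
    print(check_authentication(STORE, rp_check_auth_request(resp)))   # true
    STORE.clear()                                                      # the bug case
    print(check_authentication(STORE, rp_check_auth_request(resp)))   # false
```

The same lookup failure is why Norman's diagnosis below fits the symptom: a server whose store writes silently fail can still sign, because it has the secret in memory at that moment, but it can never re-verify.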
From jm.marchetti at gmail.com Thu Apr 19 02:03:01 2007
From: jm.marchetti at gmail.com (Jean-Mathieu Marchetti-Ettori)
Date: Thu, 19 Apr 2007 11:03:01 +0200
Subject: PHP Standalone Server 1.1 Checkid_Setup
In-Reply-To:
References:
Message-ID:

I just managed to fix the problem! It seems that the OpenID tables were corrupted (oid_associations, oid_nonces, oid_settings) so the solution is to remove manually the 3 files. Now the trust site phase works well.

From norman at rasmussen.co.za Thu Apr 19 02:04:59 2007
From: norman at rasmussen.co.za (Norman Rasmussen)
Date: Thu, 19 Apr 2007 11:04:59 +0200
Subject: PHP Standalone Server 1.1 Checkid_Setup
In-Reply-To:
References:
Message-ID: <5b698f5a0704190204w38ff06d2h64ec9973f7499f7@mail.gmail.com>

On 4/19/07, Jean-Mathieu Marchetti-Ettori wrote:
>
> The first test was successful, but since the checkid_setup test, I always
> get some errors from the assoc_handle. When I try to trust any site I always
> get the same error : "check_auth failed : is_valid was false". It seems
> that there is a signature problem.
>
> I'm running PHP standalone Server, so I think it's not the store that is
> misconfigured (MySQL).
>
> If you have any suggestions that would help me to pass these tests...
>

How many tables do you have in the db? You should have 3 if I remember correctly. The issue I had was that they were not created automatically correctly. So what ends up happening is assoc_handles are generated but never stored, so it always fails.

--
- Norman Rasmussen
- Email: norman at rasmussen.co.za
- Home page: http://norman.rasmussen.co.za/
From jm.marchetti at gmail.com Thu Apr 19 05:06:38 2007
From: jm.marchetti at gmail.com (Jean-Mathieu Marchetti-Ettori)
Date: Thu, 19 Apr 2007 14:06:38 +0200
Subject: PHP Standalone Server 1.1 Checkid_Setup
In-Reply-To:
References:
Message-ID:

Yes, there are 3 tables in the db. They have been created, but due to an unknown reason, they have been corrupted (i.e. the tables are listed in mysql, but when trying to drop: table doesn't exist). So the solution is to delete the corresponding files in the mysql directory. After that everything is OK.

From amm03 at tid.es Tue Apr 24 01:56:32 2007
From: amm03 at tid.es (Antonio Martinez Martinez)
Date: Tue, 24 Apr 2007 10:56:32 +0200
Subject: Wrapping openid identities
Message-ID: <462DC640.2070709@tid.es>

Hi all,

I'm looking for some method or library that lets me transform an openid identity such as "http://path/to/server/my_name" into something like "my_name.my_dom.com" when trying to log in to my openid server. Any idea?

Thanks in advance for your attention.

Cheers,

Antonio

--

From marco at kaywa.com Tue Apr 24 02:14:49 2007
From: marco at kaywa.com (Marco Bonetti)
Date: Tue, 24 Apr 2007 11:14:49 +0200
Subject: Wrapping openid identities
In-Reply-To: <462DC640.2070709@tid.es>
References: <462DC640.2070709@tid.es>
Message-ID: <462DCA89.2000005@kaywa.com>

Antonio,

I hope I understood you correctly, but this sounds like it can be solved by OpenID delegation. See e.g.
http://simonwillison.net/2006/Dec/19/openid/

Hope this helps,
-m

Antonio Martinez Martinez wrote:
> Hi all,
>
> I'm looking for some method or library that lets me transform an openid
> identity such as "http://path/to/server/my_name" into something like
> "my_name.my_dom.com" when trying to log in to my openid server. Any idea?
>
> Thanks in advance for your attention.
>
> Cheers,
>
> Antonio

From amm03 at tid.es Tue Apr 24 03:33:42 2007
From: amm03 at tid.es (Antonio Martinez Martinez)
Date: Tue, 24 Apr 2007 12:33:42 +0200
Subject: Wrapping openid identities
In-Reply-To: <462DCA89.2000005@kaywa.com>
References: <462DC640.2070709@tid.es> <462DCA89.2000005@kaywa.com>
Message-ID: <462DDD06.10100@tid.es>

An HTML attachment was scrubbed...
URL: http://lists.openidenabled.com/pipermail/dev/attachments/20070424/f09e1a59/attachment.htm

From marco at kaywa.com Tue Apr 24 05:46:27 2007
From: marco at kaywa.com (Marco Bonetti)
Date: Tue, 24 Apr 2007 14:46:27 +0200
Subject: Wrapping openid identities
In-Reply-To: <462DDD06.10100@tid.es>
References: <462DC640.2070709@tid.es> <462DCA89.2000005@kaywa.com> <462DDD06.10100@tid.es>
Message-ID: <462DFC23.5080706@kaywa.com>

Antonio,

I think I see what you mean, now.

Assuming you are using the Apache webserver and virtual hosts, you probably want to look into mod_rewrite and set up a wildcard redirector in the Apache configuration file of your virtual server.

Something like this should do (please note: completely untested!)

    RewriteEngine on
    # match usernames containing lowercase chars and dots.
    RewriteCond %{HTTP_HOST} ^([a-z\.]+)\.my_server\.com$
    RewriteRule (.*) /%{DOCUMENT_ROOT}/path1/path2/?user=%1$1 [L]

You'll also have to set up your name server (DNS) to resolve wildcard domains, e.g.
    *.my_server.com IN A ip.address.of.vhost

More on this subject here:

http://www.easymodrewrite.com/example-subdomains
http://httpd.apache.org/docs/2.0/misc/rewriteguide.html

Hope this helps,
best,

-m

> I have my own server, we say
> "http://my_server.com", and the identities it provides are like
> "http://my_server.com/path1/path2/?user=my_user". I'd like to transform
> this into "my_user.my_server.com".
>

From webmaster at sysadm.org Tue Apr 24 09:54:22 2007
From: webmaster at sysadm.org (Webmaster)
Date: Tue, 24 Apr 2007 18:54:22 +0200
Subject: Wrapping openid identities
In-Reply-To: <462DFC23.5080706@kaywa.com>
References: <462DC640.2070709@tid.es> <462DCA89.2000005@kaywa.com> <462DDD06.10100@tid.es> <462DFC23.5080706@kaywa.com>
Message-ID:

It's in Spanish, but the rewrites are universal :-) , for the PHP Standalone OpenID Server:

http://www.sysadm.org/blog/servidor-miopenid-identificacion-con-nombre-de-host-estilo-nombremiopenides/

On 4/24/07, Marco Bonetti wrote:
> Antonio,
>
> I think I see what you mean, now.
>
> Assuming you are using the Apache webserver and virtual hosts, you
> probably want to look into mod_rewrite and set up a wildcard redirector
> in the Apache configuration file of your virtual server.
>
> Something like this should do (please note: completely untested!)
>
>
> RewriteEngine on
> # match usernames containing lowercase chars and dots.
> RewriteCond %{HTTP_HOST} ^([a-z\.]+)\.my_server\.com$
>
>
> RewriteRule (.*) /%{DOCUMENT_ROOT}/path1/path2/?user=%1$1 [L]
>
>
> You'll also have to set up your name server (DNS) to resolve wildcard
> domains, e.g.
>
> *.my_server.com IN A ip.address.of.vhost
>
>
> More on this subject here:
>
> http://www.easymodrewrite.com/example-subdomains
> http://httpd.apache.org/docs/2.0/misc/rewriteguide.html
>
>
>
> Hope this helps,
> best,
>
> -m
>
>
> > I have my own server, we say
> > "http://my_server.com", and the identities it provides are like
> > "http://my_server.com/path1/path2/?user=my_user".
> > I'd like to transform
> > this into "my_user.my_server.com".
> >
>

From amm03 at tid.es Wed Apr 25 07:55:41 2007
From: amm03 at tid.es (Antonio Martinez Martinez)
Date: Wed, 25 Apr 2007 16:55:41 +0200
Subject: Rewrites for the PHP,Standalone OpenID Server
Message-ID: <462F6BED.6060500@tid.es>

An HTML attachment was scrubbed...
URL: http://lists.openidenabled.com/pipermail/dev/attachments/20070425/c72e45e5/attachment.html

From vkusnaya at gmail.com Wed Apr 25 09:11:37 2007
From: vkusnaya at gmail.com (Supercharged)
Date: Wed, 25 Apr 2007 22:11:37 +0600
Subject: Rewrites for the PHP,Standalone OpenID Server
In-Reply-To: <462F6BED.6060500@tid.es>
References: <462F6BED.6060500@tid.es>
Message-ID:

You have your .htaccess located at host http://my_server, but http://my_user.my_server is a completely different host, so your .htaccess does not matter at all. What you should do is make all http://*.my_server subdomains redirect to http://my_server. You should go to your DNS settings and add a DNS alias. And probably add ServerAlias to your Apache configuration. Try googling for 'virtual subdomain dns' or something like that.

On 4/25/07, Antonio Martinez Martinez wrote:
> Hi all,
>
> First of all, thanks a lot to the webmaster for his/her support. But I'm
> still in trouble, :-(
>
> I'm using a consumer I found here.
>
> It's a php class that uses CURL. Concretely, the function that makes the
> CURL request is:
>
> function CURL_Request($url, $method="GET", $params