Issue 53: Response validation fails when request() does not pick curl
Running the "example.php" file in the source code on one of my servers, I was getting this all the time:
is_valid:false
ns:http://specs.openid.net/auth/2.0
I've been able to track down the issue to the request() method:
    protected function request($url, $method='GET', $params=array(), $update_claimed_id=false)
    {
        if (function_exists('curl_init')
            && (!in_array('https', stream_get_wrappers()) || !ini_get('safe_mode') && !ini_get('open_basedir'))
        ) {
            return $this->request_curl($url, $method, $params, $update_claimed_id);
        }
        return $this->request_streams($url, $method, $params, $update_claimed_id);
    }
On such a server, LightOpenID chooses to use request_streams() and validation fails. However, if I comment out some lines and force it to use request_curl(), validation is successful.
So there're two issues here:
1. CURL is not used although it's available.
2. file_get_contents() does something wrong that goes undetected.
Some extra info:
function_exists('curl_init'): bool(true)
stream_get_wrappers(): array(11) {
[0]=>
string(5) "https"
[1]=>
string(4) "ftps"
[2]=>
string(13) "compress.zlib"
[3]=>
string(3) "php"
[4]=>
string(4) "file"
[5]=>
string(4) "glob"
[6]=>
string(4) "data"
[7]=>
string(4) "http"
[8]=>
string(3) "ftp"
[9]=>
string(4) "phar"
[10]=>
string(3) "zip"
}
in_array('https', stream_get_wrappers()): bool(true)
ini_get('safe_mode'): string(1) "0"
ini_get('open_basedir'): string(43) "/home/ahr:/opt/php5.3/lib/php:/tmp:/usr/bin"
I guess the if() returns FALSE because open_basedir() is set. However, that's not an obstacle, at least not in my hosting account.
Nov 18, 2011
Project Member
#1
mewp...@gmail.com
Nov 19, 2011
You are right about curl. I had overlooked my log files. It worked by pure chance: in my case, there were no redirections to follow.
I've been able to reproduce the streams issue in my dev box, so I'm in a position to gather as much information as required.
I'm not familiar with the OpenID internals but request_streams() does something I can't understand. When validating the response, it calls this:
$data = file_get_contents($url, false, $context);
...on line 345 to make a POST request to https://myvidoop.com/openid. The server's response is this:
is_valid:true
ns:http://specs.openid.net/auth/2.0
But the $data variable is never used. On line 352 we see this:
return file_get_contents($url, false, $context);
... which makes exactly the same POST request and this time obtains:
is_valid:false
ns:http://specs.openid.net/auth/2.0
My gut says that line 352 should be:
return $data;
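Added example, not part of the original thread and not LightOpenID code: OpenID 2.0 (section 11.4.2) has a provider verify a given openid.response_nonce only once to prevent replay, which is consistent with the second identical POST quoted above coming back as is_valid:false. FakeProvider, parseKeyValue, verifyTwice and verifyOnce are hypothetical names, the nonces are constructed, and it is an assumption that the provider in the report enforces this rule.

```php
<?php
// Constructed stand-in for an OpenID 2.0 provider's check_authentication
// endpoint. Assumption: it answers each response_nonce positively only once.
final class FakeProvider
{
    private $seenNonces = [];

    public function checkAuthentication(array $params): string
    {
        $nonce = $params['openid.response_nonce'];
        $valid = !isset($this->seenNonces[$nonce]);
        $this->seenNonces[$nonce] = true;   // any later use is a replay
        return 'is_valid:' . ($valid ? 'true' : 'false')
             . "\nns:http://specs.openid.net/auth/2.0\n";
    }
}

// Parse the key-value form body ("key:value", one pair per line).
function parseKeyValue(string $body): array
{
    $out = [];
    foreach (explode("\n", trim($body)) as $line) {
        [$k, $v] = explode(':', $line, 2) + [1 => ''];
        $out[$k] = $v;
    }
    return $out;
}

// Pattern described in the report: the same POST is sent twice and only
// the second body is returned, so the caller sees the replay rejection.
function verifyTwice(FakeProvider $op, array $params): bool
{
    $data = $op->checkAuthentication($params);   // first answer, discarded
    $body = $op->checkAuthentication($params);   // same nonce again
    return (parseKeyValue($body)['is_valid'] ?? 'false') === 'true';
}

// One POST per assertion; the first (only) body is the one parsed.
function verifyOnce(FakeProvider $op, array $params): bool
{
    $data = $op->checkAuthentication($params);
    return (parseKeyValue($data)['is_valid'] ?? 'false') === 'true';
}

// Constructed sample assertions; a missing is_valid is treated as failure.
$a = ['openid.mode' => 'check_authentication',
      'openid.response_nonce' => '2011-11-19T10:00:00Zconstructed1'];
$b = ['openid.response_nonce' => '2011-11-19T10:00:05Zconstructed2'] + $a;
$op = new FakeProvider();
var_dump(verifyTwice($op, $a), verifyOnce($op, $b));
```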
Nov 19, 2011
Ok, I think I know what the problem is now. I'll try to fix it soon.
Status:
Accepted
Apr 28, 2012
Problem still exists... (I'm using safe_mode = on)
Apr 28, 2012
Sorry, I'm not using safe_mode, it's open_basedir.