Issue 53: Response validation fails when request() does not pick curl
Status:  Accepted
Owner: ----
Reported by kAlvaro, Nov 18, 2011
Running the "example.php" file in the source code on one of my servers, I was getting this all the time:

    is_valid:false
    ns:http://specs.openid.net/auth/2.0

I've been able to track down the issue to the request() method:

    protected function request($url, $method='GET', $params=array(), $update_claimed_id=false)
    {
        if (function_exists('curl_init')
            && (!in_array('https', stream_get_wrappers()) || !ini_get('safe_mode') && !ini_get('open_basedir'))
        ) {
            return $this->request_curl($url, $method, $params, $update_claimed_id);
        }
        return $this->request_streams($url, $method, $params, $update_claimed_id);
    }

In such server, LightOpenID chooses to use request_streams() and validation fails. However, if I comment out some lines and force it to use request_curl(), validation is successful.

So there're two issues here:

1. CURL is not used although it's available.
2. file_get_contents() does something wrong that goes undetected.

Some extra info:

function_exists('curl_init'): bool(true)
stream_get_wrappers(): array(11) {
  [0]=>
  string(5) "https"
  [1]=>
  string(4) "ftps"
  [2]=>
  string(13) "compress.zlib"
  [3]=>
  string(3) "php"
  [4]=>
  string(4) "file"
  [5]=>
  string(4) "glob"
  [6]=>
  string(4) "data"
  [7]=>
  string(4) "http"
  [8]=>
  string(3) "ftp"
  [9]=>
  string(4) "phar"
  [10]=>
  string(3) "zip"
}
in_array('https', stream_get_wrappers()): bool(true)
ini_get('safe_mode'): string(1) "0"
ini_get('open_basedir'): string(43) "/home/ahr:/opt/php5.3/lib/php:/tmp:/usr/bin"

I guess the if() returns FALSE because open_basedir() is set. However, that's not an obstacle, not at least in my hosting account.



Nov 18, 2011
Project Member #1 mewp...@gmail.com
When open_basedir is set, the Location HTTP header can't be followed (at least by curl), and that's why it's disabled.

As for validation returning false when using streams, it's a valid (and separate) bug, but you haven't posted any details that might help me with debugging. Obviously, it works for me.

So, I'm waiting for more details on that.
Nov 19, 2011
#2 kAlvaro
You are right about curl. I had overlooked my log files. It worked by pure chance: in my case, there were no redirections to follow.

I've been able to reproduce the streams issue in my dev box so I'm in position to gather as much information as required.

I'm not familiar with the OpenID internals but request_streams() does something I can't understand. When validating the response, it calls this:

    $data = file_get_contents($url, false, $context);

...on line 345 to make a POST request to https://myvidoop.com/openid. The server's response is this:

    is_valid:true 
    ns:http://specs.openid.net/auth/2.0

But the $data variable is never used. On line 352 we see this:

    return file_get_contents($url, false, $context);

... which makes exactly the same POST request and this time obtains:

    is_valid:false
    ns:http://specs.openid.net/auth/2.0

My guts say that line 352 should be:

    return $data;
Nov 19, 2011
Project Member #3 mewp...@gmail.com
Ok, I think I know what the problem is now. I'll try to fix it soon.
Status: Accepted
Apr 28, 2012
#4 94m3k...@gmail.com
Problem still exists... (i'm using safe_mode = on)
Apr 28, 2012
#5 94m3k...@gmail.com
sorry, i'm not using safe_mode, it's open_basedir.