From cl-openid-devel at common-lisp.net Sun Jul 20 17:30:43 2008
From: cl-openid-devel at common-lisp.net (cl-openid)
Date: Sun, 20 Jul 2008 17:30:43 -0000
Subject: [cl-openid-ticket] #9: Verifying the Return URL error
Message-ID: <084.39528bbe3c48bb8dbb47c9e8e1fbe16c@common-lisp.net>

#9: Verifying the Return URL error
------------------------+---------------------------------------------------
 Reporter:  avodonosov  |  Owner:      mpasternacki
     Type:  defect      |  Status:     new
 Priority:  major       |  Milestone:  HTTP client portability
Component:  code        |  Version:    0.5 nonportable
 Keywords:              |
------------------------+---------------------------------------------------
OpenID Authentication 2.0, 11.1. "Verifying the Return URL".

The RP must verify that the URI in the "openid.return_to" parameter of the assertion matches the URI of the current request. But we verify this parameter against the "openid.return_to" passed to the OP during the authentication request.

Note. puri:uri= compares URI queries literally, but we must ensure that 'Any query parameters that are present in the "openid.return_to" URL MUST also be present with the same values in the URL of the HTTP request the RP received.' (because the OP adds other parameters to the URI to form the assertion).
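The section 11.1 check described in this ticket, written as an added example in Python rather than the project's Lisp so it runs stand-alone. It is not cl-openid code and it does not patch puri:uri=; it shows what the comparison has to do instead of a literal query comparison. The sample return_to and request URL are constructed from the request that appears in ticket #11's backtrace further down the page; the default-port normalisation is this example's choice, not something section 11.1 spells out.

```python
"""Verifying openid.return_to against the current request (OpenID 2.0, 11.1).

Added example, not cl-openid code.  The value compared is the return_to
carried *in the assertion*; the request URL is the one the RP is serving.
"""
from urllib.parse import urlsplit, parse_qs

_DEFAULT_PORTS = {"http": 80, "https": 443}


def _authority(parts):
    """(host, port) with the host lower-cased and the scheme's default port
    made explicit.  Normalising the default port is this example's choice;
    11.1 only says scheme, authority and path 'MUST be the same'."""
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else _DEFAULT_PORTS.get(parts.scheme.lower())
    return host, port


def verify_return_to(return_to, request_url):
    """Section 11.1 check.  Returns True only if:
      * scheme, authority and path of both URLs are the same, and
      * every query parameter of return_to is present in the request URL with
        the same value(s).  Extra parameters in the request (the openid.*
        fields the OP appended to form the assertion) are allowed, so a query
        string that merely differs textually is not a failure."""
    try:
        rt, rq = urlsplit(return_to), urlsplit(request_url)
        if rt.scheme.lower() != rq.scheme.lower():
            return False
        if _authority(rt) != _authority(rq):
            return False
    except ValueError:  # e.g. a non-numeric port in one of the URLs
        return False
    if rt.path != rq.path:
        return False
    wanted = parse_qs(rt.query, keep_blank_values=True)
    actual = parse_qs(rq.query, keep_blank_values=True)
    for key, values in wanted.items():
        # Compare the full multiset of values: a parameter that the request
        # repeats with an extra value is a mismatch, so a last-wins parser
        # downstream cannot be handed a value the RP never put in return_to.
        if sorted(actual.get(key, [])) != sorted(values):
            return False
    return True


# Constructed from the request shown in ticket #11's backtrace (frame 9).
RETURN_TO = "http://myhost:4242/cl-openid/ID1"
REQUEST_URL = (
    "http://myhost:4242/cl-openid/ID1?openid.mode=id_res"
    "&openid.identity=http://clopenid.smugmug.com/"
    "&openid.return_to=http://myhost:4242/cl-openid/ID1"
    "&openid.assoc_handle=8398644882829021ef7"
    "&openid.signed=mode,identity,return_to"
    "&openid.sig=tHfd%2BBICtd4hMNWPR5aA%2F8b2o%2Fc%3D"
)

if __name__ == "__main__":
    print(verify_return_to(RETURN_TO, REQUEST_URL))                         # True
    print(verify_return_to(RETURN_TO + "?s=abc", REQUEST_URL + "&s=abc"))   # True: RP's own param echoed back
    print(verify_return_to(RETURN_TO + "?s=abc", REQUEST_URL))              # False: RP's own param missing
    print(verify_return_to(RETURN_TO, "http://myhost:4243/cl-openid/ID1"))  # False: port differs
```

Build `request_url` from the RP's configured base URL plus the path and query it actually received, not from the client-supplied Host header; otherwise the thing being compared against is itself under the sender's control.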
-- 
Ticket URL: cl-openid

From cl-openid-devel at common-lisp.net Sun Jul 20 17:35:25 2008
From: cl-openid-devel at common-lisp.net (cl-openid)
Date: Sun, 20 Jul 2008 17:35:25 -0000
Subject: [cl-openid-ticket] #10: possible DoS attack
Message-ID: <084.bfbb01873fe6fd804eb726a24da7e445@common-lisp.net>

#10: possible DoS attack
------------------------+---------------------------------------------------
 Reporter:  avodonosov  |  Owner:      mpasternacki
     Type:  defect      |  Status:     new
 Priority:  major       |  Milestone:  HTTP client portability
Component:  code        |  Version:    0.5 nonportable
 Keywords:              |
------------------------+---------------------------------------------------
As the RP fetches any user-supplied URI, it is easy to enter the URL of some big file (say 1 GB) as the value of the OpenID login and submit the form 20-30 times. The RP server will quickly run out of memory.

IMHO limiting the size of fetched content is sufficient to prevent this problem.

-- 
Ticket URL: cl-openid

From cl-openid-devel at common-lisp.net Mon Jul 21 08:23:30 2008
From: cl-openid-devel at common-lisp.net (cl-openid)
Date: Mon, 21 Jul 2008 08:23:30 -0000
Subject: [cl-openid-ticket] #11: error while logging in with SmugMug OpenID identifier
Message-ID: <084.51e1264eabb57bbebd5d173cb27fd9b8@common-lisp.net>

#11: error while logging in with SmugMug OpenID identifier
------------------------+---------------------------------------------------
 Reporter:  avodonosov  |  Owner:      mpasternacki
     Type:  defect      |  Status:     new
 Priority:  major       |  Milestone:  HTTP client portability
Component:  code        |  Version:    0.5 nonportable
 Keywords:              |
------------------------+---------------------------------------------------
I have tested our RP prototype with various providers listed at http://openid.net/get/. All of them I have tested so far work OK, except for SmugMug.

When logging in to our test RP with the SmugMug OpenID identifier, an error appears:

  OpenID assertion error: Invalid signature

LiveJournal is able to log in with this ID.
Account details:
  ID:       http://clopenid.smugmug.com
  email:    clopenid at gmail.com
  password: verysecret123

This is a 14-day trial account; it will expire on August 03 2008.

Backtrace:

[2008-07-19 20:10:50] 87.252.227.42 - "GET /cl-openid/ HTTP/1.1" 200 518 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.16) Gecko/20080702 Firefox/2.0.0.16"
[2008-07-19 20:10:55 [DEBUG]] Associating v1-compatible with http://www.smugmug.com/services/openid/server/ (assoc "HMAC-SHA1", session "DH-SHA1")
[2008-07-19 20:10:56] 87.252.227.42 - "GET /cl-openid/?openid_identifier=http%3A%2F%2Fclopenid.smugmug.com&openid_action=Login HTTP/1.1" 302 706 "http://myhost:4242/cl-openid/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.16) Gecko/20080702 Firefox/2.0.0.16"
[2008-07-19 20:10:59 [ERROR]] OpenID assertion error: Invalid signature
 0: (BACKTRACE 536870911 #)
 1: (HUNCHENTOOT:GET-BACKTRACE #)
 2: ((LAMBDA (COND)) #)
 3: ((LAMBDA (COND)) #)
 4: (SIGNAL #)
 5: (ERROR CL-OPENID::OPENID-ASSERTION-ERROR)
 6: (CL-OPENID::HANDLE-INDIRECT-REPLY (("openid.mode" . "id_res") ("openid.identity" . "http://clopenid.smugmug.com/") ("openid.return_to" . "http://myhost:4242/cl-openid/ID1") ("openid.assoc_handle" . "8398644882829021ef7") ("openid.signed" . "mode,identity,return_to") ("openid.sig" . "tHfd+BICtd4hMNWPR5aA/8b2o/c=")) ((:RETURN-TO . #) (:TIMESTAMP . 3425501455) (:PROTOCOL-VERSION 1 . 1) (:OP-ENDPOINT-URL . #) (:CLAIMED-ID . #)))
 7: (CL-OPENID::HANDLE-OPENID-REQUEST # # (("openid.mode" . "id_res") ("openid.identity" . "http://clopenid.smugmug.com/") ("openid.return_to" . "http://myhost:4242/cl-openid/ID1") ("openid.assoc_handle" . "8398644882829021ef7") ("openid.signed" . "mode,identity,return_to") ("openid.sig" . "tHfd+BICtd4hMNWPR5aA/8b2o/c=")) "ID1")
 8: ((LAMBDA ()))
 9: (HUNCHENTOOT::PROCESS-REQUEST ((:HOST . "myhost:4242") (:USER-AGENT . "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.16) Gecko/20080702 Firefox/2.0.0.16") (:ACCEPT . "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5") (:ACCEPT-LANGUAGE . "ru-ru,ru;q=0.8,en-us;q=0.5,en;q=0.3") (:ACCEPT-ENCODING . "gzip,deflate") (:ACCEPT-CHARSET . "windows-1251,utf-8;q=0.7,*;q=0.7") (:KEEP-ALIVE . "300") (:CONNECTION . "keep-alive") (:REFERER . "http://myhost:4242/cl-openid/")) # :GET "/cl-openid/ID1?openid.mode=id_res&openid.identity=http://clopenid.smugmug.com/&openid.return_to=http://myhost:4242/cl-openid/ID1&openid.assoc_handle=8398644882829021ef7&openid.signed=mode,identity,return_to&openid.sig=tHfd%2BBICtd4hMNWPR5aA%2F8b2o%2Fc%3D" :HTTP/1.1)
10: (HUNCHENTOOT::PROCESS-CONNECTION # #)
11: ((FLET SB-THREAD::WITH-MUTEX-THUNK))
12: (SB-UNIX::CALL-WITH-LOCAL-INTERRUPTS # T)
13: ((FLET SB-UNIX::WITHOUT-INTERRUPTS-THUNK) T)
14: ((FLET SB-UNIX::RUN-WITHOUT-INTERRUPTS))
15: (SB-UNIX::CALL-WITHOUT-INTERRUPTS #)
16: (SB-THREAD::CALL-WITH-MUTEX # #S(SB-THREAD:MUTEX :NAME "thread result lock" :%OWNER # :STATE 1) # T)
17: ((LAMBDA ()))
18: ("foreign function: #x806398C")
19: ("foreign function: #x8051E61")
20: ("foreign function: #x805B44D")
21: ("foreign function: #xB7FC8FDA")
[2008-07-19 20:10:59] 87.252.227.42 - "GET /cl-openid/ID1?openid.mode=id_res&openid.identity=http://clopenid.smugmug.com/&openid.return_to=http://myhost:4242/cl-openid/ID1&openid.assoc_handle=8398644882829021ef7&openid.signed=mode,identity,return_to&openid.sig=tHfd%2BBICtd4hMNWPR5aA%2F8b2o%2Fc%3D HTTP/1.1" 500 298 "http://myhost:4242/cl-openid/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.16) Gecko/20080702 Firefox/2.0.0.16"

-- 
Ticket URL: cl-openid

From cl-openid-devel at common-lisp.net Thu Jul 31 13:11:15 2008
From: cl-openid-devel at common-lisp.net (cl-openid)
Date: Thu, 31 Jul 2008 13:11:15 -0000
Subject: [cl-openid-ticket] #12: openid.return_to verification based on realm, relying party discovery
Message-ID: <084.2079a3de1a76d488f2f12ba32e44263b@common-lisp.net>

#12: openid.return_to verification based on realm, relying party discovery
--------------------------+-------------------------------------------------
 Reporter:  mpasternacki  |  Owner:      mpasternacki
     Type:  task          |  Status:     new
 Priority:  major         |  Milestone:  HTTP client portability
Component:  code          |  Version:    0.5 nonportable
 Keywords:                |
--------------------------+-------------------------------------------------
[http://openid.net/specs/openid-authentication-2_0.html#realms 9.2.1. Using the Realm for Return URL Verification]
[http://openid.net/specs/openid-authentication-2_0.html#rp_discovery 13. Discovering OpenID Relying Parties]

Still unimplemented in OP.

-- 
Ticket URL: cl-openid
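The two OP-side checks ticket #12 lists, as an added example (Python, not cl-openid code, and not an implementation the project shipped). Section 9.2 realm matching is implemented from the spec's rules; the wildcard match is done on label boundaries, and the rejection of wildcard realms whose suffix has no dot is a crude stand-in for the spec's "must still name a second-level domain" rule. For section 13, this example reads relying-party discovery as: fetch the realm's XRDS, collect the URIs of services typed as `http://specs.openid.net/auth/2.0/return_to`, and require the request's return_to to match one of them using the same matching as for realms; treating those declared URIs like realms is this example's reading, as is the sample XRDS, which is constructed.

```python
"""Realm-based return_to checks on the OP side (OpenID 2.0, 9.2 / 9.2.1 / 13).

Added example, not cl-openid code.  The URLs and XRDS document are constructed.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

_DEFAULT_PORTS = {"http": 80, "https": 443}
RETURN_TO_TYPE = "http://specs.openid.net/auth/2.0/return_to"
_XRD = "{xri://$xrd*($v*2.0)}"   # XRD element namespace used inside an XRDS document


def return_to_matches_realm(return_to, realm):
    """Section 9.2: does return_to 'descend from' realm?
      * the realm carries no fragment;
      * scheme and (default-normalised) port are identical;
      * the realm path equals return_to's path or is a parent directory of it
        ('/rp' covers '/rp' and '/rp/x' but not '/rpx');
      * hosts are identical, or the realm host is '*.' + suffix and the
        return_to host is suffix itself or ends with '.' + suffix (label
        boundary, so '*.example.com' does not cover 'badexample.com')."""
    try:
        r, u = urlsplit(realm), urlsplit(return_to)
        if r.fragment or r.scheme.lower() != u.scheme.lower():
            return False
        default = _DEFAULT_PORTS.get(r.scheme.lower())
        rport = r.port if r.port is not None else default
        uport = u.port if u.port is not None else default
    except ValueError:          # malformed port
        return False
    if rport != uport:
        return False
    rhost, uhost = (r.hostname or "").lower(), (u.hostname or "").lower()
    if not rhost or not uhost:
        return False
    if rhost.startswith("*."):
        suffix = rhost[2:]
        # Crude stand-in for 9.2's requirement that a wildcard realm still
        # names at least a second-level domain: rejects '*.com' and '*.*.x'.
        if "." not in suffix or "*" in suffix:
            return False
        if uhost != suffix and not uhost.endswith("." + suffix):
            return False
    elif "*" in rhost or rhost != uhost:
        return False
    rpath, upath = r.path or "/", u.path or "/"
    if rpath.endswith("/"):
        return upath.startswith(rpath)
    return upath == rpath or upath.startswith(rpath + "/")


def declared_return_tos(xrds_xml):
    """URIs of every <Service> in an XRDS document typed as an OpenID 2.0
    return_to endpoint (section 13).  A fetched XRDS is attacker-controlled:
    in production parse it with a hardened parser (defusedxml or equivalent);
    stdlib is used here only to keep the example self-contained."""
    root = ET.fromstring(xrds_xml)
    uris = []
    for service in root.iter(_XRD + "Service"):
        types = {t.text.strip() for t in service.findall(_XRD + "Type") if t.text}
        if RETURN_TO_TYPE in types:
            uris.extend(u.text.strip() for u in service.findall(_XRD + "URI") if u.text)
    return uris


def op_verify_return_to(return_to, realm, xrds_xml=None):
    """9.2.1 realm check first; then, if the RP's XRDS is available, the
    section 13 check that return_to matches one of the endpoints the RP
    declares.  Matching each declared URI like a realm is this example's
    reading of section 13."""
    if not return_to_matches_realm(return_to, realm):
        return False
    if xrds_xml is None:
        return True
    return any(return_to_matches_realm(return_to, uri) for uri in declared_return_tos(xrds_xml))


# Constructed XRDS of the kind an RP would publish at its realm URL.
SAMPLE_XRDS = """<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="1">
      <Type>http://specs.openid.net/auth/2.0/return_to</Type>
      <URI>http://myhost:4242/cl-openid/</URI>
    </Service>
  </XRD>
</xrds:XRDS>
"""

if __name__ == "__main__":
    print(op_verify_return_to("http://myhost:4242/cl-openid/ID1", "http://myhost:4242/", SAMPLE_XRDS))  # True
    print(op_verify_return_to("http://myhost:4242/other/ID1", "http://myhost:4242/", SAMPLE_XRDS))      # False
    print(return_to_matches_realm("http://badexample.com/rp", "http://*.example.com/"))                 # False
```

When discovery fails (no XRDS, or none listing a return_to service) the spec leaves it to the OP whether to proceed on the realm check alone; the example models that by making the XRDS optional, and a stricter OP would refuse instead.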
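Going back to ticket #11's "Invalid signature": it cannot be diagnosed from the page, because the association's MAC key negotiated with SmugMug over DH-SHA1 is not on it. What can be shown is the verification procedure itself, as an added example in Python (not cl-openid code), run over the exact fields from frame 6 of the backtrace with a constructed 20-byte key standing in for the shared secret. The steps where an RP's computation can diverge from the OP's are the ones made explicit: field order taken from `openid.signed`, the `openid.` prefix stripped, one `name:value` line per field with a trailing newline, and a check that the fields the RP relies on are actually covered by the signature.

```python
"""Checking an OpenID positive assertion's signature (OpenID 2.0, 6.1 / 10.1;
the ticket #11 message is a v1-compatible one signed with HMAC-SHA1).

Added example, not cl-openid code.  DEMO_MAC_KEY is constructed; the real
key was negotiated with SmugMug over DH-SHA1 and is not on the page.
"""
import base64
import hashlib
import hmac

_DIGESTS = {"HMAC-SHA1": hashlib.sha1, "HMAC-SHA256": hashlib.sha256}

# Fields exactly as they appear in frame 6 of the ticket's backtrace.
ASSERTION = {
    "openid.mode": "id_res",
    "openid.identity": "http://clopenid.smugmug.com/",
    "openid.return_to": "http://myhost:4242/cl-openid/ID1",
    "openid.assoc_handle": "8398644882829021ef7",
    "openid.signed": "mode,identity,return_to",
    "openid.sig": "tHfd+BICtd4hMNWPR5aA/8b2o/c=",
}

# Constructed 20-byte MAC key standing in for the association's shared secret.
DEMO_MAC_KEY = bytes(range(20))


def signed_kv_form(fields):
    """Key-Value form of the fields named in openid.signed, in that order,
    'openid.' prefix stripped, one 'name:value\\n' line each.  Wrong order,
    an unstripped prefix or a missing trailing newline all yield a different
    MAC and therefore 'Invalid signature' against a correct OP."""
    lines = []
    for name in fields["openid.signed"].split(","):
        value = fields["openid." + name]   # KeyError: signed list names a field the message lacks
        if ":" in name or "\n" in name or "\n" in value:
            raise ValueError("field cannot be encoded in key-value form")
        lines.append(f"{name}:{value}\n")
    return "".join(lines)


def compute_sig(fields, mac_key, assoc_type="HMAC-SHA1"):
    """base64(HMAC(mac_key, key-value form)) with the association's digest."""
    mac = hmac.new(mac_key, signed_kv_form(fields).encode("utf-8"), _DIGESTS[assoc_type])
    return base64.b64encode(mac.digest()).decode("ascii")


def verify_sig(fields, mac_key, assoc_type="HMAC-SHA1",
               required=("mode", "identity", "return_to")):
    """True iff openid.sig is the HMAC over the signed fields and every field
    in `required` is covered by it.  The default set is what the captured
    message signs; an OpenID 2.0 assertion additionally has to sign
    op_endpoint, response_nonce and assoc_handle (and claimed_id if present),
    so a 2.0 verifier passes a larger `required`."""
    signed = fields.get("openid.signed", "").split(",")
    if any(name not in signed for name in required):
        return False
    try:
        expected = compute_sig(fields, mac_key, assoc_type)
    except (KeyError, ValueError):
        return False
    # Constant-time compare: the signature arrives in an untrusted redirect.
    return hmac.compare_digest(expected, fields.get("openid.sig", ""))


if __name__ == "__main__":
    print(repr(signed_kv_form(ASSERTION)))
    resigned = {**ASSERTION, "openid.sig": compute_sig(ASSERTION, DEMO_MAC_KEY)}
    print(verify_sig(resigned, DEMO_MAC_KEY))                                           # True
    print(verify_sig({**resigned, "openid.return_to": "http://evil.example/"}, DEMO_MAC_KEY))  # False
```

A verifier also has to refuse an assertion whose `openid.assoc_handle` it has no association for (or fall back to check_authentication), and must not let the message choose the digest: `assoc_type` comes from the stored association, never from the assertion.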