OpenID provider AX does not properly sign AX values [#1485036]

As of 7.11 Drupal core implements a fix for CVE: CVE-2012-0825. AX values on the relying party side are ignored. See: http://drupal.org/node/1425084.

The provided patch solves this issue.

Comment	File	Size	Author
#3	1485036_openidax_properly_sign_3.patch	1.02 KB	slashrsm
#2	1485036_openidax_properly_sign_2.patch	1.04 KB	slashrsm
	properly_sign_ax_value.patch	540 bytes	paranojik

Comments

Comment #1

paranojik commented 16 March 2012 at 14:57

Status:

Active

» Needs review

Forgot to change status...

Comment #2

slashrsm commented 17 May 2012 at 07:11

Status	File	Size
new	1485036_openidax_properly_sign_2.patch	1.04 KB

A bit improved patch.

Comment #3

slashrsm commented 17 May 2012 at 07:48

Status	File	Size
new	1485036_openidax_properly_sign_3.patch	1.02 KB

This should be even better.

Comment #4

xamanu commented 6 February 2013 at 05:19

Status:

Needs review

» Fixed

Committed. Thanks.

Comment #5

20 February 2013 at 05:20

Status:

Fixed

» Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

Comment #6

mgeurts commented 28 February 2013 at 17:27

Xamanu, i'm looking at this at the moment, using:

test-id.net to test this and i'm still getting an "Warning: Provider failed to sign the AX extension." after applying this patch. Any thoughts?

Comment #7

jerry.johnson commented 18 May 2014 at 05:32

Issue summary:	View changes
Status:	Closed (fixed)	» Active

I've tried the patches and the latest commit 7.x-1.x-dev. The attributes such as mode are not being signed still. I've confirmed with fiddler, as well.

OpenID provider AX does not properly sign AX values

Comments

Comment #1

Comment #2

Comment #3

Comment #4

Comment #5

Comment #6

Comment #7

News items

Our community

Documentation

Drupal code base

Governance of community