[Code] Python library only supports assertions sent as GET (not POST)

Jack Bates d8526k at nottheoilrig.com
Fri Nov 18 15:58:31 UTC 2011 

On Thu, Nov 17, 2011 at 03:53:46PM -0800, Yang Zhao wrote:
> On 17 November 2011 15:42, Jack Bates <d8526k at nottheoilrig.com> wrote:
> >> Any query parameters that are present in the "openid.return_to" URL MUST also
> >> be present with the same values in the URL of the HTTP request the RP
> >> received
> >
> > e.g. an assertion with:
> >
> >  openid.return_to=http://example.com/return?egparam=egvalue
> >
> >  - is valid if sent to http://example.com/return?egparam=egvalue but invalid if
> > sent to http://example.com/return or http://example.com/return?egparam=bogus
> >
> > In the Python OpenID library, this is implemented by _verifyReturnToArgs().
> 
> This is not the case.

Here is the implementation of _verifyReturnToArgs(), consumer.py lines 842-872.
Lines 846-854 parse query parameters from openid.return_to. Lines 856-865
verify that each parameter is present with the same value in the *assertion*.
This only supports assertions sent as GET (not POST). To support POST, it must
verify that each parameter is present with the same value in the *URL of the
HTTP request the RP received*, as required by the specification:

> 842    def _verifyReturnToArgs(query):
> 843        """Verify that the arguments in the return_to URL are present in this
> 844        response.
> 845        """
> 846        message = Message.fromPostArgs(query)
> 847        return_to = message.getArg(OPENID_NS, 'return_to')
> 848
> 849        if return_to is None:
> 850            raise ProtocolError('Response has no return_to')
> 851
> 852        parsed_url = urlparse(return_to)
> 853        rt_query = parsed_url[4]
> 854        parsed_args = cgi.parse_qsl(rt_query)
> 855
> 856        for rt_key, rt_value in parsed_args:
> 857            try:
> 858                value = query[rt_key]
> 859                if rt_value != value:
> 860                    format = ("parameter %s value %r does not match "
> 861                              "return_to's value %r")
> 862                    raise ProtocolError(format % (rt_key, value, rt_value))
> 863            except KeyError:
> 864                format = "return_to parameter %s absent from query %r"
> 865                raise ProtocolError(format % (rt_key, query))
> 866
> 867        # Make sure all non-OpenID arguments in the response are also
> 868        # in the signed return_to.
> 869        bare_args = message.getArgs(BARE_NS)
> 870        for pair in bare_args.iteritems():
> 871            if pair not in parsed_args:
> 872                raise ProtocolError("Parameter %s not in return_to URL" % (pair[0],))

More information about the Code mailing list