[OpenID] OpenID 2.0 spec security improvement suggestion

Andrew Arnott andrewarnott at gmail.com
Wed Mar 11 22:20:00 UTC 2009


The way you've interpreted it, Allen, is the way .NET interprets it, I know
that.  I'm not sure about whether that's part of the URI spec or not.  I was
just thinking that in some of the less robust OpenID libraries that might
have a string search and a for loop going through looking for each key=value
that is supposed to be present that they'd miss the additional ones.
--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - Voltaire


On Wed, Mar 11, 2009 at 1:57 PM, Allen Tom <atom at yahoo-inc.com> wrote:

> I'm a little rusty on query parameter syntax, but isn't
>
> key=value1&key=value2&key=value3
>
> equivalent to
>
> key=value1,value2,value3
>
> Should the spec address this case?
>
> Allen
>
>
>
>
> Breno de Medeiros wrote:
>
>>
>>
>>
>> What if they appear a fewer number of times?
>>
>> The correct language is that the set of parameter assignments "a=b", where
>> 'a' is the key and 'b' is the value, that appear in the HTTP request the RP
>> received, and that are not OpenID parameters, should be identical to the set
>> of assignments present in the query part of the return_to URL in the
>> authentication response.
>>
>>
>
>
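An added example, not part of the original thread and not taken from any OpenID library: the per-key string search worried about above, next to a comparison of the full collection of non-OpenID assignments against the return_to query. The URLs are constructed, and counting repeated pairs (a multiset rather than a plain set) is an assumption of this sketch.

```python
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

def pairs(url):
    # Every key=value assignment in the query, keeping repeats and blanks.
    return parse_qsl(urlsplit(url).query, keep_blank_values=True)

def naive_check(return_to, request_url):
    # Looks only for each expected "key=value" substring, so additional
    # assignments in the request go unnoticed.
    received = urlsplit(request_url).query
    return all(f"{k}={v}" in received for k, v in pairs(return_to))

def strict_check(return_to, request_url):
    # Non-OpenID assignments in the request must match the return_to
    # query exactly: nothing extra, nothing missing.
    expected = Counter(pairs(return_to))
    received = Counter((k, v) for k, v in pairs(request_url)
                       if not k.startswith("openid."))
    return expected == received

# Constructed sample URLs (hypothetical relying party).
RETURN_TO = "https://rp.example/return?nonce=n1&key=value1"
OPENID = "&openid.mode=id_res"
SAME = RETURN_TO + OPENID
EXTRA = RETURN_TO + "&key=value2" + OPENID
FEWER = "https://rp.example/return?nonce=n1" + OPENID
COMMA = "https://rp.example/return?nonce=n1&key=value1,value2" + OPENID

if __name__ == "__main__":
    for name, url in [("same", SAME), ("extra", EXTRA),
                      ("fewer", FEWER), ("comma", COMMA)]:
        print(name, naive_check(RETURN_TO, url), strict_check(RETURN_TO, url))
```

The strict check treats `key=value1&key=value2` and `key=value1,value2` as different from each other and from `key=value1`, because the parser keeps a comma as part of the value.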