[OpenID] OpenID 2.0 spec security improvement suggestion

[Martin Atkins]

Allen Tom wrote:
> I'm a little rusty on query parameter syntax, but isn't
> 
> key=value1&key=value2&key=value3
> 
> equivalent to
> 
> key=value1,value2,value3
> 
> Should the spec address this case?
> 

I'm pretty sure that this is not standard, but may be the behavior of a 
particular implementation.

The meta-problem here is that the query string was never really intended 
for being a transport for standard protocols, but was rather intended to 
be an application-local concern. This is not the first time we've run 
into grief where we've assumed particular behavior in parsing the query 
string that is not compatible with the behavior of one or more frameworks.

For example, PHP turns periods in key names into underscores, so 
openid.mode is accessed as openid_mode. Fortunately the only ill effect 
this has is that in most PHP OpenID implementations you can send 
openid_mode in the query string and it'll work. :)

You also can't access multiple values of the same key in PHP unless the 
key name has [] at the end.

It might be of more general use for someone to research the various 
nutty behaviors of different frameworks and try to document a safe 
subset that protocols like OpenID and OAuth can use. Hopefully that will 
also encourage future frameworks to be compatible with what's 
documented. Here are three constraints to be starting with:

* Only latin letters, roman digits and underscores in keys.
* Only one instance of each key.
* Don't use commas unless you're making a list.