From 175bb6d19af0c8f1369f9fe0569210abde8bc71c Mon Sep 17 00:00:00 2001
From: Angie Byron <webchick@24967.no-reply.drupal.org>
Date: Tue, 15 Sep 2009 19:46:04 +0000
Subject: [PATCH] #575796 by Heine: Fixed OpenID XRI test violates the spec.
---
 modules/openid/openid.inc  | 12 ++++++++----
 modules/openid/openid.test | 30 ++++++++++++++++++++++++++++++
 2 files changed, 38 insertions(+), 4 deletions(-)
diff --git a/modules/openid/openid.inc b/modules/openid/openid.inc
index 8115f1282498..d833830c6877 100644
--- a/modules/openid/openid.inc
+++ b/modules/openid/openid.inc
@@ -109,11 +109,15 @@ function openid_redirect_form(&$form_state, $url, $message) {
  * Determine if the given identifier is an XRI ID.
  */
 function _openid_is_xri($identifier) {
-  $firstchar = substr($identifier, 0, 1);
-  if ($firstchar == "@" || $firstchar == "=")
-    return TRUE;
+  // Strip the xri:// scheme from the identifier if present.
+  if (stripos($identifier, 'xri://') !== FALSE) {
+    $identifier = substr($identifier, 6);
+  }
-  if (stristr($identifier, 'xri://') !== FALSE) {
+
+  // Test whether the identifier starts with an XRI global context symbol or (.
+  $firstchar = substr($identifier, 0, 1);
+  if (strpos("=@+$!(", $firstchar) !== FALSE) {
     return TRUE;
   }
diff --git a/modules/openid/openid.test b/modules/openid/openid.test
index ac6defb549b9..58e065e9a7aa 100644
--- a/modules/openid/openid.test
+++ b/modules/openid/openid.test
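Review bot: The new guard `if (stripos($identifier, 'xri://') !== FALSE)` matches the scheme anywhere in the user-supplied identifier, yet the body always drops the first six bytes, so an identifier that merely contains `xri://` later on — including one that begins with `=` or `@` and is therefore an XRI under OpenID 2.0 section 7.2 — is mangled and misclassified; the spec only asks for a leading prefix to be stripped, which is `if (stripos($identifier, 'xri://') === 0) {`. Separately, for the bare input `xri://` the stripped remainder is empty and `strpos("=@+$!(", $firstchar)` is then called with an empty needle, which on PHP releases that accept one returns 0 and classifies the empty string as an XRI, so a guard such as `if ($firstchar !== '' && strpos('=@+$!(', $firstchar) !== FALSE) {` is worth adding. Note also that `"=@+$!("` is a double-quoted string containing `$`; it stays literal only because `$!` cannot start a variable name, and single quotes would make that intent explicit. The remainder of `_openid_is_xri` after the shown `if` block lies outside the hunk.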
@@ -219,4 +219,34 @@ class OpenIDUnitTest extends DrupalWebTestCase {
     $association->mac_key = "1234567890abcdefghij\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\xF0\xF1\xF2\xF3\xF4\xF5\xF6\xF7\xF8\xF9";
     $this->assertEqual(_openid_signature($association, $response, array('foo', 'bar')), 'QnKZQzSFstT+GNiJDFOptdcZjrc=', t('Expected signature calculated.'));
   }
+
+  /**
+   * Test _openid_is_xri().
+   */
+  function testOpenidXRITest() {
+    // Test that the XRI test is according to OpenID Authentication 2.0,
+    // section 7.2. If the user-supplied string starts with xri:// it should be
+    // stripped and the resulting string should be treated as an XRI when it
+    // starts with "=", "@", "+", "$", "!" or "(".
+    $this->assertTrue(_openid_is_xri('xri://=foo'), t('_openid_is_xri returned expected result for an xri identifier with xri scheme.'));
+    $this->assertTrue(_openid_is_xri('xri://@foo'), t('_openid_is_xri returned expected result for an xri identifier with xri scheme.'));
+    $this->assertTrue(_openid_is_xri('xri://+foo'), t('_openid_is_xri returned expected result for an xri identifier with xri scheme.'));
+    $this->assertTrue(_openid_is_xri('xri://$foo'), t('_openid_is_xri returned expected result for an xri identifier with xri scheme.'));
+    $this->assertTrue(_openid_is_xri('xri://!foo'), t('_openid_is_xri returned expected result for an xri identifier with xri scheme..'));
+    $this->assertTrue(_openid_is_xri('xri://(foo'), t('_openid_is_xri returned expected result for an xri identifier with xri scheme..'));
+
+    $this->assertTrue(_openid_is_xri('=foo'), t('_openid_is_xri returned expected result for an xri identifier.'));
+    $this->assertTrue(_openid_is_xri('@foo'), t('_openid_is_xri returned expected result for an xri identifier.'));
+    $this->assertTrue(_openid_is_xri('+foo'), t('_openid_is_xri returned expected result for an xri identifier.'));
+    $this->assertTrue(_openid_is_xri('$foo'), t('_openid_is_xri returned expected result for an xri identifier.'));
+
    $this->assertTrue(_openid_is_xri('!foo'), t('_openid_is_xri returned expected result for an xri identifier.'));
+    $this->assertTrue(_openid_is_xri('(foo'), t('_openid_is_xri returned expected result for an xri identifier.'));
+
+    $this->assertFalse(_openid_is_xri('foo'), t('_openid_is_xri returned expected result for an http URL.'));
+    $this->assertFalse(_openid_is_xri('xri://foo'), t('_openid_is_xri returned expected result for an http URL.'));
+    $this->assertFalse(_openid_is_xri('http://foo/'), t('_openid_is_xri returned expected result for an http URL.'));
+    $this->assertFalse(_openid_is_xri('http://example.com/'), t('_openid_is_xri returned expected result for an http URL.'));
+    $this->assertFalse(_openid_is_xri('user@example.com/'), t('_openid_is_xri returned expected result for an http URL.'));
+    $this->assertFalse(_openid_is_xri('http://user@example.com/'), t('_openid_is_xri returned expected result for an http URL.'));
+  }
 }
-- 
GitLab
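Review bot: None of the new assertions feed `_openid_is_xri()` an identifier in which `xri://` occurs after the first character, so the test cannot tell the "strip a leading xri://" rule quoted in its own comment apart from stripping the first six bytes whenever the scheme appears anywhere, which is what the companion openid.inc hunk does with `stripos(...) !== FALSE`; adding `$this->assertTrue(_openid_is_xri('=foo/xri://bar'), t('_openid_is_xri returned expected result for an XRI containing the scheme after its first character.'));` would pin the spec rule (and, as far as the companion hunk shows, fail until the helper only strips a leading prefix). A bare-scheme case, `$this->assertFalse(_openid_is_xri('xri://'), t('_openid_is_xri returned expected result for an empty XRI.'));`, together with a mixed-case `XRI://=foo` input, would cover the empty remainder and the case-insensitive match that `stripos` implies. The messages on the `'foo'` and `'xri://foo'` assertions describe the input as an HTTP URL although neither is one, and two of the scheme messages end in `..`; a neutral message such as t('_openid_is_xri returned expected result for a non-XRI identifier.') fixes both.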