From b4342434167f0ce0785b2de0efb58b94cf7cf9d2 Mon Sep 17 00:00:00 2001
From: Mikael Nordfeldth
Date: Sun, 2 Aug 2015 13:39:38 +0200
Subject: [PATCH] OpenID extlib updated: Fixes CVE-2014-8150

---
 extlib/Auth/OpenID/URINorm.php | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/extlib/Auth/OpenID/URINorm.php b/extlib/Auth/OpenID/URINorm.php
index c051b550aa..32e84588db 100644
--- a/extlib/Auth/OpenID/URINorm.php
+++ b/extlib/Auth/OpenID/URINorm.php
@@ -93,7 +93,17 @@ function Auth_OpenID_pct_encoded_replace_unreserved($mo)

 function Auth_OpenID_pct_encoded_replace($mo)
 {
- return chr(intval($mo[1], 16));
+ $code = intval($mo[1], 16);
+
+ // Prevent request splitting by ignoring newline and space characters
+ if($code === 0xA || $code === 0xD || $code === ord(' '))
+ {
+ return $mo[0];
+ }
+ else
+ {
+ return chr($code);
+ }
 }

 function Auth_OpenID_remove_dot_segments($path)
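Review bot: The new guard in `Auth_OpenID_pct_encoded_replace` is a three-value denylist (LF, CR, space), so every other control byte (NUL, TAB, the rest of the C0 range and DEL) is still turned into a raw byte by `chr($code)`. If the decoded URI can end up in a request line or header, a range check is the safer form: `if ($code <= 0x20 || $code === 0x7F) { return $mo[0]; }`, which keeps those escapes percent-encoded and leaves the `chr($code)` branch as it is. The callers and the regex that fills `$mo` are outside this hunk, so whether those bytes matter downstream needs confirming there. The comment would also read more accurately as `// Keep CR, LF and space percent-encoded so a decoded URI cannot split a request`, since the escape is preserved rather than ignored.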