OpenID extlib updated: Fixes CVE-2014-8150

Mikael Nordfeldth
2015-08-02 13:39:38 +02:00
parent 266b032b17
commit b434243416


@@ -93,7 +93,17 @@ function Auth_OpenID_pct_encoded_replace_unreserved($mo)
function Auth_OpenID_pct_encoded_replace($mo) function Auth_OpenID_pct_encoded_replace($mo)
{ {
return chr(intval($mo[1], 16)); $code = intval($mo[1], 16);
// Prevent request splitting by ignoring newline and space characters
if($code === 0xA || $code === 0xD || $code === ord(' '))
{
return $mo[0];
}
else
{
return chr($code);
}
} }
function Auth_OpenID_remove_dot_segments($path) function Auth_OpenID_remove_dot_segments($path)
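Review bot: The new guard in Auth_OpenID_pct_encoded_replace refuses to decode only 0x0A, 0x0D and 0x20, so every other control byte (NUL, tab, the rest of 0x00–0x1F, and 0x7F) is still turned into a raw character by `chr($code)`. Whether those bytes can reach an HTTP request depends on callers not shown in this hunk, but a range check is safer than a three-value deny-list: `if ($code <= 0x20 || $code === 0x7F) { return $mo[0]; }` followed by a plain `return chr($code);`, which also drops the `else` after a return. The comment would be more useful to later maintainers if it named the issue being fixed, e.g. `// CVE-2014-8150: keep control characters and space percent-encoded so a decoded URL cannot split the request`.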