Package: python-openid
Version: 2.2.5-3
Severity: normal
Tags: patch upstream
Control: forwarded -1
http://lists.openid.net/pipermail/openid-code/2013-April/000297.html
when using sqlstore.PostgreSQLStore, i noticed python-openid crashing
when it received a longer nonce from OpenID providers.
I've reported it upstream (it should show up at the referenced URL
shortly). The attached patch to make it so that at least newly-created
systems are not vulnerable to this failure mode.
--dkg
-- System Information:
Debian Release: 7.0
APT prefers testing
APT policy: (500, 'testing'), (200, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 3.8-trunk-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages python-openid depends on:
ii python 2.7.3-4
ii python-support 1.0.15
python-openid recommends no packages.
python-openid suggests no packages.
-- debconf-show failed
commit 559f9cbb3b7718c2dde63db5bc7672a7b5dfc1ee
Author: Daniel Kahn Gillmor <d...@fifthhorseman.net>
Date: Thu Apr 4 14:24:17 2013 -0400
Do not crash when salts are greater than 40 chars and sqlstore is in use
The OpenID 2.0 specification indicates that the response_nonce as a
whole can be up to 255 characters, and must be prefixed by an ISO-8601
timestamp in UTC:
https://openid.net/specs/openid-authentication-2_0.html#positive_assertions
even assuming the a very long timestamp, this suggests that the latter
part of the nonce could be over 200 characters long.
The current table definitions in sqlstore.py all assume that the nonce
should be 40 characters. This causes a crash when used with existing
OpenID providers (e.g. the drupal openid_provider module generates
nonces with a 64-byte salt).
Note: this patch doesn't address in-place upgrades of existing
python-openid servers that use an sqlstore. The right thing to do is
something like (in PostgreSQL, e.g.):
ALTER TABLE %(nonces) ALTER COLUMN salt TYPE VARCHAR(255);
I don't see any database versioning or upgrade mechanisms, so it's not
clear how to apply this change dynamically (or to detect that it needs
to be applied).
Some sqlstore backends (sqlite?) may not be able to do an in-place
type change of a column. Those backends may need to drop the nonces
table and recreate it.
diff --git a/openid/store/sqlstore.py b/openid/store/sqlstore.py
index 58c4337..632644c 100644
--- a/openid/store/sqlstore.py
+++ b/openid/store/sqlstore.py
@@ -297,7 +297,7 @@ class SQLiteStore(SQLStore):
CREATE TABLE %(nonces)s (
server_url VARCHAR,
timestamp INTEGER,
- salt CHAR(40),
+ salt VARCHAR(255),
UNIQUE(server_url, timestamp, salt)
);
"""
@@ -376,7 +376,7 @@ class MySQLStore(SQLStore):
CREATE TABLE %(nonces)s (
server_url BLOB NOT NULL,
timestamp INTEGER NOT NULL,
- salt CHAR(40) NOT NULL,
+ salt VARCHAR(255) NOT NULL,
PRIMARY KEY (server_url(255), timestamp, salt)
)
ENGINE=InnoDB;
@@ -447,7 +447,7 @@ class PostgreSQLStore(SQLStore):
CREATE TABLE %(nonces)s (
server_url VARCHAR(2047) NOT NULL,
timestamp INTEGER NOT NULL,
- salt CHAR(40) NOT NULL,
+ salt VARCHAR(255) NOT NULL,
PRIMARY KEY (server_url, timestamp, salt)
);
"""
