Package: python-openid / 2.2.5-6

do-no-crash-long-salts.patch
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

The OpenID 2.0 specification indicates that the response_nonce as a
whole can be up to 255 characters, and must be prefixed by an ISO-8601
timestamp in UTC:

https://openid.net/specs/openid-authentication-2_0.html#positive_assertions

even assuming a very long timestamp, this suggests that the latter
part of the nonce could be over 200 characters long.

The current table definitions in sqlstore.py all assume that the nonce
should be 40 characters.  This causes a crash when used with existing
OpenID providers (e.g. the drupal openid_provider module generates
nonces with a 64-byte salt).

Note: this patch doesn't address in-place upgrades of existing
python-openid servers that use an sqlstore.  The right thing to do is
something like (in PostgreSQL, e.g.):

 ALTER TABLE %(nonces) ALTER COLUMN salt TYPE VARCHAR(255);

I don't see any database versioning or upgrade mechanisms, so it's not
clear how to apply this change dynamically (or to detect that it needs
to be applied).

Some sqlstore backends (sqlite?) may not be able to do an in-place
type change of a column.  Those backends may need to drop the nonces
table and recreate it.
---
 openid/store/sqlstore.py |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/openid/store/sqlstore.py b/openid/store/sqlstore.py
index 58c4337..632644c 100644
--- a/openid/store/sqlstore.py
+++ b/openid/store/sqlstore.py
@@ -297,7 +297,7 @@ class SQLiteStore(SQLStore):
     CREATE TABLE %(nonces)s (
         server_url VARCHAR,
         timestamp INTEGER,
-        salt CHAR(40),
+        salt VARCHAR(255),
         UNIQUE(server_url, timestamp, salt)
     );
     """
@@ -376,7 +376,7 @@ class MySQLStore(SQLStore):
     CREATE TABLE %(nonces)s (
         server_url BLOB NOT NULL,
         timestamp INTEGER NOT NULL,
-        salt CHAR(40) NOT NULL,
+        salt VARCHAR(255) NOT NULL,
         PRIMARY KEY (server_url(255), timestamp, salt)
     )
     ENGINE=InnoDB;
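Review bot: salt is a full, unprefixed component of the InnoDB PRIMARY KEY here, so widening it from CHAR(40) to VARCHAR(255) grows the key by up to 215 characters times the column's byte width; with a 4-byte character set (utf8mb4) under the older REDUNDANT or COMPACT row formats, a 255-character VARCHAR exceeds InnoDB's 767-byte per-column index prefix limit and CREATE TABLE fails (the existing `server_url(255)` prefix has the same exposure). Worth stating the character-set or row-format assumption in the class docstring, or declaring an explicit charset on the table, rather than leaving it to the server default.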
@@ -447,7 +447,7 @@ class PostgreSQLStore(SQLStore):
     CREATE TABLE %(nonces)s (
         server_url VARCHAR(2047) NOT NULL,
         timestamp INTEGER NOT NULL,
-        salt CHAR(40) NOT NULL,
+        salt VARCHAR(255) NOT NULL,
         PRIMARY KEY (server_url, timestamp, salt)
     );
     """
-- 
1.7.10.4