Package: python-openid / 2.2.5-7

Metadata

Package: python-openid
Version: 2.2.5-7
Patches format: 3.0 (quilt)

Patch series

do-no-crash-long-salts.patch

openid/store/sqlstore.py | 6 3 + 3 - 0 !
1 file changed, 3 insertions(+), 3 deletions(-)

 do-no-crash-long-salts

The OpenID 2.0 specification indicates that the response_nonce as a
whole can be up to 255 characters, and must be prefixed by an ISO-8601
timestamp in UTC:

https://openid.net/specs/openid-authentication-2_0.html#positive_assertions

even assuming a very long timestamp, this suggests that the latter
part of the nonce could be over 200 characters long.

The current table definitions in sqlstore.py all assume that the nonce
should be 40 characters.  This causes a crash when used with existing
OpenID providers (e.g. the drupal openid_provider module generates
nonces with a 64-byte salt).

Note: this patch doesn't address in-place upgrades of existing
python-openid servers that use an sqlstore.  The right thing to do is
something like (in PostgreSQL, e.g.):

 ALTER TABLE %(nonces) ALTER COLUMN salt TYPE VARCHAR(255);

I don't see any database versioning or upgrade mechanisms, so it's not
clear how to apply this change dynamically (or to detect that it needs
to be applied).

Some sqlstore backends (sqlite?) may not be able to do an in-place
type change of a column.  Those backends may need to drop the nonces
table and recreate it.
Patch-Name: do-no-crash-long-salts.patch
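Added illustration, not code from python-openid or from this patch: the Python 3 script below shows the in-place upgrade the description leaves unaddressed. It inspects the declared width of the nonces.salt column with SQLite's PRAGMA table_info, and, where the column is narrower than the 255 characters the OpenID 2.0 response_nonce allows, recreates the table and copies the rows (the drop-and-recreate path the description mentions for backends that cannot change a column type in place). The table layout it starts from (CHAR(40) salt, primary key over server_url, timestamp and salt) is an assumption modelled on the description, as are all table and function names. SQLite does not enforce declared column widths, so the crash itself only surfaces on backends that do, such as PostgreSQL, where the ALTER TABLE statement given in the description is the fix.

```python
import re
import sqlite3

# Constructed legacy schema (assumption): the nonces table as the
# description says the sqlstore backends define it, with a 40-char salt.
LEGACY_NONCES_SQL = """
CREATE TABLE nonces (
    server_url VARCHAR(2047) NOT NULL,
    timestamp INTEGER NOT NULL,
    salt CHAR(40) NOT NULL,
    PRIMARY KEY (server_url, timestamp, salt)
)
"""

# Replacement schema: salt widened to the 255 characters the OpenID 2.0
# specification permits for the whole response_nonce.
NEW_NONCES_SQL = """
CREATE TABLE nonces_new (
    server_url VARCHAR(2047) NOT NULL,
    timestamp INTEGER NOT NULL,
    salt VARCHAR(255) NOT NULL,
    PRIMARY KEY (server_url, timestamp, salt)
)
"""

# For backends that can retype a column in place (PostgreSQL), the single
# statement from the patch description is enough; kept here for reference.
POSTGRESQL_ALTER_SQL = "ALTER TABLE nonces ALTER COLUMN salt TYPE VARCHAR(255)"

MAX_NONCE_LEN = 255
# ISO-8601 UTC timestamp prefix required by the spec, followed by the
# provider-chosen unique suffix (the part the sqlstore keeps as 'salt').
NONCE_RE = re.compile(r'^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)(.*)$')


def split_nonce(nonce):
    """Return (timestamp, salt) for a well-formed response_nonce.

    Raises ValueError when the nonce exceeds 255 characters or does not
    start with an ISO-8601 UTC timestamp.
    """
    if len(nonce) > MAX_NONCE_LEN:
        raise ValueError('response_nonce longer than 255 characters')
    match = NONCE_RE.match(nonce)
    if not match:
        raise ValueError('response_nonce lacks ISO-8601 UTC timestamp prefix')
    return match.group(1), match.group(2)


def nonce_is_valid(nonce):
    """Boolean wrapper around split_nonce for callers that only need a check."""
    try:
        split_nonce(nonce)
    except ValueError:
        return False
    return True


def declared_salt_width(conn):
    """Width declared for nonces.salt, or None when the type carries no width.

    SQLite records the declared type verbatim even though it never enforces
    the width, so the schema's intent remains visible after the fact.
    """
    for _cid, name, decl_type, *_rest in conn.execute('PRAGMA table_info(nonces)'):
        if name == 'salt':
            match = re.search(r'\((\d+)\)', decl_type or '')
            return int(match.group(1)) if match else None
    raise LookupError('nonces table has no salt column')


def needs_migration(conn, required=MAX_NONCE_LEN):
    """True when the salt column is declared narrower than required."""
    width = declared_salt_width(conn)
    return width is not None and width < required


def migrate_nonces(conn):
    """Recreate the nonces table with a 255-char salt, preserving rows.

    Returns True when a migration was performed, False when none was needed.
    """
    if not needs_migration(conn):
        return False
    with conn:  # one transaction: either the whole swap lands or none of it
        conn.execute(NEW_NONCES_SQL)
        conn.execute('INSERT INTO nonces_new SELECT server_url, timestamp, salt FROM nonces')
        conn.execute('DROP TABLE nonces')
        conn.execute('ALTER TABLE nonces_new RENAME TO nonces')
    return True


if __name__ == '__main__':
    db = sqlite3.connect(':memory:')
    db.execute(LEGACY_NONCES_SQL)
    # Constructed sample row: a 64-character salt like the Drupal provider's.
    stamp, salt = split_nonce('2001-02-03T04:05:06Z' + 'x' * 64)
    db.execute('INSERT INTO nonces VALUES (?, ?, ?)', ('https://op.example/', 981173106, salt))
    print('declared salt width before:', declared_salt_width(db))
    print('migrated:', migrate_nonces(db))
    print('declared salt width after:', declared_salt_width(db))
```

The detection step matters as much as the migration: the description notes there is no versioning mechanism in the store, so checking the declared column width on startup is the only signal an upgraded deployment has that its schema predates this patch.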

fix-version.patch

openid/__init__.py | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 fix-version

Fix version reported by the package (Bug #754774)
Patch-Name: fix-version.patch