[TYPO3-core] RFC #13977: Improve OpenID association handling

Dmitry Dulepov dmitry.dulepov at gmail.com
Wed Mar 31 14:56:19 CEST 2010


Hi!

This is an SVN patch request.

Type: tweak (stability issue)

Branches: 4.3, 4.4

BT reference: http://bugs.typo3.org/view.php?id=13977

Problem: There are two issues with OpenID association handling. First, if the session is expired, it is not removed from the storage by the Consumer object. Thus authentication failures due to an expired association may happen several times before the association is invalidated by the server. Secondly, due to MySQL issues with character sets, blobs can be written incorrectly (some of the character_set_* variables affect blobs!). Therefore it is safer to encode association data to a binary-safe string (such as base64) in the database.

Solution: the attached patch contains both fixes. It makes sure that expired associations are removed and database association store uses base64 for binary data.

Notes:
- this patch contains two things. The reason to post this as a single RFC is that they target the same purpose: improving association handling
- this patch has been running for several months on Snowflake servers and we have not had issues with it. However, it helped us a lot to reduce the amount of OpenID authentication failures

Q&A:
Q: What happens with existing associations during upgrade?
A: They are restarted. Usually such associations last for 1 hour max. If the client cannot verify the association, it will tell the server to restart it. This is transparent for the user; he will know about it.
Q: How can character_set_* affect blob fields?
A: Blobs do not have character sets. However, connection, file system and database do have them. Therefore under certain conditions ~binary~ data may become corrupted when it is sent from the application to the database. I do not have a link at hand, but during my search I found that one such case caused hard-to-track problems with OpenID logins. After changing blob data from binary to binary-safe, the problem was fixed. This is what this patch does too.

-- 
Dmitry Dulepov
TYPO3 expert / TYPO3 security team member
Read more @ http://dmitry-dulepov.com/
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 13977.diff
URL: <http://lists.typo3.org/pipermail/typo3-team-core/attachments/20100331/2a465098/attachment.txt>
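The two fixes described in the RFC, shown as an added example (this is not the attached 13977.diff, nor TYPO3 or php-openid code; the table name, column names, the `Association` class and the sample server URL are all assumptions made for the illustration). The store keeps the association secret base64-encoded so only ASCII reaches the database, and `get_association` deletes expired rows for the server before looking one up, so a stale association is never handed back to the consumer. `text_mode_transcode` is a constructed model of a charset-converting connection (bytes read as latin-1, written as UTF-8), used only to show why the raw secret is fragile and the base64 form is not:

```python
"""Illustrative OpenID association store: base64-encoded secrets plus
expiry cleanup. Added example; not TYPO3 or php-openid code."""
import base64
import sqlite3
import time
from dataclasses import dataclass
from typing import Optional

# Constructed sample secret: 20 bytes (HMAC-SHA1 key length) including NUL,
# a quote, a backslash, CR/LF and high bytes, i.e. everything a text-mode
# database connection might mangle.
SAMPLE_SECRET = b"\x00\xff'\\\x80\x9f\xc3\xa9\r\n" + bytes(range(0xF0, 0xFA))
SAMPLE_SERVER = "https://openid.example.invalid/server"  # hypothetical endpoint


@dataclass
class Association:
    handle: str
    secret: bytes        # raw HMAC key, arbitrary bytes
    issued: int          # unix time the server issued it
    lifetime: int        # seconds the server says it is valid
    assoc_type: str = "HMAC-SHA1"

    def expires_at(self) -> int:
        return self.issued + self.lifetime


def text_mode_transcode(data: bytes) -> bytes:
    """Constructed model of a charset-converting connection: bytes are taken
    as latin-1 and re-emitted as UTF-8, so every byte >= 0x80 grows to two.
    A raw secret changes; base64 text is pure ASCII and is left untouched."""
    return data.decode("latin-1").encode("utf-8")


class DbAssociationStore:
    """Minimal association store; table and column names are hypothetical."""

    def __init__(self, conn: sqlite3.Connection):
        self.conn = conn
        self.conn.execute(
            "CREATE TABLE IF NOT EXISTS assoc_store ("
            " server_url TEXT NOT NULL, assoc_handle TEXT NOT NULL,"
            " secret_b64 TEXT NOT NULL, issued INTEGER NOT NULL,"
            " lifetime INTEGER NOT NULL, assoc_type TEXT NOT NULL,"
            " PRIMARY KEY (server_url, assoc_handle))"
        )

    def store_association(self, server_url: str, assoc: Association) -> None:
        # Fix 2: the secret is stored as a binary-safe ASCII string.
        secret_b64 = base64.b64encode(assoc.secret).decode("ascii")
        self.conn.execute(
            "INSERT OR REPLACE INTO assoc_store VALUES (?, ?, ?, ?, ?, ?)",
            (server_url, assoc.handle, secret_b64,
             assoc.issued, assoc.lifetime, assoc.assoc_type),
        )
        self.conn.commit()

    def get_association(self, server_url: str, handle: Optional[str] = None,
                        now: Optional[float] = None) -> Optional[Association]:
        now = int(time.time() if now is None else now)
        # Fix 1: expired associations for this server are removed from the
        # store before lookup, so an expired one is never returned.
        self.conn.execute(
            "DELETE FROM assoc_store WHERE server_url = ? AND issued + lifetime <= ?",
            (server_url, now),
        )
        sql = ("SELECT assoc_handle, secret_b64, issued, lifetime, assoc_type"
               " FROM assoc_store WHERE server_url = ?")
        params = [server_url]
        if handle is not None:
            sql += " AND assoc_handle = ?"
            params.append(handle)
        sql += " ORDER BY issued DESC LIMIT 1"
        row = self.conn.execute(sql, params).fetchone()
        self.conn.commit()
        if row is None:
            return None
        return Association(row[0], base64.b64decode(row[1]), row[2], row[3], row[4])

    def remove_association(self, server_url: str, handle: str) -> bool:
        cur = self.conn.execute(
            "DELETE FROM assoc_store WHERE server_url = ? AND assoc_handle = ?",
            (server_url, handle))
        self.conn.commit()
        return cur.rowcount > 0

    def count(self) -> int:
        return self.conn.execute("SELECT COUNT(*) FROM assoc_store").fetchone()[0]


def demo() -> dict:
    store = DbAssociationStore(sqlite3.connect(":memory:"))
    t0 = 1_270_000_000
    store.store_association(SAMPLE_SERVER, Association("h1", SAMPLE_SECRET, t0, 3600))
    fresh = store.get_association(SAMPLE_SERVER, "h1", now=t0 + 10)
    stale = store.get_association(SAMPLE_SERVER, "h1", now=t0 + 3600)
    b64 = base64.b64encode(SAMPLE_SECRET)
    return {
        "roundtrip_ok": fresh is not None and fresh.secret == SAMPLE_SECRET,
        "expired_returned": stale,
        "rows_after_expiry": store.count(),
        "raw_survives_transcode": text_mode_transcode(SAMPLE_SECRET) == SAMPLE_SECRET,
        "b64_survives_transcode": text_mode_transcode(b64) == b64,
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the secret round-tripping intact through the base64 column, the lookup at the exact expiry second returning nothing with the row already gone, and the transcoding model altering the raw 20-byte secret while leaving its base64 form byte-for-byte identical. Deleting expired rows at lookup time (rather than only on a periodic cleanup) is what keeps the consumer from retrying a dead association several times, which is the first failure the RFC describes.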

