Package: php-openid
Version: 2.1.3-1
Severity: important
Tags: patch

*** Please type your report below this line ***

In Auth/OpenID/Parse.php, the $_tag_expr regexp is "<%s\b(?!:)([^>]*?)(?:\/>|>(.*?)(?:<\/?%s\s*>|\Z))". And libpcre3's implementation of .*? is probably recursive. So, on big HTML pages with <link rel="openid.server">, like http://stas-fomin.blogspot.com/, the <html>...</html> tag is not matched due to a stack overflow during matching of .*? (matching stops after approximately 99264 bytes). So, Auth_OpenID does not work with these pages.

A workaround is very simple: change .*? to .*. A patch is attached.

-- System Information:
Debian Release: squeeze/sid
APT prefers oldstable
APT policy: (500, 'oldstable'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.30-1-686 (SMP w/2 CPU cores)
Locale: LANG=ru_RU.KOI8-R, LC_CTYPE=ru_RU.KOI8-R (charmap=KOI8-R)
Shell: /bin/sh linked to /bin/bash

Versions of packages php-openid depends on:
ii  php5       5.2.10.dfsg.1-1  server-side, HTML-embedded scripti
ii  php5-curl  5.2.10.dfsg.1-1  CURL module for php5
ii  php5-gmp   5.2.10.dfsg.1-1  GMP module for php5

php-openid recommends no packages.

Versions of packages php-openid suggests:
pn  php-db     <none>           (no description available)

-- no debconf information

--
Wbr, Vitaliy Filippov
Parse.php.diff
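
The failure described in the report above is silent: the tag simply does not match. As an added example (not code from php-openid or from the reporter), the PHP sketch below applies the quoted pattern to constructed pages of increasing size and treats a `false` return from `preg_match()` as an aborted match rather than a missing tag. The `/`...`/si` delimiters and flags, the helper names and the sample page are assumptions, and which sizes fail depends on the local `pcre.backtrack_limit`, `pcre.recursion_limit` and `pcre.jit` settings.

```php
<?php
// Added example, not code from php-openid. The pattern text is the one quoted
// in the report; the "/" delimiters and "si" flags are assumptions.
const TAG_EXPR = '<%s\b(?!:)([^>]*?)(?:\/>|>(.*?)(?:<\/?%s\s*>|\Z))';

/**
 * Match one tag and separate "no such tag" from "PCRE gave up".
 * Returns the match array, null when the tag is absent, and throws when
 * the engine aborted (backtrack, recursion or JIT stack limit, bad UTF-8).
 */
function match_tag(string $tag, string $html): ?array
{
    $re = '/' . sprintf(TAG_EXPR, $tag, $tag) . '/si';
    $rc = preg_match($re, $html, $m);
    if ($rc === false) {
        // preg_match() returns false, not 0, when matching was aborted.
        throw new RuntimeException(
            sprintf('PCRE error %d while matching <%s> in %d bytes',
                    preg_last_error(), $tag, strlen($html)));
    }
    return $rc === 1 ? $m : null;
}

// Constructed input: a small head plus a body padded to the requested size.
function sample_page(int $bodyBytes): string
{
    $head = '<head><link rel="openid.server" href="https://op.example/"></head>';
    return '<html>' . $head . '<body>' . str_repeat('x', $bodyBytes)
         . '</body></html>';
}

foreach ([1000, 200000, 5000000] as $size) {
    try {
        $m = match_tag('html', sample_page($size));
        printf("%8d bytes: %s\n", $size, $m === null ? 'no <html> tag' : 'matched');
    } catch (RuntimeException $e) {
        printf("%8d bytes: %s\n", $size, $e->getMessage());
    }
}
```

The numeric code in the exception corresponds to the `PREG_*_ERROR` constants, so a caller can log or reject the page instead of treating it as one without OpenID markup.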