From: Mikael Nordfeldth Date: Sun, 2 Aug 2015 11:39:38 +0000 (+0200) Subject: OpenID extlib updated: Fixes CVE-2014-8150 X-Git-Url: https://git.mxchange.org/?a=commitdiff_plain;h=b4342434167f0ce0785b2de0efb58b94cf7cf9d2;p=quix0rs-gnu-social.git OpenID extlib updated: Fixes CVE-2014-8150 --- diff --git a/extlib/Auth/OpenID/URINorm.php b/extlib/Auth/OpenID/URINorm.php index c051b550aa..32e84588db 100644 --- a/extlib/Auth/OpenID/URINorm.php +++ b/extlib/Auth/OpenID/URINorm.php @@ -93,7 +93,17 @@ function Auth_OpenID_pct_encoded_replace_unreserved($mo) function Auth_OpenID_pct_encoded_replace($mo) { - return chr(intval($mo[1], 16)); + $code = intval($mo[1], 16); + + // Prevent request splitting by ignoring newline and space characters + if($code === 0xA || $code === 0xD || $code === ord(' ')) + { + return $mo[0]; + } + else + { + return chr($code); + } } function Auth_OpenID_remove_dot_segments($path)