debian/0000755000000000000000000000000012214103211007151 5ustar debian/compat0000644000000000000000000000000211113225011010347 0ustar 7 debian/patches/0000755000000000000000000000000012214102302010600 5ustar debian/patches/CVE-2013-4701.patch0000644000000000000000000000216012214102214013213 0ustar From: Artur Rona Description: Disable external XML entities and libxml errors. Fixes CVE-2013-4701. Bug: http://jvn.jp/en/jp/JVN24713981/index.html Bug-Debian: http://bugs.debian.org/721221 Origin: upstream, https://github.com/openid/php-openid/commit/625c16bb28bb120d262b3f19f89c2c06cb9b0da9 Author: Kousuke Ebihara
diff -pruN -x '*~' php-openid-2.2.2.orig/Auth/Yadis/XML.php php-openid-2.2.2/Auth/Yadis/XML.php
--- php-openid-2.2.2.orig/Auth/Yadis/XML.php 2010-04-29 22:41:05.000000000 +0200
+++ php-openid-2.2.2/Auth/Yadis/XML.php 2013-09-11 16:43:00.000000000 +0200
@@ -234,7 +234,14 @@ class Auth_Yadis_dom extends Auth_Yadis_ return false; }
- if (!@$this->doc->loadXML($xml_string)) {
+ // disable external entities and libxml errors
+ $loader = libxml_disable_entity_loader(true);
+ $errors = libxml_use_internal_errors(true);
+ $parse_result = @$this->doc->loadXML($xml_string);
+ libxml_disable_entity_loader($loader);
+ libxml_use_internal_errors($errors);
+
+ if (!$parse_result) { return false; } debian/patches/fixes-call-time-pass-by-reference0000644000000000000000000000626311747203420017042 0ustar Description: fixes call-time pass-by-reference Bug-Debian: http://bugs.debian.org/653621 Forwarded: no
--- php-openid-2.2.2.orig/Auth/Yadis/XRDS.php
+++ php-openid-2.2.2/Auth/Yadis/XRDS.php
@@ -429,7 +429,7 @@ class Auth_Yadis_XRDS { foreach ($filters as $filter) {
- if (call_user_func_array($filter, array(&$service))) {
+ if (call_user_func_array($filter, array($service))) { $matches++; if ($filter_mode == SERVICES_YADIS_MATCH_ANY) {
--- php-openid-2.2.2.orig/Auth/Yadis/Yadis.php
+++ php-openid-2.2.2/Auth/Yadis/Yadis.php 
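Review bot: The errors that `libxml_use_internal_errors(true)` starts queuing are never drained, so after a rejected document its parse errors stay in libxml's process-global buffer until some later caller happens to read or clear them; add `libxml_clear_errors();` on the line before `libxml_use_internal_errors($errors);`. Both restores run unconditionally only as long as `loadXML` returns rather than throws, which it does by default; under an error handler that converts warnings into exceptions the restores would be skipped and entity loading would stay disabled process-wide, which is the safe direction but still a leaked setting. The `@` on `loadXML` is now largely redundant, since parse diagnostics are captured by the internal-errors switch. The enclosing method starts before this hunk.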
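Review bot: Dropping the `&` from `array(&$service)` removes the call-time-reference syntax, but `call_user_func_array` still cannot pass by reference, so if the callback behind `$filter` declares its parameter as `&$service`, PHP 5.3 and later emit a warning and the callee receives a copy; the callee signatures are outside this patch and should be confirmed to take the argument by value, or changed in the same patch. The same point applies to every other hunk of this patch: the discover callbacks in Yadis.php, Manager.php and TrustRoot.php, the `_complete*` methods and `discoverMethod` in Consumer.php, and the `openid_*` handlers in Server.php. For `$service`, `$fetcher`, `$endpoint` and `$request` the change is behaviour-neutral only if they are objects, which PHP 5 passes by handle; their types are not visible in these hunks. The enclosing foreach and its function start and end outside this hunk.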
@@ -141,7 +141,7 @@ function Auth_Yadis_getServiceEndpoints( } $yadis_result = call_user_func_array($discover_func,
- array($input_url, &$fetcher));
+ array($input_url, $fetcher)); if ($yadis_result === null) { return array($input_url, array());
--- php-openid-2.2.2.orig/Auth/Yadis/Manager.php
+++ php-openid-2.2.2/Auth/Yadis/Manager.php
@@ -413,7 +413,7 @@ class Auth_Yadis_Discovery { list($yadis_url, $services) = call_user_func($discover_cb, $this->url,
- &$fetcher);
+ $fetcher); $manager = $this->createManager($services, $yadis_url); }
--- php-openid-2.2.2.orig/Auth/OpenID/TrustRoot.php
+++ php-openid-2.2.2/Auth/OpenID/TrustRoot.php
@@ -413,7 +413,7 @@ function Auth_OpenID_getAllowedReturnURL } call_user_func_array($discover_function,
- array($relying_party_url, &$fetcher));
+ array($relying_party_url, $fetcher)); $return_to_urls = array(); $matching_endpoints = Auth_OpenID_extractReturnURL($endpoints);
--- php-openid-2.2.2.orig/Auth/OpenID/Consumer.php
+++ php-openid-2.2.2/Auth/OpenID/Consumer.php
@@ -666,7 +666,7 @@ class Auth_OpenID_GenericConsumer { '_completeInvalid'); return call_user_func_array(array($this, $method),
- array($message, &$endpoint, $return_to));
+ array($message, $endpoint, $return_to)); } /**
@@ -1181,7 +1181,7 @@ class Auth_OpenID_GenericConsumer { // oidutil.log('Performing discovery on %s' % (claimed_id,)) list($unused, $services) = call_user_func($this->discoverMethod, $claimed_id,
- &$this->fetcher);
+ $this->fetcher); if (!$services) { return new Auth_OpenID_FailureResponse(null,
--- php-openid-2.2.2.orig/Auth/OpenID/Server.php
+++ php-openid-2.2.2/Auth/OpenID/Server.php 
@@ -1704,7 +1704,7 @@ class Auth_OpenID_Server { { if (method_exists($this, "openid_" . $request->mode)) { $handler = array($this, "openid_" . $request->mode);
- return call_user_func($handler, &$request);
+ return call_user_func($handler, $request); } return null; } debian/patches/series0000644000000000000000000000006612214102302012017 0ustar fixes-call-time-pass-by-reference CVE-2013-4701.patch debian/rules0000755000000000000000000000006411207017700010241 0ustar #!/usr/bin/make -f #export DH_VERBOSE=1 %: dh $@ debian/docs0000644000000000000000000000003511366065521010044 0ustar examples contrib NEWS README debian/control0000644000000000000000000000120711432156207010572 0ustar Source: php-openid Section: php Priority: optional Maintainer: Jan Hauke Rahm Build-Depends: debhelper (>= 7) Standards-Version: 3.9.1 Homepage: http://github.com/openid/php-openid Vcs-Svn: http://debsvn.jhr-online.de/php-openid/trunk/ Vcs-Browser: https://cgi.jhr-online.de/viewvc.cgi/debian/php-openid/trunk/ Package: php-openid Architecture: all Depends: php5 (>= 5.2.0), php5-gmp, php5-curl, ${misc:Depends} Suggests: php-db Description: PHP OpenID library The PHP OpenID library lets you enable OpenID authentication on sites built using PHP. It features the OpenID consumer, Store implementations, and an OpenID server. debian/changelog0000644000000000000000000000564212214103211011032 0ustar php-openid (2.2.2-1.2) unstable; urgency=high * Non-maintainer upload. * debian/patches/CVE-2013-4701.patch: - Disable external XML entities and libxml errors. Fixes security issue. (Closes: #721221) - CVE-2013-4701 -- Artur Rona Wed, 11 Sep 2013 16:57:40 +0200 php-openid (2.2.2-1.1) unstable; urgency=low * Non-maintainer upload. * Fixes call-time pass-by-reference (Closes: #653621). 
-- Thomas Goirand Sun, 29 Apr 2012 09:13:02 +0000 php-openid (2.2.2-1) unstable; urgency=low * New upstream release + Fix regex in Auth/OpenID/Parse.php (Closes: #535479) * debian/watch: link to correct upstream homepage * Bump Standards-Version to 3.9.1 -- Jan Hauke Rahm Mon, 16 Aug 2010 08:37:15 +0200 php-openid (2.2.1-1) unstable; urgency=low * New upstream release (Closes: #571803) + update debian/copyright accordingly + Install contributions by google in /u/s/doc + Report correct version (Closes: #564953) * Update short description (Closes: #564954) * Bump standards-version: 3.8.4 * Update upstream's homepage * Switch to Source Format 3.0 (quilt) * Add upstream's README (Closes: #574963) -- Jan Hauke Rahm Thu, 29 Apr 2010 08:27:42 +0200 php-openid (2.1.3-1) unstable; urgency=low * New upstream release + Consumer: require that op_endpoint be signed in id_res responses + Unify method signatures to reduce E_STRICT warnings + Move signed assertions code into contrib/ + OpenID Signed Assertions(Implementation of old sxip draft) + Message: indentation + getAliasedArg() returns OpenID namespace when $aliased_key is 'ns' + Don't use Range header for ID page requests * Bumped Standards-Version to 3.8.1 * debian/control: section changed from web to php * debian/copyright: removed old license clarification note -- Jan Hauke Rahm Mon, 27 Apr 2009 00:39:02 +0200 php-openid (2.1.2-2) unstable; urgency=low * Upload to unstable * DM-Upload-Allowed: yes -- Jan Hauke Rahm Sun, 01 Mar 2009 18:58:54 +0100 php-openid (2.1.2-1) experimental; urgency=low * New upstream release * Updated debian/copyright * Changing to debhelper >=7; debian/rules cleanup -- Jan Hauke Rahm Sun, 04 Jan 2009 15:13:31 +0100 php-openid (2.0.0-2) unstable; urgency=medium * Adopted. 
* Bumped the Standards-Version to 3.8.0 * Corrected debian/copyright * Added debian/watch -- Jan Hauke Rahm Sat, 01 Nov 2008 21:13:34 +0100 php-openid (2.0.0-1) unstable; urgency=low * New upstream release * Bumped the Standards-Version to 3.7.3 -- Thierry Randrianiriana Thu, 06 Dec 2007 16:08:08 +0300 php-openid (2.0.0~rc5-1) unstable; urgency=low * Initial Release. (Closes: #452943) -- Thierry Randrianiriana Tue, 27 Nov 2007 11:12:21 +0300 debian/install0000644000000000000000000000002311366065475010567 0ustar Auth usr/share/php debian/copyright0000644000000000000000000000142211432156427011125 0ustar Format-Specification: http://wiki.debian.org/Proposals/CopyrightFormat?action=recall&rev=249 Upstream-Name: php-openid Upstream-Maintainer: JanRain, Inc. Upstream-Source: http://github.com/openid/php-openid Files: * Copyright: (C) 2005-2010 JanRain, Inc. License: Apache-2.0 Files: contrib/* Copyright: (C) 2009 Google Inc. License: Apache-2.0 On Debian systems the full text of the Apache 2.0 License can be found in the `/usr/share/common-licenses/Apache-2.0' file. Files: debian/* Copyright: (C) 2007 Thierry Randrianiriana Copyright: (C) 2008-2010 Jan Hauke Rahm License: GPL-2+ On Debian systems the full text of the GNU General Public License can be found in the `/usr/share/common-licenses/GPL-2' file. debian/source/0000755000000000000000000000000011432156463010473 5ustar debian/source/format0000644000000000000000000000001411350455107011675 0ustar 3.0 (quilt) debian/watch0000644000000000000000000000014411366247017010225 0ustar version=3 http://github.com/openid/php-openid/downloads /openid/php-openid/tarball/([\d\.]*) debian