ruby-openid

Issue #125 - Addressing missing server url in check_signature method

Open rbebersole opened this issue 5 years ago • 1 comments

The verify_discovery_results method call was moved after the check_signature method call to address a security vulnerability (issue #121). Apparently, the check_signature method relied on the endpoint instance variable being defined by the verify_discovery_results method. As a result, the check_signature method always fails because the server_url is nil.

This fix initializes the endpoint variable within the check_signature method and populates it with the server url passed by the OPENID2 client.

Note: I followed the link for instructions on contributing, but I could not find any instructions on the target site. So I used what the other contributors did as a guide.

rbebersole, May 27 '20 14:05
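The call-order dependency described in the post above, as an added Ruby example that is not part of the thread and is not ruby-openid's code. `ResponseHandler`, `Endpoint`, the `init_endpoint:` switch, the simplified HMAC payload, the store keyed by `openid.op_endpoint` and all sample values are assumptions made for illustration.

```ruby
require "openssl"

# Simplified model of the call-order dependency; not ruby-openid source code.
Endpoint = Struct.new(:server_url)

class ResponseHandler
  # assoc_store maps server_url => shared HMAC secret (constructed sample data).
  def initialize(message, assoc_store, init_endpoint:)
    @message, @assoc_store, @init_endpoint = message, assoc_store, init_endpoint
    @endpoint = nil
  end

  # Order after the reordering: signature check first, discovery second.
  def complete
    check_signature
    verify_discovery_results
    :success
  rescue ArgumentError => e
    [:failure, e.message]
  end

  def self.payload(message)
    # Simplified canonical form; the real protocol signs the fields in openid.signed.
    message.reject { |k, _| k == "openid.sig" }.sort.map { |k, v| "#{k}:#{v}\n" }.join
  end

  private
  def check_signature
    # Modeled fix: build the endpoint from the response itself, because
    # verify_discovery_results has not run yet at this point.
    @endpoint ||= Endpoint.new(@message["openid.op_endpoint"]) if @init_endpoint
    url = @endpoint ? @endpoint.server_url : nil
    secret = @assoc_store[url]
    raise ArgumentError, "no association for #{url.inspect}" unless secret
    expected = OpenSSL::HMAC.hexdigest("SHA256", secret, self.class.payload(@message))
    raise ArgumentError, "bad signature" unless OpenSSL.secure_compare(expected, @message["openid.sig"].to_s)
  end

  def verify_discovery_results
    # Stand-in only: the real method performs discovery and compares endpoints.
    @endpoint = Endpoint.new(@message["openid.op_endpoint"])
  end
end

# Constructed sample response and association store.
SECRET = "constructed-secret"
STORE = { "https://op.example/server" => SECRET }
MSG = { "openid.op_endpoint" => "https://op.example/server", "openid.claimed_id" => "https://user.example/" }
MSG["openid.sig"] = OpenSSL::HMAC.hexdigest("SHA256", SECRET, ResponseHandler.payload(MSG))
```

With `init_endpoint: false` every response fails before the signature is even compared, which is the regression the post reports; with `init_endpoint: true` a response still fails if any signed field, including the endpoint URL, is altered.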

I believe the error in the failed check is related to installing rubinius-3 and not to the coding change.

rbebersole, May 28 '20 17:05

This repo is being archived. Closing PR.

timcappalli, Jul 24 '23 17:07