diff options
| -rw-r--r-- | Auth/OpenID/Consumer.php | 8 | ||||
| -rw-r--r-- | NEWS | 7 |
2 files changed, 13 insertions, 2 deletions
diff --git a/Auth/OpenID/Consumer.php b/Auth/OpenID/Consumer.php index 0d6f9d7..7c1e6d5 100644 --- a/Auth/OpenID/Consumer.php +++ b/Auth/OpenID/Consumer.php @@ -401,6 +401,14 @@ class Auth_OpenID_Consumer { */ function complete($return_to, $query=null) { + if ($return_to && !is_string($return_to)) { + // This is ugly, but we need to complain loudly when + // someone uses the API incorrectly. + trigger_error("return_to must be a string; see NEWS file " . + "for upgrading notes.", + E_USER_ERROR); + } + if ($query === null) { $query = Auth_OpenID::getQuery(); } @@ -44,9 +44,12 @@ If you cannot run the Python script, you can re-create your store by dropping the tables in the store and calling createTables() on the store object. -Consumers should now pass an additional parameter to +Consumers should now pass the consumer return_to URL to Auth_OpenID_Consumer::complete() to defend against return_to URL -tampering. +tampering. This has REPLACED the old parameter, $query. $query is +now a second optional parameter. It is STRONGLY RECOMMENDED that you +never override $query, since the OpenID library uses its own logic to +sidestep PHP's broken request-processing code. Summary of API Changes |