1 files changed, 28 insertions, 8 deletions

diff --git a/Auth/OpenID.php b/Auth/OpenID.php
index 1d01d44..fd72db3 100644
--- a/Auth/OpenID.php
+++ b/Auth/OpenID.php
@@ -137,22 +137,42 @@ class Auth_OpenID {
      */
     function getQuery($query_str=null)
     {
+        $data = array();
+
         if ($query_str !== null) {
-            $str = $query_str;
+            $data = Auth_OpenID::params_from_string($query_str);
         } else if (!array_key_exists('REQUEST_METHOD', $_SERVER)) {
-            $str = "";
-        } else if ($_SERVER['REQUEST_METHOD'] == 'GET') {
-            $str = $_SERVER['QUERY_STRING'];
-        } else if ($_SERVER['REQUEST_METHOD'] == 'POST') {
+            // Do nothing.
+        } else {
+          // XXX HACK FIXME HORRIBLE.
+          //
+          // POSTing to a URL with query parameters is acceptable, but
+          // we don't have a clean way to distinguish those parameters
+          // when we need to do things like return_to verification
+          // which only want to look at one kind of parameter.  We're
+          // going to emulate the behavior of some other environments
+          // by defaulting to GET and overwriting with POST if POST
+          // data is available.
+          $data = Auth_OpenID::params_from_string($_SERVER['QUERY_STRING']);
+
+          if ($_SERVER['REQUEST_METHOD'] == 'POST') {
             $str = file_get_contents('php://input');
 
             if ($str === false) {
-                return array();
+              $post = array();
+            } else {
+              $post = Auth_OpenID::params_from_string($str);
             }
-        } else {
-            return array();
+
+            $data = array_merge($data, $post);
+          }
         }
 
+        return $data;
+    }
+
+    function params_from_string($str)
+    {
         $chunks = explode("&", $str);
 
         $data = array();