SimpleID: Invalid OpenID message

SimpleID, my preferred self-hosted OpenID server software, unnerved me for quite a while with the following error message:

HTTP/1.1 400 Bad Request

error:Invalid OpenID message.
ns:http://specs.openid.net/auth/2.0

This happened after I entered username and password to log into SimpleID, before getting redirected back to the application I wanted to login originally.

Navigating back and reloading that page always worked, but it wasn't nice to get that message in the first way.

Debugging

I expected the worst after my last OpenID debugging session, but this time it was quite simple.

At first I compared the GET variables that got sent to the login form URL with the ones that were in the POST data when submitting the form. They were equal, although I would have thought otherwise because of the Invalid OpenID message error.

The next step was to find out where this error is being thrown, which was only two nearby lines of code, of which one could be ruled out by thinking. The apparent reason for the error was that $request['openid.mode'] was not set - which is strange, because the POST data definitely contained it.

The situation was now the following:

I suspected an error with the Apache rewrite rule, but investigating that didn't yield any results: The rules were fine.

What else could it be? phpinfo() showed me the un-rewritten $_SERVER["REQUEST_URI"], and the rewritten $_SERVER["QUERY_STRING"] completely with the s parameter.

This means that stripping the s parameter happened in PHP itself, and not somewhere earlier. Placing a var_dump($_GET); at the beginning of index.php also showed that s was missing.

Now I remembered Suhosin, any my earlier problems with it. phpinfo() showed me a list of settings, one with the name

suhosin.get.max_value_length => 512

There it was: s was some 600 bytes long, and Suhosin simply stripped it away. After modifying php.ini and reloading Apache, the error was gone.

Fin

After discovering the problem's source, I made a patch for SimpleID that checks the suhosin.get.max_value_length setting and opened a bug report for it.

Now I also know that Suhosin reports the error in /var/log/syslog (where nobody looks for apache-related errors):

suhosin[12345]: ALERT -
configured GET variable value length limit exceeded - dropped variable 's'
(attacker '1.2.3.4', file '/path/to/id.cweiske.de/index.php')

Written by Christian Weiske.

Comments? Please send an e-mail. Or Reply or Like.