Added the following patch from the [email protected] mailing list:

http://lists.openidenabled.com/pipermail/dev/attachments/20080821/1eded806/attachment-0001.bin

Original Message:
will at willnorris.com
Thu Aug 21 18:43:28 PDT 2008
darcs patch: seperate provider and consumer xrds types

	"Currently, the five OpenID Provider service types (OpenID 1.0 - 1.2, and the two for OpenID 2.0) are combined with the one OpenID Consumer service type (return_to).  This causes a potential false positive when performing discovery on an endpoint.  If a php-openid consumer performs discovery on another consumer which has a published return_to service type, php-openid will think it is a valid OpenID Server service type and send an authentication request to the URI.  Similarly, when checking the return_to URL of a consumer, if the consumer has any of the OpenID Server service types published, a php-openid server object will try to treat one of those URIs as a published return_to URL.

	This scenario is actually fairly common... many personal blogs serve as both an OpenID Server (for the blog owner) as well as an OpenID consumer (for people who comment on the blog)."

This patch was in the form of a Darcs patch, not a normal patch.  So solve this, I applied it to the Darcs repository found on openidenabled, then created a new diff file between the original Darcs repo and the new one (with the patch applied) so that I could apply it to this git repo.

It should be noted that all 3 hunks for Discover.php and the 1st hunk for TrustRoot.php were applied successfully, but the second hunk for TrustRoot failed.  It seems that all it was doing was removing trailing endlines from the file, so I think it should be ok.

Author: Lilli

Auth/OpenID/Discover.php

@@ -28,8 +28,12 @@ function Auth_OpenID_getOpenIDTypeURIs()
                  Auth_OpenID_TYPE_2_0,
                  Auth_OpenID_TYPE_1_2,
                  Auth_OpenID_TYPE_1_1,
-                 Auth_OpenID_TYPE_1_0,
-                 Auth_OpenID_RP_RETURN_TO_URL_TYPE);
+                 Auth_OpenID_TYPE_1_0);
+}
+
+function Auth_OpenID_getOpenIDConsumerTypeURIs()
+{
+    return array(Auth_OpenID_RP_RETURN_TO_URL_TYPE);
 }
 
 
@@ -193,6 +197,25 @@ function getLocalID()
         }
     }
 
+    /*
+     * Parse the given document as XRDS looking for OpenID consumer services.
+     *
+     * @return array of Auth_OpenID_ServiceEndpoint or null if the
+     * document cannot be parsed.
+     */
+    function consumerFromXRDS($uri, $xrds_text)
+    {
+        $xrds =& Auth_Yadis_XRDS::parseXRDS($xrds_text);
+
+        if ($xrds) {
+            $yadis_services =
+              $xrds->services(array('filter_MatchesAnyOpenIDConsumerType'));
+            return Auth_OpenID_makeOpenIDEndpoints($uri, $yadis_services);
+        }
+
+        return null;
+    }
+
     /*
      * Parse the given document as XRDS looking for OpenID services.
      *
@@ -340,6 +363,19 @@ function filter_MatchesAnyOpenIDType(&$service)
     return false;
 }
 
+function filter_MatchesAnyOpenIDConsumerType(&$service)
+{
+    $uris = $service->getTypes();
+
+    foreach ($uris as $uri) {
+        if (in_array($uri, Auth_OpenID_getOpenIDConsumerTypeURIs())) {
+            return true;
+        }
+    }
+
+    return false;
+}
+
 function Auth_OpenID_bestMatchingService($service, $preferred_types)
 {
     // Return the index of the first matching type, or something

Auth/OpenID/TrustRoot.php

@@ -401,7 +401,7 @@ function Auth_OpenID_getAllowedReturnURLs($relying_party_url, &$fetcher,
         $discover_function = array('Auth_Yadis_Yadis', 'discover');
     }
 
-    $xrds_parse_cb = array('Auth_OpenID_ServiceEndpoint', 'fromXRDS');
+    $xrds_parse_cb = array('Auth_OpenID_ServiceEndpoint', 'consumerFromXRDS');
 
     list($rp_url_after_redirects, $endpoints) =
         Auth_Yadis_getServiceEndpoints($relying_party_url, $xrds_parse_cb,