The OpenID security fix for the impersonation issue in SA-CORE-2015-002 was committed without tests.

It would be useful to have regression tests for this security vulnerability.

If someone wants to work on this, we could probably copy some more technical details about the vulnerability into this issue (at least after a sufficient time has passed for people to update their sites, so that we're not revealing information that would help an attacker)...

For reference in the meantime: