
0001-saml2-only-allow-local-URLs-as-redirections-43279.patch

Frédéric Péters, 25 mai 2020 17:33



Subject: [PATCH] saml2: only allow local URLs as redirections (#43279)

 tests/test_saml_auth.py | 14 ++++++++++++--
 wcs/qommon/saml2.py     |  3 +++
 2 files changed, 15 insertions(+), 2 deletions(-)
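--- a/tests/test_saml_auth.py
+++ b/tests/test_saml_auth.py
@@ -18,6 +18,7 @@
 from wcs.qommon.saml2 import Saml2Directory
 from wcs.qommon.ident.idp import MethodAdminDirectory, AdminIDPDir
 from wcs.qommon import sessions, x509utils
+from wcs.qommon.errors import RequestError
 from wcs.roles import Role
 
 from utilities import get_app, create_temporary_pub, clean_temporary_pub
@@ -303,12 +304,21 @@
 
 def test_assertion_consumer_full_url_redirect_after_url(pub):
     req = get_assertion_consumer_request(pub)
-    req.form['RelayState'] = 'http://example.org/foobar/?test=ok'
+    req.form['RelayState'] = 'http://example.net/foobar/?test=ok'
     saml2 = Saml2Directory()
     saml_response_body = req.form['SAMLResponse']
     body = saml2.assertionConsumerPost()
     assert req.response.status_code == 303
-    assert req.response.headers['location'] == 'http://example.org/foobar/?test=ok'
+    assert req.response.headers['location'] == 'http://example.net/foobar/?test=ok'
+
+
+def test_assertion_consumer_external_url_redirect_after_url(pub):
+    req = get_assertion_consumer_request(pub)
+    req.form['RelayState'] = 'http://example.org/foobar/?test=ok'
+    saml2 = Saml2Directory()
+    saml_response_body = req.form['SAMLResponse']
+    with pytest.raises(RequestError):
+        body = saml2.assertionConsumerPost()
 
 
 def test_saml_login_page(pub):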
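Review bot: The added `test_assertion_consumer_external_url_redirect_after_url` exercises only a wholly foreign host (`example.org`), so the boundary that the new prefix check in `wcs/qommon/saml2.py` depends on — a RelayState whose host merely has the configured hostname as a prefix — has no regression test; a second `pytest.raises(RequestError)` case with such a host would pin the intended behaviour rather than only the obvious one. Both tests also bind names they never read (`saml_response_body`, and `body` inside the `with` block of the new test); a bare `saml2.assertionConsumerPost()` statement reads cleaner. Which host the fixture treats as local (`example.net`, judging by the rewritten expected `location`) is configured outside the hunk, so this assumes the new test runs under the same fixture.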
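--- a/wcs/qommon/saml2.py
+++ b/wcs/qommon/saml2.py
@@ -355,6 +355,9 @@
             netloc = parsed_url.netloc or request.get_server()
             after_url = urlparse.urlunsplit((scheme, netloc, parsed_url.path, parsed_url.query,
                                              parsed_url.fragment))
+            if not (after_url.startswith(get_publisher().get_backoffice_url()) or
+                    after_url.startswith(get_publisher().get_frontoffice_url())):
+                raise errors.RequestError()
         else:
             after_url = get_publisher().get_frontoffice_url()
         response.set_status(303)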
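Review bot: The new guard at the added `if not (after_url.startswith(...) or ...)` lines validates the redirect target by plain string prefix, which is only as strict as the configured base URLs: if `get_frontoffice_url()` or `get_backoffice_url()` returns a bare origin without a trailing slash, any absolute URL whose host merely begins with the configured hostname also passes, which is the same open-redirect class the commit sets out to close. Since `scheme` and `netloc` are already split out just above, comparing parsed components is more robust than prefix matching: `allowed = {(u.scheme, u.netloc) for u in map(urlparse.urlsplit, (get_publisher().get_backoffice_url(), get_publisher().get_frontoffice_url()))}` followed by `if (scheme, netloc) not in allowed: raise errors.RequestError()`. Whether those base URLs carry a trailing slash, and where `scheme` comes from, are not visible in the hunk (the enclosing function starts and ends outside it), so confirm that before keeping the prefix form. A one-line comment above the check, `# Only redirect back to this site's own front/back office; anything else would be an open redirect`, would record the intent for the next reader.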
361
-