Bug #45581

Lasso fails to properly escape single quotes in RelayState

Added by Emmanuel Dreyfus about 2 years ago. Updated about 1 year ago.

Status: Closed
Priority: Normal
Category: Core
Target version:
Start date: 30 July 2020
Due date:
% Done: 0%
Estimated time:
Patch proposed: Yes
Planning: No

Description

lasso uses libxml2's xmlURIEscapeStr() to URL-encode parameters in query strings. This function implements RFC 2396 URL encoding, which does not mandate escaping the single quote. As a result, lasso produces RelayState parameters with single quotes unescaped in the query string.

Unfortunately, browsers automatically replace single quotes in the query string with %27. The IdP gets a RelayState where the single quote was replaced by %27, while the signature is based on a RelayState containing an unescaped single quote. This causes the IdP to reject the request because the signature does not match.

The proposed fix in the attached patch is to implement RFC 3986 compliant URL encoding, where all characters except the unreserved class [A-Za-z0-9._~-] are escaped. This is done in a lasso_xmlURIEscapeStr() function which is a drop-in replacement for xmlURIEscapeStr().


Files

rfc3986.patch (6.18 KB) Emmanuel Dreyfus, 30 July 2020 03:25 AM
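An added example, not lasso's lasso_xmlURIEscapeStr() and not the attached patch: a small C percent-encoder that escapes every byte outside the unreserved class [A-Za-z0-9._~-] described above, so a single quote is already %27 in the string that gets signed. The function name rfc3986_escape and the sample RelayState value are assumptions made for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* RFC 3986 section 2.3 "unreserved": ALPHA / DIGIT / "-" / "." / "_" / "~" */
static int is_unreserved(unsigned char c)
{
    return (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
           (c >= '0' && c <= '9') ||
           c == '-' || c == '.' || c == '_' || c == '~';
}

/* Hypothetical helper: percent-encode every byte outside the unreserved set.
 * Returns a malloc()ed string the caller must free, or NULL on failure. */
char *rfc3986_escape(const char *in)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t len, i, o = 0;
    char *out;
    if (in == NULL || strlen(in) > (SIZE_MAX - 1) / 3)
        return NULL;                 /* 3 * len + 1 must not overflow */
    len = strlen(in);
    out = malloc(3 * len + 1);       /* worst case: every byte becomes %XX */
    if (out == NULL)
        return NULL;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)in[i];
        if (is_unreserved(c)) {
            out[o++] = (char)c;
        } else {
            out[o++] = '%';
            out[o++] = hex[c >> 4];
            out[o++] = hex[c & 0x0F];
        }
    }
    out[o] = '\0';
    return out;
}

int main(void)
{
    char *e = rfc3986_escape("it's/a test");  /* constructed sample value */
    if (e == NULL) return 1;
    printf("RelayState=%s\n", e);
    free(e);
    return 0;
}
```

Because nothing outside the unreserved class is left raw, a browser that rewrites the single quote to %27 has nothing left to change, and the query string the IdP verifies is byte-identical to the one that was signed.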

Associated revisions

Revision 0b742b1f (diff)
Added by Benjamin Dauvergne about 2 years ago

tools: reimplement xmlURIEscapeStr to respect RFC3986 (#45581)

Bugfix by Emmanuel Dreyfus.

License: MIT

History

#1

Updated by Benjamin Dauvergne about 2 years ago

  • Assignee set to Benjamin Dauvergne

#2

Updated by Benjamin Dauvergne about 2 years ago

I need a statement here that you contribute under MIT license then I will commit your patch with attribution.

#3

Updated by Benjamin Dauvergne about 2 years ago

  • Status changed from New to Solution validated

#4

Updated by Benjamin Dauvergne about 2 years ago

  • Target version changed from future to 2.6.2

#5

Updated by Emmanuel Dreyfus about 2 years ago

> I need a statement here that you contribute under MIT license then I will
> commit your patch with attribution.

I contribute the patch under MIT license.

#6

Updated by Benjamin Dauvergne about 2 years ago

  • Status changed from Solution validated to Resolved (to be deployed)

commit 390d306e6e87619bd56f766897332d76f81ddd39
Author: Benjamin Dauvergne <bdauvergne@entrouvert.com>
Date:   Tue Aug 11 11:30:51 2020 +0200

    tools: reimplement xmlURIEscapeStr to respect RFC3986 (#45581)

    Bugfix by Emmanuel Dreyfus.

    License: MIT
#7

Updated by Benjamin Dauvergne about 1 year ago

  • Status changed from Resolved (to be deployed) to Closed
