Bug #45581

Lasso fails to properly escape single quotes in RelayState

Added by Emmanuel Dreyfus 6 days ago.

Status: New
Priority: Normal
Assignee: -
Category: Core
Target version:
Start date: 30 Jul 2020
Due date:
% Done: 0%
Patch proposed: Yes
Planning: No

Description

lasso uses libxml2's xmlURIEscapeStr() to URL-encode parameters in query strings. This function implements RFC 2396 URL encoding, which does not mandate escaping the single quote. As a result, lasso produces RelayState parameters with single quotes unescaped in the query string.

Unfortunately, browsers automatically replace single quotes in the query string with %27. The IdP gets a RelayState where the single quote was replaced by %27, while the signature is based on a RelayState containing an unescaped single quote. This causes the IdP to reject the request because the signature does not match.

The proposed fix in the attached patch is to implement RFC 3986 compliant URL encoding, where all characters except the unreserved class [A-Za-z0-9._~-] are escaped. This is done in a lasso_xmlURIEscapeStr() function, which is a drop-in replacement for xmlURIEscapeStr().

rfc3986.patch View (6.18 KB) Emmanuel Dreyfus, 30 Jul 2020 03:25 AM
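
The difference between the two character sets, as an added stand-alone example (not the attached patch, lasso's code or libxml2's implementation). The function names, the `*_KEEP` tables and the sample RelayState are assumptions made for illustration, and the browser is modelled only as far as the report describes it: a raw `'` arrives as `%27`.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Punctuation left unescaped besides ASCII letters and digits.
 * RFC 2396 "mark" includes the single quote; RFC 3986 "unreserved" does not. */
static const char RFC2396_KEEP[] = "-_.!~*'()";
static const char RFC3986_KEEP[] = "-._~";

static int is_alnum_ascii(unsigned char c) {
    return (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') || (c >= '0' && c <= '9');
}

/* Percent-encode every byte of `in` that is neither alphanumeric nor in `keep`.
 * Returns a malloc()ed string (caller frees) or NULL on allocation failure. */
char *pct_encode(const char *in, const char *keep) {
    static const char hex[] = "0123456789ABCDEF";
    char *out = malloc(3 * strlen(in) + 1), *p = out; /* worst case: all %XX */
    if (out == NULL) return NULL;
    for (; *in != '\0'; in++) {
        unsigned char c = (unsigned char)*in;
        if (is_alnum_ascii(c) || strchr(keep, c) != NULL) *p++ = (char)c;
        else { *p++ = '%'; *p++ = hex[c >> 4]; *p++ = hex[c & 0x0F]; }
    }
    *p = '\0';
    return out;
}

/* Model of the browser behaviour the report describes: a literal ' in the
 * query string reaches the IdP as %27. Returns 1 if the bytes the IdP
 * receives equal the bytes that were signed, 0 if not, -1 on error. */
int signed_bytes_survive(const char *relay_state, const char *keep) {
    char *sent = pct_encode(relay_state, keep);
    if (sent == NULL) return -1;
    int same = strchr(sent, '\'') == NULL; /* any raw quote gets rewritten */
    free(sent);
    return same;
}

int main(void) {
    const char *rs = "https://sp.example/cb?user=O'Brien"; /* constructed sample */
    char *old = pct_encode(rs, RFC2396_KEEP), *fix = pct_encode(rs, RFC3986_KEEP);
    if (!old || !fix) return 1;
    printf("RFC 2396: %s (survives: %d)\nRFC 3986: %s (survives: %d)\n", old,
           signed_bytes_survive(rs, RFC2396_KEEP), fix, signed_bytes_survive(rs, RFC3986_KEEP));
    free(old); free(fix);
    return 0;
}
```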
