Option to redirect to exact service url #25
Conversation
|
Code-wise I have no remarks, but not sure if we should jump through flaming hoops to facilitate bad client-behaviour... |
|
Thanks for the read through. As to whether the module should support this... we ( Cirrus ) need to have more parity between this module and the behavior of Shib CAS and Jasig CAS since we've transitioned customers from both of those to SSP, and this is one area where we've encountered issues. Also seems like other people have addressed it with their own local patches (https://groups.google.com/forum/#!searchin/simplesamlphp/cas|sort:date/simplesamlphp/2J7BxXsVfkk/zzRttynxBAAJ). |
|
Is there a way we can detect this case and automate the fix, instead of adding a config flag? |
|
I guess one could argue, why are we (in the HTTP utils) even parsing and re-encoding the provided url rather than just redirect back to it? For example if the client provided a valid query string with I suspect we will make this flag 'on' for all our deployments (eventually). |
|
I realized my fix doesn’t handle a #fragment correctly. I think I’ll switch
to the sample code from the forum post I linked earlier.
…On Thu, Aug 29, 2019 at 5:34 PM Tim van Dijen ***@***.***> wrote:
Is there a way we can detect this case and automate the fix, instead of
adding a config flag?
If not, then let's merge it as is..
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#25?email_source=notifications&email_token=AAHDYRTISIRW7SBLIEBFLX3QHBFGDA5CNFSM4ISEHKZ2YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOD5QAN6I#issuecomment-526386937>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAHDYRXUCOJTIPIDLCFVZGDQHBFGDANCNFSM4ISEHKZQ>
.
|
|
Well, we could consider adding an enc_type to the http_build_query call in HTTP::addURLParameters? Would that solve your problem? Perhaps @jaimeperez has a suggestion... One thing I overlooked last night is that you're changing the default behaviour here by defaulting the new option to |
|
I share your pain @pradtke, but at the same time it makes me slightly nervous to introduce complexity just to deal with entities not working properly... |
pradtke
force-pushed
the
bug/re-encode-workaround
branch
from
fa13ceb to
d64485f
Compare
|
I think my describing this as buggy client was a bad idea.... buggy client is not the only cause.
|
|
1 & 2 we should be able to fix.. |
|
We've been analyzing our CAS service urls the last two weeks and there is one more case where there is ambiguity in re-encoding, specifically if percent encodings are case sensitive. Some .net based clients use lowercase percent encodings, while if php re-encodes the query parameter it uses upper case, resulting in a mismatch. |
tvdijen
force-pushed
the
master
branch
2 times, most recently
from
656286c to
c53489f
Compare
Some clients will encode query parameters in their service url incorrectly. If SSP/php's query builder utils are used then the service url is parsed, and reconstructed differently then what is stored in the ticket. Sometimes badly encoded parameters are lost. Example: should space in a query param be encoded as '+' or '%20'
pradtke
force-pushed
the
bug/re-encode-workaround
branch
from
d64485f to
3a818c2
Compare
There are too many cases where SSP's redirect changes the service url in ways that make future exact matches fail. As such change is to always user the alternate method.
|
I've rebased changes on master, adjusted some of the test and comments to reflect encoding issues with lower case hexadecimal and multiple query params with the same name (not just badly encoded urls). I also removed the option to use the old behavior (have SSP re-encode the url) since that encodes problematically in about 1% of our traffic (about 500,000 cas logins across ~10 schools since the PR was created). The newer way (similar to Jasig's CAS server's way) handle the traffic without issue. @tvdijen If your feelings on having this merged in have changed since the summer, let me know and I'll do a squash and merge. If you still think it shouldn't be merged then I'll leave it here as a PR so that anyone else encountering similar issues can download and apply as a patch. thanks |
|
I'd like to know what @jaimeperez feels about solving 1 & 2 in SSP.. |
tvdijen
force-pushed
the
master
branch
8 times, most recently
from
8ea49c8 to
aa07206
Compare
tvdijen
force-pushed
the
master
branch
2 times, most recently
from
f9b6fcf to
747e292
Compare
tvdijen
force-pushed
the
master
branch
4 times, most recently
from
eda4f08 to
4c1267e
Compare
|
How relevant is this in 2021? Not sure why the tests fail either |
|
I reviewed our traffic from today and both Banner and Kuali still send CAS service urls that are "weird" in some way, and require the workaround. I'm unsure if this is because those apps still run the same version as in 2019, or an updated version with the same bugs. We run all our customers with this patch (or some variation of it) enabled. I can look at the cause of the PR checks failure, but probably won't have the time till January. |
tvdijen
force-pushed
the
master
branch
11 times, most recently
from
8019898 to
c28564c
Compare
Some clients will encode query parameters in their service url incorrectly.
If SSP/php's query builder utils are used then the service url is parsed,
and reconstructed differently then what is stored in the ticket. Sometimes
badly encoded parameters are lost.
Example: should space in a query param be encoded as '+' or '%20'