File tree Expand file tree Collapse file tree 4 files changed +57
-5
lines changed Expand file tree Collapse file tree 4 files changed +57
-5
lines changed Original file line number Diff line number Diff line change 3131 'attributes_to_transfer ' => ['cn ' ],
3232 ],
3333 ],
34+ // Don't use php or SSP's built in methods for constructing queries. Default is false
35+ // Enabling this redirects the user back to the service with the exact service url provided.
36+ 'noReencode ' => false ,
3437
3538 'legal_target_service_urls ' => [
3639 //Any target service url string matching any of the following prefixes is accepted
Original file line number Diff line number Diff line change 2727 '|https://override.example.com/| ' => [
2828 'attrname ' => 'uid ' ,
2929 'attributes_to_transfer ' => ['cn ' ],
30+ ],
31+ 'https://buggy.edu ' => [
32+ // Don't use php or SSP's built in methods for constructing queries.
33+ 'noReencode ' => true
3034 ]
3135 ],
3236
Original file line number Diff line number Diff line change @@ -151,6 +151,43 @@ public function testValidServiceUrl()
151151 );
152152 }
153153
154+ /**
155+ * Some clients don't correctly encode query parameters that are part their service
156+ * urls or encode a space in a different way then SSP will in a redirect. This workaround
157+ * is to allow those clients to work
158+ * @dataProvider buggyClientProvider
159+ * @return void
160+ */
161+ public function testBuggyClientBadUrlEncodingWorkAround ($ service_url
162+ {
163+ $ this authenticate ();
164+
165+ /** @var array $resp */
166+ $ resp$ this server ->get (
167+ self ::$ LINK_URL
168+ ['service ' => $ service_url
169+ [
170+ CURLOPT_COOKIEJAR => $ this cookies_file ,
171+ CURLOPT_COOKIEFILE => $ this cookies_file
172+ ]
173+ );
174+ $ this assertEquals (302 , $ resp'code ' ]);
175+
176+ $ this assertStringStartsWith (
177+ $ service_url'?ticket=ST- ' ,
178+ $ resp'headers ' ]['Location ' ],
179+ 'Ticket should be part of the redirect. '
180+ );
181+ }
182+
183+ public function buggyClientProvider (): array
184+ {
185+ return [
186+ ['https://buggy.edu/kc/portal.do?solo&ct=Search%20Prot&curl=https://kc.edu/kc/IRB.do?se=1875*&runSearch=1 ' ],
187+ ['https://buggy.edu/kc ' ],
188+ ];
189+ }
190+
154191
155192 /**
156193 * Test outputting user info instead of redirecting
Original file line number Diff line number Diff line change 2828 * language
2929 */
3030
31+ use SimpleSAML \Configuration ;
32+ use SimpleSAML \Locale \Language ;
33+ use SimpleSAML \Logger ;
34+ use SimpleSAML \Module ;
3135use SimpleSAML \Module \casserver \Cas \AttributeExtractor ;
3236use SimpleSAML \Module \casserver \Cas \Protocol \SamlValidateResponder ;
3337use SimpleSAML \Module \casserver \Cas \ServiceValidator ;
3438use SimpleSAML \Module \casserver \Cas \Ticket \TicketFactory ;
3539use SimpleSAML \Module \casserver \Cas \Ticket \TicketStore ;
36- use SimpleSAML \Configuration ;
37- use SimpleSAML \Locale \Language ;
38- use SimpleSAML \Logger ;
39- use SimpleSAML \Module ;
4040use SimpleSAML \Session ;
4141use SimpleSAML \Utils \HTTP ;
4242
210210 echo '<pre> ' . htmlspecialchars ($ casResponse'</pre> ' ;
211211 }
212212 } elseif ($ redirect
213- HTTP ::redirectTrustedURL (HTTP ::addURLParameters ($ _GET 'service ' ], $ parameters
213+ if ($ casconfiggetBoolean ('noReencode ' , false )) {
214+ // Some client encode query params wrong, and calling HTTP::addURLParameters
215+ // will reencode them resulting in service mismatches
216+ $ extraParamshttp_build_query ($ parameters
217+ $ redirectUrl$ _GET 'service ' ] . (strpos ('? ' , $ _GET 'service ' ]) === false ? '? ' : '& ' ) . $ extraParams
218+ HTTP ::redirectTrustedURL ($ redirectUrl
219+ } else {
220+ HTTP ::redirectTrustedURL (HTTP ::addURLParameters ($ _GET 'service ' ], $ parameters
221+ }
214222 } else {
215223 HTTP ::submitPOSTData ($ _GET 'service ' ], $ parameters
216224 }
You can’t perform that action at this time.
0 commit comments