
Commit 3855393

committed
Allow URIs that do not include scheme and host in redirect
1 parent 5185a1a commit 3855393

3 files changed

+82
-1
lines changed


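--- a/lib/Net/SAML2/Binding/Redirect.pm
+++ b/lib/Net/SAML2/Binding/Redirect.pm
@@ -262,7 +262,7 @@ sub verify {
 my ($self, $url) = @_;
 
 # This now becomes the query string
-$url =~ s#^https?://.+\?##;
+$url =~ s#^.*\?##;
 
 my %params = map { split(/=/, $_, 2) } split(/&/, $url);
 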
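Review bot: The new pattern `s#^.*\?##` is greedy, so a URL whose query string itself contains a literal `?` (allowed in the query component by RFC 3986, and plausible in a RelayState that was not fully percent-encoded) is cut at the last `?`, discarding the SAMLResponse, SigAlg and Signature parameters that precede it, and the following `split(/&/, $url)` then sees the wrong parameter set. The non-greedy form `$url =~ s#^.*?\?##;` drops only the prefix up to the first `?`, which is what the comment above it describes; the old `https?://.+\?` had the same greediness, so this is a pre-existing weakness that the relaxed prefix now exposes to any input shape. It would also help to extend the comment with `# a string with no '?' is taken to be the bare query string` since that case is now relied upon by the tests. The enclosing sub verify starts and ends outside this hunk.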
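--- a/t/20-path-only-redirect.t
+++ b/t/20-path-only-redirect.t
@@ -0,0 +1,80 @@
+use strict;
+use warnings;
+use Test::Lib;
+use Test::Net::SAML2;
+use Net::SAML2::Binding::Redirect;
+
+
+my $cacert = << 'CACERT';
+-----BEGIN CERTIFICATE-----
+MIICnTCCAYUCBgF5YqtQBTANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdGb3N3
+aWtpMB4XDTIxMDUxMjIyMTkyNFoXDTMxMDUxMjIyMjEwNFowEjEQMA4GA1UEAwwH
+Rm9zd2lraTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJMGG6jrdadw
+/6rnOAGmNtmdIZy116JyocKlsoxg+iQTlRI2e3gelsiOW7rXNIYHH/f4ozQ8F4ba
+7GxJMNWlrDJFN23Dij521PVqJHsu3ZA8JOP+txMCN22zhCO6OYiWx5P9wm7zWVcf
+g3sS9564LQ4M7JBQ8tDYxY9RLCDR+sNNd0hWm6SrkEyghqbcxNY+rgXfxLBK5eGX
+yX1Zk0NLA5XqRg5a8BDz1oUZ6O4c21tVOvV8vqCUtcnx3hWxcBgXizW8pkSQpQiQ
+96zXquAvDwkLtYnQLV5GQlt6c414A7U4dsAZZCc490rqncfsjDfbFMzj89s/WCtF
+DOzSa163pqECAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAPpeGsBOJN3xGUvtxJqPM
+2ja3g7G7LiOJGvzZSIOFr50baebsoJNRwL2GDfYUTM1SWDz4UHnGebsme5TTmzjV
+O3YEvnOMTtVC6/fYYdouAqIJ+cTmmF3Cxd/tOr5fkaPscB0x0+zqWqgBZLo0FVEC
+DMt+DYk1HaQJPxsAXGahUmIIpfIKO7AUx5tD74PR8XeHWyL0w8jg1h8nVtc49P7h
+08SzmSFY0phJ9plLpSubCsd/1KMPOJ0Dh7kYEaOJOOWwjLggiho5N4KBytpts6HI
+jmPlKvV7UJEAmQykuhO6PyFfGjwXxpYRTtGa3fZQqu6BztRHDSZQfc+K08VTmAjr
+iw==
+-----END CERTIFICATE-----
+CACERT
+
+my $uri = << 'REDIRECT_FULL';
+https://netsaml2-testapp.local/sls-redirect-response?SAMLResponse=jVJda%2BswDP0rxe%2BpXefDiUkKl9sNCtse1rKHvQzZUe5CXTtEDtv%2B%2FdJ2gw3GuG8SOudIR1JNcHSDvgn%2FwhTvkYbgCRevR%2BdJn0sNm0avA1BP2sMRSUerd39ub7RcCj2MIQYbHLtQfgcDEY6xD559afDflA1S7D2ckoY9xziQ5txjPInIJM5VGIalCxYcJ0fJiG0%2Foo1zcHHFFttNw7abp3K1KsoUTVKBgSRr8zwBLFYJlhJkITKQVTuD%2Fec69qFhd1f701DyqeiU6pRUuYKqy2XaCVXYDAvTZqpqK9GlYGxnlWjbKlWlEWlmcmvSrpSmtMLMwkQTbv08r48Nk0LKRJSJFHshtci1zJeFTB%2FZ4gFHOpudF8HW9Zk2rj%2BdH%2FDNugCHi2NdZlnKYYrPfERwR%2BLXgV76Q1%2FzD159OfQuQpzoe%2FY3tLh4ADfh78egM1rvJmuRiPF1zb%2BL8p%2Beaf0O&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=iFglcHV3%2B1CTf7iII1StcDQ1QyfIFCU4%2BuuWsgLFsj4w0KN6te%2FC0SsVWBLg2OAdOzATXQyULiwaH2dq%2F1QIR44ZVJf5cHGiQX0W9blcysCzVzb7fB00mEXTyPdygYk1cip0%2FFNShWodoEUFc1JlD78Nven%2FKJbv8yP3O3igb6A5VEgx0dUtWDiJtyWA7M3pqN%2BWLQux2%2Bg80mZPacbisc%2FJvnoWxgELPwwK1y%2BIFrqstmSTTo919IXCuEBn%2F1m4oEnxCXVaCRRCyDQdDMiEj9J3AaxwYC9czGBK%2FFdkvmmuT8c8CWMAKHrWKn2m%2BeLoPt77Fqu7daBKyT6aa29pTw%3D%3D
+REDIRECT_FULL
+
+my $redirect = Net::SAML2::Binding::Redirect->new(
+cert => $cacert,
+param => 'SAMLResponse',
+);
+
+my ($response, $relaystate) = $redirect->verify($uri);
+
+like($response, qr/urn:oasis:names:tc:SAML:2.0:status:Success/, "Full URI is correct");
+
+$uri = << 'REDIRECT_URI';
+/sls-redirect-response?SAMLResponse=jVJda%2BswDP0rxe%2BpXefDiUkKl9sNCtse1rKHvQzZUe5CXTtEDtv%2B%2FdJ2gw3GuG8SOudIR1JNcHSDvgn%2FwhTvkYbgCRevR%2BdJn0sNm0avA1BP2sMRSUerd39ub7RcCj2MIQYbHLtQfgcDEY6xD559afDflA1S7D2ckoY9xziQ5txjPInIJM5VGIalCxYcJ0fJiG0%2Foo1zcHHFFttNw7abp3K1KsoUTVKBgSRr8zwBLFYJlhJkITKQVTuD%2Fec69qFhd1f701DyqeiU6pRUuYKqy2XaCVXYDAvTZqpqK9GlYGxnlWjbKlWlEWlmcmvSrpSmtMLMwkQTbv08r48Nk0LKRJSJFHshtci1zJeFTB%2FZ4gFHOpudF8HW9Zk2rj%2BdH%2FDNugCHi2NdZlnKYYrPfERwR%2BLXgV76Q1%2FzD159OfQuQpzoe%2FY3tLh4ADfh78egM1rvJmuRiPF1zb%2BL8p%2Beaf0O&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=iFglcHV3%2B1CTf7iII1StcDQ1QyfIFCU4%2BuuWsgLFsj4w0KN6te%2FC0SsVWBLg2OAdOzATXQyULiwaH2dq%2F1QIR44ZVJf5cHGiQX0W9blcysCzVzb7fB00mEXTyPdygYk1cip0%2FFNShWodoEUFc1JlD78Nven%2FKJbv8yP3O3igb6A5VEgx0dUtWDiJtyWA7M3pqN%2BWLQux2%2Bg80mZPacbisc%2FJvnoWxgELPwwK1y%2BIFrqstmSTTo919IXCuEBn%2F1m4oEnxCXVaCRRCyDQdDMiEj9J3AaxwYC9czGBK%2FFdkvmmuT8c8CWMAKHrWKn2m%2BeLoPt77Fqu7daBKyT6aa29pTw%3D%3D
+REDIRECT_URI
+
+$redirect = Net::SAML2::Binding::Redirect->new(
+cert => $cacert,
+param => 'SAMLResponse',
+);
+
+($response, $relaystate) = $redirect->verify($uri);
+
+like($response, qr/urn:oasis:names:tc:SAML:2.0:status:Success/, "Path only URI is correct");
+
+$uri = << 'REDIRECT2_URI';
+SAMLResponse=jVJda%2BswDP0rxe%2BpXefDiUkKl9sNCtse1rKHvQzZUe5CXTtEDtv%2B%2FdJ2gw3GuG8SOudIR1JNcHSDvgn%2FwhTvkYbgCRevR%2BdJn0sNm0avA1BP2sMRSUerd39ub7RcCj2MIQYbHLtQfgcDEY6xD559afDflA1S7D2ckoY9xziQ5txjPInIJM5VGIalCxYcJ0fJiG0%2Foo1zcHHFFttNw7abp3K1KsoUTVKBgSRr8zwBLFYJlhJkITKQVTuD%2Fec69qFhd1f701DyqeiU6pRUuYKqy2XaCVXYDAvTZqpqK9GlYGxnlWjbKlWlEWlmcmvSrpSmtMLMwkQTbv08r48Nk0LKRJSJFHshtci1zJeFTB%2FZ4gFHOpudF8HW9Zk2rj%2BdH%2FDNugCHi2NdZlnKYYrPfERwR%2BLXgV76Q1%2FzD159OfQuQpzoe%2FY3tLh4ADfh78egM1rvJmuRiPF1zb%2BL8p%2Beaf0O&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=iFglcHV3%2B1CTf7iII1StcDQ1QyfIFCU4%2BuuWsgLFsj4w0KN6te%2FC0SsVWBLg2OAdOzATXQyULiwaH2dq%2F1QIR44ZVJf5cHGiQX0W9blcysCzVzb7fB00mEXTyPdygYk1cip0%2FFNShWodoEUFc1JlD78Nven%2FKJbv8yP3O3igb6A5VEgx0dUtWDiJtyWA7M3pqN%2BWLQux2%2Bg80mZPacbisc%2FJvnoWxgELPwwK1y%2BIFrqstmSTTo919IXCuEBn%2F1m4oEnxCXVaCRRCyDQdDMiEj9J3AaxwYC9czGBK%2FFdkvmmuT8c8CWMAKHrWKn2m%2BeLoPt77Fqu7daBKyT6aa29pTw%3D%3D
+REDIRECT2_URI
+
+$redirect = Net::SAML2::Binding::Redirect->new(
+cert => $cacert,
+param => 'SAMLResponse',
+);
+
+($response, $relaystate) = $redirect->verify($uri);
+
+like($response, qr/urn:oasis:names:tc:SAML:2.0:status:Success/, "Parameters only URI is correct");
+
+$uri = << 'REDIRECT3_URI';
+?SAMLResponse=jVJda%2BswDP0rxe%2BpXefDiUkKl9sNCtse1rKHvQzZUe5CXTtEDtv%2B%2FdJ2gw3GuG8SOudIR1JNcHSDvgn%2FwhTvkYbgCRevR%2BdJn0sNm0avA1BP2sMRSUerd39ub7RcCj2MIQYbHLtQfgcDEY6xD559afDflA1S7D2ckoY9xziQ5txjPInIJM5VGIalCxYcJ0fJiG0%2Foo1zcHHFFttNw7abp3K1KsoUTVKBgSRr8zwBLFYJlhJkITKQVTuD%2Fec69qFhd1f701DyqeiU6pRUuYKqy2XaCVXYDAvTZqpqK9GlYGxnlWjbKlWlEWlmcmvSrpSmtMLMwkQTbv08r48Nk0LKRJSJFHshtci1zJeFTB%2FZ4gFHOpudF8HW9Zk2rj%2BdH%2FDNugCHi2NdZlnKYYrPfERwR%2BLXgV76Q1%2FzD159OfQuQpzoe%2FY3tLh4ADfh78egM1rvJmuRiPF1zb%2BL8p%2Beaf0O&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=iFglcHV3%2B1CTf7iII1StcDQ1QyfIFCU4%2BuuWsgLFsj4w0KN6te%2FC0SsVWBLg2OAdOzATXQyULiwaH2dq%2F1QIR44ZVJf5cHGiQX0W9blcysCzVzb7fB00mEXTyPdygYk1cip0%2FFNShWodoEUFc1JlD78Nven%2FKJbv8yP3O3igb6A5VEgx0dUtWDiJtyWA7M3pqN%2BWLQux2%2Bg80mZPacbisc%2FJvnoWxgELPwwK1y%2BIFrqstmSTTo919IXCuEBn%2F1m4oEnxCXVaCRRCyDQdDMiEj9J3AaxwYC9czGBK%2FFdkvmmuT8c8CWMAKHrWKn2m%2BeLoPt77Fqu7daBKyT6aa29pTw%3D%3D
+REDIRECT3_URI
+
+$redirect = Net::SAML2::Binding::Redirect->new(
+cert => $cacert,
+param => 'SAMLResponse',
+);
+
+($response, $relaystate) = $redirect->verify($uri);
+
+like($response, qr/urn:oasis:names:tc:SAML:2.0:status:Success/, "Parameters only begin with '?' URI is correct");
+
+done_testing;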
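Review bot: Every case in this new file asserts only the success path, so nothing checks that a path-only or bare-query URI whose Signature parameter has been altered is still rejected by verify; a regression in which the relaxed prefix stripping mis-splits the signed parameters would not be caught here. One additional case that builds a modified copy of `$uri` and asserts that `verify` dies (a bare `eval { $redirect->verify($bad_uri) }; ok($@, "tampered path-only URI is rejected")` is enough with the modules already loaded) would close that gap. The same `Net::SAML2::Binding::Redirect->new(cert => $cacert, param => 'SAMLResponse')` object is also constructed four times with identical arguments; building it once before the first `verify` call and reusing it would shorten the file without changing what is tested.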

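--- a/xt/testapp/lighttpd.conf
+++ b/xt/testapp/lighttpd.conf
@@ -8,6 +8,7 @@ server.modules = (
 
 server.port = 80
 server.bind = "127.0.0.1"
+server.http-parseopts = ( "url-normalize" => "disable" )
 
 ## enable debugging
 debug.log-file-not-found = "enable"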
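Review bot: The reason for disabling url-normalize is not recorded next to the new line, and a later reader tidying this config may re-enable it. Presumably the intent is that lighttpd hands the percent-encoded SAMLResponse/SigAlg/Signature query string to the test app byte-for-byte, since the redirect binding's signature is verified over the URL-encoded parameters and any re-encoding would break it; if so, a one-line comment above the setting such as `# keep the query string unmodified: the SAML redirect signature covers the URL-encoded parameters` would make that dependency explicit.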
