Subject: GET value for service not escaped
Date: Wed, 07 Nov 2007 15:40:48 +0100
To: bug-Apache2-AuthCAS [...] rt.cpan.org
From: David Westlund <david [...] stickybit.se>
AuthCAS version: 0.1
Perl version: 5.8.7
OS: Ubuntu 6.06, kernel Linux 2.6.15-28-server.
The value returned by the method this_url is escaped in some cases and
not in others. That value is then, in some cases, sent as the value of
the GET parameter service.
For example, suppose that you visit "https://service.com/strange url!",
which is protected by Apache2::AuthCAS, for the first time. You are
redirected to the CAS login page. After login, you are redirected to:
https://service.com/strange url!?ticket=<ticket value>
Since you have only just logged in, the cookie for Apache2::AuthCAS is
not yet set. However, there is a ticket. The method validate_service_ticket
will thus be called from the method authenticate at line 214, with the
ticket as its parameter.
validate_service_ticket now makes a request to the CAS authentication
service, setting the GET parameter service to
https://service.com/strange url! and ticket to the ticket value. Without
escaping the URL, the call would be:
<ServiceValidateUri>?service=https://service.com/strange url!&ticket=<ticket>
There is, however, no guarantee that the CAS service will interpret this
URL correctly.
The solution is to change this_url to always return an unescaped string,
and then escape the result in cases where it is used as a GET value.
The following patch seems to solve the problem:
--
363a364
> $service = uri_escape($service);
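Review bot: the value escaped here must be the raw (unescaped) URL that this_url returns after the change at line 842; if $service at this point can also arrive already percent-encoded (for example read back from the request's own query string), uri_escape() will double-encode it (%20 becomes %2520) and the service sent to serviceValidate will no longer match the one sent in the login redirect. Since the ticket is appended to the same query string, apply uri_escape() to the ticket value as well so both parameters are built the same way.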
385a387
> $service = uri_escape($service);
427a430
> $service = uri_escape($service);
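Review bot: this is the third identical copy of `$service = uri_escape($service);` (lines 364, 387 and 430); now that this_url no longer escapes for its callers, every call site that builds a query string must remember this line, so factoring it into one small helper that returns the ready-to-use `service=` value would keep future call sites from silently regressing to the unescaped form.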
842c845
< return uri_escape($service);
---
> return $service;
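Review bot: dropping uri_escape() from this return changes the contract of this_url for every caller, not only the three patched above; any other caller that concatenates the result straight into a query string or a Location header now emits an unescaped URL where it previously received an escaped one, so all call sites of this_url should be checked before this is applied. The new contract (this_url returns the raw URL; escape at the point of use) is not documented anywhere in the patch, so a comment above the sub would help. As the patch is a bare normal-format diff with no file name and no context lines, a unified diff (diff -u) would also make it safer to apply against other versions of the module.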
--
Regards,
David Westlund
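As an added illustration (not part of this report and not Apache2::AuthCAS code), the following Perl script builds the login redirect and the serviceValidate request the way the patched code does: this_url returns the raw URL, and uri_escape() is applied only where the value becomes a GET parameter. It then checks that the service value round-trips through the CAS side and shows why the pre-patch double escaping breaks that round trip. The CAS endpoints, the sub names and the ticket are assumed or constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use URI::Escape qw(uri_escape uri_unescape);

# Assumed CAS endpoints and constructed sample values; not taken from the module.
my $CAS_LOGIN    = 'https://cas.example.org/cas/login';
my $CAS_VALIDATE = 'https://cas.example.org/cas/serviceValidate';
my $SERVICE      = 'https://service.com/strange url!';  # the URL from the report
my $TICKET       = 'ST-1234-constructed';               # constructed sample ticket

# Post-patch contract of this_url: return the raw, unescaped URL.
sub this_url { return $SERVICE }

# Escape only at the point where the value becomes a GET parameter value.
sub login_redirect_url {
    my ($service) = @_;
    return "$CAS_LOGIN?service=" . uri_escape($service);
}

sub validate_url {
    my ($service, $ticket) = @_;
    return "$CAS_VALIDATE?service=" . uri_escape($service)
         . '&ticket='               . uri_escape($ticket);
}

# Extract and decode the service value as the CAS server would see it.
sub service_param {
    my ($url) = @_;
    my ($raw) = $url =~ /[?&]service=([^&]*)/;
    return defined $raw ? uri_unescape($raw) : undef;
}

my $login    = login_redirect_url(this_url());
my $validate = validate_url(this_url(), $TICKET);
print "$login\n$validate\n";

# The service sent at login must equal the service sent at validation,
# and the CAS server must recover the original URL intact.
die "service value differs between login and validation\n"
    unless service_param($login) eq service_param($validate);
die "service parameter did not round-trip\n"
    unless service_param($validate) eq this_url();

# Pre-patch failure mode: this_url already escaped and a caller escaped again,
# so a space becomes %2520 and a single unescape no longer yields the URL.
my $double = uri_escape(uri_escape(this_url()));
die "double escaping should not round-trip\n"
    if uri_unescape($double) eq this_url();
```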