dani/lemonldap-ng
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix regression in #2085 (#2224)

Browse Source 
Clearing all hidden form values was a mistake as it breaks SAML when the
redirection URL contains a query string. We should keep existing hidden
fields. In the context of OIDC request, we clear them before redirection
to avoid #2085
This commit is contained in:
Maxime Besson 2020-05-28 19:15:04 +02:00
parent 827d06cded
commit 33a5496e55
2 changed files with 27 additions and 25 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm
View File

@ -707,10 +707,7 @@ sub run {
$session_state $session_state
); );
$self->logger->debug("Redirect user to $response_url"); return $self->_redirectToUrl($req, $response_url);
$req->urldc($response_url);
return PE_REDIRECT;
} }
# Implicit Flow # Implicit Flow
@ -780,10 +777,7 @@ sub run {
$session_state $session_state
); );
$self->logger->debug("Redirect user to $response_url"); return $self->_redirectToUrl($req, $response_url);
$req->urldc($response_url);
return PE_REDIRECT;
} }
# Hybrid Flow # Hybrid Flow
@ -885,9 +879,7 @@ sub run {
$session_state $session_state
); );
$self->logger->debug("Redirect user to $response_url"); return $self->_redirectToUrl($req, $response_url);
$req->urldc($response_url);
return PE_REDIRECT;
} }
$self->logger->debug("None flow has been selected"); $self->logger->debug("None flow has been selected");
@ -969,9 +961,7 @@ sub run {
$self->buildLogoutResponse( $post_logout_redirect_uri, $self->buildLogoutResponse( $post_logout_redirect_uri,
$state ); $state );
$self->logger->debug("Redirect user to $response_url"); return $self->_redirectToUrl($req, $response_url);
$req->urldc($response_url);
return PE_REDIRECT;
} }
return $req->param('confirm') == 1 return $req->param('confirm') == 1
? ( $err ? $err : PE_LOGOUT_OK ) ? ( $err ? $err : PE_LOGOUT_OK )
@ -2323,4 +2313,15 @@ sub _generateIDToken {
return $self->createIDToken( $id_token_payload_hash, $rp ); return $self->createIDToken( $id_token_payload_hash, $rp );
} }
sub _redirectToUrl {
my ($self, $req, $response_url) = @_;
# We must clear hidden form fields saved from the request (#2085)
$self->p->clearHiddenFormValue($req);
$self->logger->debug("Redirect user to $response_url");
$req->urldc($response_url);
return PE_REDIRECT;
}
1; 1;

23
lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Display.pm
View File

@ -524,19 +524,20 @@ sub buildOutgoingHiddenForm {
my ( $self, $req, $method ) = @_; my ( $self, $req, $method ) = @_;
my @keys = keys %{ $req->{portalHiddenFormValues} }; my @keys = keys %{ $req->{portalHiddenFormValues} };
# Redirection URL contains query string. Before displaying a form, if ( lc $method eq 'get' ) {
# we must set the query string parameters as form fields so they can my $uri = URI->new( $req->{urldc} );
# be preserved #2085 my %query_params = $uri->query_form;
my $uri = URI->new( $req->{urldc} ); # Redirection URL contains query string. Before displaying a form,
my %query_params = $uri->query_form; # we must set the query string parameters as form fields so they can
if (%query_params) { # be preserved #2085
$self->logger->debug( if (%query_params) {
$self->logger->debug(
"urldc contains query parameters, setting them as hidden form values" "urldc contains query parameters, setting them as hidden form values"
); );
$self->clearHiddenFormValue($req); foreach ( keys %query_params ) {
foreach ( keys %query_params ) { $self->setHiddenFormValue( $req, $_, $query_params{$_}, "", 0 );
$self->setHiddenFormValue( $req, $_, $query_params{$_}, "", 0 ); }
} }
} }