Fix RelayState encoding in autoPost (#2671)
parent
459cd3b7da
commit
7048354cb6
|
@ -3,6 +3,7 @@ package Lemonldap::NG::Portal::Auth::SAML;
|
|||
use strict;
|
||||
use MIME::Base64 qw/encode_base64/;
|
||||
use Mouse;
|
||||
use HTML::Entities qw(encode_entities);
|
||||
use Lemonldap::NG::Portal::Lib::SAML;
|
||||
use Lemonldap::NG::Common::FormEncode;
|
||||
use Lemonldap::NG::Portal::Main::Constants qw(
|
||||
|
@ -772,8 +773,11 @@ sub extractFormInfo {
|
|||
$req->postFields( { 'SAMLResponse' => $slo_body } );
|
||||
|
||||
# RelayState
|
||||
$req->postFields->{'RelayState'} = $relaystate
|
||||
if ($relaystate);
|
||||
if ($relaystate) {
|
||||
$req->{postFields}->{'RelayState'} =
|
||||
encode_entities($relaystate);
|
||||
$req->data->{safeHiddenFormValues}->{RelayState} = 1;
|
||||
}
|
||||
|
||||
# TODO: verify this
|
||||
push @{ $req->steps }, 'autoPost';
|
||||
|
@ -1132,8 +1136,11 @@ sub extractFormInfo {
|
|||
}
|
||||
|
||||
# RelayState
|
||||
$req->{postFields}->{'RelayState'} = $login->msg_relayState
|
||||
if ( $login->msg_relayState );
|
||||
if ( $login->msg_relayState ) {
|
||||
$req->{postFields}->{'RelayState'} =
|
||||
encode_entities( $login->msg_relayState );
|
||||
$req->data->{safeHiddenFormValues}->{RelayState} = 1;
|
||||
}
|
||||
|
||||
# TODO: verify this
|
||||
$req->steps( ['autoPost'] );
|
||||
|
@ -1394,8 +1401,11 @@ sub authLogout {
|
|||
$req->postFields( { 'SAMLRequest' => $slo_body } );
|
||||
|
||||
# RelayState
|
||||
$req->postFields->{'RelayState'} = $logout->msg_relayState
|
||||
if ( $logout->msg_relayState );
|
||||
if ( $logout->msg_relayState ) {
|
||||
$req->{postFields}->{'RelayState'} =
|
||||
encode_entities( $logout->msg_relayState );
|
||||
$req->data->{safeHiddenFormValues}->{RelayState} = 1;
|
||||
}
|
||||
|
||||
# Post done in Portal
|
||||
$req->steps( [ 'deleteSession', 'autoPost' ] );
|
||||
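Review bot: The new assignment in the first extractFormInfo hunk writes `$req->{postFields}->{'RelayState'}` through the hash key while the line just above it, `$req->postFields( { 'SAMLResponse' => $slo_body } );`, still goes through the accessor; the replaced line used `$req->postFields->{'RelayState'}`, so the hunk silently changes access style for the same field, and the two other hunks in this file use the hash key throughout. Both subs (extractFormInfo and authLogout) start and end outside the hunks, so I cannot confirm from here that the accessor and the hash key address the same slot; if they do, pick one style within the hunk, and if they do not, the first hunk writes a field that the autoPost step may never read. The bare `# RelayState` comment also no longer says why the value is transformed; I would replace it, here and at the matching hunks in the other files of this commit, with `# Pre-encode RelayState for the hidden form and flag it so buildHiddenForm skips checkXSSAttack on it`.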
|
|
|
@ -4,6 +4,7 @@ use strict;
|
|||
use Mouse;
|
||||
use URI;
|
||||
use URI::QueryParam;
|
||||
use HTML::Entities qw(encode_entities);
|
||||
use Lemonldap::NG::Portal::Lib::SAML;
|
||||
use Lemonldap::NG::Portal::Main::Constants qw(
|
||||
PE_OK
|
||||
|
@ -1048,8 +1049,11 @@ sub run {
|
|||
}
|
||||
|
||||
# RelayState
|
||||
$req->{postFields}->{'RelayState'} = $relaystate
|
||||
if ($relaystate);
|
||||
if ($relaystate) {
|
||||
$req->{postFields}->{'RelayState'} =
|
||||
encode_entities($relaystate);
|
||||
$req->data->{safeHiddenFormValues}->{RelayState} = 1;
|
||||
}
|
||||
|
||||
$req->steps( ['autoPost'] );
|
||||
return PE_OK;
|
||||
|
@ -1515,9 +1519,15 @@ sub sloRelayPost {
|
|||
$self->logger->debug("Found relay session $relayID");
|
||||
|
||||
# Get data to build POST form
|
||||
$req->{postUrl} = $relayInfos->data->{url};
|
||||
$req->{postUrl} = $relayInfos->data->{url};
|
||||
$req->{postFields}->{'SAMLRequest'} = $relayInfos->data->{body};
|
||||
$req->{postFields}->{'RelayState'} = $relayInfos->data->{relayState};
|
||||
|
||||
# RelayState
|
||||
if ( $relayInfos->data->{relayState} ) {
|
||||
$req->{postFields}->{'RelayState'} =
|
||||
encode_entities( $relayInfos->data->{relayState} );
|
||||
$req->data->{safeHiddenFormValues}->{RelayState} = 1;
|
||||
}
|
||||
|
||||
# Delete relay session
|
||||
$relayInfos->remove();
|
||||
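Review bot: The guard/encode/flag triple added in run and again in sloRelayPost is the same code that this commit also pastes into Auth::SAML (three times) and Lib::SAML (once); six copies of one invariant ("a flagged hidden value is already HTML-encoded") will drift the first time one site is edited alone. I would put it behind one helper and call it as `$self->setSafeHiddenField( $req, RelayState => $relaystate );` at every site, so the encoding and the safeHiddenFormValues flag cannot be separated. Both run and sloRelayPost continue outside the hunks, so where the helper best lives (this package or the shared SAML lib) cannot be judged from here.
```perl
# Store a hidden-form value already HTML-encoded and flag it so
# buildHiddenForm skips checkXSSAttack for it; no-op on an empty value.
sub setSafeHiddenField {
    my ( $self, $req, $name, $value ) = @_;
    return unless $value;
    $req->{postFields}->{$name} = encode_entities($value);
    $req->data->{safeHiddenFormValues}->{$name} = 1;
    return;
}
# … unchanged: body of run up to the RelayState handling …
$self->setSafeHiddenField( $req, RelayState => $relaystate );
```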
|
|
|
@ -7,7 +7,7 @@ use Lemonldap::NG::Common::Session;
|
|||
use Lemonldap::NG::Common::UserAgent;
|
||||
use Lemonldap::NG::Common::FormEncode;
|
||||
use XML::Simple;
|
||||
use HTML::Entities qw(decode_entities);
|
||||
use HTML::Entities qw(decode_entities encode_entities);
|
||||
use MIME::Base64;
|
||||
use HTTP::Request; # SOAP call
|
||||
use POSIX qw(strftime); # Convert SAML2 date into timestamp
|
||||
|
@ -2556,8 +2556,10 @@ sub sendLogoutResponseToServiceProvider {
|
|||
$req->{postFields} = { 'SAMLResponse' => $slo_body };
|
||||
|
||||
# RelayState
|
||||
$req->{postFields}->{'RelayState'} = $relaystate
|
||||
if ($relaystate);
|
||||
if ($relaystate) {
|
||||
$req->{postFields}->{'RelayState'} = encode_entities($relaystate);
|
||||
$req->data->{safeHiddenFormValues}->{RelayState} = 1;
|
||||
}
|
||||
|
||||
return $self->p->do( $req, ['autoPost'] );
|
||||
}
|
||||
|
|
|
@ -142,7 +142,7 @@ sub display {
|
|||
ASK_LOGINS => $req->param('checkLogins') || 0,
|
||||
ASK_STAYCONNECTED => $req->param('stayconnected') || 0,
|
||||
CONFIRMKEY => $self->stamp(),
|
||||
LIST => $req->data->{list} || [],
|
||||
LIST => $req->data->{list} || [],
|
||||
(
|
||||
$req->data->{customScript}
|
||||
? ( CUSTOM_SCRIPT => $req->data->{customScript} )
|
||||
|
@ -635,7 +635,9 @@ sub buildHiddenForm {
|
|||
|
||||
# Check XSS attacks
|
||||
next
|
||||
if $self->checkXSSAttack( $_, $req->{portalHiddenFormValues}->{$_} );
|
||||
if (!$req->data->{safeHiddenFormValues}->{$_}
|
||||
&& $self->checkXSSAttack( $_, $req->{portalHiddenFormValues}->{$_} )
|
||||
);
|
||||
|
||||
# Build hidden input HTML code
|
||||
# 'id' is removed to avoid warning with Choice
|
||||
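Review bot: The new condition in buildHiddenForm skips checkXSSAttack for any hidden field whose name is set in `$req->data->{safeHiddenFormValues}`, but nothing at this site records that the flag means "the setter already passed the value through encode_entities"; that invariant is what keeps the bypass safe, so the `# Check XSS attacks` comment should state it: `# Skip the XSS check only for values the setter has already HTML-encoded and flagged in safeHiddenFormValues (see the SAML RelayState handling)`. The flag is keyed on the field name alone, so if `portalHiddenFormValues` can hold a RelayState in the same request that did not come from the encoded postFields, that value would skip the check as well — how postFields is copied into portalHiddenFormValues is not visible in this hunk, so this is worth confirming. Stylistically, a four-line postfix `next if ( ... )` with a compound condition is hard to read; `my $is_safe = $req->data->{safeHiddenFormValues}->{$_};` followed by `next if !$is_safe && $self->checkXSSAttack( $_, $req->{portalHiddenFormValues}->{$_} );` keeps the same short-circuit order (the check is never called for flagged values) and reads in one pass. buildHiddenForm's loop starts and ends outside the hunk.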
|
|