Encoding a URL in service parameter throws INVALID_SERVICE
This check does not pass with the Phabricator CAS client: https://github.com/nitmir/django-cas-server/blob/master/cas_server/views.py#L1219
This is due to Phabricator encoding a URL in the service GET parameter:
ticket.service = https://phabricator.crans.org:/index.php?__path__=/auth/login/CAS:self/
self.service = https://phabricator.crans.org:/index.php?__path__=%2Fauth%2Flogin%2FCAS%3Aself%2F
self.service is unquoted from the service GET parameter and __path__ does not get unquoted. That is not the case with ticket.service, which gets fully "unquoted".
One way to solve that is to pass self.service through urllib.parse.unquote.
Hi
self.service in the ValidateService view is taken verbatim without modification from the GET parameter provided by the CAS client.
ticket.service comes from the database. The string stored in the database can have two sources:
- Either the user was already authenticated into the CAS before being redirected to the CAS. In this case, the service is also taken verbatim from the GET parameter the CAS client provides by redirecting the client.
- Or the user was not already authenticated. In this case, the service is taken from the GET parameter, written into the login form and retrieved during authentication from the corresponding POST parameter, also without modification.
So the ticket.service and self.service are both provided by the CAS client and not modified by django-cas-server.
It would be interesting to see if the issue is present in both cases: with and without the extra POST request required for authentication.
django-cas-ng, a django CAS client, also uses services with URL-encoded parameters: for instance ?service=https%3A%2F%2Fintranet.example.net%2Flogin%3Fnext%3D%252Fadmin%252F where the parameter ?next=/admin/ is double encoded. This CAS client does not present such an issue.
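As an added illustration of the comparison discussed in this thread (example code, not django-cas-server's own validation logic), the snippet below reproduces the strict check that fails on the two Phabricator values quoted above, next to a hypothetical `services_match` that decodes only the query values before comparing, so that scheme, host and path still have to match exactly. The sample URLs are constructed from the report.

```python
from urllib.parse import parse_qsl, urlsplit

# Constructed from the two service values quoted in the report above.
TICKET_SERVICE = "https://phabricator.crans.org:/index.php?__path__=/auth/login/CAS:self/"
REQUEST_SERVICE = (
    "https://phabricator.crans.org:/index.php"
    "?__path__=%2Fauth%2Flogin%2FCAS%3Aself%2F"
)


def services_match_verbatim(ticket_service: str, request_service: str) -> bool:
    """The strict comparison the report describes: any encoding difference fails."""
    return ticket_service == request_service


def canonical_service(service: str) -> tuple:
    """Canonical form used for comparison (hypothetical helper, not the project's).

    Scheme, host, port and path are kept exactly as received; only the query
    string is decoded, by splitting it into (name, value) pairs, so that
    '__path__=%2Fauth' and '__path__=/auth' compare equal while an encoded
    slash in the path is never turned into a real path separator.
    """
    parts = urlsplit(service)
    # parse_qsl percent-decodes names and values; order of pairs is preserved.
    query = tuple(parse_qsl(parts.query, keep_blank_values=True))
    return (parts.scheme.lower(), parts.netloc.lower(), parts.path, query)


def services_match(ticket_service: str, request_service: str) -> bool:
    """Compare the stored ticket service with the service sent at validation time."""
    return canonical_service(ticket_service) == canonical_service(request_service)


if __name__ == "__main__":
    print("verbatim:", services_match_verbatim(TICKET_SERVICE, REQUEST_SERVICE))
    print("canonical:", services_match(TICKET_SERVICE, REQUEST_SERVICE))
```

A client that sends a different host, path or an extra query value still fails the canonical comparison; only the percent-encoding of query values is tolerated.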