self.service in the ValidateService view is taken verbatim, without modification, from the GET parameter provided by the CAS client.
ticket.service comes from the database. The string stored in the database can have two sources:
Either the user was already authenticated on the CAS before being redirected to the CAS. In this case, the service is also taken verbatim from the GET parameter the CAS client provides when redirecting the client.
Or the user was not already authenticated. In this case, the service is taken from the GET parameter, written into the login form and retrieved during authentication from the corresponding POST parameter, also without modification.
So ticket.service and self.service are both provided by the CAS client and not modified by django-cas-server.
It would be interesting to see if the issue is present in both cases: with and without the extra POST request required for authentication.
django-cas-ng, a Django CAS client, also uses services with URL-encoded parameters: for instance ?service=https%3A%2F%2Fintranet.example.net%2Flogin%3Fnext%3D%252Fadmin%252F where the parameter ?next=/admin/ is double encoded. This CAS client does not present such an issue.
This check does not pass with the Phabricator CAS client: https://github.com/nitmir/django-cas-server/blob/master/cas_server/views.py#L1219
This is due to Phabricator encoding a URL in the service GET parameter: self.service is unquoted from the service GET parameter and __path__ does not get unquoted. That is not the case with ticket.service, which gets fully "unquoted". One way to solve that is to pass self.service through urllib.parse.unquote.
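To make the mismatch described in this report and in the comment above concrete, here is an added Python example; it is not code from django-cas-server, Phabricator or django-cas-ng, the service values are constructed rather than captured from any client, and the function names are mine. It shows the verbatim comparison the comment describes, the urllib.parse.unquote fix the report proposes (applied to both sides so a ticket stored in encoded form still matches), and a structural comparison that keeps a percent-encoded & inside a query value distinct from a real parameter separator, which unquote-then-compare does not.

```python
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample values (not real Phabricator or django-cas-ng output).
# TICKET_SERVICE is what the CAS would have stored with the ticket at login
# time; the VALIDATE_* values are what a client could send as ?service= to the
# ValidateService view, once byte-identical and once with the path inside
# "next" percent-encoded (as a client such as django-cas-ng does).
TICKET_SERVICE = "https://intranet.example.net/login?next=/admin/"
VALIDATE_SERVICE_SAME = "https://intranet.example.net/login?next=/admin/"
VALIDATE_SERVICE_ENCODED = "https://intranet.example.net/login?next=%2Fadmin%2F"

# Two URLs that decode to the same string but are not the same request:
# in the first, "&b=1" is part of the value of "next"; in the second, "b=1"
# is a separate query parameter.
AMP_IN_VALUE = "https://intranet.example.net/login?next=/a%26b=1"
AMP_AS_SEPARATOR = "https://intranet.example.net/login?next=/a&b=1"


def compare_verbatim(ticket_service: str, request_service: str) -> bool:
    """Byte-for-byte comparison: both values come from the client unchanged."""
    return ticket_service == request_service


def compare_unquoted(ticket_service: str, request_service: str) -> bool:
    """Percent-decode each side once, then compare. This is the fix the issue
    proposes, applied symmetrically (hypothetical helper, not the project's)."""
    return unquote(ticket_service) == unquote(request_service)


def compare_parsed(ticket_service: str, request_service: str) -> bool:
    """Compare URL structure instead of the flat string: scheme and authority
    (case-insensitive), decoded path, decoded fragment and the query as an
    ordered list of (name, value) pairs. parse_qsl decodes values after
    splitting on '&', so an encoded '&' inside a value stays inside it."""
    a, b = urlsplit(ticket_service), urlsplit(request_service)
    return (
        a.scheme.lower() == b.scheme.lower()
        and a.netloc.lower() == b.netloc.lower()
        and unquote(a.path) == unquote(b.path)
        and parse_qsl(a.query, keep_blank_values=True)
        == parse_qsl(b.query, keep_blank_values=True)
        and unquote(a.fragment) == unquote(b.fragment)
    )


def check_all(ticket_service: str, request_service: str) -> dict:
    """Run the three comparisons on one (ticket, request) pair."""
    return {
        "verbatim": compare_verbatim(ticket_service, request_service),
        "unquoted": compare_unquoted(ticket_service, request_service),
        "parsed": compare_parsed(ticket_service, request_service),
    }


if __name__ == "__main__":
    for name, req in [
        ("identical client", VALIDATE_SERVICE_SAME),
        ("client that encodes the path", VALIDATE_SERVICE_ENCODED),
    ]:
        print(name, check_all(TICKET_SERVICE, req))
    print("encoded '&' vs separator", check_all(AMP_IN_VALUE, AMP_AS_SEPARATOR))
```

The second pair is the caveat: a ticket issued for a service URL with an encoded & inside a value would, under unquote-then-compare, also validate for a service URL where that & is a separator, while the parsed comparison rejects it. Whether that matters depends on what the registered services look like, but it is why normalising only as far as the comparison needs is preferable to decoding the whole string.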