From a979507837c0f86e52d2069586a2a1fea735af41 Mon Sep 17 00:00:00 2001
From: Jochen Klar
Date: Thu, 24 Oct 2019 12:49:14 +0200
Subject: [PATCH] Add setting to unquote URL encoded attributes

---
 shibboleth/app_settings.py | 3 +++
 shibboleth/middleware.py | 17 +++++++++++++----
 2 files changed, 16 insertions(+), 4 deletions(-)

diff --git a/shibboleth/app_settings.py b/shibboleth/app_settings.py
index 8809e4d..b11caeb 100755
--- a/shibboleth/app_settings.py
+++ b/shibboleth/app_settings.py
@@ -30,3 +30,6 @@
 #LOGOUT_REDIRECT_URL specifies a default logout page that will always be used when
 #users logout from Shibboleth.
 LOGOUT_REDIRECT_URL = getattr(settings, 'SHIBBOLETH_LOGOUT_REDIRECT_URL', None)
+
+# unquote URL encoded attributes
+UNQUOTE_ATTRIBUTES = getattr(settings, 'SHIBBOLETH_UNQUOTE_ATTRIBUTES', None)
diff --git a/shibboleth/middleware.py b/shibboleth/middleware.py
index e271492..8256112 100755
--- a/shibboleth/middleware.py
+++ b/shibboleth/middleware.py
@@ -2,9 +2,11 @@
 from django.contrib.auth.models import Group
 from django.contrib import auth
 from django.core.exceptions import ImproperlyConfigured
+
 import re
+from urllib.parse import unquote
-from shibboleth.app_settings import SHIB_ATTRIBUTE_MAP, GROUP_ATTRIBUTES, GROUP_DELIMITERS
+from shibboleth.app_settings import SHIB_ATTRIBUTE_MAP, GROUP_ATTRIBUTES, GROUP_DELIMITERS, UNQUOTE_ATTRIBUTES
 class ShibbolethRemoteUserMiddleware(RemoteUserMiddleware):
@@ -25,6 +27,8 @@ def process_request(self, request):
 # Locate the remote user header.
 try:
 username = request.META[self.header]
+ if UNQUOTE_ATTRIBUTES:
+ username = unquote(username)
 except KeyError:
 # If specified header doesn't exist then return (leaving
 # request.user set to AnonymousUser by the
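Review bot: In shibboleth/app_settings.py the new `UNQUOTE_ATTRIBUTES` setting defaults to `None` although it is only ever tested for truth, and its one-line comment does not say that the username header is decoded as well as the mapped and group attributes. Since the flag changes how the authenticated identity is derived, I would default it to `False` and document the scope, e.g. `# If True, percent-decode the remote-user header and every mapped or group attribute before use (default: off).`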
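Review bot: In the `process_request` hunk of shibboleth/middleware.py, `unquote(username)` runs with its default `errors='replace'`, so any percent-encoded byte sequence that is not valid UTF-8 is silently turned into U+FFFD and distinct header values can end up as the same username. For the value that identifies the account I would decode strictly and treat a failure like a missing header, e.g. `username = unquote(username, errors='strict')` with the existing handler widened to `except (KeyError, UnicodeDecodeError):`. The same default applies to the `unquote(value)` calls added in `parse_attributes` and `parse_group_attributes`. Turning the setting on for an existing deployment presumably also changes which stored usernames match the header, which is worth stating in the documentation. `process_request` starts and ends outside this hunk.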
@@ -58,7 +62,7 @@ def process_request(self, request):
 # by logging the user in.
 request.user = user
 auth.login(request, user)
-
+
 # Upgrade user groups if configured in the settings.py
 # If activated, the user will be associated with those groups.
 if GROUP_ATTRIBUTES:
@@ -112,6 +116,8 @@ def parse_attributes(request):
 attr_processor = lambda x: x
 value = meta.get(header, None)
 if value:
+ if UNQUOTE_ATTRIBUTES:
+ value = unquote(value)
 shib_attrs[name] = attr_processor(value)
 elif required:
 error = True
@@ -124,8 +130,11 @@ def parse_group_attributes(request):
 """
 groups = []
 for attr in GROUP_ATTRIBUTES:
- parsed_groups = re.split('|'.join(GROUP_DELIMITERS),
- request.META.get(attr, ''))
+ value = request.META.get(attr, '')
+ if UNQUOTE_ATTRIBUTES:
+ value = unquote(value)
+
+ parsed_groups = re.split('|'.join(GROUP_DELIMITERS), value)
 groups += filter(bool, parsed_groups)
 return groups
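Review bot: In the `parse_group_attributes` hunk the value is decoded before `re.split`, so a percent-encoded delimiter inside a single group name becomes a real delimiter and that one value is split into several group names. If the service provider encodes each value and joins them with a literal delimiter (not visible here), splitting first and decoding each piece keeps group boundaries intact: keep `parsed_groups = re.split('|'.join(GROUP_DELIMITERS), request.META.get(attr, ''))` and follow it with `if UNQUOTE_ATTRIBUTES: parsed_groups = [unquote(g) for g in parsed_groups]`. Because these names feed group membership, the order of the two steps deserves a short comment whichever way it is resolved.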