Allows scheme and domain to match ignoring case #354

Closed
tdphillipsjr wants to merge 4 commits into SAML-Toolkits:master from grnhse:case_insensitive_domain_match

@tdphillipsjr

  • Per RFC4343, the domain name portion of a URI should be considered case-insensitive.
  • Per RFC3986, the scheme portion of a URI should be considered case-insensitive.
  • Some SSO providers allow users to enter their own subdomain, which many may do with capital letters (such as in the case of an acronym).
  • The destination match should take this into consideration when matching the destination URI to the ACS URI, if these are proper URIs.
  • The match should default to the original case when either of the values is not a proper URI.
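
One way to implement the matching rule described in this pull request, as an added Ruby example (not the PR's code and not ruby-saml's API; the helper names and sample URLs are hypothetical). Scheme and host compare case-insensitively, the rest of the URI stays case-sensitive, and values that are not proper URIs fall back to an exact string comparison.

```ruby
require 'uri'

# Hypothetical helper: returns the URI as a string with scheme and host
# lowercased, or nil when the value is not a proper absolute URI.
def normalize_scheme_and_host(value)
  uri = URI.parse(value)
  # Without both a scheme and a host there is nothing safe to case-fold.
  return nil unless uri.scheme && uri.host
  uri.scheme = uri.scheme.downcase
  uri.host = uri.host.downcase
  uri.to_s
rescue URI::InvalidURIError
  nil
end

# Hypothetical helper: compares the Destination of a SAML response with the
# configured ACS URL. Path and query are left untouched, so they must still
# match byte for byte.
def destination_matches?(destination, acs_url)
  normalized_destination = normalize_scheme_and_host(destination)
  normalized_acs = normalize_scheme_and_host(acs_url)

  # Either value is not a proper URI: keep the original, exact comparison.
  if normalized_destination.nil? || normalized_acs.nil?
    return destination == acs_url
  end

  normalized_destination == normalized_acs
end

# Constructed sample values, not taken from any real deployment.
ACS_URL = 'https://sp.example.com/saml/acs'
SAMPLES = [
  'HTTPS://SP.Example.COM/saml/acs',           # differs only in scheme/host case
  'https://sp.example.com/SAML/acs',           # path case differs
  'https://sp.example.com.evil.test/saml/acs', # different host
  'SP.example.com/saml/acs'                    # no scheme: exact comparison applies
]

def sample_results
  SAMPLES.map { |destination| destination_matches?(destination, ACS_URL) }
end
```

Only the first constructed sample is accepted; the relaxed comparison does not widen the match to a different path or host.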

@tdphillipsjr
Author

Hi @pitbulk -- I was hoping you guys could take a look at this PR and decide if it can be incorporated. The domain case-insensitivity issue is blocking us from upgrading this Gem and resolving a CVE. We're going to have to switch to a local fork if this or something similar can't be done in this gem, which is something we'd really like to avoid.

Thanks.

@pitbulk
Collaborator

pitbulk commented Oct 6, 2016

@tdphillipsjr
Author

@pitbulk Sure, that sounds good. Is this something you'd like me to add to the PR?

@pitbulk
Collaborator

pitbulk commented Oct 13, 2016

If you can, yes, please!

@tdphillipsjr
Author

tdphillipsjr commented Oct 14, 2016

Hi @pitbulk -- this is done, as requested.
I will take care of it next week, thanks

@tdphillipsjr
Author

Hi @pitbulk -- just checking in here.

@pitbulk pitbulk closed this Nov 7, 2016