Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

store.py match("^(.+)=(.+)$", key) lookup breaks entityID's with base64 encoded, padded content #109

Open
mrvanes opened this issue Jun 13, 2017 · 12 comments
Open

store.py match("^(.+)=(.+)$", key) lookup breaks entityID's with base64 encoded, padded content #109

mrvanes opened this issue Jun 13, 2017 · 12 comments

Comments

@mrvanes
Copy link
Contributor

mrvanes commented Jun 13, 2017

In store.py @270 there is logic to recognise "=" separated keys. We have entityID's that embed base64 encoded information in entityID, one of them ending in the base64 padding "==". This causes _lookup to miss the entityID, causing the discovery page to break with a 404 in mdx.py @588 for this SP.

The following regex solves the problem, but I'm unsure if it would break the intended "=" situation:

m = re.match("^(.+)=([^=].+)$", key)

And I'm also unsure if it solves the single padded base64 encoded strings, let alone entityID's where the padding is in the middle of the entityID. That would certainly break anytime.
@leifj
Copy link
Contributor

leifj commented Jun 13, 2017

Can you provide a sample URL that breaks?

@leifj
Copy link
Contributor

leifj commented Jun 13, 2017

Also feel free to provide a PR for quicker review but that URL would make a good testcase...

@mrvanes
Copy link
Contributor Author

mrvanes commented Jun 13, 2017

Sample entityID URL (obfuscated the domain)

https://satosa.***.nl/Saml2MirrorSP/proxy_saml2_backend.xml/Saml2IDP/aHR0cHM6Ly9zcC4qKioqLmNvbS9zYW1sL21vZHVsZS5waHAvc2FtbC9zcC9tZXRhZGF0YS5waHAvZGVmYXVsdC1zcA==

I don't want to create a pullrequest because I'm far from certain that my (quick) fix doesn't break any other intended behaviour. I'd rather you scrutinize the problem and rethink the "=" case to lookup { } logic. In my case the "... adding %s=%s" debug code resulted in an empty v, which is a telltale sign that something went wrong with the earlier rewrite of the "=" case.

@leifj
Copy link
Contributor

leifj commented Jun 13, 2017

yeah this smells URL encoding fail to me somewhere - normally that == would/should have been URL-encoded before passing to pyFF because otherwize you could never do query-string parsing

@mrvanes
Copy link
Contributor Author

mrvanes commented Jun 14, 2017

Yes, normaly it's URL encoded, but I think (have to check) that this will be decoded inside the server, so still be a problem?

@mrvanes
Copy link
Contributor Author

mrvanes commented Jun 14, 2017

Here's proof:

[14/Jun/2017:09:52:06]  memory store lookup: https://satosa.****.nl/Saml2MirrorSP/proxy_saml2_backend.xml/Saml2IDP/aHR0cHM6Ly9zcC5tcnZhbmVzLmNvbS9zYW1sL21vZHVsZS5waHAvc2FtbC9zcC9tZXRhZGF0YS5waHAvZGVmYXVsdC1zcA==
[14/Jun/2017:09:52:06]  lookup: https://satosa.*****.nl/Saml2MirrorSP/proxy_saml2_backend.xml/Saml2IDP/aHR0cHM6Ly9zcC5tcnZhbmVzLmNvbS9zYW1sL21vZHVsZS5waHAvc2FtbC9zcC9tZXRhZGF0YS5waHAvZGVmYXVsdC1zcA==
[14/Jun/2017:09:52:06]  trying null index lookup https://satosa.****.nl/Saml2MirrorSP/proxy_saml2_backend.xml/Saml2IDP/aHR0cHM6Ly9zcC5tcnZhbmVzLmNvbS9zYW1sL21vZHVsZS5waHAvc2FtbC9zcC9tZXRhZGF0YS5waHAvZGVmYXVsdC1zcA==
83.85.149.243 - - [14/Jun/2017:09:52:06] "GET /role/idp.ds?entityID=https%3A%2F%2Fsatosa.****.nl%2FSaml2MirrorSP%2Fproxy_saml2_backend.xml%2FSaml2IDP%2FaHR0cHM6Ly9zcC5tcnZhbmVzLmNvbS9zYW1sL21vZHVsZS5waHAvc2FtbC9zcC9tZXRhZGF0YS5waHAvZGVmYXVsdC1zcA%3D%3D&return=https%3A%2F%2Fsatosa.****.nl%2FSaml2MirrorSP%2Fdisco HTTP/1.1" 200 6438 "" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.86 Safari/537.36"

Original request was URL encoded, but lookup debugs the decoded entityID.

@leifj
Copy link
Contributor

leifj commented Jun 14, 2017

Yeah you're right. I need to think about the right way to deal with this. Your patch at least solves one part of this so I don't mind applying it but this actually needs thought...

@mrvanes
Copy link
Contributor Author

mrvanes commented Aug 26, 2019

From time to time we're trying to see if running unmodified vanilla pyff would be a viable option, but bugs like this not being patched upstream make it hard. Any progress on the "thoughts" about this? Do you want a PR for the suggested insertion of the four characters?

@leifj
Copy link
Contributor

leifj commented Aug 26, 2019 via email

@leifj
Copy link
Contributor

leifj commented Aug 26, 2019

if it is still in HEAD I'd appreciate a PR!

@leifj
Copy link
Contributor

leifj commented Mar 30, 2021

ping @mrvanes what should we do about this?

@mrvanes
Copy link
Contributor Author

mrvanes commented Apr 1, 2021
edited
Loading

  1. We don't use base64encode entityID's anymore, so we don't experience the problem anymore, but
  2. The bug is real: any valid entityID containing = characters will trigger it

Will that happen often? I doubt it.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@leifj @mrvanes