Validate Destination #782

Closed
wants to merge 2 commits into from
peppelinux
Member

@peppelinux peppelinux commented Mar 20, 2021

This PR introduces a validation on the Destination attribute value, in Response.
Destination value MUST be present if binding is HTTP-REDIRECT or HTTP-POST, and correctly valued.

fixes: #770

All Submissions:

  • Have you checked to ensure there aren't other open Pull Requests for the same update/change?
  • Have you added an explanation of what problem you are trying to solve with this PR?
  • Have you added information on what your changes do and why you chose this as your solution?
  • Have you written new tests for your changes?
  • Does your submission pass tests?
  • This project follows PEP8 style guide. Have you run your code against the 'flake8' linter?

@peppelinux peppelinux changed the title fix: Destination missing or unvalued. Fixes: https://github.com/IdentityPython/pysaml2/issues/770 fix: Destination missing or unvalued Mar 20, 2021
@c00kiemon5ter c00kiemon5ter changed the title fix: Destination missing or unvalued Validate Destination Apr 6, 2021
@c00kiemon5ter
Member

Does the specification define that?

What I see is that the Destination attribute is optional, verified by the schema.

Destination [Optional]
A URI reference indicating the address to which this request has been sent. This is useful to prevent
malicious forwarding of requests to unintended recipients, a protection that is required by some
protocol bindings. If it is present, the actual recipient MUST check that the URI reference identifies
the location at which the message was received. If it does not, the request MUST be discarded.
Some protocol bindings may require the use of this attribute (see [SAMLBind]).

<attribute name="Destination" type="anyURI" use="optional"/>

@peppelinux peppelinux closed this Apr 6, 2021
@peppelinux peppelinux reopened this Jun 13, 2021
@peppelinux
Member Author

@c00kiemon5ter Ok, I believe that this PR can be reopened following the reason that the Destination MAY be omitted, because it's optional, BUT if present it MUST be validated upon a match on valid ones.

This means that https://github.com/IdentityPython/pysaml2/pull/782/files#diff-93d65463e66cc55182c30d4629747c4db87f8230056f81497719a0144f44749cR415 would be removed and the check will be done only "if destination" is True
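
The rule the thread converges on (Destination may be absent, but if present it must match a location at which the message was actually received), as an added example that is not code from pysaml2 or from this pull request. `check_destination`, `valid_locations` and `require_destination` are hypothetical names, and the sample Response is constructed.

```python
import xml.etree.ElementTree as ET

SAMLP_RESPONSE = "{urn:oasis:names:tc:SAML:2.0:protocol}Response"


class DestinationMismatch(Exception):
    """The message must be discarded because of its Destination attribute."""


def check_destination(response_xml, valid_locations, require_destination=False):
    """Return the checked Destination value, or None when it is absent.

    valid_locations: URLs at which this service really receives responses
    (hypothetical parameter; a deployment would take them from its metadata).
    require_destination: hypothetical switch for bindings that require it.
    """
    # The stdlib parser keeps the example self-contained; untrusted SAML
    # should go through a hardened XML parser in a real deployment.
    root = ET.fromstring(response_xml)
    if root.tag != SAMLP_RESPONSE:
        raise ValueError("not a samlp:Response: %s" % root.tag)

    destination = root.get("Destination")  # None when the attribute is absent
    if destination is None:
        if require_destination:
            raise DestinationMismatch("Destination is required but missing")
        return None  # optional in the schema, nothing to compare
    # Present, so it MUST identify where the message was received. An empty
    # ("unvalued") attribute is present and matches nothing, so it is rejected.
    if destination not in valid_locations:
        raise DestinationMismatch("unexpected Destination: %r" % destination)
    return destination


# Constructed sample input, not taken from the pull request.
ACS = {"https://sp.example.org/acs/post"}
TEMPLATE = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
            'ID="_constructed1" Version="2.0" IssueInstant="2021-06-13T00:00:00Z"%s/>')

if __name__ == "__main__":
    for attr in ("", ' Destination="https://sp.example.org/acs/post"',
                 ' Destination=""', ' Destination="https://other.example.net/acs"'):
        try:
            print(repr(attr), "->", check_destination(TEMPLATE % attr, ACS))
        except DestinationMismatch as exc:
            print(repr(attr), "-> discarded:", exc)
```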

Successfully merging this pull request may close these issues.

Missing Destination in Response