[cas-dev] [Fwd: Re: Failure to remove trailing ticket= parameter in URL sent to app, after auth with mod-auth-cas]

Olivier Berger olivier.berger at it-sudparis.eu
Thu Aug 14 06:52:51 EDT 2008


Hi.

FYI, and for reference, the response of the mod-auth-cas author, which I took
the liberty of forwarding.

Hope it helps,

Best regards,

On Wednesday 13 August 2008 at 22:33 -0400, Phil Ames wrote:
> Hi,
> I looked at your patch and I definitely think it would solve the
> issue.  I have applied a variant of it to the code in trunk right now.
> Some of the changes I made:
> 
> - I converted the URI in the new location header to an absolute URI
> instead of a relative one, as the HTTP RFC states that it should be an
> absolute URI
> - I also placed a call to escapeString(r->args) when placing the
> arguments in the Location header to prevent HTTP Response Splitting
> attacks in case someone places an encoded newline, etc. in the query
> string and sends it to the web server.
> 
> I am also in the process of applying a few outstanding patches from
> JIRA to the trunk code, and made the update to the license so
> everything should be kosher with Debian packaging now.  The new
> changes have to be tested, and once I am comfortable with them, I will
> tag it as a new release and send out a notification.
> 
> Thanks,
> 
> -Phil



On Tuesday 12 August 2008 at 14:32 +0200, Olivier Berger wrote:
> Hi.
> 
> I think that this is more for devs than users of CAS, btw. So forwarding
> here. Sorry for the duplicate.
> 
> -------- Forwarded message --------
> From: Olivier Berger <olivier.berger at it-sudparis.eu>
> To: Yale CAS mailing list <cas at tp.its.yale.edu>
> Subject: Re: Failure to remove trailing ticket= parameter in URL sent to app, after auth with mod-auth-cas
> Date: Tue, 12 Aug 2008 14:29:02 +0200
> 
> On Tuesday 12 August 2008 at 13:10 +0200, Olivier Berger wrote:
> > Hi.
> > 
> > Sorry again if this is a FAQ.
> > 
> > I am trying to CAS-ify a TWiki installation behind mod-auth-cas.
> > 
> > After authentication by the CAS server, the URL displayed in TWiki looks
> > like:
> > http://localhost/cgi-bin/twiki/viewauth/TWiki/TWikiAccessControl?t=1218539240&ticket=ST-15-4pkBwI2qhZc0NHmaKVyi-cas
> > 
> > I would have expected the removal of the
> > "&ticket=ST-15-4pkBwI2qhZc0NHmaKVyi-cas" part by mod_auth_cas (looking
> > at the code: removeCASParams() which seems to do that)
> > 
> > Unfortunately, it won't please TWiki to have this trailing "ticket"
> > param when saving page contents later on :(
> > 
> > Maybe removeCASParams() ain't called when it should be, or it fails
> > parsing the params?
> > 
> > Any hints?
> > 
> 
> I've looked at the code and I think I identified what happens. It's a
> problem with the Web browser not knowing the "ticket" parameter was
> removed when the page contains POST forms.
> 
> A URL like
> http://localhost/cgi-bin/twiki/viewauth/TWiki/TWikiAccessControl?t=1218539240&ticket=ST-15-4pkBwI2qhZc0NHmaKVyi-cas is invoked.
> 
> But the perl script is actually called as
> http://localhost/cgi-bin/twiki/viewauth/TWiki/TWikiAccessControl?t=1218539240 once authenticated by mod-auth-cas (which removes the "ticket" param before invoking it) directly, without a redirection (HTTP 200/OK success code).
> 
> So the web browser still thinks it's displaying
> http://localhost/cgi-bin/twiki/viewauth/TWiki/TWikiAccessControl?t=1218539240&ticket=ST-15-4pkBwI2qhZc0NHmaKVyi-cas
> So when trying to edit a wiki page, a POST is issued to
> "edit/TWiki/TWikiAccessControl?t=1218539240&ticket=ST-15-4pkBwI2qhZc0NHmaKVyi-cas" (which fails).
> 
> I think that an additional redirect should be necessary in
> cas_authenticate() whenever the params are changed by removeCASParams(),
> for additional consistency, then.
> 
> In the code, in "if(ticket != NULL)" block, if "isValidCASTicket()",
> then not return OK directly but a redirect to the same script without
> the ticket= parameter, then.
> 
> Here's a proposed patch, that I think will solve this issue.
> 
> Comments welcome.
> 
> Best regards,

-- 
Olivier BERGER <olivier.berger at it-sudparis.eu>
http://www-public.it-sudparis.eu/~berger_o/ - OpenPGP-Id: 1024D/6B829EEC
Research Engineer - Dept INF
Institut TELECOM, SudParis (http://www.it-sudparis.eu/), Evry (France)
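The behaviour the two messages converge on, as an added Python model (not the module's own C code): strip the CAS `ticket` parameter from the raw query string and, if that changed anything, answer with a redirect to an absolute URI whose remaining arguments are percent-escaped so an encoded newline cannot split the response. Function names and the `CAS_PARAMS` tuple are assumptions; only `ticket` is named in the thread.

```python
from urllib.parse import quote

# Parameter removed after a successful ticket validation (the one named in
# the thread). Assumed name; the real module may strip more than this.
CAS_PARAMS = ("ticket",)


def remove_cas_params(args):
    """Return the raw query string with CAS parameters dropped.

    Other pairs are kept byte-for-byte as received: no decode/re-encode,
    so the application sees exactly what the client sent.
    """
    if not args:
        return ""
    kept = []
    for pair in args.split("&"):
        name = pair.split("=", 1)[0]
        if name not in CAS_PARAMS:
            kept.append(pair)
    return "&".join(kept)


def location_header(scheme, host, path, args):
    """Build an absolute Location value (as the HTTP RFC requires).

    Every byte outside the set that is safe in a URL is percent-encoded,
    including a raw CR or LF, so the query string can never terminate the
    header and inject further headers (HTTP response splitting).
    Existing %XX escapes are left alone because '%' is in the safe set.
    """
    safe_args = quote(args, safe="-._~:/?#[]@!$&'()*+,;=%")
    url = "%s://%s%s" % (scheme, host, path)
    return url + ("?" + safe_args if safe_args else "")


def after_ticket_validation(scheme, host, path, args):
    """Control flow once the ticket has been validated.

    Returns (status, location). When stripping CAS parameters changed the
    query string, the client is redirected to the clean URI so its address
    bar (and any relative form actions) no longer carry the ticket; when
    nothing was removed, the page is served directly.
    """
    cleaned = remove_cas_params(args)
    if cleaned == args:
        return 200, None
    return 302, location_header(scheme, host, path, cleaned)
```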
