HTTPRedirectDeflateEncoder includes query parameters in signature calculation
Description
Environment
None
Activity

Brent Putman March 23, 2019 at 12:23 AM
Fixed in:
master: 4d0b0314f045a1b609bbdf5af13f167d8d3fff58
maint-3.4: 343311f7850de3a1c4f52aa8360cd135cd3a1759

Brent Putman March 18, 2019 at 8:52 PM
Looks like when I fixed OSJ-243, I neglected to distinguish between the params to be signed vs the params to emit. Should be an easy fix.
Fixed
Created March 15, 2019 at 8:00 AM
Updated August 6, 2021 at 10:29 PM
Resolved March 23, 2019 at 12:23 AM
If the SingleSignOnService URL for an IdP ends with query parameters, the HTTPRedirectDeflateEncoder will include those in the signature calculation (it only removes known query parameters). This is not correct.
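
The distinction between the parameters to sign and the parameters to emit, as an added Python sketch of the SAML HTTP-Redirect binding rule (not OpenSAML code and not the project's fix). The function names, the endpoint URL, the demo key, the HMAC-SHA256 stand-in for the signing key pair, and the `buggy` flag (a simplified model of the reported behaviour) are all assumptions made for the example.

```python
import base64, hashlib, hmac, zlib
from urllib.parse import quote, urlsplit

SIGNED_PARAMS = ("SAMLRequest", "RelayState", "SigAlg")  # order fixed by the binding
SIG_ALG = "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"
KEY = b"constructed-demo-key"  # constructed sample key, stands in for real credentials

def _sign(content: str) -> str:
    mac = hmac.new(KEY, content.encode(), hashlib.sha256).digest()
    return quote(base64.b64encode(mac), safe="")

def _raw_params(query: str) -> list:
    # Keep names and values exactly as they are encoded on the wire.
    return [tuple(p.split("=", 1)) for p in query.split("&") if "=" in p]

def build_redirect(endpoint: str, xml: str, relay_state: str, buggy: bool = False) -> str:
    deflater = zlib.compressobj(wbits=-15)  # raw DEFLATE, no zlib header
    deflated = deflater.compress(xml.encode()) + deflater.flush()
    saml = [("SAMLRequest", quote(base64.b64encode(deflated), safe="")),
            ("RelayState", quote(relay_state, safe="")),
            ("SigAlg", quote(SIG_ALG, safe=""))]
    parts = urlsplit(endpoint)
    existing = _raw_params(parts.query)
    # Params to emit: the endpoint's own query parameters plus the SAML ones.
    emitted = existing + saml
    # Params to sign: only the SAML ones. The buggy variant signs everything emitted.
    to_sign = emitted if buggy else saml
    signature = _sign("&".join(f"{k}={v}" for k, v in to_sign))
    query = "&".join(f"{k}={v}" for k, v in emitted) + "&Signature=" + signature
    return f"{parts.scheme}://{parts.netloc}{parts.path}?{query}"

def verify_redirect(url: str) -> bool:
    # Receiver side: rebuild the signed string from the three SAML params only.
    params = dict(_raw_params(urlsplit(url).query))
    content = "&".join(f"{k}={params[k]}" for k in SIGNED_PARAMS if k in params)
    return hmac.compare_digest(_sign(content), params.get("Signature", ""))

if __name__ == "__main__":
    endpoint = "https://idp.example.org/sso?tenant=acme"  # constructed endpoint
    request = "<samlp:AuthnRequest ID='_constructed'/>"     # constructed message
    print(verify_redirect(build_redirect(endpoint, request, "state-1")))
    print(verify_redirect(build_redirect(endpoint, request, "state-1", buggy=True)))
```

With an endpoint that has no query string both variants produce the same signature, which is why the defect only shows up against IdPs whose SingleSignOnService URL already carries parameters.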