[Bug 24779] New: Shibboleth login url double encodes "=" in query
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=24779 Bug ID: 24779 Summary: Shibboleth login url double encodes "=" in query Change sponsored?: --- Product: Koha Version: 19.11 Hardware: All OS: All Status: NEW Severity: major Priority: P5 - low Component: Authentication Assignee: koha-bugs@lists.koha-community.org Reporter: hannah.co@northwestu.edu QA Contact: testopia@bugs.koha-community.org CC: dpavlin@rot13.org login_shib_url and logout_shib use _get_return to process a url and parameters. I am seeing urls come through with the "=" between the parameter name and the query encoded to "%3D". I think this is because url encoding is done on line 214 to the whole parameter string after assembly. 214 return $uri_base_part . URI::Escape::uri_escape_utf8($uri_params_part); I believe only the query part of the parameter should be uri escaped, on line 209: 209 $uri_params_part .= $uriPiece; My installation with shibboleth login works with lines 209 and 214 changed as follows: 209 $uri_params_part .= URI::Escape::uri_escape_utf8($uriPiece); 214 return $uri_base_part . $uri_params_part; -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=24779 Katrin Fischer <katrin.fischer@bsz-bw.de> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |katrin.fischer@bsz-bw.de, | |martin.renvoize@ptfs-europe | |.com, | |matthias.meusburger@biblibr | |e.com -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=24779 Jonathan Druart <jonathan.druart@bugs.koha-community.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Depends on| |23042 Version|19.11 |master CC| |jonathan.druart@bugs.koha-c | |ommunity.org --- Comment #1 from Jonathan Druart <jonathan.druart@bugs.koha-community.org> --- Hi Hannah, can you detail a bit more please? We had the discussion about this on bug 23042 and it seems that it is the expected behavior. The variables return and target contains an URI that must be escaped. Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=23042 [Bug 23042] Local login attempt populates shibboleth url with userid and password in plain text -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=24779 Martin Renvoize <martin.renvoize@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Resolution|--- |INVALID Status|NEW |RESOLVED -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org