author | Vlastimil Zíma <vlastimil.zima@nic.cz> | 2019-10-08 10:14:50 +0200 |
---|---|---|
committer | Vlastimil Zíma <vlastimil.zima@nic.cz> | 2019-10-08 14:15:46 +0200 |
commit | ae769920b2dc641b9c7ddbc500071a66cb1d3667 (patch) | |
tree | 4cfc643778dfeef356df02dc7796c4f3ed6bb558 | |
parent | d16bfee10c7f70f7a42ac9d10ac4bce94a4a38ad (diff) | |
download | openid-ae769920b2dc641b9c7ddbc500071a66cb1d3667.tar.gz |
Fix false positive redirect when verifying consumer
-rw-r--r-- | openid/server/trustroot.py | 2 | ||||
-rw-r--r-- | openid/test/test_rpverify.py | 20 |
2 files changed, 21 insertions, 1 deletions
diff --git a/openid/server/trustroot.py b/openid/server/trustroot.py
index 159b60d..349032f 100644
--- a/openid/server/trustroot.py
+++ b/openid/server/trustroot.py
@@ -400,7 +400,7 @@ def getAllowedReturnURLs(relying_party_url):
     (rp_url_after_redirects, return_to_urls) = services.getServiceEndpoints(
         relying_party_url, _extractReturnURL)
-    if rp_url_after_redirects != relying_party_url:
+    if urinorm.urinorm(rp_url_after_redirects) != urinorm.urinorm(relying_party_url):
         # Verification caused a redirect
         raise RealmVerificationRedirected(
             relying_party_url, rp_url_after_redirects)
diff --git a/openid/test/test_rpverify.py b/openid/test/test_rpverify.py
index 82af2cf..5b6780a 100644
--- a/openid/test/test_rpverify.py
+++ b/openid/test/test_rpverify.py
@@ -3,9 +3,11 @@ from __future__ import unicode_literals
 import unittest
+from mock import patch, sentinel
 from testfixtures import LogCapture, StringComparison
 from openid.server import trustroot
+from openid.server.trustroot import getAllowedReturnURLs
 from openid.yadis import services
 from openid.yadis.discover import DiscoveryFailure, DiscoveryResult
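Review bot: `urinorm.urinorm()` raises `ValueError` for a URI it cannot normalize, so the rewritten comparison in the trustroot.py hunk turns a malformed `rp_url_after_redirects` (a value obtained from discovery of the relying party, i.e. from the network) into an uncaught ValueError, where the old plain string comparison could only raise RealmVerificationRedirected; callers that handle only the latter now get a different failure mode. Worth wrapping the two normalizations in a `try:` and treating a URL that fails to normalize as a failed verification, for example `except ValueError: raise RealmVerificationRedirected(relying_party_url, rp_url_after_redirects)`, so existing callers keep their current handling, and noting in the function's docstring that the comparison is done on normalized URLs. The diffstat shows no import added to trustroot.py, so this assumes `urinorm` is already imported there. getAllowedReturnURLs starts and ends outside the hunk.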
@@ -183,6 +185,24 @@ class TestReturnToMatches(unittest.TestCase):
         self.assertFalse(trustroot.returnToMatches([r], 'http://example.com/xss_exploit'))
+class TestGetAllowedReturnURLs(unittest.TestCase):
+
+    def test_equal(self):
+        with patch('openid.yadis.services.getServiceEndpoints', autospec=True,
+                   return_value=('http://example.com/', sentinel.endpoints)):
+            endpoints = getAllowedReturnURLs('http://example.com/')
+
+        self.assertEqual(endpoints, sentinel.endpoints)
+
+    def test_normalized(self):
+        # Test redirect is not reported when the returned URL is normalized.
+        with patch('openid.yadis.services.getServiceEndpoints', autospec=True,
+                   return_value=('http://example.com/', sentinel.endpoints)):
+            endpoints = getAllowedReturnURLs('http://example.com:80')
+
+        self.assertEqual(endpoints, sentinel.endpoints)
+
+
 class TestVerifyReturnTo(unittest.TestCase):
     def test_bogusRealm(self):
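Review bot: The new TestGetAllowedReturnURLs class only covers the two cases in which no redirect is reported; nothing in this hunk pins the security-relevant branch, that a URL which is genuinely different after discovery still raises `RealmVerificationRedirected`. Since the change makes the comparison looser, a third method such as `test_redirected`, with the mock returning a different host (e.g. the constructed value `('http://other.example/', sentinel.endpoints)`) and `with self.assertRaises(trustroot.RealmVerificationRedirected):` around the call, would guard the fix against over-normalization, unless a test elsewhere in this file already exercises that path via verifyReturnTo. The comment in test_normalized would read more precisely as `# A redirect must not be reported when the URLs differ only in normalization (here: the default port).`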