[ https://issues.apache.org/jira/browse/CLOUDSTACK-8037?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14273401#comment-14273401 ]
ASF subversion and git services commented on CLOUDSTACK-8037:
-------------------------------------------------------------
Commit 173710d5b48d1a34996f15c3ff1bd80938639b94 in cloudstack's branch
refs/heads/master from [[email protected]]
[ https://git-wip-us.apache.org/repos/asf?p=cloudstack.git;h=173710d ]
CLOUDSTACK-8037: URL encode cookie values with UTF8 as per version 1
As per Version 1 cookies, certain characters are now allowed, such as spaces,
colons etc., but they should be URL encoded using UTF-8 encoding. The frontend
has a cookie value unboxing method that removes any double quotes that are
added.
As per the doc
http://download.oracle.com/javase/6/docs/api/java/net/URLEncoder.html
values are application/x-www-form-urlencoded, and as per
http://www.w3.org/TR/html4/interact/forms.html#h-17.13.4 whitespace is encoded
as +; therefore '+' is replaced by %20 (whitespace).
Signed-off-by: Rohit Yadav <[email protected]>
(cherry picked from commit 734bd70173c36508f0fc13a30c3aa8006814c019)
Signed-off-by: Rohit Yadav <[email protected]>
> Survey security of using SAML plugin in production and test against standard
> IDPs
> ---------------------------------------------------------------------------------
>
> Key: CLOUDSTACK-8037
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-8037
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public (Anyone can view this level - this is the default.)
> Reporter: Rohit Yadav
> Assignee: Rohit Yadav
> Priority: Critical
> Fix For: 4.5.0, 4.6.0
>
>
> Since the SAML plugin will ship with 4.5, and while it's not enabled by default,
> we need to do a lot of testing and make sure whatever we're shipping works
> generally in most cases. While the protocol does not dictate what different
> metadata an IDP should return other than NameID (like a UUID), it needs to
> work just based on that and provide other mechanisms to support additional
> metadata such as email, name, timezone etc.
> The other main aim is to test various possible loopholes it could have, or
> exploits or bad conflicts with respect to transient vs non-transient/unique
> NameIDs, SAML token signature checking, as well as the HTTP-redirected
> authentication process. Final set of tests (possibly automated tests) or
> manual QA against known standard IDP implementations, for example openidp,
> ssocircle, shibboleth etc.
--
This message was sent by Atlassian JIRA (v6.3.4#6332)
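The encoding step the commit message describes, worked through as an added example. This is not CloudStack's code and not the committed change; the class and method names (CookieValueEncoding, encodeCookieValue, decodeCookieValue) and the sample values are constructed here. It uses java.net.URLEncoder, the API the commit message cites, with UTF-8, and then rewrites '+' to '%20'; the decode side strips surrounding double quotes the way the commit describes the frontend's unboxing, then percent-decodes.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

// Added example, not CloudStack's own code: form-encode a cookie value with
// UTF-8 as java.net.URLEncoder does, then turn '+' into '%20' as the commit
// message describes, and show why that replacement is unambiguous.
public class CookieValueEncoding {

    private static final String UTF8 = StandardCharsets.UTF_8.name();

    // URLEncoder produces application/x-www-form-urlencoded output: a space
    // becomes '+', while a literal '+' in the value becomes '%2B'. So after
    // encoding, every '+' left in the string stands for a space and can be
    // rewritten to '%20' without touching any other character.
    public static String encodeCookieValue(String raw) {
        try {
            return URLEncoder.encode(raw, UTF8).replace("+", "%20");
        } catch (UnsupportedEncodingException e) {
            // UTF-8 is always available on a JVM; this branch cannot be reached.
            throw new IllegalStateException(e);
        }
    }

    // Mirrors a consuming side: remove the double quotes a Version 1 cookie
    // may carry around its value (the "unboxing" the commit mentions), then
    // percent-decode. URLDecoder also maps '+' to a space, which is harmless
    // here because encodeCookieValue never leaves a '+' in its output.
    public static String decodeCookieValue(String cookie) {
        String v = cookie;
        if (v.length() >= 2 && v.startsWith("\"") && v.endsWith("\"")) {
            v = v.substring(1, v.length() - 1);
        }
        try {
            return URLDecoder.decode(v, UTF8);
        } catch (UnsupportedEncodingException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        // Constructed sample values: a space, a colon, a literal '+', a
        // non-ASCII letter, and an embedded double quote.
        String[] samples = { "first last", "role:admin", "a+b", "z\u00fcrich", "x\"y" };
        for (String s : samples) {
            String enc = encodeCookieValue(s);
            // Wrap in quotes to exercise the unboxing path on the way back.
            String back = decodeCookieValue("\"" + enc + "\"");
            System.out.printf("%-12s -> %-22s -> %-12s %s%n",
                    s, enc, back, s.equals(back) ? "ok" : "MISMATCH");
        }
    }
}
```

The order of operations is the point: the '+' to '%20' rewrite must run after URLEncoder, because at that stage a literal '+' from the original value has already become '%2B' and cannot be confused with an encoded space. A decoder that applied the rewrite before percent-decoding, or that decoded '+' as a space on a value that was never form-encoded, would corrupt any value containing a real '+'.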