nic-6443 opened a new pull request, #13471:
URL: https://github.com/apache/apisix/pull/13471
A `POST` to the CAS callback path with an empty request body returns a 500
instead of a clean 400.
The single-logout branch in `cas-auth`'s `access` reads the body and
immediately calls `:match` on it:
```lua
local data = core.request.get_body()
local ticket = data:match("<samlp:SessionIndex>(.*)</samlp:SessionIndex>")
```
`core.request.get_body()` returns `nil` when there's no body, so
`data:match` raises `attempt to index local 'data' (a nil value)` and the
request 500s — even though the very next line already handles the "no ticket"
case with a 400, it's never reached.
Fix is a one-liner: guard the body before matching so a missing/empty body
falls through to the existing 400 branch. A normal CAS ticket callback (a GET
with `?ticket=`) is unaffected.
Added a test that POSTs to the callback with no body and asserts a 400 — it
fails with 500 before the fix.
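The failure and the guard described above, reduced to plain Lua as an added example (not the plugin's code or the PR's diff). `slo_unguarded`, `slo_guarded`, `serve` and the stubbed `get_body` are hypothetical names, and the 200 success status is an assumption.

```lua
-- Added illustration; not the plugin's code. get_body is passed in as a stub
-- standing in for core.request.get_body(), which returns nil when there is no body.
local PATTERN = "<samlp:SessionIndex>(.*)</samlp:SessionIndex>"

-- Before: mirrors the two lines quoted in the PR description.
local function slo_unguarded(get_body)
    local data = get_body()
    local ticket = data:match(PATTERN)   -- raises when data is nil
    if not ticket then
        return 400
    end
    return 200, ticket                   -- 200 is an assumed success status
end

-- After: guard the body so a nil body falls through to the 400 branch.
local function slo_guarded(get_body)
    local data = get_body()
    local ticket = data and data:match(PATTERN)
    if not ticket then
        return 400
    end
    return 200, ticket
end

-- Simulate the gateway: an uncaught Lua error in a handler surfaces as a 500.
local function serve(handler, body)
    local ok, status, ticket = pcall(handler, function() return body end)
    if not ok then
        return 500, status   -- on failure, status holds the error message
    end
    return status, ticket
end

-- Constructed sample bodies.
local cases = {
    { name = "no body", body = nil },
    { name = "empty body", body = "" },
    { name = "logout request", body = "<samlp:LogoutRequest>"
        .. "<samlp:SessionIndex>ST-constructed-1</samlp:SessionIndex>"
        .. "</samlp:LogoutRequest>" },
}
for _, c in ipairs(cases) do
    print(c.name, "unguarded:", (serve(slo_unguarded, c.body)),
          "guarded:", (serve(slo_guarded, c.body)))
end
```

An empty string is truthy in Lua, so only the `nil` body reaches the index error; the empty-string case already fell through to the 400 branch without the guard.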