search

apereo / dotnet-cas-client

Apereo .NET CAS Client
Apache License 2.0
234 stars 172 forks source link

SingleSignOut cause A potentially dangerous Request.Form value was detected from the client #80

Closed nightBaker closed 5 years ago

nightBaker commented 6 years ago

After logout CAS sends post request message=@NOT_USED@</saml:NameID>ST-2171-iZF3BlhCp9VdarvPV-tJ1GEebO0-kaspi-portsso1</samlp:SessionIndex></samlp:LogoutRequest>,asynchronous=false,contentType=application/x-www-form-urlencoded

And dotnet-cas-client tryes get logoutRequest from HttpContext.Current.Request.Form

internal static void ProcessSingleSignOutRequest()
        {
            HttpContext context = HttpContext.Current;
            HttpRequest request = context.Request;
            HttpResponse response = context.Response;
            protoLogger.Debug("Examining request for single sign-out signature");

            if (request.HttpMethod == "POST" && request.Form["logoutRequest"] != null)
            {

getting value is causing exception - context.Request.Form["logoutRequest"] 'context.Request.Form["logoutRequest"]' threw an exception of type 'System.Web.HttpRequestValidationException' string {System.Web.HttpRequestValidationException}

phantomtypist commented 5 years ago

Closing this because the discussion can be carried on in PR #83