rbCAS / CASino

CASino is a Ruby-based Single Sign-On solution supporting the CAS standard
MIT License

clean_service_url should not remove trailing slashes #165

Open lchanouha opened 8 years ago

lchanouha commented 8 years ago

Removing trailing slashes breaks the single sign-out function because a URL of this type is called

https://example.com/service

whereas my service URL is https://example.com/service/

Apache sends a 301 HTTP redirect, which CASino does not follow. This is the default configuration for most common web servers, and removing the redirection with the directive DirectorySlash Off is very insecure.

My solution is:

--- a/app/processors/casino/service_ticket_processor.rb
+++ b/app/processors/casino/service_ticket_processor.rb
@@ -19,7 +19,9 @@ module CASino::ServiceTicketProcessor
       service_uri.query_values = nil
     end

-    service_uri.path = (service_uri.path || '').gsub(/\/+\z/, '')
+    service_uri.path = (service_uri.path || '')
+    #.gsub(/\/+\z/, '')
     service_uri.path = '/' if service_uri.path.blank?

     service_uri.normalize.to_s.tap do |clean_service|
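Review bot: The commented-out fragment `#.gsub(/\/+\z/, '')` left on its own line after `service_uri.path = (service_uri.path || '')` is dead code; if the trailing-slash strip is meant to go, delete the line rather than commenting it out. More importantly, the cleaned value feeds `service_uri.normalize.to_s.tap do |clean_service|`, so it is used for more than display, and dropping the strip here changes how stored service URLs are compared at validation time for every deployment. The author's own suggestion is the safer direction: keep this normalization for matching and hand the single sign-out request the service URL as the client originally presented it, with its trailing slash intact.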

A better way is to call clean_service_url only for display purposes.
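One way to keep the normalization for ticket matching while sending single sign-out to the URL as registered, as an added example that is not CASino's code; it assumes Ruby's standard `URI` in place of the Addressable URI the processor uses, and the `ServiceTicket` struct is hypothetical:

```ruby
require 'uri'

# Normalize a service URL for comparison only, mirroring the visible steps
# in the processor: strip trailing slashes, default an empty path to '/',
# then apply URI#normalize (lowercases scheme and host).
# Assumption: stdlib URI instead of Addressable.
def clean_service_url(service_url)
  uri = URI.parse(service_url)
  uri.path = (uri.path || '').gsub(%r{/+\z}, '')
  uri.path = '/' if uri.path.empty?
  uri.normalize.to_s
end

# Hypothetical ticket record: stores the service URL exactly as presented,
# so the cleaned form never overwrites what the client registered.
ServiceTicket = Struct.new(:ticket, :service) do
  # Validation compares cleaned forms, so trailing-slash variants of the
  # same service still match and a different path still fails.
  def matches_service?(presented_url)
    clean_service_url(service) == clean_service_url(presented_url)
  end

  # Single sign-out posts back to the original URL, avoiding the 301 that a
  # DirectorySlash-enabled server returns for the slash-stripped variant.
  def single_sign_out_target
    service
  end
end

if __FILE__ == $0
  # Constructed sample values, not taken from a real deployment.
  t = ServiceTicket.new('ST-constructed-1', 'https://example.com/service/')
  puts clean_service_url(t.service)                      # comparison form
  puts t.matches_service?('https://example.com/service') # true
  puts t.single_sign_out_target                          # keeps the slash
end
```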

luxflux commented 7 years ago

Hmm, I'm not sure about why we have this in place. @pencil, do you know something?