author | Heiko Bernloehr <Heiko.Bernloehr@FreeIT.de> | 2012-11-15 17:10:35 +0100 |
---|---|---|
committer | Heiko Bernloehr <Heiko.Bernloehr@FreeIT.de> | 2012-11-15 17:15:27 +0100 |
commit | 97c25ae39e3d6a628c65f4cb2ceecd48e410732d (patch) | |
tree | 97aea0adea3043e19b50758325d1bb7a646fff71 | |
parent | 9298117acdf82c9529a12a3ab41baf9d1e86c2f4 (diff) | |
download | ecs2-97c25ae39e3d6a628c65f4cb2ceecd48e410732d.tar.gz ecs2-97c25ae39e3d6a628c65f4cb2ceecd48e410732d.zip |
Changed security fix for redirects.
When creating an authorization token, the ECS only checks that exactly one of
the realm or url parameters is present.
-rw-r--r-- | app/models/message.rb | 6 | ||||
-rw-r--r-- | test/functional/messages_controller_test.rb | 16 | ||||
-rw-r--r-- | test/unit/message_test.rb | 13 |
3 files changed, 10 insertions, 25 deletions
diff --git a/app/models/message.rb b/app/models/message.rb
index 69067d0..8f225df 100644
--- a/app/models/message.rb
+++ b/app/models/message.rb
@@ -216,10 +216,8 @@ class Message < ActiveRecord::Base
 unless bks.include?("url") or bks.include?("realm")
 raise Ecs::InvalidMessageException, "You have to provide realm or url attribute"
 end
- if bks.include?("realm") and !b["realm"].empty? and !bks.include?("url")
- b["url"]= b["realm"]
- elsif bks.include?("url") and !b["url"].empty? and !bks.include?("realm")
- b["realm"]= b["url"]
+ if bks.include?("url") and bks.include?("realm")
+ raise Ecs::InvalidMessageException, "You only be allowed to use either realm or url attribute"
 end
 #msg_id = URI.split(b["url"])[5][1..-1].sub(/[^\/]*\/[^\/]*\/(.*)/, '\1').to_i
diff --git a/test/functional/messages_controller_test.rb b/test/functional/messages_controller_test.rb
index 2522617..6d7a906 100644
--- a/test/functional/messages_controller_test.rb
+++ b/test/functional/messages_controller_test.rb
@@ -309,22 +309,6 @@ class MessagesControllerTest < ActionController::TestCase
 # Auths tests
 #
- test "create_auths" do
- @request.env["RAW_POST_DATA"] = <<-'HERE'
- {
- "url":"https://ilias.uni-stuttgart.de/goto.php?target=crs_95034&client_id=USTGT",
- "realm":"https://ilias.uni-stuttgart.de/goto.php?target=crs_95034&client_id=USTGT"
- }
- HERE
- @request.env["CONTENT_TYPE"] = "application/json"
- @request.env["X-EcsAuthId"] = identities(:stgt_id1).name
- @request.env["X-EcsReceiverMemberships"] = memberships(:ulm_wuv).id.to_s
- @request.set_REQUEST_URI("/sys/auths")
- mm_count = MembershipMessage.all.count
- post :create
- assert_response 201
- end
-
 test "create_auths_url" do
 @request.env["RAW_POST_DATA"] = <<-'HERE'
 {
diff --git a/test/unit/message_test.rb b/test/unit/message_test.rb
index fbe0b21..928f3bc 100644
--- a/test/unit/message_test.rb
+++ b/test/unit/message_test.rb
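Review bot: The new guard rejects a body that carries both keys, but it no longer validates the value of the one key that is present: the removed branches at least required `!b["realm"].empty?` / `!b["url"].empty?`, whereas now a body with `"url": ""` or `"url": null` passes this validation. Add a presence check after the new `if`, e.g. `value = bks.include?("url") ? b["url"] : b["realm"]` followed by `raise Ecs::InvalidMessageException, "realm or url attribute must not be empty" if value.nil? || value.to_s.empty?`. The added message `"You only be allowed to use either realm or url attribute"` is also ungrammatical; `"You are only allowed to provide either the realm or the url attribute"` reads better. The enclosing method starts and ends outside the hunk, and `bks` is presumably `b.keys` — confirm before relying on that.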
@@ -68,9 +68,9 @@ class MessageTest < ActiveSupport::TestCase
 "CONTENT_TYPE" => "application/json"
 }
 raw_post= Hash.new
- raw_post[:realm]= <<-'HERE'
+ raw_post[:realm]= <<-"HERE"
 {
- "realm":"https://ilias.uni-stuttgart.de/goto.php?target=crs_95034&client_id=USTGT"
+ "realm":"#{Digest::SHA1.hexdigest 'https://ilias.uni-stuttgart.de/goto.php?target=crs_95034&client_id=USTGT'}"
 }
 HERE
 raw_post[:url]= <<-'HERE'
@@ -91,9 +91,12 @@ class MessageTest < ActiveSupport::TestCase
 json= ActiveSupport::JSON.decode(msg.body)
 end
 assert json.keys.include?(k.to_s)
- assert_equal "https://ilias.uni-stuttgart.de/goto.php?target=crs_95034&client_id=USTGT", json[k.to_s]
- assert json.keys.include?(k.to_s)
- assert_equal "https://ilias.uni-stuttgart.de/goto.php?target=crs_95034&client_id=USTGT", json[k.to_s]
+ if k.to_s == "realm"
+ assert_equal Digest::SHA1.hexdigest("https://ilias.uni-stuttgart.de/goto.php?target=crs_95034&client_id=USTGT"), json[k.to_s]
+ end
+ if k.to_s == "url"
+ assert_equal "https://ilias.uni-stuttgart.de/goto.php?target=crs_95034&client_id=USTGT", json[k.to_s]
+ end
 assert json.keys.include?("pid")
 assert_equal participants(:ilias_stgt).id, json["pid"]
 end |
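Review bot: The expected URL string in the new `assert_equal` lines of the second hunk is copied verbatim from the `raw_post[:realm]` heredoc changed in the first hunk, so the fixture and the expectation can silently drift apart; hoist it into one constant, e.g. `AUTH_URL = "https://ilias.uni-stuttgart.de/goto.php?target=crs_95034&client_id=USTGT".freeze`, and use `Digest::SHA1.hexdigest(AUTH_URL)` both inside the `<<-"HERE"` heredoc and in the `realm` assertion. The two consecutive `if k.to_s == "realm"` / `if k.to_s == "url"` blocks would read better as one `case k.to_s` with `when "realm"` and `when "url"` branches. `Digest::SHA1` needs `require "digest/sha1"` to be in scope; whether this file or the test helper loads it is not visible here. The loop that binds `k` and the enclosing test method begin outside the hunk.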