nic-6443 commented on code in PR #13471:
URL: https://github.com/apache/apisix/pull/13471#discussion_r3352925859
##########
apisix/plugins/cas-auth.lua:
##########
@@ -381,7 +381,7 @@ function _M.access(conf, ctx)
if method == "POST" and uri == cas_callback_path then
local data = core.request.get_body()
- local ticket =
data:match("<samlp:SessionIndex>(.*)</samlp:SessionIndex>")
+ local ticket = data and
data:match("<samlp:SessionIndex>(.*)</samlp:SessionIndex>")
if ticket == nil then
return ngx.HTTP_BAD_REQUEST,
{message = "invalid logout request from IdP, no ticket"}
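Review bot: the added `data and` guard only covers a nil body; the `(.*)` capture on the `ticket` line still accepts an empty `<samlp:SessionIndex></samlp:SessionIndex>`, yielding `ticket == ""`, which passes the `if ticket == nil` check and is forwarded as a logout ticket. Require at least one character, and since Lua's `.*` is greedy, also stop the capture at the first closing tag so a body carrying two SessionIndex elements does not capture everything between the first opening and the last closing tag, e.g. `data:match("<samlp:SessionIndex>([^<]+)</samlp:SessionIndex>")`. A test with an empty element and one with two elements would pin both cases down.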
Review Comment:
Good catch. Fixed by requiring a non-empty SessionIndex (`(.+)` instead of
`(.*)`), so an empty `<samlp:SessionIndex></samlp:SessionIndex>` now also
returns 400 instead of passing an empty ticket through. Added a test case
covering it.