nic-6443 commented on code in PR #13471:
URL: https://github.com/apache/apisix/pull/13471#discussion_r3352925859


##########
apisix/plugins/cas-auth.lua:
##########
@@ -381,7 +381,7 @@ function _M.access(conf, ctx)
 
     if method == "POST" and uri == cas_callback_path then
         local data = core.request.get_body()
-        local ticket = 
data:match("<samlp:SessionIndex>(.*)</samlp:SessionIndex>")
+        local ticket = data and 
data:match("<samlp:SessionIndex>(.*)</samlp:SessionIndex>")
         if ticket == nil then
             return ngx.HTTP_BAD_REQUEST,
                 {message = "invalid logout request from IdP, no ticket"}
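Review bot: the `(.*)` capture on the `+` line still matches an empty `<samlp:SessionIndex></samlp:SessionIndex>`, and because `""` is not `nil` the `if ticket == nil` check right after it lets an empty ticket through the 400 guard; use `(.+)` so an empty element is rejected as well. Since the same greedy `.*` also runs to the last closing tag when a body carries more than one `SessionIndex` element, the non-greedy form `(.-)` combined with a non-empty check is the safer capture when the value is later used as a session lookup key.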

Review Comment:
   Good catch. Fixed by requiring a non-empty SessionIndex (`(.+)` instead of 
`(.*)`), so an empty `<samlp:SessionIndex></samlp:SessionIndex>` now also 
returns 400 instead of passing an empty ticket through. Added a test case 
covering it.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
