Allow proxy callback invocation w/o PGT/PGT-IOU parameters

Created on 3 September 2019, over 5 years ago
Updated 4 April 2024, 9 months ago

Problem/Motivation

We are using cas_module to implement proxy-ing to another backend web server (not drupal) using CAS protocol 3.
drupal8 cas_module is used on the frontend web server.

Under CAS Protocol 2.0 or 3.0 by Specification, CAS server in proxy callback access phase tries to establish HTTPS connection with proxy-ing web server to check its identity without PGT/PGT-IOU parameters. cas_module should not return error response for this case.

Proposed resolution

In src/Controller/ProxyCallbackController.php:callback() method,

if (!($request->query->get('pgtId') && $request->query->get('pgtIou'))) {
    return Response::create('OK', 200);
}

instead of this,

if (!($request->query->get('pgtId') && $request->query->get('pgtIou'))) {
    return Response::create('Missing necessary parameters', 400);
}

Remaining tasks

Tracking the first access to proxy callback w/o mentioned parameters and the second w/ them might be better.
However, probably this simplest fix of only changing returned response status code does not change security risks
since there is no cost difference for the server running this code.

p.s., this is my first challenge creating an issue at Drupal web site. Iinstruct me any problem you see in this one, thanks.

🐛 Bug report
Status

Active

Version

2.0

Component

CAS

Created by

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Merge Requests

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

Production build 0.71.5 2024