- First commit to issue fork.
- Merge request !31REL #3078837: Allow proxy callback invocation w/o PGT/PGT-IOU parameters → (Open) created by lukio
We are using cas_module to implement proxying to another backend web server (not Drupal) using CAS protocol 3.
The Drupal 8 cas_module is used on the frontend web server.
Under the CAS Protocol 2.0 or 3.0 specification, the CAS server, in the proxy callback access phase, tries to establish an HTTPS connection with the proxying web server to check its identity, without PGT/PGT-IOU parameters. cas_module should not return an error response in this case.
In src/Controller/ProxyCallbackController.php:callback() method,

```php
if (!($request->query->get('pgtId') && $request->query->get('pgtIou'))) {
  return Response::create('OK', 200);
}
```

instead of this,

```php
if (!($request->query->get('pgtId') && $request->query->get('pgtIou'))) {
  return Response::create('Missing necessary parameters', 400);
}
```
Tracking the first access to the proxy callback without the mentioned parameters and the second with them might be better.
However, this simplest fix of only changing the returned response status code probably does not change the security risks, since there is no cost difference for the server running this code.
P.S. This is my first try at creating an issue on the Drupal web site. Instruct me on any problem you see in this one, thanks.
Active
2.0
CAS
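The issue distinguishes the parameterless identity check from the later callback that carries pgtId and pgtIou. The following added example (not cas_module code, and not from the issue author) separates those two cases from a request that carries only one of the two parameters. The names handleProxyCallback() and $pgtStore, the 'Malformed parameters' message, and the character set and 256-character limit are assumptions made for illustration.

```php
<?php
// Added example, not cas_module code. handleProxyCallback() and $pgtStore are
// hypothetical names; the 256-character cap and charset are assumptions.

/**
 * Decide the proxy callback response from the query parameters.
 *
 * @param array $query    Parsed query string of the callback request.
 * @param array $pgtStore pgtIou => pgtId map, filled when a PGT is delivered.
 * @return array{0:int,1:string} HTTP status code and body.
 */
function handleProxyCallback(array $query, array &$pgtStore): array
{
    $hasId  = isset($query['pgtId'])  && $query['pgtId']  !== '';
    $hasIou = isset($query['pgtIou']) && $query['pgtIou'] !== '';

    // Case 1: the CAS server's identity check of the callback URL. No ticket data.
    if (!$hasId && !$hasIou) {
        return [200, 'OK'];
    }
    // Case 2: only one of the pair. Not a probe, not a usable delivery.
    if ($hasId xor $hasIou) {
        return [400, 'Missing necessary parameters'];
    }
    // Case 3: both present. Accept only plain strings of bounded size.
    foreach (['pgtId', 'pgtIou'] as $name) {
        $v = $query[$name];
        if (!is_string($v) || !preg_match('/^[A-Za-z0-9._-]{1,256}$/', $v)) {
            return [400, 'Malformed parameters'];
        }
    }
    $pgtStore[$query['pgtIou']] = $query['pgtId'];
    return [200, 'OK'];
}

// Constructed sample requests.
$store = [];
$samples = [
    'probe'     => [],
    'only iou'  => ['pgtIou' => 'PGTIOU-1-constructed'],
    'delivery'  => ['pgtId' => 'PGT-1-constructed', 'pgtIou' => 'PGTIOU-1-constructed'],
    'array val' => ['pgtId' => ['x'], 'pgtIou' => 'PGTIOU-2-constructed'],
];
foreach ($samples as $label => $q) {
    [$status, $body] = handleProxyCallback($q, $store);
    printf("%-9s -> %d %s\n", $label, $status, $body);
}
```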