cloudstack-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "ASF subversion and git services (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CLOUDSTACK-8037) Survey security of using SAML plugin in production and test against standard IDPs
Date Mon, 12 Jan 2015 08:33:34 GMT

    [ https://issues.apache.org/jira/browse/CLOUDSTACK-8037?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14273401#comment-14273401
] 

ASF subversion and git services commented on CLOUDSTACK-8037:
-------------------------------------------------------------

Commit 173710d5b48d1a34996f15c3ff1bd80938639b94 in cloudstack's branch refs/heads/master from
[~rohit.yadav@shapeblue.com]
[ https://git-wip-us.apache.org/repos/asf?p=cloudstack.git;h=173710d ]

CLOUDSTACK-8037: URL encode cookie values with UTF8 as per version 1

As per Version 1 cookies, certain characters are now allowed such as space,
colons etc but they should be url encoded using UTF8 encoding. The frontend
has a cookie value unboxing method that removes any double quotes that are added.

As per the doc http://download.oracle.com/javase/6/docs/api/java/net/URLEncoder.html
values are application/x-www-form-urlencoded and as per
http://www.w3.org/TR/html4/interact/forms.html#h-17.13.4 whitespaces are encoded
as +, therefore '+' are replaced by %20 (whitespace).

Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
(cherry picked from commit 734bd70173c36508f0fc13a30c3aa8006814c019)
Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>


> Survey security of using SAML plugin in production and test against standard IDPs
> ---------------------------------------------------------------------------------
>
>                 Key: CLOUDSTACK-8037
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-8037
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.) 
>            Reporter: Rohit Yadav
>            Assignee: Rohit Yadav
>            Priority: Critical
>             Fix For: 4.5.0, 4.6.0
>
>
> Since SAML plugin will ship with 4.5, and while it's not enabled by default we need to
do a lot of testing and make sure whatever we're shipping works generally in most cases. While
the protocol does not dictate what different metadata an IDP should return other than NameID
(like a UUID), it needs to work just based on that and provide other mechanisms to support
additional metadata such as email, name, timezone etc.
> The other main aim is to test various possible loopholes it could have or exploits or
bad conflicts with respect to transient vs non-transient/unique NameIDs and SAML token signature
checking as well as HTTP-redirected authentication process. Final set of tests (possibly automated
tests) or manual QA against known standard IDP implementations for example openidp, ssocircle,
shibboleth etc.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message