From 4f68733485029d6adddef35816bec111b30a6e0c Mon Sep 17 00:00:00 2001
From: Vlad Mencl
Date: Thu, 12 Dec 2024 16:52:37 +1300
Subject: [PATCH] fix: prep_for_nego_auth: avoid double signing redirect requests

Fixes IdentityPython/pysaml2#819 (again) The prepare_for_negotiated_authenticate method has sign parameter defaulting to None. The logic setting sign_redirect and sign_post does not properly handle the three-state aspects that sign has with None mixed True and False. Python evalutes `None and ` as None, so as a result, None gets passed forboth sign_redirect and sign_post. However, None is interpreted by Entity._message as "sign if self.should_sign". As a result, for Redirect binding, the authentication request gets signed both in XML and in HTTP parameter (recurrence of IdentityPython/pysaml2#819). Fix this by passing an explicit False for exactly one of the branches (sign_post for REDIRECT binding and sign_redirect for all other bindings), passing through value of `sign` for the other branch.
---
 src/saml2/client.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/saml2/client.py b/src/saml2/client.py
index 0e77bad19..4c91a08b8 100644
--- a/src/saml2/client.py
+++ b/src/saml2/client.py
@@ -144,8 +144,8 @@ def prepare_for_negotiated_authenticate(
             # XXX ^through self.create_authn_request(...)
             # XXX - sign_redirect will add the signature to the query params
             # XXX ^through self.apply_binding(...)
-            sign_redirect = sign and binding == BINDING_HTTP_REDIRECT
-            sign_post = sign and not sign_redirect
+            sign_redirect = sign if binding == BINDING_HTTP_REDIRECT else False
+            sign_post = sign if binding != BINDING_HTTP_REDIRECT else False
 
             reqid, request = self.create_authn_request(
                 destination=destination,
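Review bot: The two new assignments evaluate `binding == BINDING_HTTP_REDIRECT` twice in mirrored form, and the XXX comments directly above still do not record why `sign` must reach exactly one of the two paths — the tri-state meaning of `sign` (None meaning "defer to should_sign", as the commit message explains) lives only in the commit text, which is how the original #819 fix regressed. I would hoist the test once, `is_redirect = binding == BINDING_HTTP_REDIRECT`, then `sign_redirect = sign if is_redirect else False` and `sign_post = False if is_redirect else sign`, and add above them `# sign may be None (= sign iff should_sign); hand it to exactly one path so a redirect request is never signed both in the XML and in the query string`. The diffstat shows the fix lands without a test; since this is the second occurrence of the double-signing bug, a regression test that builds a redirect-binding request with sign=None and asserts the XML carries no Signature element would keep it from coming back a third time. The enclosing prepare_for_negotiated_authenticate body starts and ends outside the hunk.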