missing URL-encoding in audit log

Cantor, Scott cantor.2 at osu.edu
Tue Jul 25 12:33:59 EDT 2017


On 7/25/17, 12:30 PM, "users on behalf of Andrew Morgan" <users-bounces at shibboleth.net on behalf of morgan at orst.edu> wrote:

> I've read RFC 2396 (section 2.4.3).  I'm not clear if the CAS service URL 
> represented in the audit logs should be in an escaped form or not.  Is the 
> log representing a "URI" or something else in that context?

It's a URI, expressed literally, as a name. If the URI contains characters that have to be escaped to appear *in* the URI itself in one of the segments, then it has to be escaped by the thing creating the URI.

> If it is a URI, then I propose that it should be URI escaped and the | 
> would be represented as %7C (thanks for the correction).

Not by the IdP, no. The bug is in whatever is sending you that URI without encoding the character.

If the IdP encoded URI names, then SAML entityIDs would show up with encoded / or : characters.

-- Scott
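
An added illustration of the reply above, not part of the original message and not Shibboleth code: the party that builds the URI escapes each component, whereas escaping the finished name would also mangle the `:` and `/` of an entityID. The URLs and function names are constructed for this example, and the allowed character set is taken from RFC 3986, the successor to the RFC 2396 grammar cited in the thread.

```python
import re
from urllib.parse import quote, urlencode

# Characters RFC 3986 allows to appear literally in a URI:
# unreserved + gen-delims + sub-delims, plus "%" introducing an escape.
_ALLOWED = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
    "-._~" ":/?#[]@" "!$&'()*+,;=" "%"
)
_BAD_ESCAPE = re.compile(r"%(?![0-9A-Fa-f]{2})")


def unescaped_chars(uri):
    """Return the characters in `uri` that its creator should have escaped."""
    bad = {c for c in uri if c not in _ALLOWED}
    if _BAD_ESCAPE.search(uri):
        bad.add("%")  # stray percent sign not followed by two hex digits
    return sorted(bad)


def build_service_url(base, params):
    """Creator side: escape each query value while assembling the URI."""
    return base + "?" + urlencode(params, quote_via=quote)


def blanket_encode(uri):
    """What a logger would emit if it escaped the finished name as a whole."""
    return quote(uri, safe="")


# Constructed sample values (hypothetical hosts), not taken from the thread.
RAW_SERVICE = "https://app.example.org/login?next=a|b"
GOOD_SERVICE = build_service_url("https://app.example.org/login", {"next": "a|b"})
ENTITY_ID = "https://sp.example.org/shibboleth"

if __name__ == "__main__":
    print(unescaped_chars(RAW_SERVICE))   # the sender left "|" unescaped
    print(GOOD_SERVICE)                   # escaped while the URI was built
    print(unescaped_chars(GOOD_SERVICE))  # nothing left to flag
    print(blanket_encode(ENTITY_ID))      # ":" and "/" no longer literal
```

Running `unescaped_chars` over the service URL field of logged entries points to the client that sent the malformed URI.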




