CAS protocol violation

Marvin Addison marvin.addison at gmail.com
Tue Mar 13 10:06:03 EDT 2018


On Mon, Mar 12, 2018 at 5:55 PM Andrew Morgan <morgan at orst.edu> wrote:

> At first, I thought this was a new restriction in v3 of the protocol too.
> However, take a look at section 3.7 of the v2 spec...  Same character
> class restriction.
>

Wow. I was so sure that the character set was an editorialization on top of
the original document [1], but I'm just wrong. That raises the priority in
my view to "something we probably should fix." Thinking on it more, it's
probably not too much work to simply use base 32 encoding and swap out the
"=" padding character with "-" in a post-encoding/pre-decoding step. I've
filed an issue to track it:

https://issues.shibboleth.net/jira/browse/IDP-1265

> Given the character class restriction, I wonder if the patch will ever be
> accepted into mod_auth_cas.  :/
>

While your observation about character set requirements in the protocol
makes it less palatable perhaps, one could argue it's a reasonable
improvement nonetheless. In any case I'm fairly certain dhawes would
consider positive feedback on the patch as a sign that it should be
accepted.

M

[1]
https://web.archive.org/web/20110430030314/http://www.jasig.org/cas/protocol
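
The base 32 idea from the message above, as an added example that is not code from Shibboleth or mod_auth_cas: it checks tickets against the CAS section 3.7 character class (A-Z, a-z, 0-9 and "-") and swaps the "=" padding for "-" after encoding and back before decoding. The function names, the `ST-` prefix handling and the sample payload are assumptions made for illustration.

```python
import base64
import re

# CAS protocol section 3.7: tickets may contain only A-Z, a-z, 0-9 and "-".
TICKET_CHARS = re.compile(r"[A-Za-z0-9-]+")
PREFIX = "ST-"  # assumed here: the service-ticket prefix
SAMPLE = bytes.fromhex("fbfffe01")  # constructed payload, not a real ticket


def conforms(ticket: str) -> bool:
    """True if every character is in the section 3.7 character class."""
    return TICKET_CHARS.fullmatch(ticket) is not None


def encode_ticket(payload: bytes) -> str:
    """Base32-encode the payload, then swap "=" padding for "-"."""
    body = base64.b32encode(payload).decode("ascii").replace("=", "-")
    return PREFIX + body


def decode_ticket(ticket: str) -> bytes:
    """Reverse encode_ticket; reject input outside the character class."""
    if not conforms(ticket) or not ticket.startswith(PREFIX):
        raise ValueError("ticket violates CAS character class or prefix")
    body = ticket[len(PREFIX):]
    # "-" is not in the base32 alphabet (A-Z, 2-7), so in the body it can
    # only be padding, and padding is valid only as a trailing run.
    data = body.rstrip("-")
    if "-" in data:
        raise ValueError("padding character inside ticket body")
    try:
        return base64.b32decode(data + "=" * (len(body) - len(data)))
    except ValueError as exc:  # binascii.Error subclasses ValueError
        raise ValueError("ticket body is not valid base32") from exc


if __name__ == "__main__":
    plain_b64 = PREFIX + base64.b64encode(SAMPLE).decode("ascii")
    print(plain_b64, conforms(plain_b64))      # base64 breaks the class
    ticket = encode_ticket(SAMPLE)
    print(ticket, conforms(ticket), decode_ticket(ticket) == SAMPLE)
```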