
cas_in_filter for single sign-out can't handle split requests #88

Open
markblackman opened this issue Dec 29, 2015 · 3 comments

Comments

@markblackman

Apache input filters are not guaranteed to be called with a complete request but instead should assume the request may be fed in piecemeal, in multiple calls. However, the CAS input filter for single signout (cas_in_filter) logic presumes that the first call will have a complete request, as it just examines the current bucket brigade, possibly incomplete, for evidence of a SAML signout request, calling the CAS signout if found.

We have seen cases where the single sign-out request is split into two pieces.

https://mail-archives.apache.org/mod_mbox/httpd-users/201510.mbox/%3C39A0AA41C90BDA42BEB03EF9F45DC3F80A058AD2@UCDEDC1PWXMR003.de.db.com%3E

The fix involves a request-scope persistent data structure to build up a copy of the request suitable across multiple calls for passing to CASSAMLLogout.
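The following is an added illustration of the two behaviours the issue contrasts; it is not code from mod_auth_cas or from the reporter's private fix. It models, without the Apache/APR headers, a per-request context (the analogue of a filter `ctx` allocated from the request pool) that accumulates the body across several filter invocations and only looks for the CAS `logoutRequest=` form field once the declared Content-Length is satisfied or end-of-stream is signalled. All names (`sso_ctx`, `naive_filter_call`, `accumulating_filter_call`, the cap `SSO_MAX_BODY`) and the sample POST body are constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Upper bound on what we are willing to buffer for the logout check, so a
 * client cannot drive unbounded memory growth by sending a huge POST body.
 * Hypothetical value for this example. */
#define SSO_MAX_BODY (64 * 1024)

/* Per-request state. In a real Apache filter this lives in the filter's ctx
 * (allocated from r->pool) so it survives every call for the same request. */
typedef struct {
    char   *body;            /* bytes accumulated so far, not NUL-terminated */
    size_t  len;             /* number of bytes in body */
    size_t  content_length;  /* declared Content-Length, 0 if unknown */
    int     decided;         /* non-zero once the complete body was examined */
    int     is_logout;       /* verdict, valid only when decided != 0 */
} sso_ctx;

sso_ctx *sso_ctx_create(size_t content_length)
{
    sso_ctx *ctx = calloc(1, sizeof *ctx);
    if (ctx != NULL) ctx->content_length = content_length;
    return ctx;
}

void sso_ctx_destroy(sso_ctx *ctx)
{
    if (ctx == NULL) return;
    free(ctx->body);
    free(ctx);
}

/* Stand-in for the inspection the module performs: the CAS server posts the
 * SAML LogoutRequest in the form field "logoutRequest=". Length-aware search,
 * because the body is not NUL-terminated. */
static int looks_like_cas_logout(const char *body, size_t len)
{
    static const char marker[] = "logoutRequest=";
    const size_t mlen = sizeof marker - 1;
    size_t i;
    for (i = 0; len >= mlen && i + mlen <= len; i++)
        if (memcmp(body + i, marker, mlen) == 0) return 1;
    return 0;
}

/* The pattern the issue describes: decide from the chunk handed to this call
 * alone. Returns 1 if this chunk by itself contains the marker, else 0. */
int naive_filter_call(const char *chunk, size_t len)
{
    return looks_like_cas_logout(chunk, len);
}

/* Accumulating version: copy this call's bytes into the request-scoped
 * context and decide only once the body is complete (Content-Length reached
 * or eos set by the caller). Returns -1 while incomplete, otherwise 0 or 1. */
int accumulating_filter_call(sso_ctx *ctx, const char *chunk, size_t len, int eos)
{
    if (ctx->decided) return ctx->is_logout;       /* idempotent afterwards */

    if (ctx->len + len > SSO_MAX_BODY) {           /* too big: stop buffering */
        ctx->decided = 1;
        ctx->is_logout = 0;
        return 0;
    }
    if (len > 0) {
        char *grown = realloc(ctx->body, ctx->len + len);
        if (grown == NULL) return -1;              /* stay undecided on OOM */
        memcpy(grown + ctx->len, chunk, len);
        ctx->body = grown;
        ctx->len += len;
    }
    if (!eos && !(ctx->content_length > 0 && ctx->len >= ctx->content_length))
        return -1;                                 /* more data still to come */

    ctx->decided = 1;
    ctx->is_logout = looks_like_cas_logout(ctx->body, ctx->len);
    return ctx->is_logout;
}

/* Worked scenario: a constructed logout POST arrives as a 1-byte piece (the
 * "peek" mentioned in the thread) followed by the remainder. Returns 1 when
 * the naive check misses on both pieces while the accumulator detects it. */
int split_logout_detected_only_by_accumulator(void)
{
    static const char body[] =
        "logoutRequest=%3Csamlp%3ALogoutRequest%20ID%3D%22constructed-id%22%3E"
        "%3C%2Fsamlp%3ALogoutRequest%3E";
    const size_t total = sizeof body - 1, split = 1;
    int naive_first  = naive_filter_call(body, split);
    int naive_second = naive_filter_call(body + split, total - split);
    sso_ctx *ctx = sso_ctx_create(total);
    if (ctx == NULL) return 0;
    int first  = accumulating_filter_call(ctx, body, split, 0);
    int second = accumulating_filter_call(ctx, body + split, total - split, 0);
    sso_ctx_destroy(ctx);
    return naive_first == 0 && naive_second == 0 && first == -1 && second == 1;
}

int main(void)
{
    printf("split body handled correctly: %d\n",
           split_logout_detected_only_by_accumulator());   /* prints 1 */
    return 0;
}
```

In a real filter the copied bytes must also be passed down the chain unchanged; consuming them is what produces the "eats some content of the POST request" symptom quoted later in this thread.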

@dhawes
Contributor

dhawes commented Dec 29, 2015

Are there any logs that indicate that the bytes are read all at one time, perhaps in another log entry? I've tried to duplicate this, but have so far had no luck.

I'll definitely have to review Apache input filters before I can fully address what's going on here.

Do you have any reference documentation for this behavior or examples of other modules that handle this correctly?

@markblackman
Author

On 29 Dec 2015, at 17:22, David Hawes [email protected] wrote:

Are there any logs that indicate that the bytes are read all at one time, perhaps in another log entry? I've tried to duplicate this, but have so far had no luck.

I'll definitely have to review Apache input filters before I can fully address what's going on here.

Do you have any reference documentation for this behavior or examples of other modules that handle this correctly?

Just this link:

http://docstore.mik.ua/orelly/weblinux2/apache/ch20_09.htm (see input filters)

We have developed a fix along these lines, i.e. a data structure that persisted for the duration of a request, and proved that it addressed our bug. It’s not a very big change to address it, but our change can’t be released for the usual corporate IP reasons. Possibly, there’s something special about our environment that provokes these split requests, but split requests are meant to be considered a common case for filters as I understand it.

I’m pretty sure that ‘httpd’ is getting the whole request at once, but that the filter processing is resulting in partial bodies being presented to the input filters. Eric Covener suggested "it's something like another module peeking to see if data is ready in the connection. The 1 byte it reads is consumed and set aside, but weaved back in to the next real read."

https://mail-archives.apache.org/mod_mbox/httpd-users/201510.mbox/%3CCALK%3DYjNQA9Y-3EgWp9UHrrPGYxcF35fxqdVcdiQyD%2Bc3G56XSg%40mail.gmail.com%3E

- Mark

@dhawes
Contributor

dhawes commented Dec 29, 2015

Thanks for the link. I'll research the fix and post back here.

Patches always welcome if those policies can be worked around.

@dhawes dhawes mentioned this issue Oct 12, 2016
wmfgerrit pushed a commit to wikimedia/operations-puppet that referenced this issue May 11, 2021
Up until now we have avoided using the CASSSOEnabled feature in
mod_auth_cas due to the following warning from the gitlab page:

  CAS single sign out is currently not functional and disabled.  It
  is only safe to use in the case where all requests are GET and not
  POST (the module inadvertently 'eats' some content of the POST
  request while determining if it should process it as a SAML logout
  request).

However looking at the commit history I notice a commit which seems to
address these issues[1].  Further I noticed many users reporting having
success with this feature, so I wonder if this is just an old message.
Regardless of the message there is still at least one outstanding
issue[2]; however I feel that we should try testing the functionality
out.  We can start enabling it on simple sites then move to the more
complex.

[1] apereo/mod_auth_cas@bbbad75
[2] apereo/mod_auth_cas#88

Hosts: P:idp::client::httpd
Bug: T233941
Change-Id: Id259cf8e84c931cd61f08a6a694cee6e2a0290e2