From b8399c90d0c4ccbb64f626e6b1892d29974282ce Mon Sep 17 00:00:00 2001
From: brianvans <1323225+brianvans@users.noreply.github.com>
Date: Tue, 28 Mar 2023 20:07:48 -0700
Subject: [PATCH 1/3] Fix XSS in the idp url parameter
---
djangosaml2/tests/__init__.py | 4 ++--
djangosaml2/views.py | 3 ++-
2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/djangosaml2/tests/__init__.py b/djangosaml2/tests/__init__.py
index 18cfa4f3..251c3549 100644
--- a/djangosaml2/tests/__init__.py
+++ b/djangosaml2/tests/__init__.py
@@ -308,8 +308,8 @@ def test_unknown_idp(self):
metadata_file="remote_metadata_three_idps.xml",
)
- response = self.client.get(reverse("saml2_login") + "?idp=https://unknown.org")
- self.assertEqual(response.status_code, 403)
+ response = self.client.get(reverse("saml2_login") + "?idp=https://unknown.org")
+ self.assertContains(response, "<b>https://unknown.org</b>", status_code=403)
def test_login_authn_context(self):
sp_kwargs = {
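Review bot: The assertion on the second added line expects the substring `<b>https://unknown.org</b>`, but the message built in views.py by this same patch (`Error: IdP EntityID {escape(idp)} was not found in metadata`) wraps the entity ID in no `<b>` tags, so as far as the diff shows that substring cannot match; if the tags come from a template elsewhere, that is not visible here. The test also only sends a benign URL, so it does not pin the escaping the patch is about. A second request with markup in the parameter would do that, e.g. `response = self.client.get(reverse("saml2_login") + "?idp=https://unknown.org/<i>x</i>")` followed by `self.assertContains(response, "https://unknown.org/&lt;i&gt;x&lt;/i&gt;", status_code=403)` and `self.assertNotContains(response, "<i>x</i>", status_code=403)`. test_unknown_idp starts before the hunk.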
diff --git a/djangosaml2/views.py b/djangosaml2/views.py
index 7bde83ec..526bcadd 100644
--- a/djangosaml2/views.py
+++ b/djangosaml2/views.py
@@ -30,6 +30,7 @@
from django.template import TemplateDoesNotExist
from django.urls import reverse
from django.utils.decorators import method_decorator
+from django.utils.html import escape
from django.utils.module_loading import import_string
from django.utils.translation import gettext_lazy as _
from django.views.decorators.csrf import csrf_exempt
@@ -152,7 +153,7 @@ def get_next_path(self, request: HttpRequest) -> str:
return next_path
def unknown_idp(self, request, idp):
- msg = f"Error: IdP EntityID {idp} was not found in metadata"
+ msg = f"Error: IdP EntityID {escape(idp)} was not found in metadata"
logger.error(msg)
return HttpResponse(msg.format("Please contact technical support."), status=403)
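Review bot: `msg.format(...)` on the last line is still applied to a string that already contains the request-supplied `idp`, so an entity ID containing `{` or `}` makes `str.format` raise (a `KeyError` or `ValueError`) and turns the intended 403 into an unhandled error; the escaping added here does not change that, since `escape()` leaves braces untouched. The second patch in this series removes the `.format()` call, which settles it; until then the safe form is `return HttpResponse(msg, status=403)`. unknown_idp is shown complete, but the enclosing class starts outside the hunk.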
From 842c30a4942fa78c1beade783ebf5ebdcf9a0aaf Mon Sep 17 00:00:00 2001
From: Giuseppe De Marco
Date: Wed, 5 Apr 2023 18:18:54 +0200
Subject: [PATCH 2/3] chore: removed unused format string
---
djangosaml2/views.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/djangosaml2/views.py b/djangosaml2/views.py
index 526bcadd..9b2d9e93 100644
--- a/djangosaml2/views.py
+++ b/djangosaml2/views.py
@@ -155,7 +155,7 @@ def get_next_path(self, request: HttpRequest) -> str:
def unknown_idp(self, request, idp):
msg = f"Error: IdP EntityID {escape(idp)} was not found in metadata"
logger.error(msg)
- return HttpResponse(msg.format("Please contact technical support."), status=403)
+ return HttpResponse(msg, status=403)
def load_sso_kwargs_scoping(self, sso_kwargs):
"""Performs IdP Scoping if scoping param is present."""
From df5c2019de920caa0b12f74f7fdf48cecc51895c Mon Sep 17 00:00:00 2001
From: Giuseppe De Marco
Date: Wed, 5 Apr 2023 18:21:50 +0200
Subject: [PATCH 3/3] v1.5.6
---
setup.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/setup.py b/setup.py
index c805d008..7576e96c 100644
--- a/setup.py
+++ b/setup.py
@@ -27,7 +27,7 @@ def read(*rnames):
setup(
name="djangosaml2",
- version="1.5.5",
+ version="1.5.6",
description="pysaml2 integration for Django",
long_description=read("README.md"),
long_description_content_type="text/markdown",