Related to PR 83. extract the already encoded value directly from

pitbulk · pitbulk · commit 7fc8370f5efa · 2016-04-08T19:01:03.000+02:00
diff --git a/README.md b/README.md
@@ -925,6 +925,8 @@ Auxiliary class that contains several methods
 * ***add_sign*** Adds signature key and senders certificate to an element (Message or Assertion).
 * ***validate_sign*** Validates a signature (Message or Assertion).
 * ***validate_binary_sign*** Validates signed bynary data (Used to validate GET Signature).
+* ***def get_encoded_parameter*** Return an url encoded get parameter value
+* ***extract_raw_query_parameter***
 
 ####OneLogin_Saml2_IdPMetadataParser - idp_metadata_parser.py####
 
diff --git a/demo-bottle/index.py b/demo-bottle/index.py
@@ -35,6 +35,7 @@ def prepare_bottle_request(req):
         'script_name': req.fullpath,
         'get_data': req.query,
         'post_data': req.forms,
+        'query_string': req.query_string,
         'https': 'on' if req.urlparts.scheme == 'https' else 'off'
     }
 
diff --git a/demo-django/demo/views.py b/demo-django/demo/views.py
@@ -23,7 +23,8 @@ def prepare_django_request(request):
         'script_name': request.META['PATH_INFO'],
         'server_port': request.META['SERVER_PORT'],
         'get_data': request.GET.copy(),
-        'post_data': request.POST.copy()
+        'post_data': request.POST.copy(),
+        'query_string': req.query_string
     }
     return result
 
diff --git a/demo-flask/index.py b/demo-flask/index.py
@@ -28,7 +28,8 @@ def prepare_flask_request(request):
         'server_port': url_data.port,
         'script_name': request.path,
         'get_data': request.args.copy(),
-        'post_data': request.form.copy()
+        'post_data': request.form.copy(),
+        'query_string': req.query_string
     }
 
 
diff --git a/src/onelogin/saml2/logout_request.py b/src/onelogin/saml2/logout_request.py
@@ -13,7 +13,6 @@
 from base64 import b64encode, b64decode
 from lxml import etree
 from defusedxml.lxml import fromstring
-from urllib import quote_plus
 from xml.dom.minidom import Document
 
 from onelogin.saml2.constants import OneLogin_Saml2_Constants
@@ -317,10 +316,10 @@ def is_valid(self, request_data):
                 else:
                     sign_alg = get_data['SigAlg']
 
-                signed_query = 'SAMLRequest=%s' % quote_plus(get_data['SAMLRequest'])
+                signed_query = 'SAMLRequest=%s' % OneLogin_Saml2_Utils.get_encoded_parameter(get_data, 'SAMLRequest')
                 if 'RelayState' in get_data:
-                    signed_query = '%s&RelayState=%s' % (signed_query, quote_plus(get_data['RelayState']))
-                signed_query = '%s&SigAlg=%s' % (signed_query, quote_plus(sign_alg))
+                    signed_query = '%s&RelayState=%s' % (signed_query, OneLogin_Saml2_Utils.get_encoded_parameter(get_data, 'RelayState'))
+                signed_query = '%s&SigAlg=%s' % (signed_query, OneLogin_Saml2_Utils.get_encoded_parameter(get_data, 'SigAlg', OneLogin_Saml2_Constants.RSA_SHA1))
 
                 if 'x509cert' not in idp_data or idp_data['x509cert'] is None:
                     raise Exception('In order to validate the sign on the Logout Request, the x509cert of the IdP is required')
diff --git a/src/onelogin/saml2/utils.py b/src/onelogin/saml2/utils.py
@@ -1127,3 +1127,25 @@ def validate_binary_sign(signed_query, signature, cert=None, algorithm=OneLogin_
             return True
         except Exception:
             return False
+
+    @staticmethod
+    def get_encoded_parameter(get_data, name, default=None):
+        """Return an url encoded get parameter value
+        Prefer to extract the original encoded value directly from query_string since url
+        encoding is not canonical. The encoding used by ADFS 3.0 is not compatible with
+        python's quote_plus (ADFS produces lower case hex numbers and quote_plus produces
+        upper case hex numbers)
+        """
+        if name not in get_data:
+            return quote_plus(default)
+        if 'query_string' in get_data:
+            return OneLogin_Saml2_Utils.extract_raw_query_parameter(get_data['query_string'], name)
+        return quote_plus(get_data[name])
+
+    @staticmethod
+    def extract_raw_query_parameter(query_string, parameter, default=''):
+        m = re.search('%s=([^&]+)' % parameter, query_string)
+        if m:
+            return m.group(1)
+        else:
+            return default

Original file line number	Diff line number	Diff line change
`@@ -35,6 +35,7 @@ def prepare_bottle_request(req):`
`35`	`35`	`'script_name': req.fullpath,`
`36`	`36`	`'get_data': req.query,`
`37`	`37`	`'post_data': req.forms,`
	`38`	`+ 'query_string': req.query_string,`
`38`	`39`	`'https': 'on' if req.urlparts.scheme == 'https' else 'off'`
`39`	`40`	`}`
`40`	`41`
Original file line number	Diff line number	Diff line change
`@@ -23,7 +23,8 @@ def prepare_django_request(request):`
`23`	`23`	`'script_name': request.META['PATH_INFO'],`
`24`	`24`	`'server_port': request.META['SERVER_PORT'],`
`25`	`25`	`'get_data': request.GET.copy(),`
`26`		`- 'post_data': request.POST.copy()`
	`26`	`+ 'post_data': request.POST.copy(),`
	`27`	`+ 'query_string': req.query_string`
`27`	`28`	`}`
`28`	`29`	`return result`
`29`	`30`
Original file line number	Diff line number	Diff line change
`@@ -28,7 +28,8 @@ def prepare_flask_request(request):`
`28`	`28`	`'server_port': url_data.port,`
`29`	`29`	`'script_name': request.path,`
`30`	`30`	`'get_data': request.args.copy(),`
`31`		`- 'post_data': request.form.copy()`
	`31`	`+ 'post_data': request.form.copy(),`
	`32`	`+ 'query_string': req.query_string`
`32`	`33`	`}`
`33`	`34`
`34`	`35`