Handle valid but uncommon dsig block with no URI in the reference

Author: pitbulk

src/onelogin/saml2/utils.py

@@ -806,7 +806,7 @@ def add_sign(xml, key, cert, debug=False):
         if debug:
             xmlsec.set_error_callback(print_xmlsec_errors)
 
-        # Sign the metadacta with our private key.
+        # Sign the metadata with our private key.
         signature = Signature(xmlsec.TransformExclC14N, xmlsec.TransformRsaSha1)
 
         issuer = OneLogin_Saml2_Utils.query(elem, '//saml:Issuer')
@@ -922,6 +922,12 @@ def validate_sign(xml, cert=None, fingerprint=None, fingerprintalg='sha1', valid
                 if cert is None or cert == '':
                     return False
 
+                # Check if Reference URI is empty
+                reference_elem = OneLogin_Saml2_Utils.query(signature_node, '//ds:Reference')
+                if len(reference_elem) > 0:
+                    if reference_elem[0].get('URI') == '':
+                        reference_elem[0].set('URI', '#%s' % signature_node.getparent().get('ID'))
+
                 dsig_ctx = xmlsec.DSigCtx()
 
                 file_cert = OneLogin_Saml2_Utils.write_temp_file(cert)

tests/src/OneLogin/saml2_tests/response_test.py

@@ -1097,3 +1097,12 @@ def testIsValidSign(self):
         response_9 = OneLogin_Saml2_Response(settings, xml_9)
         # Modified message
         self.assertFalse(response_9.is_valid(self.get_request_data()))
+
+    def testIsValidSignWithEmptyReferenceURI(self):
+        settings_info = self.loadSettingsJSON()
+        del settings_info['idp']['x509cert']
+        settings_info['idp']['certFingerprint'] = "194d97e4d8c9c8cfa4b721e5ee497fd9660e5213"
+        settings = OneLogin_Saml2_Settings(settings_info)
+        xml = self.file_contents(join(self.data_path, 'responses', 'response_without_reference_uri.xml.base64'))
+        response = OneLogin_Saml2_Response(settings, xml)
+        self.assertTrue(response.is_valid(self.get_request_data()))