[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Extra CRLFs on Location header when mod_auth_saml does redirect.



Hello.

I've been integrating mod_auth_saml with PingFederate and wanted to pass
along some feedback on that experience. So far it has been positive with 2
exceptions. I thought I would post these separately to assist in the
discussion.

The environment we have is several Amazon EC2 instances that will be
running mod_auth_saml. They are behind Amazon's Elastic Load Balancer
(ELB). The first issue was that we were getting a 502 BAD GATEWAY when
going through the load balancer but not when hitting the machine directly.
We tracked this down to extra CRLF tacked on the end of the Location
header. This is the output of curl:

root@server:/# curl -v -H "Host: XXX.XXX.XXX" '
http://YYY.YYY.YYY:8002/secret/saml?e=&d=myidp&l0=+Login+&fc=1&fn=prstnt&fr=%2Fsecret%2F&fq=&fy=&fa=&fm=&fp=0&ff=0
'
* About to connect() to YYY.YYY.YYY port 8002 (#0)
*   Trying AA.AA.AA.AA... connected
* Connected to YYY.YYY.YYY (AA.AA.AA.AA) port 8002 (#0)
> GET
/secret/saml?e=&d=myidp&l0=+Login+&fc=1&fn=prstnt&fr=%2Fsecret%2F&fq=&fy=&fa=&fm=&fp=0&ff=0
HTTP/1.1
> User-Agent: curl/7.21.7 (x86_64-unknown-linux-gnu) libcurl/7.21.7
OpenSSL/0.9.8x zlib/1.2.5 libidn/1.18
> Accept: */*
> Host: XXX.XXX.XXX
>
< HTTP/1.1 303 See Other
< Date: Tue, 09 Apr 2013 17:48:59 GMT
< Server: Apache
< Location: https://XXX.XXX.XXX:9031/idp/SSO.saml2?SAMLRequest=.......%3D%3D
* no chunk, no close, no size. Assume close to signal end
<



Vary: Accept-Encoding
Content-Length: 1232
Content-Type: text/html; charset=iso-8859-1


As you can see there are several CRLFs after the Location header and curl
throws an error. Also Amazon's ELB is not properly able to handle this. I'm
curious if these exist for a reason? I was able to resolve this with the
following patch against 1.11:

--- zxidlib.c.orig      2013-04-09 17:46:12.402567543 -0400
+++ zxidlib.c   2013-04-09 17:46:54.808567566 -0400
@@ -453,8 +453,8 @@
     return 0;
   }
   ss = zx_strf(cf->ctx, (memchr(loc->s, '?', loc->len)
-                        ? "%.*s&%.*s" CRLF2
-                        : "%.*s?%.*s" CRLF2), loc->len, loc->s, rse->len,
rse->s);
+                        ? "%.*s&%.*s"
+                        : "%.*s?%.*s"), loc->len, loc->s, rse->len,
rse->s);
   D("%.*s", ss->len, ss->s);
   if (zx_debug & ZXID_INOUT) INFO("%.*s", ss->len, ss->s);
   zx_str_free(cf->ctx, rse);
--- zxidsso.c.orig      2013-04-09 17:44:43.594569324 -0400
+++ zxidsso.c   2013-04-09 17:44:53.898900530 -0400
@@ -285,7 +285,7 @@
   struct zx_str* url = zxid_start_sso_url(cf, cgi);
   if (!url)
     return 0; //zx_dup_str(cf->ctx, "* ERR");
-  ss = zx_strf(cf->ctx, "Location: %.*s" CRLF2, url->len, url->s);
+  ss = zx_strf(cf->ctx, "Location: %.*s", url->len, url->s);
   zx_str_free(cf->ctx, url);
   return ss;
 }

Basically I remoed the CRLF2 from zxidsso.c and zxidlib.c and everything
works. I'm just curious if those are necessary for some other reason or
based on my experience whether they should be removed.

Thanks,

Aaron



------
The information contained in this email message and any attachment may be privileged, confidential, proprietary or otherwise protected from disclosure. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, distribution, copying or use of this message and any attachment is strictly prohibited. If you have received this message in error, please notify us immediately by replying to the message and permanently delete it from your computer and destroy any printout thereof.