
Possible Bug, zxid 1.18: (null) URL returned when calling without parameters



Hi,

I think there is a bug in zxid/Net::SAML 1.18. I am using the exact demo
script zxidhlo.pl from the documentation.
Whenever I enter the URL of the script in my web-browser
(https://192.168.56.102:8088/blast-web/cgi-bin/zxidhlo.pl), the zxidhlo.pl
script redirects to:
https://192.168.56.102:8088/blast-web/cgi-bin/(null)?o=C

Here is the log output:

[Mon Jul 21 15:25:42 2014] [error] [client 192.168.56.1] 1734.7f3aafbbd700 zxidconf.c:218 zxid_set_opt     \tzx I errmac_debug=1
[Mon Jul 21 15:25:42 2014] [error] [client 192.168.56.1] 1734.7f3aafbbd700 zxidsimp.c:1722 zxid_simple_cf_ses \tzx d QUERY_STRING() 1.18
[Mon Jul 21 15:25:42 2014] [error] [client 192.168.56.1] 1734.7f3aafbbd700 zxidecp.c:141 zxid_lecp_check  \tzx d Neither ECP nor LECP request 0
[Mon Jul 21 15:25:42 2014] [error] [client 192.168.56.1] 1734.7f3aafbbd700 zxidsimp.c:1479 zxid_simple_no_ses_cf \tzx d LECP check: ss(?)
[Mon Jul 21 15:25:42 2014] [error] [client 192.168.56.1] script not found or unable to stat: /home/licebase/blast-web/cgi-bin/(null)

If I am using https://192.168.56.102:8088/blast-web/cgi-bin/zxidhlo.pl?o=C
instead, it seems to work,
https://192.168.56.102:8088/blast-web/cgi-bin/zxidhlo.pl?o=E&c=


For what it's worth, the web server is running on CentOS 6.5 inside a VM,
Apache is 2.2.15 (CentOS), using https with default certs.

Net::SAML is installed from source
using make samlmod, make samlmod_install
This is perl, v5.10.1 (*) built for x86_64-linux-thread-multi


Michael




######################zxidhlo.pl###########################
#!/usr/bin/perl

use warnings;

use Net::SAML;
$| = 1; undef $/;  # Flush pipes, read all in at once
$url = "https://192.168.56.102:8088/blast-web/cgi-bin/zxidhlo.pl";  # Edit to match your conf
$conf = "PATH=/var/zxid/&URL=$url";
$cf = Net::SAML::new_conf_to_cf($conf);
$qs = $ENV{'QUERY_STRING'};
$qs = <STDIN> if $qs =~ /o=P/;
$res = Net::SAML::simple_cf($cf, -1, $qs, undef, 0x1828);
$op = substr($res, 0, 1);
if ($op eq 'L' || $op eq 'C') { print $res; exit; } # LOCATION (Redir) or CONTENT
if ($op eq 'n') { exit; } # already handled
if ($op eq 'e') { my_render_idpsel_screen(); exit; }
if ($op ne 'd') { die "Unknown Net::SAML::simple() res($res)"; }

($sid) = $res =~ /^sesid: (.*)$/m;  # Extract a useful attribute from SSO output

print <<HTML
CONTENT-TYPE: text/html

<title>ZXID perl HLO SP Mgmt & Protected Content</title>
<link rel="shortcut icon" href="/favicon.ico" type="image/x-icon">
<link type="text/css" rel=stylesheet href="idpsel.css">
<body bgcolor=white><font face=sans>

<h1>ZXID SP Perl HLO Management & Protected Content (user logged in, session active)</h1>
sesid: $sid
HTML
   ;
print Net::SAML::fed_mgmt_cf($cf, undef, -1, $sid, 0x1900);
exit;

sub my_render_idpsel_screen {  # Replaces traditional login screen
   print <<HTML;
CONTENT-TYPE: text/html

<title>ZXID SP PERL HLO SSO IdP Selection</title>
<body bgcolor=white><font face=sans>
<h1>ZXID SP Perl HLO Federated SSO IdP Selection (user NOT logged in, no session.)</h1>
<form method=get action="zxidhlo.pl">

<h3>Login Using New IdP</h3>

<i>A new IdP is one whose metadata we do not have yet. We need to know
the Entity ID in order to fetch the metadata using the well known
location method. You will need to ask the administrator of the IdP to
tell you what the EntityID is.</i>

<p>IdP URL <input name=e size=60><input type=submit name=l2 value=" Login ">
HTML
;
   print Net::SAML::idp_list_cf($cf, undef, 0x1c00);   # Get the IdP selection form
   print <<HTML;
<h3>CoT configuration parameters your IdP may need to know</h3>

Entity ID of this SP: <a href="$url?o=B">$url?o=B</a> (Click on the link to fetch SP metadata.)

<input type=hidden name=fc value=1><input type=hidden name=fn value=prstnt>
<input type=hidden name=fq value=""><input type=hidden name=fy value="">
<input type=hidden name=fa value=""><input type=hidden name=fm value="">
<input type=hidden name=fp value=0><input type=hidden name=ff value=0>

</form><hr><a href="http://zxid.org/">zxid.org</a>
HTML
   ;
}

__END__
