MDL-41598

Shibboleth doesn't handle deep linking under HTTPS properly


    Details

    • Testing Instructions:

      This patch requires a Moodle environment with a working Shibboleth configuration. It assumes that you're using the internal WAYF and have the alternative login URL configured. You also need to set your Moodle instance to require HTTPS.

      1. Create a course in Moodle. Make a note of the direct link to the course.
      2. Logout. Make sure you aren't authenticated to the Moodle instance and that your session is completely closed.
      3. Verify that you are not currently authenticated to your Shib provider.
      4. Craft a direct link to your Moodle instance which incorporates the direct link to your course but not the entityID. This could be http://your-moodle-instance/course/view.php?id=2
      5. Point your browser to that link.

      You should be first taken to Moodle's WAYF page and then to your Shibboleth provider. After that you should be taken directly to the course.

    • Affected Branches:
      MOODLE_24_STABLE, MOODLE_25_STABLE
    • Fixed Branches:
      MOODLE_28_STABLE, MOODLE_29_STABLE
    • Pull from Repository:
    • Pull Master Branch:
      MDL-41598-master

      Description

      MDL-37020 introduced a validation check for WAYFless URLs in Shibboleth. It is based on the assumption that, in a Shib or Shib/CAS environment, target is only passed back to Moodle when it is explicitly set per MDL-35153. This isn't the case: target is always set, and if the user doesn't set a deep link URL it is set to the authentication provider. This didn't show up in testing because the authentication provider is an HTTPS link, which PARAM_LOCALURL filtered out (which may be a bug, but that's for another issue). If you're running a Shibbolized Moodle instance, you're going to see behaviour similar to MDL-37020: deep links which don't include the IdP are ignored and you're redirected to the main page, because the wantsurl session variable isn't checked.

      I think the solution is to check if $SESSION->wantsurl is set and if so always use it in preference to target.
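The selection logic proposed above, written out as an added illustration (this is not Moodle's own code and does not use its real API): a saved deep link in $SESSION->wantsurl is honoured first, the WAYFless target parameter is used only when it points back at the local site (a stand-in for what PARAM_LOCALURL is meant to enforce), and everything else falls back to the front page. The function names, the sample wwwroot and the sample URLs are assumptions made for this example; the off-site HTTPS target below stands in for the IdP URL the report says was being filtered out.

```php
<?php
// Added example (not Moodle's code): choosing the post-login redirect so that a
// stored deep link wins over the Shibboleth 'target' parameter, and so that an
// off-site target (e.g. the IdP's own HTTPS URL) never becomes the destination.

// Stand-in for a PARAM_LOCALURL-style check: accept a site-relative path or an
// absolute URL that starts with our own wwwroot; reject anything else, including
// protocol-relative "//host/..." values that would leave the site.
function is_local_url(string $url, string $wwwroot): bool {
    if ($url === '') {
        return false;
    }
    if ($url[0] === '/') {
        return substr($url, 0, 2) !== '//';
    }
    return strpos($url, rtrim($wwwroot, '/') . '/') === 0;
}

// Decide where to send the user after the WAYF / IdP round-trip.
function choose_redirect(?string $wantsurl, string $target, string $wwwroot): string {
    // 1. A deep link recorded in the session before login takes precedence.
    if ($wantsurl !== null && $wantsurl !== '' && is_local_url($wantsurl, $wwwroot)) {
        return $wantsurl;
    }
    // 2. Otherwise honour the WAYFless target, but only if it is local.
    if (is_local_url($target, $wwwroot)) {
        return $target;
    }
    // 3. Anything else (empty, off-site, protocol-relative) goes to the front page.
    return rtrim($wwwroot, '/') . '/';
}

// Constructed sample values (hypothetical site and course id).
$wwwroot = 'https://moodle.example.org';
$idp     = 'https://idp.example.edu/idp/shibboleth';   // off-site "default" target
$course  = '/course/view.php?id=2';                    // deep link the user asked for

// Case from the report: target is the IdP URL, wantsurl holds the deep link.
echo choose_redirect($course, $idp, $wwwroot), PHP_EOL;      // /course/view.php?id=2

// No deep link stored and only the IdP URL as target: front page, not the IdP.
echo choose_redirect(null, $idp, $wwwroot), PHP_EOL;         // https://moodle.example.org/

// Explicit local target and no stored deep link: the target is used.
echo choose_redirect(null, $course, $wwwroot), PHP_EOL;      // /course/view.php?id=2

// Protocol-relative target is rejected as non-local.
echo choose_redirect(null, '//evil.example/x', $wwwroot), PHP_EOL; // https://moodle.example.org/
```

The important property for a reviewer is that neither branch can ever redirect to a non-local URL: wantsurl is preferred because it was recorded by the site itself, and target is accepted only after the same locality check, so a filtered-out IdP URL degrades to the front page rather than to an open redirect.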

      People

      Assignee: Charles Fulton (cfulton)
      Reporter: Charles Fulton (cfulton)
      Peer reviewer: Petr Skoda
      Integrator: Dan Poltawski
      Tester: Rajesh Taneja
      Component watchers: Adrian Greeve, Jake Dallimore, Mathew May, Mihail Geshoski, Peter Dias
      Votes: 1
      Watchers: 5

      Dates

      Fix Release Date: 14/Sep/15