MDL-53750

Shibboleth SOAP Logout handling cannot be reached


Details

    • MOODLE_29_STABLE, MOODLE_30_STABLE
    • Easy
      1. Set up shibboleth auth
      2. Log in
      3. Log out
      4. Ensure you are actually logged out
      5. Install a SOAP client, e.g. SOA Client for Firefox
      6. Log in
      7. Send a SOAP log out request as described here https://wiki.shibboleth.net/confluence/display/SHIB2/SLOWebappAdaptation

    Description

      There is a regression in /auth/shibboleth/logout.php that was introduced by removing $HTTP_RAW_POST_DATA from the Moodle source tree.

      Old logic (e.g. 2.7 in this case) - line 35 in logout.php

      } else if (!empty($HTTP_RAW_POST_DATA)) {
      

      New logic (3.0.3+ commit 80b5eb78ddba70a575b25048471f83e521ce3431) - line 35 in logout.php

      } else if (!file_get_contents("php://input")) {
      

      As you can see, the logic is reversed now.

      Fix:

      --- logout.php  2016-03-14 10:21:07.139941195 +0100
      +++ fixed-logout.php    2016-04-07 16:17:25.906307380 +0200
      @@ -32,7 +32,7 @@
               redirect($redirect);
           }
       
      -} else if (!file_get_contents("php://input")) {
      +} else if (file_get_contents("php://input")) {
       
           // Back channel logout.
           // Set SOAP header.
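Review bot: the `+` line still decides on PHP string truthiness, so a `false` return from `file_get_contents("php://input")` (read failure) and the one-character body `"0"` both fall through to the branch after this one; neither is a SOAP notification, but an explicit comparison states the intent and, more importantly, reading the body once into a variable keeps it available for the back-channel code that follows this comment, since `php://input` cannot be read a second time on PHP versions before 5.6. Suggest `$rawpost = file_get_contents("php://input");` ahead of the `if` chain, then `} else if ($rawpost !== false && $rawpost !== '') {` here, and use `$rawpost` in the back-channel branch instead of reading the stream again.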
      

      Alternate Fix:

      --- logout.php  2016-03-14 10:21:07.139941195 +0100
      +++ alternate-fixed-logout.php  2016-04-07 16:17:36.186540900 +0200
      @@ -32,7 +32,7 @@
               redirect($redirect);
           }
       
      -} else if (!file_get_contents("php://input")) {
      +} else if (!empty(file_get_contents("php://input"))) {
       
           // Back channel logout.
           // Set SOAP header.
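Review bot: `!empty(file_get_contents("php://input"))` on the `+` line is a parse error on PHP older than 5.5, where `empty()` accepts only variables, and Moodle 2.9 and 3.0 (both listed as affected branches) still support PHP 5.4; the first patch's form, or assigning the body to a variable first (`$rawpost = file_get_contents("php://input");` then `} else if (!empty($rawpost)) {`), avoids that and also keeps the raw body for the back-channel code below rather than reading `php://input` twice.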
      

      The regression was probably introduced by MDL-51162

      I've set this to a security issue, because users might believe they are logged out even if they are not (though most likely they could have been informed by their logout software; if so, the user still needs to read what the site tells him).
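The branch selection the report describes, together with the kind of SOAP body that step 7 of the testing instructions sends, as an added PHP example that is not Moodle's logout.php and not part of the original issue: `shibboleth_logout_branch()` applies the 2.7 condition and the 3.0.3 condition to the same three requests, and `parse_logout_notification()` extracts the SP SessionID from a constructed LogoutNotification message. The function and constant names, the sample message and the `urn:mace:shibboleth:2.0:sp:notify` namespace are assumptions of this example, not taken from Moodle's code.

```php
<?php
// Added example, not Moodle's auth/shibboleth/logout.php: it models the branch
// selection that file performs (front-channel on ?action=logout, back-channel on
// a SOAP POST body, otherwise the WSDL) under both the 2.7 and the 3.0.3
// condition, and parses a constructed LogoutNotification body.
declare(strict_types=1);

const BRANCH_FRONT = 'front-channel';
const BRANCH_BACK  = 'back-channel';
const BRANCH_WSDL  = 'wsdl';

/**
 * Branch taken by logout.php for one request (names are this example's own).
 *
 * @param string $action    the 'action' query parameter ('logout' on the front channel)
 * @param string $rawpost   the raw request body, i.e. what file_get_contents("php://input")
 *                          (or $HTTP_RAW_POST_DATA before PHP 5.6) returns
 * @param bool   $regressed true to apply the 3.0.3 condition, false for the 2.7 one
 */
function shibboleth_logout_branch(string $action, string $rawpost, bool $regressed): string
{
    if ($action === 'logout') {
        return BRANCH_FRONT;
    }
    if ($regressed) {
        // 3.0.3: "!file_get_contents('php://input')" is true when the body is
        // empty (or the string "0"), so a real SOAP notification falls through
        // to the WSDL branch and a bodyless GET is handed to the SOAP server.
        $backchannel = !$rawpost;
    } else {
        // 2.7: "!empty($HTTP_RAW_POST_DATA)" is true when a body was posted.
        $backchannel = !empty($rawpost);
    }
    return $backchannel ? BRANCH_BACK : BRANCH_WSDL;
}

/**
 * SP session ID carried by a back-channel LogoutNotification, or null when the
 * body is not exactly one well-formed notification. The "notify" namespace is
 * the Shibboleth SP one used on the SLO adaptation wiki page (assumed here).
 */
function parse_logout_notification(string $rawpost): ?string
{
    if ($rawpost === '') {
        return null;
    }
    if (PHP_VERSION_ID < 80000) {
        // Older libxml resolves external entities by default; an IdP-supplied
        // body must not be able to pull in local files (XXE). PHP 8 disables
        // the loader already, and the function is deprecated there.
        libxml_disable_entity_loader(true);
    }
    $previous = libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    $loaded = $doc->loadXML($rawpost, LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    if (!$loaded) {
        return null;
    }
    $xpath = new DOMXPath($doc);
    $xpath->registerNamespace('soap', 'http://schemas.xmlsoap.org/soap/envelope/');
    $xpath->registerNamespace('n', 'urn:mace:shibboleth:2.0:sp:notify');
    $ids = $xpath->query('/soap:Envelope/soap:Body/n:LogoutNotification/n:SessionID');
    if ($ids === false || $ids->length !== 1) {
        return null;
    }
    $id = trim($ids->item(0)->textContent);
    return $id === '' ? null : $id;
}

// Constructed sample of what the IdP posts on the back channel (not a capture).
$notification = <<<XML
<?xml version="1.0" encoding="UTF-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <LogoutNotification xmlns="urn:mace:shibboleth:2.0:sp:notify" type="global">
      <SessionID>_constructed-sp-session-id-1234</SessionID>
    </LogoutNotification>
  </soap:Body>
</soap:Envelope>
XML;

foreach ([false, true] as $regressed) {
    $label = $regressed ? '3.0.3 condition' : '2.7 condition  ';
    printf("%s  GET ?action=logout -> %s\n", $label, shibboleth_logout_branch('logout', '', $regressed));
    printf("%s  SOAP POST          -> %s\n", $label, shibboleth_logout_branch('', $notification, $regressed));
    printf("%s  GET ?wsdl          -> %s\n", $label, shibboleth_logout_branch('', '', $regressed));
}
printf("SessionID from notification: %s\n", parse_logout_notification($notification) ?? 'none');
```

Run it and the 3.0.3 rows show the SOAP POST landing in the WSDL branch and the bodyless GET being handed to the SOAP server, which is the inversion the report describes: the IdP's back-channel notification is never processed, so the Moodle session outlives the IdP session. The parser is the step a back-channel handler performs before destroying the matching session; it disables external entity loading because the body comes from the network.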

            People

              johno John Okely
              misc Dr. Michael Schneider
              Simey Lameze Simey Lameze
              David Monllaó David Monllaó
              Jun Pataleta Jun Pataleta
              David Woloszyn, Huong Nguyen, Jake Dallimore, Meirza, Michael Hawkins, Raquel Ortega, Safat Shahin, Stevani Andolo

              Dates

                Resolved: 9/May/16