[MDL-53750] Shibboleth SOAP Logout handling cannot be reached - Moodle Tracker

XML

Word

Printable

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 2.9.5, 3.0.3
Fix Version/s: 2.9.6, 3.0.4
Component/s: Authentication
Labels:
- regression
- triaged

Affected Branches:
MOODLE_29_STABLE, MOODLE_30_STABLE
Fixed Branches:
MOODLE_29_STABLE, MOODLE_30_STABLE
Difficulty:
Easy
Testing Instructions:
Hide

Set up shibboleth auth

Log in

Log out

Ensure you are actually logged out

Install a soap client e.g. SOA Client for firefox

Log in

Send a SOAP log out request as described here https://wiki.shibboleth.net/confluence/display/SHIB2/SLOWebappAdaptation
Show
Set up shibboleth auth Log in Log out Ensure you are actually logged out Install a soap client e.g. SOA Client for firefox Log in Send a SOAP log out request as described here https://wiki.shibboleth.net/confluence/display/SHIB2/SLOWebappAdaptation

Description

There is a regression in /auth/shibboleth/logout.php that was introduced by removing $HTTP_RAW_POST_DATA from the moodle source tree.

Old logic (e.g. 2.7 in this case) - line 35 in logout.php

} else if (!empty($HTTP_RAW_POST_DATA)) {

New logic (3.0.3+ commit 80b5eb78ddba70a575b25048471f83e521ce3431) - line 35 in logout.php

} else if (!file_get_contents("php://input")) {

As you can see, the logic is reversed now.

Fix:

--- logout.php  2016-03-14 10:21:07.139941195 +0100

+++ fixed-logout.php    2016-04-07 16:17:25.906307380 +0200

@@ -32,7 +32,7 @@

         redirect($redirect);

-} else if (!file_get_contents("php://input")) {

+} else if (file_get_contents("php://input")) {

     // Back channel logout.

     // Set SOAP header.

Alternate Fix:

--- logout.php  2016-03-14 10:21:07.139941195 +0100

+++ alternate-fixed-logout.php  2016-04-07 16:17:36.186540900 +0200

@@ -32,7 +32,7 @@

         redirect($redirect);

-} else if (!file_get_contents("php://input")) {

+} else if (!empty(file_get_contents("php://input"))) {

     // Back channel logout.

     // Set SOAP header.

The regression was probably introduced by ~~MDL-51162~~

I've set this to a security issue, because users might believe they are logged out even if they are not (though most likely they could have been informed by their logout software. If so the user still needs to read what the site tells him....).

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

MDL-53750-30.mdk.patch
0.8 kB
08/Apr/16 6:23 PM
MDL-53750-master.mdk.patch
0.8 kB
08/Apr/16 6:23 PM

Issue Links

is a regression caused by

MDL-51162 HTTP_RAW_POST_DATA is deprecated and still in use

Closed

MDL-52976 HTTP_RAW_POST_DATA is deprecated and still in use (backport of MDL-51162)

Closed

Activity

People

Assignee:: John Okely

Reporter:: Dr. Michael Schneider

Peer reviewer:: Simey Lameze

Integrator:: David Monllaó

Tester:: Jun Pataleta

Participants:: CiBoT, Dan Poltawski, David Monllaó, Dr. Michael Schneider, Eloy Lafuente (stronk7), John Okely, Jun Pataleta, Marina Glancy, Simey Lameze

Votes:: 0 Vote for this issue

Watchers:: 7 Start watching this issue

Dates

Created:: 08/Apr/16 6:28 AM

Updated:: 07/May/16 2:51 AM

Resolved:: 07/May/16 2:51 AM

Fix Release Date:: 9/May/16