Broken handling of # in filenames and URLs.
Multiple problems:
- When a filename contains #, it fails to load
- When requesting an entityID with # from /entities/example.com/#asd it is not returned
- When requesting an entityID via the sha1 name it works, unless the filename contains # as in 1
Is this perhaps related/the same as https://github.com/IdentityPython/pyFF/issues/276? I've proposed a fix for it in https://github.com/IdentityPython/pyFF/pull/277 - can you check if that also fixes this issue?
Regarding whether the entityID can have a fragment part (...#foobar),
The SAML Core specification defines restrictions on the URI type. Specifically, that a URI must be absolute - this means that fragments are not supported:
1.3.2 URI Values
All SAML URI reference values have the type xs:anyURI, which is built in to the W3C XML Schema Datatypes specification [Schema2]. Unless otherwise indicated in this specification, all URI reference values used within SAML-defined elements or attributes MUST consist of at least one non-whitespace character, and are REQUIRED to be absolute [RFC 2396]. Note that the SAML specification makes extensive use of URI references as identifiers, such as status codes, format types, attribute and system entity names, etc. In such cases, it is essential that the values be both unique and consistent, such that the same URI is never used at different times to represent different underlying information.
It also defines the semantics of the entityID:
8.3.6 Entity Identifier
URI: urn:oasis:names:tc:SAML:2.0:nameid-format:entity Indicates that the content of the element is the identifier of an entity that provides SAML-based services (such as a SAML authority, requester, or responder) or is a participant in SAML profiles (such as a service provider supporting the browser SSO profile). Such an identifier can be used in the element to identify the issuer of a SAML request, response, or assertion, or within the element to make assertions about system entities that can issue SAML requests, responses, and assertions. It can also be used in other elements and attributes whose purpose is to identify a system entity in various protocol exchanges.
The SAML Metadata specification defines what an entityID technically is:
2.2.1 Simple Type entityIDType
The simple type entityIDType restricts the XML schema data type anyURI to a maximum length of 1024 characters. entityIDType is used as a unique identifier for SAML entities. See also Section 8.3.6 of [SAMLCore]. An identifier of this type MUST be unique across all entities that interact within a given deployment. The use of a URI and holding to the rule that a single URI MUST NOT refer to different entities satisfies this requirement
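The URL behaviour behind the `/entities/example.com/#asd` request in the report, as an added example that is not part of the thread or of pyFF's code: an unescaped `#` starts the URL fragment, which a client never sends, so the server sees a truncated entityID unless the value is percent-encoded or replaced by its SHA-1 form. The base URL, the sample entityID and the `{sha1}` + hex-digest spelling are assumptions made for illustration.

```python
import hashlib
from urllib.parse import quote, unquote, urlsplit

# Constructed values (assumptions, not taken from the thread).
BASE = "https://mdq.example.org/entities/"
SAMPLE_ENTITY_ID = "https://example.com/#asd"


def path_seen_by_server(url):
    """Path a client puts on the request line; the fragment is never sent."""
    return urlsplit(url).path


def naive_url(entity_id):
    """Concatenate the entityID as-is: '#' becomes a fragment delimiter."""
    return BASE + entity_id


def encoded_url(entity_id):
    """Percent-encode everything, so '#' travels as %23 in one path segment."""
    return BASE + quote(entity_id, safe="")


def sha1_url(entity_id):
    """Request by hash instead: the hex digest contains no reserved characters.
    The '{sha1}' prefix is an assumed spelling of the 'sha1 name'."""
    digest = hashlib.sha1(entity_id.encode("utf-8")).hexdigest()
    return BASE + quote("{sha1}" + digest, safe="")


def recovered_entity_id(url):
    """Identifier a server obtains after stripping the base path and decoding."""
    prefix = urlsplit(BASE).path
    return unquote(path_seen_by_server(url)[len(prefix):])


if __name__ == "__main__":
    for build in (naive_url, encoded_url, sha1_url):
        url = build(SAMPLE_ENTITY_ID)
        print(f"{build.__name__:12} {url}")
        print(f"{'':12} server resolves: {recovered_entity_id(url)!r}")
```
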