validate_signature broken with recently released version of REXML (3.2.5) #577
I ran into the same issue a few minutes.
It looks like the closing square bracket was introduced in 059abe4 when
pitbulk added a commit that referenced this issue Apr 5, 2021
See #577. Fix XPath typo incompatible with Rexml 3.2.5
kwerle added a commit to cdd/ruby-saml that referenced this issue Apr 5, 2021
…2.5) SAML-Toolkits#577 SAML-Toolkits#577

With REXML 3.2.5 (security release from this morning) and ruby-saml 1.12.0, calling validate_signature leads to an exception:

```
REXML::ParseException: Garbage component exists at the end: <]>: </p:Response[@id=$id]/ds:Signature]>
/usr/local/rvm/gems/ruby-2.7.2/gems/rexml-3.2.5/lib/rexml/parsers/xpathparser.rb:28:in `parse'
/usr/local/rvm/gems/ruby-2.7.2/gems/rexml-3.2.5/lib/rexml/xpath_parser.rb:80:in `parse'
/usr/local/rvm/gems/ruby-2.7.2/gems/rexml-3.2.5/lib/rexml/xpath.rb:78:in `match'
/usr/local/rvm/gems/ruby-2.7.2/gems/ruby-saml-1.12.0/lib/onelogin/ruby-saml/response.rb:829:in `validate_signature'
```

It seems it doesn't like the ] at the end of the XPath that ruby-saml is trying to use. Is that character necessary?
Thanks for reporting this. The typo was fixed and 1.12.1 released
n1zyy added a commit to department-of-veterans-affairs/caseflow-efolder that referenced this issue May 19, 2021
The rexml upgrade exposed a dormant bug in ruby-saml: SAML-Toolkits/ruby-saml#577 Shout-out to Riley Anderson for helping us identify this.
CGillen added a commit to OregonDigital/OD2 that referenced this issue Jun 9, 2021
Capncavedan pushed a commit to intellum/ruby-saml that referenced this issue Jun 30, 2021
n1zyy added a commit to department-of-veterans-affairs/caseflow-efolder that referenced this issue Jul 20, 2021
* Update rexml and Rails
  rexml: 3.2.4 -> 3.2.5
  rails: 5.2.4.5 -> 5.2.4.6
  Both for CVEs
* Update ruby-saml
  The rexml upgrade exposed a dormant bug in ruby-saml: SAML-Toolkits/ruby-saml#577
  Shout-out to Riley Anderson for helping us identify this.
* Remove security overrides
* Updates nokogiri
* Updates puma
* Extend the multi-year snooze on CVE-2015-9284 for now :-[
* Update addressable gem
  Security fix
giladshanan added a commit to tablexi/nucore-open that referenced this issue Sep 1, 2021
romanrizzi added a commit to discourse/discourse-saml that referenced this issue Sep 22, 2021
We started seeing [this error](SAML-Toolkits/ruby-saml#577) on some of our sites, which has been fixed on 1.12.1.
With REXML 3.2.5 (security release from this morning) and ruby-saml 1.12.0, calling `validate_signature` leads to an exception:

It seems it doesn't like the `]` at the end of the XPath that ruby-saml is trying to use. Is that character necessary?
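
A regression check for the failure reported in this issue, as an added example that is not part of the original thread or of ruby-saml's code: it asks the installed REXML whether it accepts the XPath from the trace, and confirms that the same expression without the trailing `]` still selects the signature element. The helper names (`xpath_parse_error`, `rejected_xpaths`, `find_signature`) are hypothetical, and the sample document is constructed.

```ruby
require "rexml/document"
require "rexml/xpath"

# XPath as printed in the trace in this issue, and the same expression
# without the trailing "]".
BROKEN_XPATH = "/p:Response[@id=$id]/ds:Signature]"
FIXED_XPATH  = "/p:Response[@id=$id]/ds:Signature"

NAMESPACES = {
  "p"  => "urn:oasis:names:tc:SAML:2.0:protocol",
  "ds" => "http://www.w3.org/2000/09/xmldsig#"
}.freeze

# Constructed sample, not a real SAML response; the attribute is spelled "id"
# only so that it matches the expression as printed in the trace.
SAMPLE_RESPONSE = REXML::Document.new(<<~XML)
  <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" id="_constructed1">
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
  </samlp:Response>
XML

# Returns nil if the installed REXML parses the expression, otherwise the
# parser's error message.
def xpath_parse_error(expr)
  REXML::Parsers::XPathParser.new.parse(expr)
  nil
rescue REXML::ParseException => e
  e.message
end

# Audit helper: maps each rejected expression to the parser's error.
def rejected_xpaths(exprs)
  exprs.each_with_object({}) do |expr, out|
    err = xpath_parse_error(expr)
    out[expr] = err if err
  end
end

# Selects the signature under the response whose id equals signed_id.
def find_signature(doc, xpath, signed_id)
  REXML::XPath.first(doc, xpath, NAMESPACES, { "id" => signed_id })
end

if $PROGRAM_NAME == __FILE__
  puts "REXML #{REXML::VERSION}"
  rejected_xpaths([BROKEN_XPATH, FIXED_XPATH]).each { |x, e| puts "rejected #{x}: #{e.lines.first}" }
  puts find_signature(SAMPLE_RESPONSE, FIXED_XPATH, "_constructed1").inspect
end
```

Running `rejected_xpaths` over every XPath literal an application passes to REXML, as part of the test suite, surfaces this kind of dormant typo when a parser security release is installed rather than at login time.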