Broken handling of # in filenames and urls. #291

Open
mikaelfrykholm opened this issue Feb 3, 2025 · 2 comments

@mikaelfrykholm
Contributor

Multiple problems:

  1. When a file contains # it fails to load
  2. When requesting an entityID with # from /entities/example.com/#asd it is not returned
  3. When requesting an entityID via the sha1 name it works unless the filename contains # as in 1

@dnmvisser
Contributor

Is this perhaps related/the same as #276?
I've proposed a fix for it in #277 - can you check if that also fixes this issue?

@c00kiemon5ter
Member

regarding whether the entityID can have a fragment part (...#foobar),

The SAML Core specification defines restrictions on the URI type. Specifically, that a URI must be absolute - this means that fragments are not supported:

1.3.2 URI Values

All SAML URI reference values have the type xs:anyURI, which is built in to the W3C XML Schema Datatypes specification [Schema2]. Unless otherwise indicated in this specification, all URI reference values used within SAML-defined elements or attributes MUST consist of at least one non-whitespace character, and are REQUIRED to be absolute [RFC 2396]. Note that the SAML specification makes extensive use of URI references as identifiers, such as status codes, format types, attribute and system entity names, etc. In such cases, it is essential that the values be both unique and consistent, such that the same URI is never used at different times to represent different underlying information.

it also defines the semantics of the entityID:

8.3.6 Entity Identifier

URI: urn:oasis:names:tc:SAML:2.0:nameid-format:entity
Indicates that the content of the element is the identifier of an entity that provides SAML-based services (such as a SAML authority, requester, or responder) or is a participant in SAML profiles (such as a service provider supporting the browser SSO profile). Such an identifier can be used in the element to identify the issuer of a SAML request, response, or assertion, or within the element to make assertions about system entities that can issue SAML requests, responses, and assertions. It can also be used in other elements and attributes whose purpose is to identify a system entity in various protocol exchanges.


The SAML Metadata specification defines what an entityID technically is:

2.2.1 Simple Type entityIDType

The simple type entityIDType restricts the XML schema data type anyURI to a maximum length of 1024 characters. entityIDType is used as a unique identifier for SAML entities. See also Section 8.3.6 of [SAMLCore]. An identifier of this type MUST be unique across all entities that interact within a given deployment. The use of a URI and holding to the rule that a single URI MUST NOT refer to different entities satisfies this requirement
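
An added example, not part of the thread or the project's code: it checks an entityID against the constraints quoted above (non-empty, absolute, at most 1024 characters, no fragment) and shows why a raw `#` in a request such as `/entities/example.com/#asd` never reaches the lookup, while a percent-encoded or SHA-1 form does. All function names, the `/entities/` default prefix and the sample values are assumptions made for illustration.

```python
import hashlib
from urllib.parse import quote, unquote, urlsplit

MAX_ENTITY_ID_LEN = 1024  # entityIDType limit quoted from the SAML Metadata spec


def entity_id_problems(entity_id: str) -> list[str]:
    """Return the reasons a value fails the constraints quoted in this thread."""
    problems = []
    if not entity_id.strip():
        problems.append("empty or whitespace only")
    if len(entity_id) > MAX_ENTITY_ID_LEN:
        problems.append("longer than 1024 characters")
    if not urlsplit(entity_id).scheme:
        problems.append("not absolute (no scheme)")
    if "#" in entity_id:
        # Reading taken in the comment above: an absolute URI carries no fragment.
        problems.append("contains a fragment")
    return problems


def path_seen_by_server(request_target: str) -> str:
    """Decoded path after URL parsing; a raw '#' starts the fragment and is cut off."""
    return unquote(urlsplit(request_target).path)


def lookup_path(entity_id: str, prefix: str = "/entities/") -> str:
    """Percent-encode the whole identifier so '#' travels as %23 inside the path."""
    return prefix + quote(entity_id, safe="")


def sha1_name(entity_id: str) -> str:
    """Hex SHA-1 of the identifier: only [0-9a-f], so nothing for a URL parser to split."""
    return hashlib.sha1(entity_id.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    sample = "example.com/#asd"  # constructed sample, taken from the path in the report
    print(entity_id_problems(sample))
    print(path_seen_by_server("/entities/" + sample))   # '#asd' is gone
    print(path_seen_by_server(lookup_path(sample)))     # '#asd' survives
    print(sha1_name(sample))
```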
