Describe the bug
If the SAMLResponse parameter for Single Logout contains line breaks, Base64 decoding fails with an IllegalArgumentException:
java.lang.IllegalArgumentException: Illegal base64 character d
    at java.base/java.util.Base64$Decoder.decode0(Base64.java:847)
    at java.base/java.util.Base64$Decoder.decode(Base64.java:566)
    at java.base/java.util.Base64$Decoder.decode(Base64.java:589)
    at org.springframework.security.saml2.provider.service.authentication.logout.Saml2Utils.samlDecode(Saml2Utils.java:47)
    at org.springframework.security.saml2.provider.service.authentication.logout.OpenSamlLogoutResponseValidator.validate(OpenSamlLogoutResponseValidator.java:77)
    at org.springframework.security.saml2.provider.service.web.authentication.logout.Saml2LogoutResponseFilter.doFilterInternal(Saml2LogoutResponseFilter.java:141)
Because the same Saml2Utils class is used to decode the LogoutRequest, the issue should also occur there.
During authentication, the SAMLResponse is Base64-decoded using org.apache.commons.codec.binary.Base64, and line breaks are not an issue there.
To Reproduce
Capture the POST to /logout/saml2/slo, add some %0D and/or %0A to the SAMLResponse parameter, and submit the POST request. Alternatively, have an asserting party that produces a SAMLResponse containing line breaks.
Expected behavior
Single Logout should accept newlines in the SAMLResponse request parameter.
According to https://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf, line 793: "The base64-encoded value MAY be line-wrapped at a reasonable length in accordance with common practice."
The document is not clear about the specific Base64 format to be used in this context, but it refers to RFC2045 in some other contexts. RFC2045 is implemented by java.util.Base64.getMimeEncoder().
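The following stand-alone program is an added illustration of the decoder difference described in this report; it is not code from Spring Security or from the reporter. It builds a small constructed LogoutResponse XML, Base64-encodes it with the RFC 2045 (MIME) encoder so that the output is line-wrapped with CRLF, and also injects a bare CR/LF into an unwrapped encoding the way the %0D/%0A reproduction step does. It then shows that java.util.Base64.getDecoder() (the strict decoder that the stack trace above points at) rejects both inputs with "Illegal base64 character d" (0x0d = CR), while java.util.Base64.getMimeDecoder() decodes them back to the original XML. The XML content and the wrapping positions are assumptions for the demo only.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class SamlLogoutBase64Demo {

    // Constructed sample payload (not a real LogoutResponse); long enough that the MIME
    // encoder wraps it at 76 characters, as the SAML bindings spec permits ("MAY be line-wrapped").
    static final String LOGOUT_RESPONSE_XML =
            "<samlp:LogoutResponse xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\""
            + " ID=\"_demo-id\" Version=\"2.0\" IssueInstant=\"2024-01-01T00:00:00Z\"/>";

    // Encoding as a line-wrapping asserting party would produce it (RFC 2045 style, CRLF separators).
    static String wrappedEncoding() {
        return Base64.getMimeEncoder()
                .encodeToString(LOGOUT_RESPONSE_XML.getBytes(StandardCharsets.UTF_8));
    }

    // Encoding as the reproduction step produces it: an unwrapped value with "%0D%0A" inserted
    // into the middle of the SAMLResponse parameter (here already URL-decoded to CR LF).
    static String injectedEncoding() {
        String plain = Base64.getEncoder()
                .encodeToString(LOGOUT_RESPONSE_XML.getBytes(StandardCharsets.UTF_8));
        int cut = plain.length() / 2;
        return plain.substring(0, cut) + "\r\n" + plain.substring(cut);
    }

    // Strict decoder: mirrors the failing path, throws IllegalArgumentException on CR/LF.
    static byte[] strictDecode(String b64) {
        return Base64.getDecoder().decode(b64);
    }

    // MIME decoder: ignores line separators and any other non-alphabet character.
    // Caveat: "any other" is broader than whitespace, so this does not validate the
    // encoding; the XML signature check on the decoded message is what must protect integrity.
    static byte[] lenientDecode(String b64) {
        return Base64.getMimeDecoder().decode(b64);
    }

    static void show(String label, String b64) {
        System.out.println(label + " contains CR/LF: " + (b64.contains("\r") || b64.contains("\n")));
        try {
            strictDecode(b64);
            System.out.println("  basic decoder: OK");
        } catch (IllegalArgumentException e) {
            // Expected for both inputs: "Illegal base64 character d" (0x0d = CR)
            System.out.println("  basic decoder: " + e.getMessage());
        }
        String roundTrip = new String(lenientDecode(b64), StandardCharsets.UTF_8);
        System.out.println("  MIME decoder round-trips original XML: "
                + roundTrip.equals(LOGOUT_RESPONSE_XML));
    }

    public static void main(String[] args) {
        show("line-wrapped encoding", wrappedEncoding());
        show("CR/LF-injected encoding", injectedEncoding());
    }
}
```

Compile and run with `javac SamlLogoutBase64Demo.java && java SamlLogoutBase64Demo` on any JDK 8 or later. The commons-codec path used during authentication is not shown because it needs an extra dependency; its decoder is likewise lenient about whitespace, which is why the same wrapped value is accepted on login but rejected on logout.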