Ignore the Advice section when looking for signatures. #247
Conversation
There can be legal Signature blocks in the 'Advice' element of a response. Since python3-saml does not suport doing anything with the advice section, skipping it altogether seems. like the best solution.
|
In the Signarture validation, the right xpath is provided The process_signed_elements inspect what elements contain a signature, I agree the Advice is a legal element that can contain a signature, but most of the time was used as a way to execute signature wrapping attacks, so better not to whitelist the Advice element at all, the toolkit does not expect an Advice element and I'm not aware of any Identity Provider using such element neither. |
|
Aha, thanks for the explanation. I also read up a bit on the signature wrapping attacks, and now it makes sense. I'm going to discuss with my Identity Provider and see if they can omit the Advice element. |
There can be legal Signature blocks in the 'Advice' element of a response. Since python3-saml does not suport doing
anything with the advice section, skipping it altogether seems. like the best solution.
This is part of #237 as well.