Bug 52338 - UMC-Web-Server: don't store relay state dictionary
Summary: UMC-Web-Server: don't store relay state dictionary
Status: CLOSED FIXED
Alias: None
Product: UCS
Classification: Unclassified
Component: UMC (Generic)
Version: UCS 4.4
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 4.4-6-errata
Assignee: Florian Best
QA Contact: Dirk Wiesenthal
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-11-09 16:58 CET by Florian Best
Modified: 2020-11-25 12:08 CET

See Also:
What kind of report is it?: Development Internal
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional): Cleanup, Large environments, UCS Performance
Customer ID:
Max CVSS v3 score:


Description Florian Best univentionstaff 2020-11-09 16:58:24 CET
We are currently storing a dictionary relay_state between the SAML AuthNRequest and the response to it to redirect the user back to the location where he came from.

Instead, and this is regular SAML behavior, we should just set the URL/path as relay state.

Then we don't leak a never-removed dictionary entry in case the user never comes back. (And we currently don't seem to remove it at all, ever.)
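
The change described above, sketched as an added example (not code from univention-management-console; the class and function names, the fallback path and the validation rules are assumptions). The "before" keeps one dictionary entry per login attempt; the "after" carries the return path in RelayState itself and validates it when the response arrives, since the value then comes back through the browser.

```python
# Added example; names, fallback path and validation rules are assumptions.
import uuid
from urllib.parse import urlsplit

FALLBACK = "/"        # constructed default landing path
MAX_RELAY_STATE = 80  # SAML bindings: RelayState must not exceed 80 bytes


class StatefulRelay:
    """'Before': one dictionary entry per AuthnRequest, never removed."""

    def __init__(self):
        self.relay_states = {}

    def start_login(self, location):
        key = uuid.uuid4().hex
        self.relay_states[key] = {"location": location}
        return key  # opaque key travels as RelayState

    def finish_login(self, relay_state):
        entry = self.relay_states.get(relay_state, {})
        return entry.get("location", FALLBACK)


def safe_local_path(value):
    """Return value only if it is a short, same-origin absolute path."""
    if not isinstance(value, str) or not value.startswith("/"):
        return FALLBACK
    if len(value.encode("utf-8")) > MAX_RELAY_STATE:
        return FALLBACK
    # "//host", backslashes and control characters can be read as another origin
    if value.startswith("//") or "\\" in value or any(ord(c) < 0x20 for c in value):
        return FALLBACK
    parts = urlsplit(value)
    return value if not (parts.scheme or parts.netloc) else FALLBACK


class StatelessRelay:
    """'After': the path itself is the RelayState; nothing is kept server-side."""

    def start_login(self, location):
        return safe_local_path(location)  # value sent as RelayState

    def finish_login(self, relay_state):
        # RelayState returns via the browser, so validate it again here
        return safe_local_path(relay_state)
```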
Comment 1 Florian Best univentionstaff 2020-11-09 17:11:53 CET
Fixed in:

univention-management-console.yaml
34b46e2fc39d | YAML Bug #52338

univention-management-console (11.0.5-11)
ad51dd79f9b7 | Bug #52338: do not store relay state between requests
Comment 2 Dirk Wiesenthal univentionstaff 2020-11-18 14:46:56 CET
OK: Login flow still works
OK: Code
OK: YAML