ruby-saml 0.9.2 → 0.9.3


Potentially problematic release.


This version of ruby-saml might be problematic. Click here for more details.

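--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA1:
- metadata.gz: 87259e0d311dfd9ad0d9e4a9aa440e10b637f977
- data.tar.gz: 82d80b9439b54b29d2da85b7454b4225070991d5
+ metadata.gz: 573fb055ce99a95923ac659b58226dc511813b16
+ data.tar.gz: 0421758aea7faed852223275d20afc55b50f2114
  SHA512:
- metadata.gz: 500dfa98a3746237a3e5c4425e57f7231fd6a9b15efaac4aeaf0ab694d0f3dbf9b8535a4f3c858ecbe87c55e4318f777ce1ce94b31efb8af8238d8097c534b58
- data.tar.gz: 5007fc0c661da41c87ee5132bf96d4e483cfd925fb88afe795c8fde5252fab818daa35ae6a76edc2d096a7a114132c39c6aae3300f335714c0441c0dab81ce27
+ metadata.gz: 2b4c1aeab1619e8f9a25edc5e49cad974f6ca11f33546a77ae60f548ee8d97f03d9f17622124a1343da3c27c75c465b33757abde593a745d5d42714843f4cd3b
+ data.tar.gz: 2e1e414280a4098a36be4a2be9d32845b941e087df5d799e779a42e548aa19b61b6efe5c230146ef8894f1eba574745415f7d538d47a840868b60742b342874e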
@@ -1,4 +1,8 @@
1
1
  # RubySaml Changelog
2
+
3
+ ### 0.9.3 (Feb 27, 2018)
4
+ * Fix vulnerability CVE-2017-11428. Process text of nodes properly, ignoring comments
5
+
2
6
  ### 0.9.2 (Apr 28, 2015)
3
7
  * [#216](https://github.com/onelogin/ruby-saml/pull/216) Add fingerprint algorithm support
4
8
  * [#218](https://github.com/onelogin/ruby-saml/pull/218) Update README.md
@@ -73,7 +73,7 @@ module OneLogin
73
73
 
74
74
  def idp_name_id_format
75
75
  node = REXML::XPath.first(document, "/md:EntityDescriptor/md:IDPSSODescriptor/md:NameIDFormat", { "md" => METADATA })
76
- node.text if node
76
+ Utils.element_text(node)
77
77
  end
78
78
 
79
79
  def single_signon_service_url
@@ -89,7 +89,7 @@ module OneLogin
89
89
  def certificate
90
90
  @certificate ||= begin
91
91
  node = REXML::XPath.first(document, "/md:EntityDescriptor/md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", { "md" => METADATA, "ds" => DSIG })
92
- Base64.decode64(node.text) if node
92
+ Base64.decode64(Utils.element_text(node)) if node
93
93
  end
94
94
  end
95
95
 
@@ -58,7 +58,7 @@ module OneLogin
58
58
  @issuer ||= begin
59
59
  node = REXML::XPath.first(document, "/p:LogoutResponse/a:Issuer", { "p" => PROTOCOL, "a" => ASSERTION })
60
60
  node ||= REXML::XPath.first(document, "/p:LogoutResponse/a:Assertion/a:Issuer", { "p" => PROTOCOL, "a" => ASSERTION })
61
- node.nil? ? nil : node.text
61
+ Utils.element_text(node)
62
62
  end
63
63
  end
64
64
 
@@ -45,7 +45,7 @@ module OneLogin
45
45
  def name_id
46
46
  @name_id ||= begin
47
47
  node = xpath_first_from_signed_assertion('/a:Subject/a:NameID')
48
- node.nil? ? nil : node.text
48
+ Utils.element_text(node)
49
49
  end
50
50
  end
51
51
 
@@ -79,7 +79,7 @@ module OneLogin
79
79
  values = attr_element.elements.collect{|e|
80
80
  # SAMLCore requires that nil AttributeValues MUST contain xsi:nil XML attribute set to "true" or "1"
81
81
  # otherwise the value is to be regarded as empty.
82
- ["true", "1"].include?(e.attributes['xsi:nil']) ? nil : e.text.to_s
82
+ ["true", "1"].include?(e.attributes['xsi:nil']) ? nil : Utils.element_text(e)
83
83
  }
84
84
 
85
85
  attributes.add(name, values)
@@ -108,7 +108,7 @@ module OneLogin
108
108
  def status_message
109
109
  @status_message ||= begin
110
110
  node = REXML::XPath.first(document, "/p:Response/p:Status/p:StatusMessage", { "p" => PROTOCOL, "a" => ASSERTION })
111
- node.text if node
111
+ Utils.element_text(node)
112
112
  end
113
113
  end
114
114
 
@@ -129,7 +129,7 @@ module OneLogin
129
129
  @issuer ||= begin
130
130
  node = REXML::XPath.first(document, "/p:Response/a:Issuer", { "p" => PROTOCOL, "a" => ASSERTION })
131
131
  node ||= xpath_first_from_signed_assertion('/a:Issuer')
132
- node.nil? ? nil : node.text
132
+ Utils.element_text(node)
133
133
  end
134
134
  end
135
135
 
@@ -31,7 +31,7 @@ module OneLogin
31
31
  def name_id
32
32
  @name_id ||= begin
33
33
  node = REXML::XPath.first(document, "/p:LogoutRequest/a:NameID", { "p" => PROTOCOL, "a" => ASSERTION })
34
- node.nil? ? nil : node.text
34
+ Utils.element_text(node)
35
35
  end
36
36
  end
37
37
 
@@ -46,7 +46,7 @@ module OneLogin
46
46
  def issuer
47
47
  @issuer ||= begin
48
48
  node = REXML::XPath.first(document, "/p:LogoutRequest/a:Issuer", { "p" => PROTOCOL, "a" => ASSERTION })
49
- node.nil? ? nil : node.text
49
+ Utils.element_text(node)
50
50
  end
51
51
  end
52
52
 
@@ -38,7 +38,12 @@ module OneLogin
38
38
  end
39
39
  end
40
40
  end
41
-
41
+ # Given a REXML::Element instance, return the concatenation of all child text nodes. Assumes
42
+ # that there all children other than text nodes can be ignored (e.g. comments). If nil is
43
+ # passed, nil will be returned.
44
+ def self.element_text(element)
45
+ element.texts.join if element
46
+ end
42
47
  end
43
48
  end
44
49
  end
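Review bot: `element.texts.join` in `Utils.element_text` builds its result through `REXML::Text#to_s`, which as far as I know returns the text in escaped form, whereas the `node.text` calls it replaces returned the unescaped value. If that holds, a NameID or attribute value containing an entity such as `&amp;` would now come back still escaped, in every accessor this release switches to the helper. Joining the unescaped values keeps the comment handling and the earlier entity behaviour: `element.texts.map(&:value).join if element`. The comment above the method also has a slip ("that there all children"); `# Assumes that all children other than text nodes can be ignored (e.g. comments).` reads as intended. The enclosing class starts outside the hunk.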
@@ -1,5 +1,5 @@
1
1
  module OneLogin
2
2
  module RubySaml
3
- VERSION = '0.9.2'
3
+ VERSION = '0.9.3'
4
4
  end
5
5
  end
@@ -29,6 +29,7 @@ require "openssl"
29
29
  require 'nokogiri'
30
30
  require "digest/sha1"
31
31
  require "digest/sha2"
32
+ require "onelogin/ruby-saml/utils"
32
33
  require "onelogin/ruby-saml/validation_error"
33
34
 
34
35
  module XMLSecurity
@@ -192,7 +193,7 @@ module XMLSecurity
192
193
  raise OneLogin::RubySaml::ValidationError.new("Certificate element missing in response (ds:X509Certificate)")
193
194
  end
194
195
  end
195
- base64_cert = cert_element.text
196
+ base64_cert = OneLogin::RubySaml::Utils.element_text(cert_element)
196
197
  cert_text = Base64.decode64(base64_cert)
197
198
  cert = OpenSSL::X509::Certificate.new(cert_text)
198
199
 
@@ -248,7 +249,7 @@ module XMLSecurity
248
249
  digest_algorithm = algorithm(REXML::XPath.first(ref, "//ds:DigestMethod", 'ds' => DSIG))
249
250
 
250
251
  hash = digest_algorithm.digest(canon_hashed_element)
251
- digest_value = Base64.decode64(REXML::XPath.first(ref, "//ds:DigestValue", {"ds"=>DSIG}).text)
252
+ digest_value = Base64.decode64(OneLogin::RubySaml::Utils.element_text(REXML::XPath.first(ref, "//ds:DigestValue", {"ds"=>DSIG})))
252
253
 
253
254
  unless digests_match?(hash, digest_value)
254
255
  @errors << "Digest mismatch"
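Review bot: The rewritten DigestValue lookup keeps the path `//ds:DigestValue`, and in XPath a leading `//` searches from the document root, so the value compared with the computed hash is presumably the first DigestValue in the document rather than the one under `ref`. Anchoring the query to the reference, `REXML::XPath.first(ref, "./ds:DigestValue", { "ds" => DSIG })`, ties the digest to the element actually being checked; the `//ds:SignatureValue` lookup in the following hunk has the same shape relative to `@sig_element`. Separately, when either lookup finds nothing, `Utils.element_text` returns nil and `Base64.decode64(nil)` fails with a NoMethodError, where a `ValidationError` like the one raised for a missing certificate would be clearer. The enclosing method starts and ends outside both hunks.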
@@ -256,7 +257,7 @@ module XMLSecurity
256
257
  end
257
258
  end
258
259
 
259
- base64_signature = REXML::XPath.first(@sig_element, "//ds:SignatureValue", {"ds"=>DSIG}).text
260
+ base64_signature = OneLogin::RubySaml::Utils.element_text(REXML::XPath.first(@sig_element, "//ds:SignatureValue", {"ds"=>DSIG}))
260
261
  signature = Base64.decode64(base64_signature)
261
262
 
262
263
  # get certificate object
@@ -124,6 +124,14 @@ class RubySamlTest < Minitest::Test
124
124
  assert_equal response.name_id, "test@onelogin.com"
125
125
  end
126
126
 
127
+ it "Prevent node text with comment (VU#475445) attack" do
128
+ response_doc = File.read(File.join(File.dirname(__FILE__), "responses", 'response_node_text_attack.xml.base64'))
129
+ response = OneLogin::RubySaml::Response.new(response_doc)
130
+
131
+ assert_equal "support@onelogin.com", response.name_id
132
+ assert_equal "smith", response.attributes["surname"]
133
+ end
134
+
127
135
  it "support dynamic namespace resolution on signature elements" do
128
136
  response = OneLogin::RubySaml::Response.new(fixture("no_signature_ns.xml"))
129
137
  response.stubs(:conditions).returns(nil)
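Review bot: The new test asserts only `response.name_id` and the `surname` attribute, so the other readers this release moves to `Utils.element_text` (issuer, status_message, the LogoutRequest and LogoutResponse accessors, the IdP metadata parser) have no comment-bearing fixture behind them. An extra assertion on a value containing an entity, for instance against the existing `response_with_ampersands` fixture, would also pin that the helper returns the same text `node.text` did. A one-line comment above the test would help the next reader: `# A comment inside NameID or AttributeValue must not truncate the value the SP reads`.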
@@ -335,14 +343,14 @@ class RubySamlTest < Minitest::Test
335
343
 
336
344
  it "check what happens when trying retrieve attribute that does not exists" do
337
345
  response = OneLogin::RubySaml::Response.new(fixture(:response_with_multiple_attribute_values))
338
- assert_equal nil, response.attributes[:attribute_not_exists]
339
- assert_equal nil, response.attributes.single(:attribute_not_exists)
340
- assert_equal nil, response.attributes.multi(:attribute_not_exists)
346
+ assert_nil response.attributes[:attribute_not_exists]
347
+ assert_nil response.attributes.single(:attribute_not_exists)
348
+ assert_nil response.attributes.multi(:attribute_not_exists)
341
349
 
342
350
  OneLogin::RubySaml::Attributes.single_value_compatibility = false
343
- assert_equal nil, response.attributes[:attribute_not_exists]
344
- assert_equal nil, response.attributes.single(:attribute_not_exists)
345
- assert_equal nil, response.attributes.multi(:attribute_not_exists)
351
+ assert_nil response.attributes[:attribute_not_exists]
352
+ assert_nil response.attributes.single(:attribute_not_exists)
353
+ assert_nil response.attributes.multi(:attribute_not_exists)
346
354
  OneLogin::RubySaml::Attributes.single_value_compatibility = true
347
355
  end
348
356
 
@@ -383,7 +391,7 @@ class RubySamlTest < Minitest::Test
383
391
  malicious_response_document = fixture('response_eval', false)
384
392
  response = OneLogin::RubySaml::Response.new(malicious_response_document)
385
393
  response.send(:xpath_first_from_signed_assertion)
386
- assert_equal($evalled, nil)
394
+ assert_nil $evalled
387
395
  end
388
396
  end
389
397
 
@@ -0,0 +1 @@
1
+ PHNhbWxwOlJlc3BvbnNlIHhtbG5zOnNhbWw9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iIHhtbG5zOnNhbWxwPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6cHJvdG9jb2wiIElEPSJHT1NBTUxSMTI5MDExNzQ1NzE3OTQiIFZlcnNpb249IjIuMCIgSXNzdWVJbnN0YW50PSIyMDEwLTExLTE4VDIxOjU3OjM3WiIgRGVzdGluYXRpb249IntyZWNpcGllbnR9Ij4NCiAgPHNhbWxwOlN0YXR1cz4NCiAgICA8c2FtbHA6U3RhdHVzQ29kZSBWYWx1ZT0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnN0YXR1czpTdWNjZXNzIi8+PC9zYW1scDpTdGF0dXM+DQogIDxzYW1sOkFzc2VydGlvbiB4bWxuczp4cz0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEiIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIFZlcnNpb249IjIuMCIgSUQ9InBmeGE0NjU3NGRmLWIzYjAtYTA2YS0yM2M4LTYzNjQxMzE5ODc3MiIgSXNzdWVJbnN0YW50PSIyMDEwLTExLTE4VDIxOjU3OjM3WiI+DQogICAgPHNhbWw6SXNzdWVyPmh0dHBzOi8vYXBwLm9uZWxvZ2luLmNvbS9zYW1sL21ldGFkYXRhLzEzNTkwPC9zYW1sOklzc3Vlcj4NCiAgICA8ZHM6U2lnbmF0dXJlIHhtbG5zOmRzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjIj4NCiAgICAgIDxkczpTaWduZWRJbmZvPg0KICAgICAgICA8ZHM6Q2Fub25pY2FsaXphdGlvbk1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIvPg0KICAgICAgICA8ZHM6U2lnbmF0dXJlTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI3JzYS1zaGExIi8+DQogICAgICAgIDxkczpSZWZlcmVuY2UgVVJJPSIjcGZ4YTQ2NTc0ZGYtYjNiMC1hMDZhLTIzYzgtNjM2NDEzMTk4NzcyIj4NCiAgICAgICAgICA8ZHM6VHJhbnNmb3Jtcz4NCiAgICAgICAgICAgIDxkczpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjZW52ZWxvcGVkLXNpZ25hdHVyZSIvPg0KICAgICAgICAgICAgPGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIvPg0KICAgICAgICAgIDwvZHM6VHJhbnNmb3Jtcz4NCiAgICAgICAgICA8ZHM6RGlnZXN0TWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI3NoYTEiLz4NCiAgICAgICAgICA8ZHM6RGlnZXN0VmFsdWU+cEpRN01TL2VrNEtSUldHbXYvSDQzUmVIWU1zPTwvZHM6RGlnZXN0VmFsdWU+DQogICAgICAgIDwvZHM6UmVmZXJlbmNlPg0KICAgICAgPC9kczpTaWduZWRJbmZvPg0KICAgICAgPGRzOlNpZ25hdHVyZVZhbHVlPnlpdmVLY1BkRHB1RE5qNnNoclEzQUJ3ci9jQTNDcnlEMnBoRy94TFpzektXeFU1L21sYUt0OGV3YlpPZEtLdnRPczJwSEJ5NUR1YTNrOTRBRn
p4R3llbDVnT293bW95WEpyQU9ya1BPMHZsaTFWOG8zaFBQVVp3UmdTWDZROXBTMUNxUWdoS2lFYXNSeXlscXFKVWFQWXptT3pPRTgvWGxNa3dpV21PMD08L2RzOlNpZ25hdHVyZVZhbHVlPg0KICAgICAgPGRzOktleUluZm8+DQogICAgICAgIDxkczpYNTA5RGF0YT4NCiAgICAgICAgICA8ZHM6WDUwOUNlcnRpZmljYXRlPk1JSUJyVENDQWFHZ0F3SUJBZ0lCQVRBREJnRUFNR2N4Q3pBSkJnTlZCQVlUQWxWVE1STXdFUVlEVlFRSURBcERZV3hwWm05eWJtbGhNUlV3RXdZRFZRUUhEQXhUWVc1MFlTQk5iMjVwWTJFeEVUQVBCZ05WQkFvTUNFOXVaVXh2WjJsdU1Sa3dGd1lEVlFRRERCQmhjSEF1YjI1bGJHOW5hVzR1WTI5dE1CNFhEVEV3TURNd09UQTVOVGcwTlZvWERURTFNRE13T1RBNU5UZzBOVm93WnpFTE1Ba0dBMVVFQmhNQ1ZWTXhFekFSQmdOVkJBZ01Da05oYkdsbWIzSnVhV0V4RlRBVEJnTlZCQWNNREZOaGJuUmhJRTF2Ym1sallURVJNQThHQTFVRUNnd0lUMjVsVEc5bmFXNHhHVEFYQmdOVkJBTU1FR0Z3Y0M1dmJtVnNiMmRwYmk1amIyMHdnWjh3RFFZSktvWklodmNOQVFFQkJRQURnWTBBTUlHSkFvR0JBT2pTdTFmalB5OGQ1dzRReUwxemQ0aEl3MU1ra2ZmNFdZL1RMRzhPWmtVNVlUU1dtbUhQRDVrdllINXVvWFMvNnFRODFxWHBSMndWOENUb3daSlVMZzA5ZGRSZFJuOFFzcWoxRnlPQzVzbEUzeTJiWjJvRnVhNzJvZi80OWZwdWpuRlQ2S25RNjFDQk1xbERvVFFxT1Q2MnZHSjhuUDZNWld2QTZzeHF1ZDVBZ01CQUFFd0F3WUJBQU1CQUE9PTwvZHM6WDUwOUNlcnRpZmljYXRlPg0KICAgICAgICA8L2RzOlg1MDlEYXRhPg0KICAgICAgPC9kczpLZXlJbmZvPg0KICAgIDwvZHM6U2lnbmF0dXJlPg0KICAgIDxzYW1sOlN1YmplY3Q+DQogICAgICA8c2FtbDpOYW1lSUQgRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoxLjE6bmFtZWlkLWZvcm1hdDplbWFpbEFkZHJlc3MiPnN1cHBvcnQ8IS0tIGF0dGFjayEgLS0+QG9uZWxvZ2luLmNvbTwvc2FtbDpOYW1lSUQ+DQogICAgICA8c2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uIE1ldGhvZD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmNtOmJlYXJlciI+DQogICAgICAgIDxzYW1sOlN1YmplY3RDb25maXJtYXRpb25EYXRhIE5vdE9uT3JBZnRlcj0iMjAxMC0xMS0xOFQyMjowMjozN1oiIFJlY2lwaWVudD0ie3JlY2lwaWVudH0iLz48L3NhbWw6U3ViamVjdENvbmZpcm1hdGlvbj4NCiAgICA8L3NhbWw6U3ViamVjdD4NCiAgICA8c2FtbDpDb25kaXRpb25zIE5vdEJlZm9yZT0iMjAxMC0xMS0xOFQyMTo1MjozN1oiIE5vdE9uT3JBZnRlcj0iMjAxMC0xMS0xOFQyMjowMjozN1oiPg0KICAgICAgPHNhbWw6QXVkaWVuY2VSZXN0cmljdGlvbj4NCiAgICAgICAgPHNhbWw6QXVkaWVuY2U+e2F1ZGllbmNlfTwvc2FtbDpBdWRpZW5jZT4NCiAgICAgIDwvc2FtbDpBdWRpZW5jZVJlc3RyaWN0aW9uPg0KICAgIDwvc2FtbDpDb25kaXRpb25zPg0KICAgIDxzYW1sOkF1dGhuU3RhdGVtZW50IEF1dG
huSW5zdGFudD0iMjAxMC0xMS0xOFQyMTo1NzozN1oiIFNlc3Npb25Ob3RPbk9yQWZ0ZXI9IjIwMTAtMTEtMTlUMjE6NTc6MzdaIiBTZXNzaW9uSW5kZXg9Il81MzFjMzJkMjgzYmRmZjdlMDRlNDg3YmNkYmM0ZGQ4ZCI+DQogICAgICA8c2FtbDpBdXRobkNvbnRleHQ+DQogICAgICAgIDxzYW1sOkF1dGhuQ29udGV4dENsYXNzUmVmPnVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphYzpjbGFzc2VzOlBhc3N3b3JkPC9zYW1sOkF1dGhuQ29udGV4dENsYXNzUmVmPg0KICAgICAgPC9zYW1sOkF1dGhuQ29udGV4dD4NCiAgICA8L3NhbWw6QXV0aG5TdGF0ZW1lbnQ+DQogICAgPHNhbWw6QXR0cmlidXRlU3RhdGVtZW50Pg0KICAgICAgPHNhbWw6QXR0cmlidXRlIE5hbWU9InN1cm5hbWUiPg0KICAgICAgICA8c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4bWxuczp4cz0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEiIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIHhzaTp0eXBlPSJ4czpzdHJpbmciPnM8IS0tIGF0dGFjayEgLS0+bWl0aDwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT4NCiAgICAgIDwvc2FtbDpBdHRyaWJ1dGU+DQogICAgICA8c2FtbDpBdHRyaWJ1dGUgTmFtZT0iYW5vdGhlcl92YWx1ZSI+DQogICAgICAgIDxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhtbG5zOnhzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSIgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSIgeHNpOnR5cGU9InhzOnN0cmluZyI+dmFsdWUxPC9zYW1sOkF0dHJpYnV0ZVZhbHVlPg0KICAgICAgICA8c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4bWxuczp4cz0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEiIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIHhzaTp0eXBlPSJ4czpzdHJpbmciPnZhbHVlMjwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT4NCiAgICAgIDwvc2FtbDpBdHRyaWJ1dGU+DQogICAgICA8c2FtbDpBdHRyaWJ1dGUgTmFtZT0icm9sZSI+DQogICAgICAgIDxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhtbG5zOnhzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSIgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSIgeHNpOnR5cGU9InhzOnN0cmluZyI+cm9sZTE8L3NhbWw6QXR0cmlidXRlVmFsdWU+DQogICAgICA8L3NhbWw6QXR0cmlidXRlPg0KICAgIDwvc2FtbDpBdHRyaWJ1dGVTdGF0ZW1lbnQ+DQogICAgPHNhbWw6QXR0cmlidXRlU3RhdGVtZW50Pg0KICAgICAgPHNhbWw6QXR0cmlidXRlIE5hbWU9ImZpcnN0bmFtZSI+DQogICAgICAgIDxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhtbG5zOnhzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSIgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW
5jZSIgeHNpOnR5cGU9InhzOnN0cmluZyI+Ym9iPC9zYW1sOkF0dHJpYnV0ZVZhbHVlPg0KICAgICAgPC9zYW1sOkF0dHJpYnV0ZT4gIA0KICAgICAgPHNhbWw6QXR0cmlidXRlIE5hbWU9ImF0dHJpYnV0ZV93aXRoX25pbF92YWx1ZSI+DQogICAgICAgIDxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhtbG5zOnhzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSIgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSIgeHNpOm5pbD0idHJ1ZSIvPg0KICAgICAgPC9zYW1sOkF0dHJpYnV0ZT4NCiAgICAgIDxzYW1sOkF0dHJpYnV0ZSBOYW1lPSJhdHRyaWJ1dGVfd2l0aF9uaWxzX2FuZF9lbXB0eV9zdHJpbmdzIj4NCiAgICAgICAgPHNhbWw6QXR0cmlidXRlVmFsdWUvPg0KICAgICAgICA8c2FtbDpBdHRyaWJ1dGVWYWx1ZT52YWx1ZVByZXNlbnQ8L3NhbWw6QXR0cmlidXRlVmFsdWU+DQogICAgICAgIDxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhtbG5zOnhzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSIgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSIgeHNpOm5pbD0idHJ1ZSIvPg0KICAgICAgICA8c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4bWxuczp4cz0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEiIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIHhzaTpuaWw9IjEiLz4NCiAgICAgIDwvc2FtbDpBdHRyaWJ1dGU+DQogICAgPC9zYW1sOkF0dHJpYnV0ZVN0YXRlbWVudD4NCiAgPC9zYW1sOkFzc2VydGlvbj4NCjwvc2FtbHA6UmVzcG9uc2U+
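--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
  --- !ruby/object:Gem::Specification
  name: ruby-saml
  version: !ruby/object:Gem::Version
- version: 0.9.2
+ version: 0.9.3
  platform: ruby
  authors:
  - OneLogin LLC
  autorequire:
  bindir: bin
  cert_chain: []
- date: 2015-04-29 00:00:00.000000000 Z
+ date: 2018-02-27 00:00:00.000000000 Z
  dependencies:
  - !ruby/object:Gem::Dependency
  name: uuid
@@ -212,6 +212,7 @@ files:
  - test/responses/response5.xml.base64
  - test/responses/response_eval.xml
  - test/responses/response_no_cert_and_encrypted_attrs.xml
+ - test/responses/response_node_text_attack.xml.base64
  - test/responses/response_with_ampersands.xml
  - test/responses/response_with_ampersands.xml.base64
  - test/responses/response_with_multiple_attribute_values.xml
@@ -246,7 +247,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
  version: '0'
  requirements: []
  rubyforge_project: http://www.rubygems.org/gems/ruby-saml
- rubygems_version: 2.4.5
+ rubygems_version: 2.5.2.1
  signing_key:
  specification_version: 4
  summary: SAML Ruby Tookit
@@ -278,6 +279,7 @@ test_files:
  - test/responses/response5.xml.base64
  - test/responses/response_eval.xml
  - test/responses/response_no_cert_and_encrypted_attrs.xml
+ - test/responses/response_node_text_attack.xml.base64
  - test/responses/response_with_ampersands.xml
  - test/responses/response_with_ampersands.xml.base64
  - test/responses/response_with_multiple_attribute_values.xml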