ruby-saml 0.8.2 → 0.8.3

Sign up to get free protection for your applications and to get access to all the features.

Potentially problematic release.

This version of ruby-saml might be problematic. Click here for more details.

Files changed (11) hide show
  1. checksums.yaml +4 -4
  2. data/changelog.md +4 -0
  3. data/lib/onelogin/ruby-saml/logoutresponse.rb +1 -1
  4. data/lib/onelogin/ruby-saml/response.rb +3 -3
  5. data/lib/onelogin/ruby-saml/utils.rb +15 -0
  6. data/lib/onelogin/ruby-saml/version.rb +1 -1
  7. data/lib/ruby-saml.rb +1 -0
  8. data/lib/xml_security.rb +5 -4
  9. data/test/response_test.rb +8 -0
  10. data/test/responses/response_node_text_attack.xml.base64 +1 -0
  11. metadata +6 -3
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: 54aff65643a4409b0e306515c9f92ae634db3238
4
- data.tar.gz: c9fe0db4412806b434a8bb36503ecbd7939ffa36
3
+ metadata.gz: f4097d7f4bcd13aa1ca745797b87159cc5980617
4
+ data.tar.gz: 9b70f265ae75b3dafe2884b001f138d3e21e515b
5
5
  SHA512:
6
- metadata.gz: 07d26360f0145816ce08a5e109eae2a9c0f233154fdceb8178b69f1e9d72210baeebaa5ee978c973d6764dfd0a1d28f4ff0ea1e6beef90023a26383c342c3892
7
- data.tar.gz: ee10bbde3c20e9ad2ec658506608a6d705ea9692f4c1577506e6a90b56db858f752f800300cf012e01319531d0b5f8aafcfe0f25b15b8681a2b81f7fed4c2fd4
6
+ metadata.gz: 00c0b519afbb725de8464e61676681abfc6235fdc6756f87384623a044d7fc5ccb9a939d051229da9dc946e4a2983de9d970729c7e6ac27fa84c5cffad3ced51
7
+ data.tar.gz: 6dc1aaa0d3c472374ae20f7a6d401df09899b9e44c93fe71f149bf299cc8b26f199949703424a13c6a4b3f83cde856ed38f3ecbf283ab8e48066646af655989b
data/changelog.md CHANGED
@@ -1,5 +1,9 @@
1
1
  # RubySaml Changelog
2
2
 
3
+ ### 0.8.3 (Feb 27, 2018)
4
+ * Fix vulnerability CVE-2017-11428. Process text of nodes properly, ignoring comments
5
+ * Fix DigestMethod lookup bug #144
6
+
3
7
  ### 0.8.2 (Jan 26, 2014)
4
8
  * [#183](https://github.com/onelogin/ruby-saml/pull/183) Resolved a security vulnerability where string interpolation in a `REXML::XPath.first()` method call allowed for arbitrary code execution.
5
9
 
data/lib/onelogin/ruby-saml/logoutresponse.rb CHANGED
@@ -62,7 +62,7 @@ module OneLogin
62
62
  @issuer ||= begin
63
63
  node = REXML::XPath.first(document, "/p:LogoutResponse/a:Issuer", { "p" => PROTOCOL, "a" => ASSERTION })
64
64
  node ||= REXML::XPath.first(document, "/p:LogoutResponse/a:Assertion/a:Issuer", { "p" => PROTOCOL, "a" => ASSERTION })
65
- node.nil? ? nil : node.text
65
+ Utils.element_text(node)
66
66
  end
67
67
  end
68
68
 
data/lib/onelogin/ruby-saml/response.rb CHANGED
@@ -37,7 +37,7 @@ module OneLogin
37
37
  def name_id
38
38
  @name_id ||= begin
39
39
  node = xpath_first_from_signed_assertion('/a:Subject/a:NameID')
40
- node.nil? ? nil : node.text
40
+ Utils.element_text(node)
41
41
  end
42
42
  end
43
43
 
@@ -58,7 +58,7 @@ module OneLogin
58
58
 
59
59
  stmt_element.elements.each do |attr_element|
60
60
  name = attr_element.attributes["Name"]
61
- value = attr_element.elements.first.text
61
+ value = Utils.element_text(attr_element.elements.first)
62
62
 
63
63
  result[name] = value
64
64
  end
@@ -104,7 +104,7 @@ module OneLogin
104
104
  @issuer ||= begin
105
105
  node = REXML::XPath.first(document, "/p:Response/a:Issuer", { "p" => PROTOCOL, "a" => ASSERTION })
106
106
  node ||= xpath_first_from_signed_assertion('/a:Issuer')
107
- node.nil? ? nil : node.text
107
+ Utils.element_text(node)
108
108
  end
109
109
  end
110
110
 
data/lib/onelogin/ruby-saml/utils.rb ADDED
@@ -0,0 +1,15 @@
1
+ module OneLogin
2
+ module RubySaml
3
+
4
+ # SAML2 Auxiliary class
5
+ #
6
+ class Utils
7
+ # Given a REXML::Element instance, return the concatenation of all child text nodes. Assumes
8
+ # that there all children other than text nodes can be ignored (e.g. comments). If nil is
9
+ # passed, nil will be returned.
10
+ def self.element_text(element)
11
+ element.texts.join if element
12
+ end
13
+ end
14
+ end
15
+ end
data/lib/onelogin/ruby-saml/version.rb CHANGED
@@ -1,5 +1,5 @@
1
1
  module OneLogin
2
2
  module RubySaml
3
- VERSION = '0.8.2'
3
+ VERSION = '0.8.3'
4
4
  end
5
5
  end
data/lib/ruby-saml.rb CHANGED
@@ -4,6 +4,7 @@ require 'onelogin/ruby-saml/logoutrequest'
4
4
  require 'onelogin/ruby-saml/logoutresponse'
5
5
  require 'onelogin/ruby-saml/response'
6
6
  require 'onelogin/ruby-saml/settings'
7
+ require 'onelogin/ruby-saml/utils'
7
8
  require 'onelogin/ruby-saml/validation_error'
8
9
  require 'onelogin/ruby-saml/metadata'
9
10
  require 'onelogin/ruby-saml/version'
data/lib/xml_security.rb CHANGED
@@ -30,6 +30,7 @@ require 'nokogiri'
30
30
  require "digest/sha1"
31
31
  require "digest/sha2"
32
32
  require "onelogin/ruby-saml/validation_error"
33
+ require "onelogin/ruby-saml/utils"
33
34
 
34
35
  module XMLSecurity
35
36
 
@@ -48,7 +49,7 @@ module XMLSecurity
48
49
  # get cert from response
49
50
  cert_element = REXML::XPath.first(self, "//ds:X509Certificate", { "ds"=>DSIG })
50
51
  raise OneLogin::RubySaml::ValidationError.new("Certificate element missing in response (ds:X509Certificate)") unless cert_element
51
- base64_cert = cert_element.text
52
+ base64_cert = OneLogin::RubySaml::Utils.element_text(cert_element)
52
53
  cert_text = Base64.decode64(base64_cert)
53
54
  cert = OpenSSL::X509::Certificate.new(cert_text)
54
55
 
@@ -96,17 +97,17 @@ module XMLSecurity
96
97
  canon_algorithm = canon_algorithm REXML::XPath.first(ref, '//ds:CanonicalizationMethod', 'ds' => DSIG)
97
98
  canon_hashed_element = hashed_element.canonicalize(canon_algorithm, inclusive_namespaces)
98
99
 
99
- digest_algorithm = algorithm(REXML::XPath.first(ref, "//ds:DigestMethod"))
100
+ digest_algorithm = algorithm(REXML::XPath.first(ref, "//ds:DigestMethod", 'ds' => DSIG))
100
101
 
101
102
  hash = digest_algorithm.digest(canon_hashed_element)
102
- digest_value = Base64.decode64(REXML::XPath.first(ref, "//ds:DigestValue", {"ds"=>DSIG}).text)
103
+ digest_value = Base64.decode64(OneLogin::RubySaml::Utils.element_text(REXML::XPath.first(ref, "//ds:DigestValue", {"ds"=>DSIG})))
103
104
 
104
105
  unless digests_match?(hash, digest_value)
105
106
  return soft ? false : (raise OneLogin::RubySaml::ValidationError.new("Digest mismatch"))
106
107
  end
107
108
  end
108
109
 
109
- base64_signature = REXML::XPath.first(@sig_element, "//ds:SignatureValue", {"ds"=>DSIG}).text
110
+ base64_signature = OneLogin::RubySaml::Utils.element_text(REXML::XPath.first(@sig_element, "//ds:SignatureValue", {"ds"=>DSIG}))
110
111
  signature = Base64.decode64(base64_signature)
111
112
 
112
113
  # get certificate object
data/test/response_test.rb CHANGED
@@ -151,6 +151,14 @@ class RubySamlTest < Test::Unit::TestCase
151
151
  response.settings = settings
152
152
  assert_raises(OneLogin::RubySaml::ValidationError, 'Digest mismatch'){ response.validate! }
153
153
  end
154
+
155
+ should "Prevent node text with comment (VU#475445) attack" do
156
+ response_doc = File.read(File.join(File.dirname(__FILE__), "responses", 'response_node_text_attack.xml.base64'))
157
+ response = OneLogin::RubySaml::Response.new(response_doc)
158
+
159
+ assert_equal "support@onelogin.com", response.name_id
160
+ assert_equal "smith", response.attributes["surname"]
161
+ end
154
162
  end
155
163
 
156
164
  context "#name_id" do
data/test/responses/response_node_text_attack.xml.base64 ADDED
@@ -0,0 +1 @@
1
+ PHNhbWxwOlJlc3BvbnNlIHhtbG5zOnNhbWw9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iIHhtbG5zOnNhbWxwPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6cHJvdG9jb2wiIElEPSJHT1NBTUxSMTI5MDExNzQ1NzE3OTQiIFZlcnNpb249IjIuMCIgSXNzdWVJbnN0YW50PSIyMDEwLTExLTE4VDIxOjU3OjM3WiIgRGVzdGluYXRpb249IntyZWNpcGllbnR9Ij4NCiAgPHNhbWxwOlN0YXR1cz4NCiAgICA8c2FtbHA6U3RhdHVzQ29kZSBWYWx1ZT0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnN0YXR1czpTdWNjZXNzIi8+PC9zYW1scDpTdGF0dXM+DQogIDxzYW1sOkFzc2VydGlvbiB4bWxuczp4cz0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEiIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIFZlcnNpb249IjIuMCIgSUQ9InBmeGE0NjU3NGRmLWIzYjAtYTA2YS0yM2M4LTYzNjQxMzE5ODc3MiIgSXNzdWVJbnN0YW50PSIyMDEwLTExLTE4VDIxOjU3OjM3WiI+DQogICAgPHNhbWw6SXNzdWVyPmh0dHBzOi8vYXBwLm9uZWxvZ2luLmNvbS9zYW1sL21ldGFkYXRhLzEzNTkwPC9zYW1sOklzc3Vlcj4NCiAgICA8ZHM6U2lnbmF0dXJlIHhtbG5zOmRzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjIj4NCiAgICAgIDxkczpTaWduZWRJbmZvPg0KICAgICAgICA8ZHM6Q2Fub25pY2FsaXphdGlvbk1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIvPg0KICAgICAgICA8ZHM6U2lnbmF0dXJlTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI3JzYS1zaGExIi8+DQogICAgICAgIDxkczpSZWZlcmVuY2UgVVJJPSIjcGZ4YTQ2NTc0ZGYtYjNiMC1hMDZhLTIzYzgtNjM2NDEzMTk4NzcyIj4NCiAgICAgICAgICA8ZHM6VHJhbnNmb3Jtcz4NCiAgICAgICAgICAgIDxkczpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjZW52ZWxvcGVkLXNpZ25hdHVyZSIvPg0KICAgICAgICAgICAgPGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIvPg0KICAgICAgICAgIDwvZHM6VHJhbnNmb3Jtcz4NCiAgICAgICAgICA8ZHM6RGlnZXN0TWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI3NoYTEiLz4NCiAgICAgICAgICA8ZHM6RGlnZXN0VmFsdWU+cEpRN01TL2VrNEtSUldHbXYvSDQzUmVIWU1zPTwvZHM6RGlnZXN0VmFsdWU+DQogICAgICAgIDwvZHM6UmVmZXJlbmNlPg0KICAgICAgPC9kczpTaWduZWRJbmZvPg0KICAgICAgPGRzOlNpZ25hdHVyZVZhbHVlPnlpdmVLY1BkRHB1RE5qNnNoclEzQUJ3ci9jQTNDcnlEMnBoRy94TFpzektXeFU1L21sYUt0OGV3YlpPZEtLdnRPczJwSEJ5NUR1YTNrOTRBRnp4R3llbDVnT293bW95WEpyQU9ya1BPMHZsaTFWOG8zaFBQVVp3UmdTWDZROXBTMUNxUWdoS2lFYXNSeXlscXFKVWFQWXptT3pPRTgvWGxNa3dpV21PMD08L2RzOlNpZ25hdHVyZVZhbHVlPg0KICAgICAgPGRzOktleUluZm8+DQogICAgICAgIDxkczpYNTA5RGF0YT4NCiAgICAgICAgICA8ZHM6WDUwOUNlcnRpZmljYXRlPk1JSUJyVENDQWFHZ0F3SUJBZ0lCQVRBREJnRUFNR2N4Q3pBSkJnTlZCQVlUQWxWVE1STXdFUVlEVlFRSURBcERZV3hwWm05eWJtbGhNUlV3RXdZRFZRUUhEQXhUWVc1MFlTQk5iMjVwWTJFeEVUQVBCZ05WQkFvTUNFOXVaVXh2WjJsdU1Sa3dGd1lEVlFRRERCQmhjSEF1YjI1bGJHOW5hVzR1WTI5dE1CNFhEVEV3TURNd09UQTVOVGcwTlZvWERURTFNRE13T1RBNU5UZzBOVm93WnpFTE1Ba0dBMVVFQmhNQ1ZWTXhFekFSQmdOVkJBZ01Da05oYkdsbWIzSnVhV0V4RlRBVEJnTlZCQWNNREZOaGJuUmhJRTF2Ym1sallURVJNQThHQTFVRUNnd0lUMjVsVEc5bmFXNHhHVEFYQmdOVkJBTU1FR0Z3Y0M1dmJtVnNiMmRwYmk1amIyMHdnWjh3RFFZSktvWklodmNOQVFFQkJRQURnWTBBTUlHSkFvR0JBT2pTdTFmalB5OGQ1dzRReUwxemQ0aEl3MU1ra2ZmNFdZL1RMRzhPWmtVNVlUU1dtbUhQRDVrdllINXVvWFMvNnFRODFxWHBSMndWOENUb3daSlVMZzA5ZGRSZFJuOFFzcWoxRnlPQzVzbEUzeTJiWjJvRnVhNzJvZi80OWZwdWpuRlQ2S25RNjFDQk1xbERvVFFxT1Q2MnZHSjhuUDZNWld2QTZzeHF1ZDVBZ01CQUFFd0F3WUJBQU1CQUE9PTwvZHM6WDUwOUNlcnRpZmljYXRlPg0KICAgICAgICA8L2RzOlg1MDlEYXRhPg0KICAgICAgPC9kczpLZXlJbmZvPg0KICAgIDwvZHM6U2lnbmF0dXJlPg0KICAgIDxzYW1sOlN1YmplY3Q+DQogICAgICA8c2FtbDpOYW1lSUQgRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoxLjE6bmFtZWlkLWZvcm1hdDplbWFpbEFkZHJlc3MiPnN1cHBvcnQ8IS0tIGF0dGFjayEgLS0+QG9uZWxvZ2luLmNvbTwvc2FtbDpOYW1lSUQ+DQogICAgICA8c2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uIE1ldGhvZD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmNtOmJlYXJlciI+DQogICAgICAgIDxzYW1sOlN1YmplY3RDb25maXJtYXRpb25EYXRhIE5vdE9uT3JBZnRlcj0iMjAxMC0xMS0xOFQyMjowMjozN1oiIFJlY2lwaWVudD0ie3JlY2lwaWVudH0iLz48L3NhbWw6U3ViamVjdENvbmZpcm1hdGlvbj4NCiAgICA8L3NhbWw6U3ViamVjdD4NCiAgICA8c2FtbDpDb25kaXRpb25zIE5vdEJlZm9yZT0iMjAxMC0xMS0xOFQyMTo1MjozN1oiIE5vdE9uT3JBZnRlcj0iMjAxMC0xMS0xOFQyMjowMjozN1oiPg0KICAgICAgPHNhbWw6QXVkaWVuY2VSZXN0cmljdGlvbj4NCiAgICAgICAgPHNhbWw6QXVkaWVuY2U+e2F1ZGllbmNlfTwvc2FtbDpBdWRpZW5jZT4NCiAgICAgIDwvc2FtbDpBdWRpZW5jZVJlc3RyaWN0aW9uPg0KICAgIDwvc2FtbDpDb25kaXRpb25zPg0KICAgIDxzYW1sOkF1dGhuU3RhdGVtZW50IEF1dGhuSW5zdGFudD0iMjAxMC0xMS0xOFQyMTo1NzozN1oiIFNlc3Npb25Ob3RPbk9yQWZ0ZXI9IjIwMTAtMTEtMTlUMjE6NTc6MzdaIiBTZXNzaW9uSW5kZXg9Il81MzFjMzJkMjgzYmRmZjdlMDRlNDg3YmNkYmM0ZGQ4ZCI+DQogICAgICA8c2FtbDpBdXRobkNvbnRleHQ+DQogICAgICAgIDxzYW1sOkF1dGhuQ29udGV4dENsYXNzUmVmPnVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphYzpjbGFzc2VzOlBhc3N3b3JkPC9zYW1sOkF1dGhuQ29udGV4dENsYXNzUmVmPg0KICAgICAgPC9zYW1sOkF1dGhuQ29udGV4dD4NCiAgICA8L3NhbWw6QXV0aG5TdGF0ZW1lbnQ+DQogICAgPHNhbWw6QXR0cmlidXRlU3RhdGVtZW50Pg0KICAgICAgPHNhbWw6QXR0cmlidXRlIE5hbWU9InN1cm5hbWUiPg0KICAgICAgICA8c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4bWxuczp4cz0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEiIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIHhzaTp0eXBlPSJ4czpzdHJpbmciPnM8IS0tIGF0dGFjayEgLS0+bWl0aDwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT4NCiAgICAgIDwvc2FtbDpBdHRyaWJ1dGU+DQogICAgICA8c2FtbDpBdHRyaWJ1dGUgTmFtZT0iYW5vdGhlcl92YWx1ZSI+DQogICAgICAgIDxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhtbG5zOnhzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSIgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSIgeHNpOnR5cGU9InhzOnN0cmluZyI+dmFsdWUxPC9zYW1sOkF0dHJpYnV0ZVZhbHVlPg0KICAgICAgICA8c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4bWxuczp4cz0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEiIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIHhzaTp0eXBlPSJ4czpzdHJpbmciPnZhbHVlMjwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT4NCiAgICAgIDwvc2FtbDpBdHRyaWJ1dGU+DQogICAgICA8c2FtbDpBdHRyaWJ1dGUgTmFtZT0icm9sZSI+DQogICAgICAgIDxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhtbG5zOnhzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSIgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSIgeHNpOnR5cGU9InhzOnN0cmluZyI+cm9sZTE8L3NhbWw6QXR0cmlidXRlVmFsdWU+DQogICAgICA8L3NhbWw6QXR0cmlidXRlPg0KICAgIDwvc2FtbDpBdHRyaWJ1dGVTdGF0ZW1lbnQ+DQogICAgPHNhbWw6QXR0cmlidXRlU3RhdGVtZW50Pg0KICAgICAgPHNhbWw6QXR0cmlidXRlIE5hbWU9ImZpcnN0bmFtZSI+DQogICAgICAgIDxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhtbG5zOnhzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSIgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSIgeHNpOnR5cGU9InhzOnN0cmluZyI+Ym9iPC9zYW1sOkF0dHJpYnV0ZVZhbHVlPg0KICAgICAgPC9zYW1sOkF0dHJpYnV0ZT4gIA0KICAgICAgPHNhbWw6QXR0cmlidXRlIE5hbWU9ImF0dHJpYnV0ZV93aXRoX25pbF92YWx1ZSI+DQogICAgICAgIDxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhtbG5zOnhzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSIgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSIgeHNpOm5pbD0idHJ1ZSIvPg0KICAgICAgPC9zYW1sOkF0dHJpYnV0ZT4NCiAgICAgIDxzYW1sOkF0dHJpYnV0ZSBOYW1lPSJhdHRyaWJ1dGVfd2l0aF9uaWxzX2FuZF9lbXB0eV9zdHJpbmdzIj4NCiAgICAgICAgPHNhbWw6QXR0cmlidXRlVmFsdWUvPg0KICAgICAgICA8c2FtbDpBdHRyaWJ1dGVWYWx1ZT52YWx1ZVByZXNlbnQ8L3NhbWw6QXR0cmlidXRlVmFsdWU+DQogICAgICAgIDxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhtbG5zOnhzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSIgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSIgeHNpOm5pbD0idHJ1ZSIvPg0KICAgICAgICA8c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4bWxuczp4cz0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEiIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIHhzaTpuaWw9IjEiLz4NCiAgICAgIDwvc2FtbDpBdHRyaWJ1dGU+DQogICAgPC9zYW1sOkF0dHJpYnV0ZVN0YXRlbWVudD4NCiAgPC9zYW1sOkFzc2VydGlvbj4NCjwvc2FtbHA6UmVzcG9uc2U+
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: ruby-saml
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.8.2
4
+ version: 0.8.3
5
5
  platform: ruby
6
6
  authors:
7
7
  - OneLogin LLC
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2015-01-26 00:00:00.000000000 Z
11
+ date: 2018-02-27 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: uuid
@@ -61,6 +61,7 @@ files:
61
61
  - lib/onelogin/ruby-saml/metadata.rb
62
62
  - lib/onelogin/ruby-saml/response.rb
63
63
  - lib/onelogin/ruby-saml/settings.rb
64
+ - lib/onelogin/ruby-saml/utils.rb
64
65
  - lib/onelogin/ruby-saml/validation_error.rb
65
66
  - lib/onelogin/ruby-saml/version.rb
66
67
  - lib/ruby-saml.rb
@@ -90,6 +91,7 @@ files:
90
91
  - test/responses/response4.xml.base64
91
92
  - test/responses/response5.xml.base64
92
93
  - test/responses/response_eval.xml
94
+ - test/responses/response_node_text_attack.xml.base64
93
95
  - test/responses/response_with_ampersands.xml
94
96
  - test/responses/response_with_ampersands.xml.base64
95
97
  - test/responses/simple_saml_php.xml
@@ -118,7 +120,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
118
120
  version: '0'
119
121
  requirements: []
120
122
  rubyforge_project: http://www.rubygems.org/gems/ruby-saml
121
- rubygems_version: 2.2.2
123
+ rubygems_version: 2.4.8
122
124
  signing_key:
123
125
  specification_version: 4
124
126
  summary: SAML Ruby Tookit
@@ -143,6 +145,7 @@ test_files:
143
145
  - test/responses/response4.xml.base64
144
146
  - test/responses/response5.xml.base64
145
147
  - test/responses/response_eval.xml
148
+ - test/responses/response_node_text_attack.xml.base64
146
149
  - test/responses/response_with_ampersands.xml
147
150
  - test/responses/response_with_ampersands.xml.base64
148
151
  - test/responses/simple_saml_php.xml