Launchpad OpenID Provider generates malformed POST assertion responses

Bug #574911 reported by Forest
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
Canonical SSO provider | Fix Released | Undecided | David Owen |
Launchpad itself | Invalid | Undecided | Unassigned |

Bug Description

When the Launchpad OpenID provider wants to produce an assertion that is too large for an http GET redirect, it correctly tries to produce an html form so the assertion can be POSTed instead. Unfortunately, the response it generates contains only a <form> element (no surrounding <html> or <body>) with a Content-Type of text/plain (instead of text/html). This ends up being rendered by Firefox as a raw html fragment, which is useless to the user. The OpenID assertion never reaches its destination.

This test tool can reproduce the problem:
http://test-id.net/OP/POSTAssertion.aspx

Testcase ISD_196
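
The two defects in the description above (a bare <form> fragment, served as text/plain) can be checked mechanically. The following is an added example, not code from the Canonical SSO provider: build_form_redirect, check_form_redirect and the rp.example URL are hypothetical names and constructed values.

```python
from html import escape
from html.parser import HTMLParser

# Constructed sample shaped like the faulty response in the report.
BROKEN = ({"Content-Type": "text/plain"},
          '<form method="post" action="https://rp.example/return"></form>')

def build_form_redirect(return_to, fields):
    """Build (headers, body) for an assertion delivered by an auto-submitting POST form."""
    # Every name, value and the action URL is attribute-escaped before interpolation.
    inputs = "".join(
        '<input type="hidden" name="%s" value="%s"/>\n'
        % (escape(name, quote=True), escape(value, quote=True))
        for name, value in fields.items()
    )
    body = (
        "<!DOCTYPE html>\n<html><head><title>OpenID transaction</title></head>\n"
        '<body onload="document.forms[0].submit();">\n'
        '<form method="post" accept-charset="UTF-8" action="%s">\n%s'
        '<input type="submit" value="Continue"/>\n</form>\n</body></html>\n'
        % (escape(return_to, quote=True), inputs)
    )
    return {"Content-Type": "text/html; charset=utf-8"}, body

class _TagCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.tags = set()
        self.post_form = False

    def handle_starttag(self, tag, attrs):
        self.tags.add(tag)
        if tag == "form" and (dict(attrs).get("method") or "").lower() == "post":
            self.post_form = True

def check_form_redirect(headers, body):
    """Return a list of the defects from the bug description found in a response."""
    problems = []
    media_type = headers.get("Content-Type", "").split(";")[0].strip().lower()
    if media_type != "text/html":
        problems.append("Content-Type is %r, not text/html" % media_type)
    parser = _TagCollector()
    parser.feed(body)
    for wrapper in ("html", "body"):
        if wrapper not in parser.tags:
            problems.append("missing <%s> element" % wrapper)
    if not parser.post_form:
        problems.append("no <form method=post>")
    return problems
```

Run against BROKEN, the checker reports the wrong media type and both missing wrapper elements; a response from build_form_redirect passes with no findings.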

Gary Poster (gary)
Changed in launchpad-foundations:
status: New → Triaged
importance: Undecided → Low
status: Triaged → New
importance: Low → Undecided
Gary Poster (gary)
Changed in launchpad-foundations:
status: New → Invalid
Changed in canonical-identity-provider:
milestone: none → 2.6.0
David Owen (dsowen)
Changed in canonical-identity-provider:
assignee: nobody → David Owen (dsowen)
David Owen (dsowen)
Changed in canonical-identity-provider:
status: New → In Progress
David Owen (dsowen) wrote :

The faulty response is coming from /<token>/+decide

Julien Funk (jaboing) wrote :

Note to QA: when the fix is ready it should be seen to fail, perhaps on the old staging system, then seen to pass properly

Changed in canonical-isd-qa:
assignee: nobody → Dave Morley (davmor2)
Tom Haddon (mthaddon)
tags: added: canonical-losa-isd
Stuart Metcalfe (stuartmetcalfe) wrote :
David Owen (dsowen)
Changed in canonical-identity-provider:
status: In Progress → Fix Committed
David Owen (dsowen) wrote :

To test:

1. Go to http://test-id.net/OP/POSTAssertion.aspx
2. Enter the public address of the test server (e.g. "http://my-test-server.net/") in the "OpenID Identifier" box
3. Click "Begin"

At this point you should see one of our SSO sign-in screens.

4. Log in or confirm access.

Failure mode: Text such as "<form ..." will be displayed.

Success mode: A web page with a brightly colored box indicating success.

Dave Morley (davmor2) wrote :

Need admin off lukasz tomorrow. Currently get no access.

Changed in canonical-isd-qa:
status: New → Incomplete
Dave Morley (davmor2) wrote :

This seems to pass using the steps above. The better test will be on staging though.

Changed in canonical-isd-qa:
status: Incomplete → Confirmed
Dave Morley (davmor2) wrote :

Passes on staging using a similarly long url

Changed in canonical-isd-qa:
status: Confirmed → Fix Committed
Dave Morley (davmor2) wrote :

https://bugs.launchpad.net/canonical-identity?orderby=-importance&search=Search&field.assignee=&field.searchtext=&field.has_patch=&field.omit_dupes=on&field.status=NEW&field.status=INCOMPLETE_WITH_RESPONSE&field.status=INCOMPLETE_WITHOUT_RESPONSE&field.status=CONFIRMED&field.status=TRIAGED&field.status=INPROGRESS&field.status=FIXCOMMITTED&field.bug_reporter=&field.has_no_package=

as my long url and dsowen suggestion both pass however the example given by Stuartm does due to a launchpad issue.

Comment on irc Lukasz confirmed there was an issue on Stuartm's link and I presented my url. At that everyone was happy this had passed and a new bug is being created for LP to deal with the issue there.

Changed in canonical-isd-qa:
status: Fix Committed → Triaged
David Owen (dsowen)
Changed in canonical-identity-provider:
status: Fix Committed → Fix Released
Dave Morley (davmor2)
description: updated