Adapt code to work with py2.7 as well. Follow same pattern on response, logoutrequest and logoutresponse destination check

pitbulk · pitbulk · commit 06e15d3cbc9d · 2021-01-11T21:06:53.000+01:00
diff --git a/src/onelogin/saml2/logout_request.py b/src/onelogin/saml2/logout_request.py
@@ -311,19 +311,18 @@ def is_valid(self, request_data, raise_exceptions=False):
                         )
 
                 # Check destination
-                if root.get('Destination', None):
-                    destination = root.get('Destination')
-                    if destination != '':
-                        if OneLogin_Saml2_Utils.normalize_url(current_url) not in OneLogin_Saml2_Utils.normalize_url(destination):
-                            raise OneLogin_Saml2_ValidationError(
-                                'The LogoutRequest was received at '
-                                '%(currentURL)s instead of %(destination)s' %
-                                {
-                                    'currentURL': current_url,
-                                    'destination': destination,
-                                },
-                                OneLogin_Saml2_ValidationError.WRONG_DESTINATION
-                            )
+                destination = root.get('Destination', None)
+                if destination:
+                    if not OneLogin_Saml2_Utils.normalize_url(url=destination).startswith(OneLogin_Saml2_Utils.normalize_url(url=current_url)):
+                        raise OneLogin_Saml2_ValidationError(
+                            'The LogoutRequest was received at '
+                            '%(currentURL)s instead of %(destination)s' %
+                            {
+                                'currentURL': current_url,
+                                'destination': destination,
+                            },
+                            OneLogin_Saml2_ValidationError.WRONG_DESTINATION
+                        )
 
                 # Check issuer
                 issuer = OneLogin_Saml2_Logout_Request.get_issuer(root)
diff --git a/src/onelogin/saml2/logout_response.py b/src/onelogin/saml2/logout_response.py
@@ -118,11 +118,12 @@ def is_valid(self, request_data, request_id=None, raise_exceptions=False):
 
                 # Check destination
                 destination = self.document.get('Destination', None)
-                if destination and OneLogin_Saml2_Utils.normalize_url(url=current_url) not in OneLogin_Saml2_Utils.normalize_url(url=destination):
-                    raise OneLogin_Saml2_ValidationError(
-                        'The LogoutResponse was received at %s instead of %s' % (current_url, destination),
-                        OneLogin_Saml2_ValidationError.WRONG_DESTINATION
-                    )
+                if destination:
+                    if not OneLogin_Saml2_Utils.normalize_url(url=destination).startswith(OneLogin_Saml2_Utils.normalize_url(url=current_url)):
+                        raise OneLogin_Saml2_ValidationError(
+                            'The LogoutResponse was received at %s instead of %s' % (current_url, destination),
+                            OneLogin_Saml2_ValidationError.WRONG_DESTINATION
+                        )
 
                 if security['wantMessagesSigned']:
                     if 'Signature' not in get_data:
diff --git a/src/onelogin/saml2/response.py b/src/onelogin/saml2/response.py
@@ -10,7 +10,6 @@
 """
 
 from copy import deepcopy
-from urllib.parse import urlsplit, urlunsplit
 from onelogin.saml2.constants import OneLogin_Saml2_Constants
 from onelogin.saml2.utils import OneLogin_Saml2_Utils, OneLogin_Saml2_Error, OneLogin_Saml2_ValidationError, return_false_on_exception
 from onelogin.saml2.xml_utils import OneLogin_Saml2_XML
diff --git a/src/onelogin/saml2/utils.py b/src/onelogin/saml2/utils.py
@@ -20,7 +20,6 @@
 from functools import wraps
 from uuid import uuid4
 from xml.dom.minidom import Element
-from urllib.parse import urlsplit, urlunsplit
 import zlib
 import xmlsec
 
@@ -31,8 +30,9 @@
 
 
 try:
-    from urllib.parse import quote_plus  # py3
+    from urllib.parse import quote_plus, urlsplit, urlunsplit  # py3
 except ImportError:
+    from urlparse import urlsplit, urlunsplit
     from urllib import quote_plus  # py2
 
 
@@ -1078,8 +1078,8 @@ def normalize_url(url):
         :rtype: String
         """
         try:
-            scheme, netloc, *rest = urlsplit(url)
-            normalized_url = urlunsplit((scheme.lower(), netloc.lower(), *rest))
+            scheme, netloc, path, query, fragment = urlsplit(url)
+            normalized_url = urlunsplit((scheme.lower(), netloc.lower(), path, query, fragment))
             return normalized_url
         except Exception:
             return url
