@@ -192,7 +192,7 @@ def is_valid(self, request_data, request_id=None, raise_exceptions=False):
192192 # Checks destination
193193 destination = self .document .get ('Destination' , None )
194194 if destination :
195- if not self .__standardize_url (destination ).startswith (self .__standardize_url (current_url )):
195+ if not self .__normalize_url (destination ).startswith (self .__normalize_url (current_url )):
196196 # TODO: Review if following lines are required, since we can control the
197197 # request_data
198198 # current_url_routed = OneLogin_Saml2_Utils.get_self_routed_url_no_query(request_data)
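Review bot: The Destination check on the renamed line is still a prefix match: `startswith` accepts any Destination that merely begins with the normalized current URL, so a value naming a different endpoint that shares that prefix would pass. If the intent is that the response was addressed to exactly this endpoint, compare for equality after normalization, e.g. `if self.__normalize_url(destination) != self.__normalize_url(current_url):`, handling a query string separately if Destination may legitimately carry one. `current_url` is assigned outside this hunk and `is_valid` continues past it, so confirm how that value is built before tightening the comparison.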
@@ -867,12 +867,24 @@ def __decrypt_assertion(self, xml):
867867 xml .replace (encrypted_assertion_nodes [0 ], decrypted )
868868 return xml
869869
870- def __standardize_url (self , url ):
870+ def __normalize_url (self , url ):
871+ """
872+ Returns normalized URL for comparison.
873+ This method converts the hostname to lowercase, as it should be case-insensitive (per RFC 4343)
874+ If standardization fails, the original URL is returned
875+ Python documentation indicates that URL split also normalizes query strings if empty query fields are present
876+
877+ :param url: URL
878+ :type url: String
879+
880+ :returns: A normalized URL, or the given URL string if parsing fails
881+ :rtype: list
882+ """
871883 try :
872884 parsed = list (urlsplit (url ))
873885 parsed [1 ] = parsed [1 ].lower ()
874- standardized_url = urlunsplit (parsed )
875- return standardized_url
886+ normalized_url = urlunsplit (parsed )
887+ return normalized_url
876888 except Exception :
877889 return url
878890
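Review bot: The new docstring documents `:rtype: list`, but both return paths yield a string (`urlunsplit(parsed)` or the original `url`), so it should read `:rtype: String`; "If standardization fails" is also a leftover of the old method name. The docstring says the hostname is lowercased, whereas `parsed[1]` is the whole netloc, so any userinfo and port text is lowercased too; `urlsplit(url).hostname` would give the host alone. Because this helper feeds the Destination comparison, the `except Exception: return url` fallback deserves a why-comment such as `# parsing failed: compare the raw string, which stays case-sensitive`.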