Suggested edits made

Author: Tessa Bloomer

src/onelogin/saml2/logout_request.py

@@ -314,7 +314,7 @@ def is_valid(self, request_data, raise_exceptions=False):
                 if root.get('Destination', None):
                     destination = root.get('Destination')
                     if destination != '':
-                        if current_url not in destination:
+                        if OneLogin_Saml2_Utils.normalize_url(current_url) not in OneLogin_Saml2_Utils.normalize_url(destination):
                             raise OneLogin_Saml2_ValidationError(
                                 'The LogoutRequest was received at '
                                 '%(currentURL)s instead of %(destination)s' %

src/onelogin/saml2/logout_response.py

@@ -118,7 +118,7 @@ def is_valid(self, request_data, request_id=None, raise_exceptions=False):
 
                 # Check destination
                 destination = self.document.get('Destination', None)
-                if destination and current_url not in destination:
+                if destination and OneLogin_Saml2_Utils.normalize_url(current_url) not in OneLogin_Saml2_Utils.normalize_url(destination):
                     raise OneLogin_Saml2_ValidationError(
                         'The LogoutResponse was received at %s instead of %s' % (current_url, destination),
                         OneLogin_Saml2_ValidationError.WRONG_DESTINATION

src/onelogin/saml2/response.py

@@ -192,7 +192,7 @@ def is_valid(self, request_data, request_id=None, raise_exceptions=False):
                 # Checks destination
                 destination = self.document.get('Destination', None)
                 if destination:
-                    if not self.__normalize_url(destination).startswith(self.__normalize_url(current_url)):
+                    if not OneLogin_Saml2_Utils.normalize_url(destination).startswith(OneLogin_Saml2_Utils.normalize_url(current_url)):
                         # TODO: Review if following lines are required, since we can control the
                         # request_data
                         #  current_url_routed = OneLogin_Saml2_Utils.get_self_routed_url_no_query(request_data)
@@ -867,26 +867,6 @@ def __decrypt_assertion(self, xml):
                 xml.replace(encrypted_assertion_nodes[0], decrypted)
         return xml
 
-    def __normalize_url(self, url):
-        """
-        Returns normalized URL for comparison. 
-        This method converts the netloc to lowercase, as it should be case-insensitive (per RFC 4343, RFC 7617)
-        If standardization fails, the original URL is returned
-        Python documentation indicates that URL split also normalizes query strings if empty query fields are present
-
-        :param url: URL
-        :type url: String
-
-        :returns: A normalized URL, or the given URL string if parsing fails
-        :rtype: list
-        """
-        try:
-            scheme, netloc, *rest = urlsplit(url)
-            normalized_url = urlunsplit((scheme.lower(), netloc.lower(), *rest))
-            return normalized_url
-        except Exception:
-            return url
-
     def get_error(self):
         """
         After executing a validation process, if it fails this method returns the cause

src/onelogin/saml2/utils.py

@@ -1062,3 +1062,24 @@ def validate_binary_sign(signed_query, signature, cert=None, algorithm=OneLogin_
             if debug:
                 print(e)
             return False
+
+        @staticmethod
+        def normalize_url(self, url):
+        """
+        Returns normalized URL for comparison. 
+        This method converts the netloc to lowercase, as it should be case-insensitive (per RFC 4343, RFC 7617)
+        If standardization fails, the original URL is returned
+        Python documentation indicates that URL split also normalizes query strings if empty query fields are present
+
+        :param url: URL
+        :type url: String
+
+        :returns: A normalized URL, or the given URL string if parsing fails
+        :rtype: String
+        """
+        try:
+            scheme, netloc, *rest = urlsplit(url)
+            normalized_url = urlunsplit((scheme.lower(), netloc.lower(), *rest))
+            return normalized_url
+        except Exception:
+            return url