From 1b465b984f0ec68558dd4df1162a058446ccdf75 Mon Sep 17 00:00:00 2001
From: Thomas McCallig
Date: Mon, 19 Feb 2018 16:46:38 +0000
Subject: [PATCH] fix: ambiguous path match in other phase
This closes #153
---
 lib/omniauth/strategies/saml.rb | 6 +++++-
 spec/omniauth/strategies/saml_spec.rb | 9 +++++++++
 2 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/lib/omniauth/strategies/saml.rb b/lib/omniauth/strategies/saml.rb
index 496958f..69624c4 100644
--- a/lib/omniauth/strategies/saml.rb
+++ b/lib/omniauth/strategies/saml.rb
@@ -69,7 +69,7 @@ def response_fingerprint
 end
 def other_phase
- if current_path.start_with?(request_path)
+ if request_path_pattern.match(current_path)
 @env['omniauth.strategy'] ||= self
 setup_phase
@@ -120,6 +120,10 @@ def find_attribute_by(keys)
 private
+ def request_path_pattern
+ @request_path_pattern ||= %r{\A#{Regexp.quote(request_path)}(/|\z)}
+ end
+
 def on_subpath?(subpath)
 on_path?("#{request_path}/#{subpath}")
 end
diff --git a/spec/omniauth/strategies/saml_spec.rb b/spec/omniauth/strategies/saml_spec.rb
index 8d8e5b1..1dfbb7f 100644
--- a/spec/omniauth/strategies/saml_spec.rb
+++ b/spec/omniauth/strategies/saml_spec.rb
@@ -435,6 +435,15 @@ def test_default_relay_state(static_default_relay_state = nil, &block_default_re
 specify { expect(last_response.status).to eql 404 }
 end
+ context 'when hitting a route that contains a substring match for the strategy name' do
+ before { get '/auth/saml2/metadata' }
+
+ it 'should not set the strategy' do
+ expect(last_request.env['omniauth.strategy']).to be_nil
+ expect(last_response.status).to eql 404
+ end
+ end
+
 describe 'subclass behavior' do
 it 'registers subclasses in OmniAuth.strategies' do
 subclass = Class.new(described_class)
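Review bot: In `other_phase` (lib/omniauth/strategies/saml.rb, first hunk) the guard calls `request_path_pattern.match(current_path)`, which builds a MatchData object and sets `$~` although only truthiness is used. If the gem's minimum supported Ruby is 2.4 or newer, `if request_path_pattern.match?(current_path)` expresses the same check without the allocation. The rest of `other_phase` lies outside the hunk, so the sub-path dispatch that follows `setup_phase` was not reviewed.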
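Review bot: The new private `request_path_pattern` (lib/omniauth/strategies/saml.rb, second hunk) carries no comment explaining why the pattern ends in `(/|\z)`, which is the whole point of the fix. A line above the method such as `# Matches request_path itself or a path below it, never a sibling that only shares the prefix (e.g. "/auth/saml2").` would keep a later edit from relaxing the boundary. The group is never read, so `(?:/|\z)` states the intent more exactly. The pattern is also memoized from `request_path`, and `other_phase` calls `setup_phase` only after the match. If `setup_phase` can change the options `request_path` is derived from, a reused instance would keep a stale pattern, which is worth confirming against how OmniAuth creates strategy instances per request.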
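Review bot: The added example in spec/omniauth/strategies/saml_spec.rb pins only one sibling path, `get '/auth/saml2/metadata'`, so two edges of the new boundary stay untested. One is a longer strategy name with no further segment (`get '/auth/saml2'`). The other is a `request_path` containing a regex metacharacter such as `.`, which is the case `Regexp.quote` exists for. A matching positive assertion that `/auth/saml/metadata` is still claimed by the strategy would guard against over-tightening, unless an example outside this hunk already covers it.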