0001-idp-saml2-do-not-accept-logout-request-missing-a-Nam.patch

Benjamin Dauvergne, 01 June 2018 17:24

Download (1.96 kB)

View differences:

Subject: [PATCH] idp/saml2: do not accept logout request missing a NameID
 (fixes #24124)

Lasso should fail in the process_logout_request(), it does not, we
handle it here.
 src/authentic2/idp/saml/saml2_endpoints.py | 4 ++++
 src/authentic2/saml/models.py              | 3 +++
 2 files changed, 7 insertions(+)
src/authentic2/idp/saml/saml2_endpoints.py
1411 1411
            title=_('You are being redirected to "%s"') % provider.name)
1412 1412
    logger.info('asynchronous slo from %s' % logout.remoteProviderId)
1413 1413
    # Filter sessions
1414
    if not logout.request.nameId:
1415
        logger.warning('slo refused, no NameID in the SLO request')
1416
        return return_logout_error(request, logout,
1417
                AUTHENTIC_STATUS_CODE_MISSING_NAMEID)
1414 1418
    all_sessions = LibertySession.get_for_nameid_and_session_indexes(
1415 1419
            logout.server.providerId, logout.remoteProviderId,
1416 1420
            logout.request.nameId, logout.request.sessionIndexes)
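Review bot: The new `logger.warning('slo refused, no NameID in the SLO request')` does not name the provider that sent the request, although `logout.remoteProviderId` is available and is logged at info level just above. Including it in the warning would let an operator attribute refused logout requests to a service provider without correlating two log lines. The check also now sits between the `# Filter sessions` comment and the `all_sessions = ...` call that the comment describes; placing the check above the comment keeps it accurate. `AUTHENTIC_STATUS_CODE_MISSING_NAMEID` is neither defined nor imported in the visible lines, so please confirm it already exists in this module.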
src/authentic2/saml/models.py
555 555

  
556 556
    @classmethod
557 557
    def get_for_nameid_and_session_indexes(cls, issuer_id, provider_id, name_id, session_indexes):
558
        if not name_id:
559
            # logout request did not contain any NameID, bad !
560
            return LibertySession.objects.none()
558 561
        kwargs = nameid2kwargs(name_id)
559 562
        name_id_qualifier = kwargs['name_id_qualifier']
560 563
        qs = LibertySession.objects.filter(provider_id=provider_id,
561
-
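Review bot: In `get_for_nameid_and_session_indexes`, the `if not name_id:` guard returns `LibertySession.objects.none()` silently, and the comment `# logout request did not contain any NameID, bad !` does not explain why an empty result is the right answer. Stating the reason (a missing NameID must match no session rather than reach `nameid2kwargs(name_id)`) would help the next reader. Since this is a classmethod, `cls.objects.none()` would be the more idiomatic spelling, although the `LibertySession.objects.filter(...)` line below uses the class name as well. The diffstat lists only the two source files, so a regression test for an SLO request without a NameID is missing.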