From c3f26ea19e6134c052fe0719e6b4287fe8498876 Mon Sep 17 00:00:00 2001
From: Benjamin Dauvergne
Date: Fri, 1 Jun 2018 11:53:24 +0200
Subject: [PATCH] idp/saml2: do not accept logout request missing a NameID (fixes #24124)

Lasso should fail in the process_logout_request(), it does not, we handle it here.
---
 src/authentic2/idp/saml/saml2_endpoints.py | 4 ++++
 src/authentic2/saml/models.py | 3 +++
 2 files changed, 7 insertions(+)

diff --git a/src/authentic2/idp/saml/saml2_endpoints.py b/src/authentic2/idp/saml/saml2_endpoints.py
index a83c5c7e..cb8c6d37 100644
--- a/src/authentic2/idp/saml/saml2_endpoints.py
+++ b/src/authentic2/idp/saml/saml2_endpoints.py
@@ -1411,6 +1411,10 @@ def slo(request):
 title=_('You are being redirected to "%s"') % provider.name)
 logger.info('asynchronous slo from %s' % logout.remoteProviderId)
 # Filter sessions
+ if not logout.request.nameId:
+ logger.warning('slo refused, no NameID in the SLO request')
+ return return_logout_error(request, logout,
+ AUTHENTIC_STATUS_CODE_MISSING_NAMEID)
 all_sessions = LibertySession.get_for_nameid_and_session_indexes(
 logout.server.providerId, logout.remoteProviderId, logout.request.nameId, logout.request.sessionIndexes)
diff --git a/src/authentic2/saml/models.py b/src/authentic2/saml/models.py
index 25aa8a9d..edf6960a 100644
--- a/src/authentic2/saml/models.py
+++ b/src/authentic2/saml/models.py
@@ -555,6 +555,9 @@ class LibertySession(models.Model):
 @classmethod
 def get_for_nameid_and_session_indexes(cls, issuer_id, provider_id, name_id, session_indexes):
+ if not name_id:
+ # logout request did not contain any NameID, bad !
+ return LibertySession.objects.none()
 kwargs = nameid2kwargs(name_id)
 name_id_qualifier = kwargs['name_id_qualifier']
 qs = LibertySession.objects.filter(provider_id=provider_id,
-- 
2.17.0
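Review bot: The new `logger.warning('slo refused, no NameID in the SLO request')` drops the peer identity that the `logger.info` line just above it records, so a refused logout cannot be attributed to the requesting provider when reading the logs; `logger.warning('slo refused, no NameID in the SLO request from %s' % logout.remoteProviderId)` keeps it and matches the formatting style the file already uses. The guard is placed on the asynchronous path (the neighbouring log line reads 'asynchronous slo from'); if a synchronous/SOAP SLO handler lives in another function, it presumably needs the same check, which this commit does not show. `AUTHENTIC_STATUS_CODE_MISSING_NAMEID` is not defined in the hunk, so I assume it is declared with the module's other status-code constants. slo() begins and continues outside the hunk.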
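Review bot: The added comment `# logout request did not contain any NameID, bad !` describes the caller's situation rather than this method's contract; since the endpoint in saml2_endpoints.py now rejects such requests before calling here, this early return is the defence-in-depth layer and the comment should say so, e.g. `# Defence in depth: an empty NameID must never resolve to any session, even if a caller forgot to reject the request`. If nameid2kwargs previously raised on an empty name_id (it is not visible here), callers now receive an empty queryset instead of an exception, and a one-line docstring note on what is returned for a missing NameID would make that explicit. Inside a classmethod `cls.objects.none()` would be the usual spelling, though the rest of the body uses `LibertySession.objects`, so the current form is at least consistent. get_for_nameid_and_session_indexes continues outside the hunk.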