From 23e68ad0e380207bf4ad33d04e123bbe265bef1e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jaime=20Pe=CC=81rez=20Crespo?= <jaime.perez@uninett.no>
Date: Fri, 5 May 2017 11:36:42 +0200
Subject: [PATCH] bugfix: Allow only valid auth sources in MultiAuth.

The configuration of the MultiAuth authentication source specifies the auth sources that the user is presented with when asked for authentication. However, there was no proper check for the auth source selected by the user to ensure it is one of those allowed for MultiAuth.
---
 modules/multiauth/lib/Auth/Source/MultiAuth.php | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/modules/multiauth/lib/Auth/Source/MultiAuth.php b/modules/multiauth/lib/Auth/Source/MultiAuth.php
index f3acc9016..07c148105 100644
--- a/modules/multiauth/lib/Auth/Source/MultiAuth.php
+++ b/modules/multiauth/lib/Auth/Source/MultiAuth.php
@@ -143,7 +143,13 @@ class sspmod_multiauth_Auth_Source_MultiAuth extends SimpleSAML_Auth_Source {
 		assert('is_array($state)');
 
 		$as = SimpleSAML_Auth_Source::getById($authId);
-		if ($as === NULL) {
+		$valid_sources = array_map(
+			function($src) {
+				return $src['source'];
+			},
+			$state[self::SOURCESID]
+        );
+		if ($as === NULL || !in_array($authId, $valid_sources)) {
 			throw new Exception('Invalid authentication source: ' . $authId);
 		}
 
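Review bot: The allow-list test `in_array($authId, $valid_sources)` uses loose comparison although `$authId` is the value chosen by the user, so it should be strict: `in_array($authId, $valid_sources, true)`. The test also runs only after `SimpleSAML_Auth_Source::getById($authId)`, so a source outside the MultiAuth list is still looked up before it is rejected. getById is not visible in this hunk, but if it constructs the source, building `$valid_sources` and rejecting unknown ids before that call would keep unlisted sources from being touched at all. `$state[self::SOURCESID]` is read without checking that it is set and is an array of entries with a `source` key; that presumably holds for state saved by this module, but it is worth confirming or guarding. The enclosing method begins and ends outside the hunk.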
-- 
GitLab