bugfix: Allow only valid auth sources in MultiAuth.

The configuration of the MultiAuth authentication source specifies the auth sources that the user is presented with when asked for authentication. However, there was no proper check for the auth source selected by the user to ensure it is one of those allowed for MultiAuth.

bugfix: Allow only valid auth sources in MultiAuth.
The configuration of the MultiAuth authentication source specifies the auth sources that the user is presented with when asked for authentication. However, there was no proper check for the auth source selected by the user to ensure it is one of those allowed for MultiAuth.
23e68ad0 · Jaime Pérez Crespo · 4bc62965 · 23e68ad0
Unverified Commit 23e68ad0 authored 7 years ago by Jaime Pérez Crespo
--- a/modules/multiauth/lib/Auth/Source/MultiAuth.php
+++ b/modules/multiauth/lib/Auth/Source/MultiAuth.php
@@ -143,7 +143,13 @@ class sspmod_multiauth_Auth_Source_MultiAuth extends SimpleSAML_Auth_Source {
 		assert('is_array($state)');
 		$as = SimpleSAML_Auth_Source::getById($authId);
-		if ($as === NULL) {
+		$valid_sources = array_map(
+			function($src) {
+				return $src['source'];
+			},
+			$state[self::SOURCESID]
+        );
+		if ($as === NULL || !in_array($authId, $valid_sources)) {
 			throw new Exception('Invalid authentication source: ' . $authId);
 		}