From 2a377f7281283ed0e4a4028b069ee28bbe6a59a8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jaime=20Pe=CC=81rez?= <jaime.perez@uninett.no>
Date: Tue, 22 Nov 2016 10:43:28 +0100
Subject: [PATCH] bugfix: Make sure empty strings are not acceptable for NameID
 generation.

This resolves #519.
---
 modules/saml/lib/Auth/Process/AttributeNameID.php  | 9 +++++++++
 modules/saml/lib/Auth/Process/PersistentNameID.php | 8 ++++++++
 2 files changed, 17 insertions(+)

diff --git a/modules/saml/lib/Auth/Process/AttributeNameID.php b/modules/saml/lib/Auth/Process/AttributeNameID.php
index 356cab5b2..b59bd7f52 100644
--- a/modules/saml/lib/Auth/Process/AttributeNameID.php
+++ b/modules/saml/lib/Auth/Process/AttributeNameID.php
@@ -67,6 +67,15 @@ class sspmod_saml_Auth_Process_AttributeNameID extends sspmod_saml_BaseNameIDGen
         }
         $value = array_values($state['Attributes'][$this->attribute]); // just in case the first index is no longer 0
         $value = $value[0];
+
+        if (empty($value)) {
+            SimpleSAML\Logger::warning(
+                'Empty value in attribute '.var_export($this->attribute, true).
+                ' on user - not generating persistent NameID.'
+            );
+            return null;
+        }
+
         return $value;
     }
 
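Review bot: `empty($value)` in the new guard also rejects the string `'0'`, so a user whose attribute value is literally "0" is silently left without a NameID, while a whitespace-only value still passes; the same check is repeated on `$uid` in PersistentNameID.php. A strict comparison states the commit's intent (no empty strings) more precisely: `if ($value === null || $value === '') {`. The warning text here says "persistent NameID" although this file is the attribute-based filter, which will mislead anyone triaging logs; `' on user - not generating attribute NameID.'` would match the class. The enclosing method starts outside the hunk, so whether earlier code already guarantees a string value cannot be seen from here.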
diff --git a/modules/saml/lib/Auth/Process/PersistentNameID.php b/modules/saml/lib/Auth/Process/PersistentNameID.php
index 762b613ed..9865bc5b3 100644
--- a/modules/saml/lib/Auth/Process/PersistentNameID.php
+++ b/modules/saml/lib/Auth/Process/PersistentNameID.php
@@ -77,6 +77,14 @@ class sspmod_saml_Auth_Process_PersistentNameID extends sspmod_saml_BaseNameIDGe
         $uid = array_values($state['Attributes'][$this->attribute]); // just in case the first index is no longer 0
         $uid = $uid[0];
 
+        if (empty($uid)) {
+            SimpleSAML\Logger::warning(
+                'Empty value in attribute '.var_export($this->attribute, true).
+                ' on user - not generating persistent NameID.'
+            );
+            return null;
+        }
+
         $secretSalt = SimpleSAML\Utils\Config::getSecretSalt();
 
         $uidData = 'uidhashbase'.$secretSalt;
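Review bot: The new guard on `$uid` has no comment saying why an empty value must stop NameID generation, and the reason is a security one that the code alone does not make obvious. The context lines show the identifier data being built from `'uidhashbase'.$secretSalt`; the rest of that computation is outside the hunk, but presumably `$uid` is the only per-user input, so every user with an empty attribute would receive the same identifier at a given service provider. I would add above the `if`: `// An empty uid is not unique per user; deriving the NameID from it would give every such user the same identifier.` The method body starts and ends outside the hunk.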
-- 
GitLab