From 48cd6e0cf1658811dec36d4ab4de1b3d64bc2f97 Mon Sep 17 00:00:00 2001
From: Olav Morken <olav.morken@uninett.no>
Date: Mon, 17 Nov 2008 08:30:28 +0000
Subject: [PATCH] Verify recipient of SAML2 assertions.

git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@1017 44740490-163a-0410-bde0-09ae8108e29a
---
 lib/SimpleSAML/XML/SAML20/AuthnResponse.php | 28 +++++++++++++++++----
 1 file changed, 23 insertions(+), 5 deletions(-)

diff --git a/lib/SimpleSAML/XML/SAML20/AuthnResponse.php b/lib/SimpleSAML/XML/SAML20/AuthnResponse.php
index 48c98a2a4..a04370f78 100644
--- a/lib/SimpleSAML/XML/SAML20/AuthnResponse.php
+++ b/lib/SimpleSAML/XML/SAML20/AuthnResponse.php
@@ -283,12 +283,30 @@ class SimpleSAML_XML_SAML20_AuthnResponse extends SimpleSAML_XML_AuthnResponse {
 				throw new Exception('Unhandled SubjectConfirmationData: ' . $method->value);
 			}
 
-			$subjectConfirmationData = $this->doXPathQuery('saml:SubjectConfirmationData', $subjectConfirmation);
-			if($subjectConfirmationData === NULL) {
-				throw new Exception('Bearer confirmation node without verification data.');
-			}
+			foreach ($this->doXPathQuery('saml:SubjectConfirmationData', $subjectConfirmation)
+				as $subjectConfirmationData) {
+
+				$recipient = $subjectConfirmationData->getAttributeNode('Recipient');
+				if ($recipient !== NULL) {
+					/* The Recipient attribute contains the address this assertion should
+					 * be delivered to. Verify that it matches the current address.
+					 */
+					$recipient = $recipient->value;
+					$currentURL = SimpleSAML_Utilities::selfURL();
+
+					if ($recipient !== $currentURL) {
+						throw new Exception('Recipient in assertion doesn\'t match the ' .
+							' current URL. Recipient is "' . $recipient .
+							'", current URL is "' . $currentURL . '".');
+					}
+				}
 
-			/* TODO: Verify this subject. */
+				/* TODO: Verify the rest of the subject. Missing are:
+				 * - NotBefore & NotOnOrAfter
+				 * - InResponseTo
+				 * - Address
+				 */
+			}
 		}
 
 
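Review bot: The new foreach drops the check the removed lines performed: when the XPath query for saml:SubjectConfirmationData matches nothing, the loop body never runs and the bearer confirmation is accepted without any verification, whereas the old code threw "Bearer confirmation node without verification data". The same gap appears inside the loop, where `if ($recipient !== NULL)` silently skips the comparison when the Recipient attribute is absent, so an assertion addressed to nobody passes; the SAML 2.0 Web Browser SSO profile requires Recipient on bearer SubjectConfirmationData, so its absence should be rejected rather than ignored. The comparison itself is exact string equality against `SimpleSAML_Utilities::selfURL()`; if that helper includes the query string (not visible in this hunk), a legitimate ACS URL reached with extra parameters will be rejected, so comparing against the URL without its query part is worth considering. The enclosing method and the outer loop over $subjectConfirmation begin before this hunk. The rewrite below keeps the original "without verification data" error and makes Recipient mandatory; the Recipient/current-URL comparison and the TODO are unchanged.

```php
$confirmationDataNodes = $this->doXPathQuery('saml:SubjectConfirmationData', $subjectConfirmation);
$sawConfirmationData = FALSE;
foreach ($confirmationDataNodes as $subjectConfirmationData) {
	$sawConfirmationData = TRUE;

	$recipient = $subjectConfirmationData->getAttributeNode('Recipient');
	if ($recipient === NULL) {
		throw new Exception('Bearer SubjectConfirmationData is missing the required Recipient attribute.');
	}
	/* … unchanged: Recipient vs. current URL comparison and TODO … */
}
if (!$sawConfirmationData) {
	throw new Exception('Bearer confirmation node without verification data.');
}
```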
-- 
GitLab