From 980b34c782739d140afadd42bb196821adf4c66d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jaime=20Pe=CC=81rez?= <jaime.perez@uninett.no>
Date: Fri, 9 Dec 2016 12:37:05 +0100
Subject: [PATCH] bugfix: In case an empty SubjectConfirmation is received, an
 appropriate error must be thrown.

This resolves #530. There are two problems here:

- When only one SubjectConfirmation is received and it is empty, an error should be thrown. However, the error would be a not very descriptive message warning about access to a non-property in a null object. Something more descriptive should be in place.
- Additionally, in PHP 7.0 this is an error and not an exception, and then the code continues to execute, effectively allowing assertions without a proper SubjectConfirmation element. This is wrong according to the standard.
---
 modules/saml/lib/Message.php | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/modules/saml/lib/Message.php b/modules/saml/lib/Message.php
index f15a01ad8..5c6369b12 100644
--- a/modules/saml/lib/Message.php
+++ b/modules/saml/lib/Message.php
@@ -689,6 +689,12 @@ class sspmod_saml_Message {
 				}
 			}
 
+			// if no SubjectConfirmationData then don't do anything.
+			if ($scd === null) {
+				$lastError = 'No SubjectConfirmationData provided';
+				continue;
+			}
+
 			if ($scd->NotBefore && $scd->NotBefore > time() + 60) {
 				$lastError = 'NotBefore in SubjectConfirmationData is in the future: ' . $scd->NotBefore;
 				continue;
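Review bot: The comment on the added branch, `// if no SubjectConfirmationData then don't do anything.`, misdescribes what the branch does: it records `$lastError = 'No SubjectConfirmationData provided'` and then skips this SubjectConfirmation with `continue`, which is the rejection path the commit message asks for, not a no-op. Suggest rewording it to say so, e.g. `// no SubjectConfirmationData: reject this SubjectConfirmation and move on to the next one`. Placement looks correct, since the guard sits before the first dereference `$scd->NotBefore`, so the property access on a null object described in the commit message can no longer be reached.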
-- 
GitLab