bugfix: In case an empty SubjectConfirmation is received, an appropriate error must be thrown.

This resolves #530. There are two problems here: - When only one SubjectConfirmation is received and it is empty, an error should be thrown. However, the error would be a not very descriptive message warning about access to a non-property in a null object. Something more descriptive should be in place. - Additionally, in PHP 7.0 this is an error and not an exception, and then the code continues to execute, effectively allowing assertions without a proper SubjectConfirmation element. This is wrong according to the standard.

bugfix: In case an empty SubjectConfirmation is received, an appropriate error must be thrown.
This resolves #530. There are two problems here: - When only one SubjectConfirmation is received and it is empty, an error should be thrown. However, the error would be a not very descriptive message warning about access to a non-property in a null object. Something more descriptive should be in place. - Additionally, in PHP 7.0 this is an error and not an exception, and then the code continues to execute, effectively allowing assertions without a proper SubjectConfirmation element. This is wrong according to the standard.
980b34c7 · Jaime Pérez · 329d748d · 980b34c7
Commit 980b34c7 authored 8 years ago by Jaime Pérez
--- a/modules/saml/lib/Message.php
+++ b/modules/saml/lib/Message.php
@@ -689,6 +689,12 @@ class sspmod_saml_Message {
 				}
 			}

+			// if no SubjectConfirmationData then don't do anything.
+			if ($scd === null) {
+				$lastError = 'No SubjectConfirmationData provided';
+				continue;
+			}
+
 			if ($scd->NotBefore && $scd->NotBefore > time() + 60) {
 				$lastError = 'NotBefore in SubjectConfirmationData is in the future: ' . $scd->NotBefore;
 				continue;