From 9bfbf0705f3613208791b8da83f114823b18235f Mon Sep 17 00:00:00 2001
From: Boy Baukema <boy@ibuildings.nl>
Date: Fri, 19 Dec 2014 07:52:44 +0100
Subject: [PATCH] Make sure metadata-converter.php requires an admin user

Depending on the server configuration, this page may otherwise be used in a denial-of-service attack by tying up all webserver workers with large POST bodies.
---
 www/admin/metadata-converter.php | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/www/admin/metadata-converter.php b/www/admin/metadata-converter.php
index a674979e5..f91fed0ea 100644
--- a/www/admin/metadata-converter.php
+++ b/www/admin/metadata-converter.php
@@ -2,6 +2,9 @@
 
 require_once('../_include.php');
 
+/* Make sure that the user has admin access rights. */
+SimpleSAML_Utilities::requireAdmin();
+
 $config = SimpleSAML_Configuration::getInstance();
 
 if(array_key_exists('xmldata', $_POST)) {
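Review bot: The `requireAdmin()` call placed before `$config = SimpleSAML_Configuration::getInstance();` only partly covers the large-POST case named in the commit message. In a default PHP setup the request body has already been received and parsed into `$_POST` by the time the script runs, so an unauthenticated client can still hold a worker for the duration of the upload. What the check does prevent is the `xmldata` handling that starts at the `array_key_exists` line, whose body lies outside this hunk. The body size therefore still needs a cap in the PHP or web-server configuration (for example `post_max_size`), and the new comment should record both points: `/* Admin only: converting POSTed metadata is costly and must not be reachable unauthenticated; request-body size is limited by server/PHP config, not here. */`.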
-- 
GitLab