Commit bdeb43b3 authored by Andreas Åkre Solberg's avatar Andreas Åkre Solberg

Security fix for consent

git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@394 44740490-163a-0410-bde0-09ae8108e29a
parent cfbe9d85
...@@ -25,21 +25,28 @@ class SimpleSAML_Consent_Consent { ...@@ -25,21 +25,28 @@ class SimpleSAML_Consent_Consent {
private $attributes; private $attributes;
private $filteredattributes; private $filteredattributes;
private $consent_cookie;
private $storageerror; private $storageerror;
/** /**
* Constructor * Constructor
*/ */
public function __construct($config, $session, $spentityid, $idpentityid, $attributes, $filteredattributes) { public function __construct($config, $session, $spentityid, $idpentityid, $attributes, $filteredattributes, $consent_cookie) {
$this->config = $config; $this->config = $config;
$this->salt = $this->config->getValue('consent_salt', 'eae46a3d5cb6e8546dded65be9855e5c'); $this->salt = $this->config->getValue('consent_salt');
if (!isset($this->salt)) {
throw new Exception('Configuration parameter [consent_salt] is not set.');
}
$this->attributes = $attributes; $this->attributes = $attributes;
$this->filteredattributes = $filteredattributes; $this->filteredattributes = $filteredattributes;
$this->session = $session; $this->session = $session;
$this->spentityid = $spentityid; $this->spentityid = $spentityid;
$this->idpentityid = $idpentityid; $this->idpentityid = $idpentityid;
$this->consent_cookie = $consent_cookie;
$this->storageerror = false; $this->storageerror = false;
} }
...@@ -83,7 +90,7 @@ class SimpleSAML_Consent_Consent { ...@@ -83,7 +90,7 @@ class SimpleSAML_Consent_Consent {
*/ */
private function getTargetedID($hashed_userid) { private function getTargetedID($hashed_userid) {
return hash('sha1', $hashed_userid . $salt . $this->spentityid); return hash('sha1', $hashed_userid . $this->salt . $this->spentityid);
} }
...@@ -103,6 +110,14 @@ class SimpleSAML_Consent_Consent { ...@@ -103,6 +110,14 @@ class SimpleSAML_Consent_Consent {
public function consent() { public function consent() {
if (isset($_GET['consent']) ) {
if ($_GET['consent'] != $this->consent_cookie) {
throw new Exception('Consent cookie set to wrong value.');
}
}
/** /**
* The user has manually accepted consent and chosen not to store the consent * The user has manually accepted consent and chosen not to store the consent
* for later. * for later.
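Review bot: The new guard at the top of `consent()` compares the submitted token with `!=`, so a null or empty `$this->consent_cookie` — the constructor stores whatever it is handed without checking it — is loosely equal to an empty `consent=` parameter and the check passes. Use a strict comparison and reject non-string input, `if (!is_string($_GET['consent']) || $_GET['consent'] !== $this->consent_cookie) {`, and have the constructor throw when `$consent_cookie` is empty, mirroring the `consent_salt` check added at the top of the first hunk. The token is only compared when the parameter is present; whether `consent()` fails closed without it depends on the rest of the method, which continues outside the hunk. Where the runtime provides it, a constant-time comparison (`hash_equals`) avoids leaking the token through timing, though for a per-request value this is a minor concern.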
......
...@@ -9,15 +9,15 @@ ...@@ -9,15 +9,15 @@
<form action="<?php echo htmlspecialchars($data['consenturl']); ?>"> <form action="<?php echo htmlspecialchars($data['consenturl']); ?>">
<input type="submit" value="Yes"> <input type="submit" value="Yes" />
<input type="hidden" name="consent" value="1"> <input type="hidden" name="consent" value="<?php echo htmlspecialchars($this->data['consent_cookie']); ?>" />
<input type="hidden" name="RequestID" value="<?php echo $this->data['requestid']; ?>"> <input type="hidden" name="RequestID" value="<?php echo htmlspecialchars($this->data['requestid']); ?>" />
<?php if($this->data['usestorage']) { ?> <?php if($this->data['usestorage']) { ?>
<input type="checkbox" name="saveconsent" id="saveconsent" value="1"> remember consent <input type="checkbox" name="saveconsent" id="saveconsent" value="1" /> remember consent
<?php } ?> <?php } ?>
</form> </form>
<form action="<?php echo htmlspecialchars($this->data['noconsent']); ?>" method="GET"> <form action="<?php echo htmlspecialchars($this->data['noconsent']); ?>" method="GET">
<input type="submit" value="No"> <input type="submit" value="No" />
</form> </form>
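Review bot: The form action still reads `$data['consenturl']` while every other value in this template comes from `$this->data`; unless `$data` is brought into scope elsewhere this evaluates to an empty action, so the line should read `<form action="<?php echo htmlspecialchars($this->data['consenturl']); ?>">`. Escaping the hidden `consent` and `RequestID` values is the right call. Note the form has no `method` attribute, so the token travels as a GET query parameter and will appear in the URL, referrer headers and server logs — acceptable for a single-use per-request value, but if it ever becomes longer-lived, switch to POST together with the `$_GET['consent']` read in `consent()`.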
......
...@@ -32,7 +32,7 @@ try { ...@@ -32,7 +32,7 @@ try {
$idpentityid = $metadata->getMetaDataCurrentEntityID('saml20-idp-hosted'); $idpentityid = $metadata->getMetaDataCurrentEntityID('saml20-idp-hosted');
$idpmetadata = $metadata->getMetaDataCurrent('saml20-idp-hosted'); $idpmetadata = $metadata->getMetaDataCurrent('saml20-idp-hosted');
if (!array_key_exists($idpmetadata, 'auth')) { if (!array_key_exists('auth', $idpmetadata)) {
throw new Exception('Missing mandatory parameter in SAML 2.0 IdP Hosted Metadata: [auth]'); throw new Exception('Missing mandatory parameter in SAML 2.0 IdP Hosted Metadata: [auth]');
} }
...@@ -69,7 +69,8 @@ if (isset($_GET['SAMLRequest'])) { ...@@ -69,7 +69,8 @@ if (isset($_GET['SAMLRequest'])) {
* Create an assoc array of the request to store in the session cache. * Create an assoc array of the request to store in the session cache.
*/ */
$requestcache = array( $requestcache = array(
'Issuer' => $issuer 'Issuer' => $issuer,
'ConsentCookie' => SimpleSAML_Utilities::generateID(),
); );
if ($relaystate = $authnrequest->getRelayState() ) if ($relaystate = $authnrequest->getRelayState() )
$requestcache['RelayState'] = $relaystate; $requestcache['RelayState'] = $relaystate;
...@@ -202,7 +203,7 @@ if (!isset($session) || !$session->isValid($authority) ) { ...@@ -202,7 +203,7 @@ if (!isset($session) || !$session->isValid($authority) ) {
} }
if ($requireconsent) { if ($requireconsent) {
$consent = new SimpleSAML_Consent_Consent($config, $session, $spentityid, $idpentityid, $attributes, $filteredattributes); $consent = new SimpleSAML_Consent_Consent($config, $session, $spentityid, $idpentityid, $attributes, $filteredattributes, $requestcache['ConsentCookie']);
if (!$consent->consent()) { if (!$consent->consent()) {
...@@ -212,6 +213,7 @@ if (!isset($session) || !$session->isValid($authority) ) { ...@@ -212,6 +213,7 @@ if (!isset($session) || !$session->isValid($authority) ) {
$t->data['attributes'] = $filteredattributes; $t->data['attributes'] = $filteredattributes;
$t->data['consenturl'] = SimpleSAML_Utilities::selfURLNoQuery(); $t->data['consenturl'] = SimpleSAML_Utilities::selfURLNoQuery();
$t->data['requestid'] = $requestid; $t->data['requestid'] = $requestid;
$t->data['consent_cookie'] = $requestcache['ConsentCookie'];
$t->data['usestorage'] = $consent->useStorage(); $t->data['usestorage'] = $consent->useStorage();
$t->data['noconsent'] = '/' . $config->getBaseURL() . 'noconsent.php'; $t->data['noconsent'] = '/' . $config->getBaseURL() . 'noconsent.php';
$t->show(); $t->show();
...@@ -223,9 +225,6 @@ if (!isset($session) || !$session->isValid($authority) ) { ...@@ -223,9 +225,6 @@ if (!isset($session) || !$session->isValid($authority) ) {
// Generate an SAML 2.0 AuthNResponse message // Generate an SAML 2.0 AuthNResponse message
$ar = new SimpleSAML_XML_SAML20_AuthnResponse($config, $metadata); $ar = new SimpleSAML_XML_SAML20_AuthnResponse($config, $metadata);
$authnResponseXML = $ar->generate($idpentityid, $spentityid, $requestid, null, $filteredattributes); $authnResponseXML = $ar->generate($idpentityid, $spentityid, $requestid, null, $filteredattributes);
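Review bot: `$requestcache['ConsentCookie']` is read unconditionally when the consent object is built and when the template is filled, but it is only written in the `SAMLRequest` branch; if the request cache is loaded from the session on a later round-trip — in particular one stored before this change — the key is missing, `$this->consent_cookie` ends up null and the consent check degrades (with the loose comparison in `consent()`, an empty `consent=` parameter would match). Guard the read before the constructor call: `if (!isset($requestcache['ConsentCookie'])) throw new Exception('Missing ConsentCookie in request cache.');`. The token's strength rests on `SimpleSAML_Utilities::generateID()`; since it binds the consent submission to this request, confirm it draws from an unpredictable source rather than a time- or PID-based id. The `array_key_exists` argument-order fix is correct. The enclosing `if ($requireconsent)` block and the `try` begin outside the hunks.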
......