saml: Clean up additional session vars if authentication fails.

This doesn't have any obvious security implications right now, but
nonetheless such information is not meant to stick around in the session
if authentication didn't succeed and not cleaning up would be a bug.
Mateusz Mandera 2023-05-23 14:40:53 +02:00 committed by Tim Abbott
parent c9fb55dd20
commit 45e3626bd2
1 changed file with 3 additions and 1 deletion


@ -2742,8 +2742,10 @@ class SAMLAuthBackend(SocialAuthMixin, SAMLAuth):
self.logger.info("/complete/saml/: error while parsing SAMLResponse:", exc_info=True)
# Fall through to returning None.
finally:
# We need a finally: block to ensure we don't keep around information in the session
# if the authentication failed.
if result is None:
for param in self.standard_relay_params:
for param in [*self.standard_relay_params, "saml_idp_name", "saml_session_index"]:
# If an attacker managed to eavesdrop on the RelayState token,
# they may pass it here to the endpoint with an invalid SAMLResponse.
# We remove these potentially sensitive parameters that we have set in the session
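Review bot: the set of keys to scrub is hard-coded as a list literal inside the `finally:` block (`for param in [*self.standard_relay_params, "saml_idp_name", "saml_session_index"]:`), so any further session key the SAML flow starts setting has to be remembered here too, or it will outlive a failed authentication, which is the very bug this commit fixes for `saml_idp_name` and `saml_session_index`. Consider defining the complete list once as a class attribute alongside `standard_relay_params` (or next to the code that writes these keys) and iterating over that here, and backing the cleanup with a test that submits an invalid SAMLResponse and asserts that none of these keys remain in the session afterwards.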