Mirror
/
zulip
mirror of https://github.com/zulip/zulip.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

saml: Clean up additional session vars if authentication fails. 

This doesn't have any obvious security implications right now, but
nonetheless such information is not meant to stick around in the session
if authentication didn't succeed and not cleaning up would be a bug.
This commit is contained in:
Mateusz Mandera 2023-05-23 14:40:53 +02:00 committed by Tim Abbott
parent c9fb55dd20
commit 45e3626bd2
1 changed files with 3 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
zproject/backends.py
View File

@ -2742,8 +2742,10 @@ class SAMLAuthBackend(SocialAuthMixin, SAMLAuth):
self.logger.info("/complete/saml/: error while parsing SAMLResponse:", exc_info=True) self.logger.info("/complete/saml/: error while parsing SAMLResponse:", exc_info=True)
# Fall through to returning None. # Fall through to returning None.
finally: finally:
# We need a finally: block to ensure we don't keep around information in the session
# if the authentication failed.
if result is None: if result is None:
for param in self.standard_relay_params: for param in [*self.standard_relay_params, "saml_idp_name", "saml_session_index"]:
# If an attacker managed to eavesdrop on the RelayState token, # If an attacker managed to eavesdrop on the RelayState token,
# they may pass it here to the endpoint with an invalid SAMLResponse. # they may pass it here to the endpoint with an invalid SAMLResponse.
# We remove these potentially sensitive parameters that we have set in the session # We remove these potentially sensitive parameters that we have set in the session