From 6560d4f15007e9c7b5408d6aa9797563ce689439 Mon Sep 17 00:00:00 2001
From: Scott Cantor
Date: Sun, 20 Feb 2011 20:49:51 +0000
Subject: [PATCH] Handle relayStateLimit="none", unrecognized values.
---
 shibsp/handler/impl/AbstractHandler.cpp | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/shibsp/handler/impl/AbstractHandler.cpp b/shibsp/handler/impl/AbstractHandler.cpp
index 967351b..4944e0c 100644
--- a/shibsp/handler/impl/AbstractHandler.cpp
+++ b/shibsp/handler/impl/AbstractHandler.cpp
@@ -118,7 +118,7 @@ namespace shibsp {
 const PropertySet* sessionProps = application.getPropertySet("Sessions");
 if (sessionProps) {
 pair relayStateLimit = sessionProps->getString("relayStateLimit");
- if (relayStateLimit.first) {
+ if (relayStateLimit.first && strcmp(relayStateLimit.second, "none")) {
 vector whitelist;
 if (!strcmp(relayStateLimit.second, "exact")) {
 // Scheme and hostname have to match.
@@ -159,6 +159,10 @@ namespace shibsp {
 }
 }
 }
+ else {
+ log.warn("unrecognized relayStateLimit policy (%s), blocked redirect to (%s)", relayStateLimit.second, relayState);
+ throw opensaml::SecurityPolicyException("Unrecognized relayStateLimit setting.");
+ }
 
 for (vector::const_iterator w = whitelist.begin(); w != whitelist.end(); ++w) {
 if (XMLString::startsWithI(relayState, w->c_str())) {
-- 
2.1.4
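Review bot: In the first hunk (`@@ -118,7`), the new `"none"` value skips the whole guarded block, whitelist loop included, so a deployment that sets it appears to accept any RelayState redirect target, and nothing at the condition says so. A comment above it would make the trade-off explicit, e.g. `// "none" disables RelayState limiting entirely; no redirect target is checked.` The bare `strcmp(...)` used as a truth value is also easy to misread beside the `!strcmp(...)` tests that follow; `strcmp(relayStateLimit.second, "none") != 0` reads unambiguously. The comparison is case-sensitive, so a value such as `None` would reach the new unrecognized-value branch and be blocked, which fails closed. The enclosing function starts and ends outside the hunk.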
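Review bot: In the second hunk (`@@ -159,6`), the added `log.warn` writes the request-supplied `relayState` into the log verbatim; if the logging backend does not escape control characters, a crafted value could split or forge log lines. It is worth confirming that the logger sanitizes `%s` arguments, or logging an escaped and length-capped copy instead. The policy value is also only validated here, per request, so a typo in `relayStateLimit` surfaces as blocked redirects at runtime rather than at configuration load. That fails closed, but the accepted values deserve a line in the configuration documentation. The `if`/`else if` chain that this `else` closes begins outside the hunk.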