Tagging 2.4.2 release.

[shibboleth/sp.git] / shibsp / handler / impl / AbstractHandler.cpp

diff --git a/shibsp/handler/impl/AbstractHandler.cpp b/shibsp/handler/impl/AbstractHandler.cpp
index 967351b..4944e0c 100644 (file)
--- a/shibsp/handler/impl/AbstractHandler.cpp
+++ b/shibsp/handler/impl/AbstractHandler.cpp
@@ -118,7 +118,7 @@ namespace shibsp {
         const PropertySet* sessionProps = application.getPropertySet("Sessions");
         if (sessionProps) {
             pair<bool,const char*> relayStateLimit = sessionProps->getString("relayStateLimit");
-            if (relayStateLimit.first) {
+            if (relayStateLimit.first && strcmp(relayStateLimit.second, "none")) {
                 vector<string> whitelist;
                 if (!strcmp(relayStateLimit.second, "exact")) {
                     // Scheme and hostname have to match.
@@ -159,6 +159,10 @@ namespace shibsp {
                         }
                     }
                 }
+                else {
+                    log.warn("unrecognized relayStateLimit policy (%s), blocked redirect to (%s)", relayStateLimit.second, relayState);
+                    throw opensaml::SecurityPolicyException("Unrecognized relayStateLimit setting.");
+                }
 
                 for (vector<string>::const_iterator w = whitelist.begin(); w != whitelist.end(); ++w) {
                     if (XMLString::startsWithI(relayState, w->c_str())) {