From: scantor Date: Sun, 20 Feb 2011 20:49:51 +0000 (+0000) Subject: Handle relayStateLimit="none", unrecognized values. X-Git-Tag: moonshot-old~27 X-Git-Url: http://www.project-moonshot.org/gitweb/?p=shibboleth%2Fsp.git;a=commitdiff_plain;h=98e6eb1f24ea01cff5b1317befd7f8bf6faa2b9a Handle relayStateLimit="none", unrecognized values. git-svn-id: https://svn.shibboleth.net/cpp-sp/branches/REL_2@3404 cb58f699-b61c-0410-a6fe-9272a202ed29
---
diff --git a/shibsp/handler/impl/AbstractHandler.cpp b/shibsp/handler/impl/AbstractHandler.cpp
index 967351b..4944e0c 100644
--- a/shibsp/handler/impl/AbstractHandler.cpp
+++ b/shibsp/handler/impl/AbstractHandler.cpp
@@ -118,7 +118,7 @@ namespace shibsp {
 const PropertySet* sessionProps = application.getPropertySet("Sessions");
 if (sessionProps) {
 pair relayStateLimit = sessionProps->getString("relayStateLimit");
- if (relayStateLimit.first) {
+ if (relayStateLimit.first && strcmp(relayStateLimit.second, "none")) {
 vector whitelist;
 if (!strcmp(relayStateLimit.second, "exact")) {
 // Scheme and hostname have to match.
@@ -159,6 +159,10 @@ namespace shibsp {
 }
 }
 }
+ else {
+ log.warn("unrecognized relayStateLimit policy (%s), blocked redirect to (%s)", relayStateLimit.second, relayState);
+ throw opensaml::SecurityPolicyException("Unrecognized relayStateLimit setting.");
+ }
 for (vector::const_iterator w = whitelist.begin(); w != whitelist.end(); ++w) {
 if (XMLString::startsWithI(relayState, w->c_str())) {
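Review bot: The new `"none"` test in the outer condition switches the whole relay-state check off, and nothing at that line says so; an unset `relayStateLimit` (where `.first` is false) skips the block in the same way, so in both cases this code does not restrict the redirect target. A comment on the condition such as `// unset or "none": relay state is not limited by this check` would make that explicit. The comparison is case-sensitive, so a value like `None` does not match and, as far as the visible lines show, ends up in the unrecognized-policy rejection added in the second hunk; that fails closed and is worth stating in the same comment. Writing the test as `strcmp(relayStateLimit.second, "none") != 0` would also read less like an "is none" check. The enclosing function starts and ends outside the hunk.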
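Review bot: The added `log.warn` in the `else` branch writes `relayState`, which appears to come from the request, into the log with a plain `%s`; unless the logging layout escapes control characters and bounds the length, a crafted value can forge or flood log lines. I would add a comment like `// relayState is request-supplied: the log layout must escape it` or log a sanitized, length-capped copy instead. Separately, an unrecognized policy is only detected here, while a redirect is being checked, so a typo in the configuration stays invisible until the first affected request fails; validating the value when the configuration is loaded would surface it earlier. The `if`/`else if` chain that this `else` closes begins outside the hunk.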