[Security:Low] incorrect parsing of OP-provided acr
Concerned version
Version: 2.0.16
Summary
- Configure Auth::OIDC with an OP that always returns `acr: 1` in the ID token
- Set oidcOPMetaDataOptionsAcrValues to `loa-1`
- ACR value `1` is accepted despite not being part of the list `['loa-1']`
Possible fixes
unless ( $acr_values =~ /\b$acr\b/i ) {

This is not a good way to test, because `\b` matches in too many places (in the example it matches at the `-` inside `loa-1`, so `1` is found as a "word").
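To make the failure mode concrete, here is an added illustration (not code from the LemonLDAP::NG project or from the reporter): the Perl check above reproduced in Python, where `\b` has the same word-boundary semantics, next to a hardened check that treats the configured ACR values as a list and requires an exact match. The sample values are the ones from the report; the assumption that oidcOPMetaDataOptionsAcrValues is a space-separated string (the form of the OIDC `acr_values` parameter) or an already split list is mine.

```python
import re
from typing import Iterable, Optional, Union

# Constructed sample values mirroring the report: the OP's ID token carries
# acr "1" while oidcOPMetaDataOptionsAcrValues is configured as "loa-1".
CONFIGURED_ACR_VALUES = "loa-1"
TOKEN_ACR = "1"


def acr_accepted_word_boundary(acr_values: str, acr: str) -> bool:
    r"""Python replica of the flawed Perl check from the report:

        unless ( $acr_values =~ /\b$acr\b/i ) { ... }

    \b matches at every word/non-word transition. In "loa-1" the "-" is a
    non-word character, so "1" is bounded on both sides and the search
    succeeds even though "1" is not one of the configured values.
    """
    # OP-supplied value interpolated into the pattern as-is, like $acr in Perl
    pattern = r"\b" + acr + r"\b"
    return re.search(pattern, acr_values, re.IGNORECASE) is not None


def acr_accepted_exact(acr_values: Union[str, Iterable[str]],
                       acr: Optional[str]) -> bool:
    """Hardened check: compare against the configured values as a list.

    Assumption: the configured value is either the space-separated string
    form of the OIDC acr_values parameter or an already split list such as
    ['loa-1']. No regex is involved, so the OP-supplied string cannot
    influence how the comparison is performed, and "1" is only accepted if
    "1" itself is one of the configured values.
    """
    if not isinstance(acr, str) or not acr:
        return False  # missing or non-string acr claim: reject
    if isinstance(acr_values, str):
        allowed = acr_values.split()
    else:
        allowed = list(acr_values)
    return acr in allowed


if __name__ == "__main__":
    # Reproduces the report: the flawed check accepts "1", the exact check does not.
    print("flawed  :", acr_accepted_word_boundary(CONFIGURED_ACR_VALUES, TOKEN_ACR))  # True
    print("hardened:", acr_accepted_exact(CONFIGURED_ACR_VALUES, TOKEN_ACR))          # False
```

Any other substring that happens to sit next to a non-word character is accepted by the `\b` version as well (`loa` against `loa-1`, for instance), which is why the fix is list membership rather than a tighter regex.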