invalid entry in SAML IDP list after logout error
Concerned version
Version: 2.16.1
Platform: (Nginx/Apache/Node.js)
Summary
- Configure Auth::SAML with a single IDP
- Some code paths in Auth/SAML.pm may lead to the following situation
Possible fixes
I was able to reproduce this issue by sending an invalid logout request:
    # Process logout request
    unless ( $self->processLogoutRequestMsg( $logout, $request ) ) {
        $self->userLogger->error("Fail to process logout request");
        $logout_error = 1;
    }
    [...]
    my $idp = $logout->remote_providerID();

    # IDP conf key
    my $idpConfKey = $self->idpList->{$idp}->{confKey};
After this code, idpConfKey is not found, but $self->idpList->{$idp} becomes defined.
That's because in Perl, reading a hash can modify it, yay!
We should probably return immediately if processLogoutRequestMsg fails.
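
The autovivification described above, reproduced as an added stand-alone example (not LemonLDAP::NG code). The hash contents, entityIDs and the sub names `conf_key_autoviv` and `conf_key_guarded` are constructed for illustration; the guarded variant shows one way to look up the key without creating a phantom entry for an unknown provider.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed data: one configured IDP, keyed by entityID (hypothetical values).
my $idp_list = {
    'https://idp.example.com/saml/metadata' => { confKey => 'idp-main' },
};

# Same shape as the lookup in the report: a nested read on a missing key.
# To evaluate ->{confKey}, Perl first creates $list->{$idp} as an empty hash ref.
sub conf_key_autoviv {
    my ( $list, $idp ) = @_;
    return $list->{$idp}->{confKey};
}

# Guarded lookup: test the outer key first, so the nested read never runs
# for an undefined or unknown entityID and the list is left untouched.
sub conf_key_guarded {
    my ( $list, $idp ) = @_;
    return undef unless defined $idp and exists $list->{$idp};
    return $list->{$idp}->{confKey};
}

# Constructed entityID that is not present in the list.
my $unknown = 'https://unknown.example.org/metadata';

my $k1 = conf_key_guarded( $idp_list, $unknown );
printf "guarded: confKey=%s, entries=%d\n",
    defined $k1 ? $k1 : 'undef', scalar keys %$idp_list;

my $k2 = conf_key_autoviv( $idp_list, $unknown );
printf "autoviv: confKey=%s, entries=%d\n",
    defined $k2 ? $k2 : 'undef', scalar keys %$idp_list;

# List what the IDP list contains after both lookups.
for my $id ( sort keys %$idp_list ) {
    my $ck = $idp_list->{$id}->{confKey};
    printf "  %s => %s\n", $id, defined $ck ? $ck : '(no confKey)';
}
```

Both lookups return undef for the unknown entityID; only the unguarded one leaves an extra, empty entry behind in the list.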