authorBenjamin Dauvergne <bdauvergne@entrouvert.com>2010-01-12 15:40:07 +0000
committerBenjamin Dauvergne <bdauvergne@entrouvert.com>2010-01-12 15:40:07 +0000
commite06e9db029dfee9c6f3be8737f5cc88d8d964435 (patch)
tree6199fb6b57e1465dd3a3e2252d2cbeeae7bd5c71 /lasso/saml-2.0
parent003916b452fc5c049f7de07c7603c08ebee3c9c8 (diff)
SAML 2.0: in lasso_saml20_provider_accept_http_method, add HTTP-Artifact-POST case, better check for bad inputs, and handle special SingleSignOn case
Diffstat (limited to 'lasso/saml-2.0')
-rw-r--r--lasso/saml-2.0/provider.c20
1 files changed, 17 insertions, 3 deletions
diff --git a/lasso/saml-2.0/provider.c b/lasso/saml-2.0/provider.c
index f5537f10..97a8dd3e 100644
--- a/lasso/saml-2.0/provider.c
+++ b/lasso/saml-2.0/provider.c
@@ -454,6 +454,7 @@ lasso_saml20_provider_accept_http_method(LassoProvider *provider, const LassoPro
"HTTP-Redirect",
"SOAP",
"HTTP-Artifact",
+ "HTTP-Artifact",
NULL
};
gboolean rc = FALSE;
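Review bot: The second `"HTTP-Artifact"` entry reads like an accidental duplicate, because nothing in the table says which method each slot stands for. The table is indexed by position (`http_methods[http_method+1]` in the next hunk), so a short comment on the added line, for example `/* Artifact-POST: same binding name as Artifact-GET */`, would make the intent explicit and help keep the table aligned with the method enum. The array's opening lines are outside this hunk, so the full slot layout cannot be confirmed from here.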
@@ -469,12 +470,25 @@ lasso_saml20_provider_accept_http_method(LassoProvider *provider, const LassoPro
if (initiate_profile)
initiating_role = provider->role;
+ /* exclude bad input */
+ if (http_method > (int)G_N_ELEMENTS(http_methods) || http_method < 0 || http_methods[http_method+1] == NULL) {
+ return FALSE;
+ }
+
protocol_profile = g_strdup_printf("%s %s", profile_names[protocol_type],
http_methods[http_method+1]);
- if (lasso_provider_get_metadata_list(provider, protocol_profile) &&
- lasso_provider_get_metadata_list(remote_provider, protocol_profile)) {
- rc = TRUE;
+ /* special hack for single sign on */
+ if (protocol_type == LASSO_MD_PROTOCOL_TYPE_SINGLE_SIGN_ON) {
+ /* no need to check for the response, it uses another canal
+ * (AssertionConsumingService) */
+ rc = (lasso_provider_get_metadata_list(remote_provider, protocol_profile) != NULL);
+
+ } else {
+ if (lasso_provider_get_metadata_list(provider, protocol_profile) &&
+ lasso_provider_get_metadata_list(remote_provider, protocol_profile)) {
+ rc = TRUE;
+ }
}
lasso_release_string(protocol_profile);
return rc;
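Review bot: The new guard still lets an out-of-range index through. The table is read at `http_method+1`, but the upper bound compares `http_method` itself against `G_N_ELEMENTS(http_methods)` with `>`, so a value equal to the element count or one less passes the first test, and the `== NULL` test then reads past the end of the array. Bounding the index that is actually used closes this: `if (http_method < 0 || http_method + 1 >= (int)G_N_ELEMENTS(http_methods) || http_methods[http_method+1] == NULL) {`. `profile_names[protocol_type]` two lines later is indexed with no comparable range check in the visible lines, so it deserves the same treatment if protocol_type can carry a caller-supplied value. The function begins above the hunk, so an earlier check on protocol_type may already exist there.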