Infinite authentication loop kills server
What happened? SAML2 authentication kills the server with an infinite loop once a not-logged-in user tries to access plugin pages. For this to happen, a plugin just has to meet two requirements:
- The plugin's pages call require_login();
- The plugin has its own page setup.php that also calls require_login();
Let's say we have such a plugin called A. In that case, when one of plugin A's pages is accessed by a non-authenticated user, the function saml_login() is called. On line 434 this function does require('setup.php'), and instead of the saml2 setup.php the plugin A setup.php file is loaded, so require_login() is called again and the cycle repeats. The reason is PHP's resolution of a relative require(): the file name is looked up through include_path (which starts with '.', the current working directory) before the including file's own directory is tried, and for a web request the current working directory is the directory of the requested script, i.e. plugin A's directory.
This happens, for example, with the Totara contentmarketplace plugin.
What you expected: the saml_login() function should load the saml2 setup.php file.
FIX: in auth/saml2/auth.php on line 434, instead of: require('setup.php'); it should be: require("$CFG->dirroot/auth/saml2/setup.php"); (with $CFG brought into scope via global $CFG; as the method already does for other Moodle globals).
The same require('setup.php'); also appears in:
- https://github.com/catalyst/moodle-auth_saml2/blob/master/auth.php#L650
- https://github.com/catalyst/moodle-auth_saml2/blob/master/auth.php#L711
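As an added example (not code from this report or from auth_saml2), the script below reproduces the path-resolution behaviour behind the loop with a throwaway directory tree. The directory names, the function names saml_login_relative() and saml_login_absolute(), and the stand-in setup.php files are all made up for the demonstration; the only thing taken from the real code is the shape of the two require() calls, the buggy relative one and the fixed absolute one.

```php
<?php
// Added demo, not auth_saml2 code: show that a relative require('setup.php')
// resolves against the current working directory (via '.' in include_path),
// not against the directory of the file that contains the require().
// Throwaway tree:
//   <tmp>/auth/saml2/auth.php, <tmp>/auth/saml2/setup.php   (stand-in for the auth plugin)
//   <tmp>/local/plugina/setup.php                            (stand-in for "plugin A")

$root = sys_get_temp_dir() . '/require_demo_' . getmypid();
mkdir("$root/auth/saml2", 0700, true);
mkdir("$root/local/plugina", 0700, true);

// Each stand-in setup.php just returns a label so we can see which one was loaded.
// In the real case plugin A's setup.php calls require_login() again, which re-enters saml_login().
file_put_contents("$root/auth/saml2/setup.php", '<?php return "auth/saml2/setup.php";');
file_put_contents("$root/local/plugina/setup.php", '<?php return "local/plugina/setup.php";');

// Two variants of the require() found in auth.php; names are hypothetical.
$authphp = <<<'PHP'
<?php
function saml_login_relative() {
    return require('setup.php');                       // buggy form
}
function saml_login_absolute($dirroot) {
    return require("$dirroot/auth/saml2/setup.php");   // fixed form
}
PHP;
file_put_contents("$root/auth/saml2/auth.php", $authphp);

// PHP's default include_path already begins with '.'; make that explicit so the
// demo does not depend on the php.ini of the machine it runs on.
set_include_path('.' . PATH_SEPARATOR . get_include_path());

// A web request for local/plugina/index.php runs with CWD = local/plugina.
chdir("$root/local/plugina");
require "$root/auth/saml2/auth.php";

echo "relative require loaded: ", saml_login_relative(), PHP_EOL;      // local/plugina/setup.php (wrong)
echo "absolute require loaded: ", saml_login_absolute($root), PHP_EOL; // auth/saml2/setup.php  (right)

// Clean up the throwaway tree.
foreach (["$root/auth/saml2/auth.php", "$root/auth/saml2/setup.php", "$root/local/plugina/setup.php"] as $f) {
    unlink($f);
}
foreach (["$root/auth/saml2", "$root/auth", "$root/local/plugina", "$root/local", $root] as $d) {
    rmdir($d);
}
```

Run it with php on the command line; the first line shows the plugin A file being picked up by the relative require(), the second shows the absolute path always landing on the saml2 file regardless of the working directory. The same reasoning applies to the other two require('setup.php') sites listed above, since every entry script that can reach them has its own working directory.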