Fix #942 SSO error when CSRF token checking is enabled

This commit is contained in:
Kijin Sung 2020-04-07 23:43:14 +09:00
parent 039034c1be
commit 255352df62


@ -325,7 +325,7 @@ class Session
\Context::displayErrorPage('SSO Error', 'Invalid SSO Request', 400); \Context::displayErrorPage('SSO Error', 'Invalid SSO Request', 400);
exit; exit;
} }
if (!URL::isInternalUrl($sso_request) || !Security::checkCSRF()) if (!URL::isInternalUrl($sso_request) || !URL::isInternalURL($_SERVER['HTTP_REFERER']))
{ {
\Context::displayErrorPage('SSO Error', 'Invalid SSO Request', 400); \Context::displayErrorPage('SSO Error', 'Invalid SSO Request', 400);
exit; exit;
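Review bot: The new condition on the `if` line reads `$_SERVER['HTTP_REFERER']` with no `isset` guard, unlike the parallel check later in this same commit; a client that sends no Referer (a `no-referrer` referrer policy, a privacy extension, some cross-site navigations) will raise a PHP notice and, assuming `isInternalURL` treats a null argument as not internal, be rejected with a 400 — fail-closed, but it silently breaks SSO for those users. Make the missing-header case explicit, `if (!URL::isInternalUrl($sso_request) || !isset($_SERVER['HTTP_REFERER']) || !URL::isInternalURL($_SERVER['HTTP_REFERER']))`, and say why in a comment: `// SSO requests cannot carry our CSRF token, so the Referer origin check is the only defence here; a missing Referer is rejected on purpose.` Keep in mind that Referer is client-controlled and weaker than a token, so if the token is present on any of these paths, `!Security::checkCSRF() && !URL::isInternalURL(...)` style fallback would preserve the stronger check where it works. The two calls spell the helper `isInternalUrl` and `isInternalURL`; PHP resolves both, but one spelling is easier to grep. The enclosing method starts before this hunk and continues after it.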
@ -353,7 +353,7 @@ class Session
} }
// Check that the response was given by the default site (to prevent session fixation CSRF). // Check that the response was given by the default site (to prevent session fixation CSRF).
if(isset($_SERVER['HTTP_REFERER']) && strpos(URL::decodeIdna($_SERVER['HTTP_REFERER']), $default_url) !== 0) if(isset($_SERVER['HTTP_REFERER']) && !URL::isInternalURL($_SERVER['HTTP_REFERER']))
{ {
\Context::displayErrorPage('SSO Error', 'Invalid SSO Response', 400); \Context::displayErrorPage('SSO Error', 'Invalid SSO Response', 400);
exit; exit;