saml: Clean up additional session vars if authentication fails.

This doesn't have any obvious security implications right now, but nonetheless such information is not meant to stick around in the session if authentication didn't succeed and not cleaning up would be a bug.
2025-11-03 21:43:21 +00:00 · 2023-05-23 14:40:53 +02:00
parent c9fb55dd20
commit 45e3626bd2
1 changed files with 3 additions and 1 deletions
--- a/zproject/backends.py
+++ b/zproject/backends.py
@@ -2742,8 +2742,10 @@ class SAMLAuthBackend(SocialAuthMixin, SAMLAuth):
            self.logger.info("/complete/saml/: error while parsing SAMLResponse:", exc_info=True)
            # Fall through to returning None.
        finally:
+            # We need a finally: block to ensure we don't keep around information in the session
+            # if the authentication failed.
            if result is None:
-                for param in self.standard_relay_params:
+                for param in [*self.standard_relay_params, "saml_idp_name", "saml_session_index"]:
                    # If an attacker managed to eavesdrop on the RelayState token,
                    # they may pass it here to the endpoint with an invalid SAMLResponse.
                    # We remove these potentially sensitive parameters that we have set in the session