auth/cas: MDL-25062 CAS authentication plugin does not validate the C…

…AS server certificate

The CAS protocol security model requires that you verify the CAS server's certificate before you trust its answer (that the user is validly authenticated, the username, etc.).

Credit goes to Joachim Fritschi for reporting it and providing a patch.
commit c07fcc13839ff928b9df0dd48b8e710f1945e0b8 1 parent 70ec102
@iarenaza iarenaza authored
Showing with 63 additions and 3 deletions.
  1. +10 −0 auth/cas/auth.php
  2. +46 −0 auth/cas/config.html
  3. +7 −3 lang/en_utf8/auth.php
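--- a/auth/cas/auth.php
+++ b/auth/cas/auth.php
@@ -114,8 +114,12 @@ function loginpage_hook() {
 // Connection to CAS server
 $this->connectCAS();
+if($this->config->certificate_check && $this->config->certificate_path){
+phpCAS::setCasServerCACert($this->config->certificate_path);
+}else{
 // Don't try to validate the server SSL credentials
 phpCAS::setNoCasServerValidation();
+}
 // Gestion de la connection CAS si acc�s direct d'un ent ou autre
 if (phpCAS::checkAuthentication()) {
@@ -248,6 +252,10 @@ function process_config($config) {
 $config->logoutcas = '';
 if (!isset ($config->multiauth))
 $config->multiauth = '';
+if (!isset ($config->certificate_check))
+$config->certificate_check = '';
+if (!isset ($config->certificate_path))
+$config->certificate_path = '';
 // LDAP settings
 if (!isset($config->host_url))
 { $config->host_url = ''; }
@@ -290,6 +298,8 @@ function process_config($config) {
 set_config('proxycas', $config->proxycas, 'auth/cas');
 set_config('logoutcas', $config->logoutcas, 'auth/cas');
 set_config('multiauth', $config->multiauth, 'auth/cas');
+set_config('certificate_check', $config->certificate_check, 'auth/cas');
+set_config('certificate_path', $config->certificate_path, 'auth/cas');
 // save LDAP settings
 set_config('host_url', $config->host_url, 'auth/cas');
 set_config('ldapencoding', $config->ldapencoding, 'auth/cas');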
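Review bot: The new branch in loginpage_hook fails open: when certificate_check is enabled but certificate_path is empty (the default process_config writes in the second hunk, and what an admin gets by leaving the field blank), the `&&` sends execution into the else branch and phpCAS::setNoCasServerValidation() still runs, so the admin believes verification is on while a response from any server presenting any certificate is accepted. Decide on certificate_check alone, and treat a missing or unreadable CA file as a configuration error that stops the login instead of silently downgrading to no validation; the `is_readable()` check also catches the common case of a path that is right on the dev box and wrong in production. Ideally process_config (or the plugin's form validation, which is outside this diff as far as I can see) would also refuse to save certificate_check=yes with an empty path. The error helper below is a placeholder — use whatever error path this plugin already uses (print_error() in this codebase, presumably). loginpage_hook's body starts before and continues after this hunk.
```php
// Connection to CAS server
$this->connectCAS();
if ($this->config->certificate_check) {
    // Fail closed: an enabled check with no usable CA bundle must not
    // silently degrade to an unverified connection to the CAS server.
    if (empty($this->config->certificate_path) || !is_readable($this->config->certificate_path)) {
        print_error(/* message/lang string: CAS CA certificate file missing or unreadable */);
    }
    phpCAS::setCasServerCACert($this->config->certificate_path);
} else {
    // Don't try to validate the server SSL credentials
    phpCAS::setNoCasServerValidation();
}
// … unchanged: phpCAS::checkAuthentication() handling …
```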
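--- a/auth/cas/config.html
+++ b/auth/cas/config.html
@@ -48,6 +48,14 @@
 $config->multiauth = '';
+if (!isset ($config->certificate_check))
+
+$config->certificate_check = '';
+
+if (!isset ($config->certificate_path))
+
+$config->certificate_path = '';
+
 // set to defaults if undefined (LDAP)
 if (!isset($config->host_url))
@@ -364,6 +372,44 @@
+<tr valign="top" class="required">
+
+<td align="right"><?php print_string('auth_cas_certificate_check_key', 'auth') ?>:</td>
+
+<td>
+
+<?php choose_from_menu ($yesno, 'certificate_check', $config->certificate_check, ''); ?>
+
+</td>
+
+<td><?php print_string('auth_cas_certificate_check', 'auth') ?></td>
+
+</tr>
+
+
+
+<tr valign="top" class="required">
+
+<td align="right"><?php print_string('auth_cas_certificate_path_key', 'auth') ?>:</td>
+
+<td>
+
+<input name="certificate_path" type="text" size="30" value="<?php echo $config->certificate_path ?>" />
+
+<?php if (isset($err['certificate_path'])) formerr($err['certificate_path']); ?>
+
+</td>
+
+<td>
+
+<?php print_string('auth_cas_certificate_path', 'auth') ?>
+
+</td>
+
+</tr>
+
+
+
 <tr>
 <td colspan="2">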
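Review bot: The stored path is echoed into an HTML attribute unescaped at `value="<?php echo $config->certificate_path ?>"`; only an admin sets it, but a value containing `"` breaks the attribute and this is the one line in the hunk that emits stored data into markup, so escape it: `value="<?php echo s($config->certificate_path) ?>"` (Moodle's s() wrapper, or htmlspecialchars() with ENT_QUOTES if this file does not use s() elsewhere). The row also renders `$err['certificate_path']`, yet nothing in this commit populates it — assuming the plugin has a validate_form() hook, it should reject certificate_check=yes with an empty or unreadable path, since the backend otherwise falls back to no server validation. The enclosing form markup begins and ends outside this hunk.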
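--- a/lang/en_utf8/auth.php
+++ b/lang/en_utf8/auth.php
@@ -36,9 +36,13 @@
 $string['auth_cas_proxycas_key'] = "Proxy mode";
 $string['auth_cas_logoutcas_key'] = "Logout CAS";
 $string['auth_cas_multiauth_key'] = "Multi-authentication";
-$string['auth_cas_proxycas'] = "Turn this to 'yes'' if you use CASin proxy-mode";
-$string['auth_cas_logoutcas'] = "Turn this to 'yes'' if tou want to logout from CAS when you deconnect from Moodle";
-$string['auth_cas_multiauth'] = "Turn this to 'yes'' if you want to have multi-authentication (CAS + other authentication)";
+$string['auth_cas_certificate_check_key'] = "Server validation";
+$string['auth_cas_certificate_path_key'] = "Certificate path";
+$string['auth_cas_proxycas'] = "Turn this to ''yes'' if you use CASin proxy-mode";
+$string['auth_cas_logoutcas'] = "Turn this to ''yes'' if tou want to logout from CAS when you deconnect from Moodle";
+$string['auth_cas_multiauth'] = "Turn this to ''yes'' if you want to have multi-authentication (CAS + other authentication)";
+$string['auth_cas_certificate_check'] = "Turn this to ''yes'' if you want to validate the server certificate";
+$string['auth_cas_certificate_path'] = "Path of the CA chain file (PEM Format) to validate the server certificate";
 $string['accesCAS'] = "CAS users";
 $string['accesNOCAS'] = "other users";
 $string['CASform'] = "Authentication choice";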
