Fix permission check on SP update

The permission check for owner was checking the wrong field,
which would make it possible for anyone to update the Service
Provider owner, making it possible for anyone to change the
SP owner, allowing anyone to change the SP name.

Fixes: CVE-2015-5217

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>

diff --git a/ipsilon/providers/saml2/admin.py b/ipsilon/providers/saml2/admin.py
index 28ea19f..811af9f 100644 (file)
--- a/ipsilon/providers/saml2/admin.py
+++ b/ipsilon/providers/saml2/admin.py
@@ -192,8 +192,9 @@ class SPAdminPage(AdminPage):
                         if (not self.user.is_admin and
                                 self.user.name != self.sp.owner):
                             raise UnauthorizedUser("Unauthorized to set owner")
-                    elif key in ['Owner', 'Default NameID', 'Allowed NameIDs',
-                                 'Attribute Mapping', 'Allowed Attributes']:
+                    elif key in ['User Owner', 'Default NameID',
+                                 'Allowed NameIDs', 'Attribute Mapping',
+                                 'Allowed Attributes']:
                         if not self.user.is_admin:
                             raise UnauthorizedUser(
                                 "Unauthorized to set %s" % key