Merge pull request #454 from jkakavas/fix_authn

Quick fix for the authentication bypass due to optimizations #451
IdentityPython · Oct 11, 2017 · efe27e2 · efe27e2
2 parents 46d24f6 + 6312a41
commit efe27e2
Showing 1 changed file with 3 additions and 2 deletions.
diff --git a/src/saml2/authn.py b/src/saml2/authn.py
@@ -146,7 +146,8 @@ def __call__(self, cookie=None, policy_url=None, logo_url=None,
         return resp
 
     def _verify(self, pwd, user):
-        assert is_equal(pwd, self.passwd[user])
+        if not is_equal(pwd, self.passwd[user]):
+            raise ValueError("Wrong password")
 
     def verify(self, request, **kwargs):
         """
@@ -176,7 +177,7 @@ def verify(self, request, **kwargs):
             return_to = create_return_url(self.return_to, _dict["query"][0],
                                           **{self.query_param: "true"})
             resp = Redirect(return_to, headers=[cookie])
-        except (AssertionError, KeyError):
+        except (ValueError, KeyError):
             resp = Unauthorized("Unknown user or wrong password")
 
         return resp