From 8128e378187e7c836786dac26b8b628401c6953a Mon Sep 17 00:00:00 2001
From: Patrick Uiterwijk <puiterwijk@redhat.com>
Date: Sep 08 2015 13:11:51 +0000
Subject: Fix permission check on SP update


The permission check for owner was checking the wrong field,
which would make it possible for anyone to update the Service
Provider owner, making it possible for anyone to change the
SP owner, allowing anyone to change the SP name.

Fixes: CVE-2015-5217

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>

---

diff --git a/ipsilon/providers/saml2/admin.py b/ipsilon/providers/saml2/admin.py
index 28ea19f..811af9f 100644
--- a/ipsilon/providers/saml2/admin.py
+++ b/ipsilon/providers/saml2/admin.py
@@ -192,8 +192,9 @@ class SPAdminPage(AdminPage):
                         if (not self.user.is_admin and
                                 self.user.name != self.sp.owner):
                             raise UnauthorizedUser("Unauthorized to set owner")
-                    elif key in ['Owner', 'Default NameID', 'Allowed NameIDs',
-                                 'Attribute Mapping', 'Allowed Attributes']:
+                    elif key in ['User Owner', 'Default NameID',
+                                 'Allowed NameIDs', 'Attribute Mapping',
+                                 'Allowed Attributes']:
                         if not self.user.is_admin:
                             raise UnauthorizedUser(
                                 "Unauthorized to set %s" % key