catalyst / moodle-auth_saml2

SAML done 100% in Moodle, fast, simple, secure
https://moodle.org/plugins/auth_saml2
72 stars 134 forks

Infinite authentication loop kills server #312

Open avegys opened 5 years ago

avegys commented 5 years ago

What happened? SAML2 authentication kills the server with an infinite loop once a not-logged-in user tries to access plugin pages. For this to happen, the plugin just has to meet two requirements: 1) plugin pages have a function call require_login(); 2) the plugin has a page setup.php with require_login();

Let's say we have such a plugin called A. In that case, when one of plugin A's pages is accessed by a non-authenticated user, the function saml_login() is called. This function on line 434 requires the setup.php file, and instead of the saml2 setup.php, plugin A's setup.php file is loaded and require_login() is called again.

This happens for example with Totara contentmarketplace plugin.

What you expected: the saml_login() function should load the saml2 setup.php file.

FIX: in the Saml2/auth.php file on line 434, instead of: require('setup.php'); it should be: require("$CFG->dirroot/auth/saml2/setup.php");
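The resolution behaviour behind this report can be reproduced outside Moodle. The script below is an added illustration, not code from the auth_saml2 project or the issue author: it builds a throwaway directory tree (a stand-in for $CFG->dirroot, with an assumed plugin directory local/plugin_a), writes two different setup.php files, and then loads a bare require('setup.php') and the $CFG->dirroot-anchored form from a file in auth/saml2. PHP resolves a bare filename through include_path first (whose default starts with ".", the current working directory), then the calling script's directory, so when the request's cwd is the other plugin's directory the wrong setup.php wins. The setup.php stand-ins only record which file ran instead of calling require_login(), so nothing loops.

```php
<?php
// Added demonstration of PHP's require() path resolution; not auth_saml2 code.
// "$root" stands in for Moodle's $CFG->dirroot; "local/plugin_a" is an assumed
// third-party plugin that ships its own setup.php, like plugin A in the report.

$root = sys_get_temp_dir() . '/require_demo_' . getmypid();
mkdir("$root/auth/saml2", 0700, true);
mkdir("$root/local/plugin_a", 0700, true);

// Two unrelated files that share the basename setup.php. Each just records
// that it was loaded (the real ones would call require_login()).
file_put_contents("$root/auth/saml2/setup.php",
    "<?php \$GLOBALS['loaded'][] = 'auth/saml2/setup.php';");
file_put_contents("$root/local/plugin_a/setup.php",
    "<?php \$GLOBALS['loaded'][] = 'local/plugin_a/setup.php';");

// Caller using the bare relative form from the bug report.
file_put_contents("$root/auth/saml2/auth_relative.php",
    "<?php require('setup.php');");
// Caller using the proposed fix: a path anchored on \$CFG->dirroot.
file_put_contents("$root/auth/saml2/auth_absolute.php",
    "<?php require(\$CFG->dirroot . '/auth/saml2/setup.php');");

$CFG = new stdClass();
$CFG->dirroot = $root;

// Simulate a request for one of plugin A's pages: the working directory is
// plugin A's directory and include_path begins with "." (the PHP default).
chdir("$root/local/plugin_a");
set_include_path('.');

$GLOBALS['loaded'] = [];
require "$root/auth/saml2/auth_relative.php";
echo "require('setup.php') loaded: " . implode(', ', $GLOBALS['loaded']) . "\n";

$GLOBALS['loaded'] = [];
require "$root/auth/saml2/auth_absolute.php";
echo "require(\$CFG->dirroot . '/auth/saml2/setup.php') loaded: "
    . implode(', ', $GLOBALS['loaded']) . "\n";

// Clean up the constructed tree.
foreach (['auth/saml2/setup.php', 'auth/saml2/auth_relative.php',
          'auth/saml2/auth_absolute.php', 'local/plugin_a/setup.php'] as $f) {
    unlink("$root/$f");
}
foreach (['auth/saml2', 'auth', 'local/plugin_a', 'local', ''] as $d) {
    rmdir(rtrim("$root/$d", '/'));
}
```

Run it with the PHP CLI. The first line shows the relative require picking up local/plugin_a/setup.php because "." in include_path is searched before the calling script's own directory; the second shows the $CFG->dirroot form loading auth/saml2/setup.php regardless of the working directory, which is why the proposed fix removes the dependency on where the request started.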

tmuras commented 5 years ago

There is

require('setup.php');

also in