From b93dce9835884f005ff262de4882ffbca167fc04 Mon Sep 17 00:00:00 2001
From: Thomas Lenz <tlenz@iaik.tugraz.at>
Date: Wed, 2 Apr 2014 12:14:22 +0200
Subject: check response desination URL

---
 .../moa/id/configuration/struts/action/IndexAction.java     | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/IndexAction.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/IndexAction.java
index 8004ab520..12bd4aff9 100644
--- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/IndexAction.java
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/IndexAction.java
@@ -290,6 +290,19 @@ public class IndexAction extends ActionSupport implements ServletRequestAware,
 					
 				}
 				
+				//check response destination
+				String serviceURL = config.getPublicUrlPreFix(request);
+				if (!serviceURL.endsWith("/"))
+					serviceURL = serviceURL + "/";
+				
+				String responseDestination = samlResponse.getDestination();
+				if (MiscUtil.isEmpty(responseDestination) || 
+						!responseDestination.equals(serviceURL + Constants.SERVLET_PVP2ASSERTION)) {
+					log.warn("PVPResponse destination does not match requested destination");
+					return Constants.STRUTS_ERROR;
+				}
+				
+				//check if response is signed
 				Signature sign = samlResponse.getSignature();
 				if (sign == null) {
 					log.info("Only http POST Requests can be used");
-- 
cgit v1.2.3