Followup on previous commits. Use redirectUntrustedURL() as a shortcut, and let everything else make use of redirectTrustedURL(). Move the responsibility to check the input out of the library, to the places where URLs are grabbed from input parameters.
git-svn-id: http://simplesamlphp.googlecode.com/svn/trunk@3332 44740490-163a-0410-bde0-09ae8108e29a
This commit is contained in:
jaimepc@gmail.com
parent
fe294c9323
commit
445fee4ba8
|
|
@ -701,13 +701,26 @@ $config = array (
|
|||
'proxy' => NULL,
|
||||
|
||||
/*
|
||||
* Array of URL's to allow a trusted redirect to.
|
||||
* Array of domains that are allowed when generating links or redirections
|
||||
* to URLs. simpleSAMLphp will use this option to determine whether to
|
||||
* to consider a given URL valid or not, but you should always validate
|
||||
* URLs obtained from the input on your own (i.e. ReturnTo or RelayState
|
||||
* parameters obtained from the $_REQUEST array).
|
||||
*
|
||||
* Set to NULL to disable.
|
||||
* Set to NULL to disable checking of URLs.
|
||||
*
|
||||
* simpleSAMLphp will automatically add your own domain (either by checking
|
||||
* it dinamically, or by using the domain defined in the 'baseurlpath'
|
||||
* directive, the latter having precedence) to the list of trusted domains,
|
||||
* in case this option is NOT set to NULL. In that case, you are explicitly
|
||||
* telling simpleSAMLphp to verify URLs.
|
||||
*
|
||||
* Set to an empty array to disallow ALL redirections or links pointing to
|
||||
* an external URL other than your own domain.
|
||||
*
|
||||
* Example:
|
||||
* 'redirect.trustedsites' => array('sp.example.com', 'othersite.org'),
|
||||
* 'trusted.url.domains' => array('sp.example.com', 'app.example.com'),
|
||||
*/
|
||||
'redirect.trustedsites' => NULL,
|
||||
'trusted.url.domains' => NULL,
|
||||
|
||||
);
|
||||
|
|
|
|||
|
|
@ -209,6 +209,9 @@ If you want to return to a specific URL after logging out, you should include th
|
|||
|
||||
$as->logout('https://example.org/');
|
||||
|
||||
Please make sure the URL is trusted. If you obtain the URL from the user input, make sure it is trusted before
|
||||
calling $as->logout(), by using the SimpleSAML_Utilities::checkURLAllowed() method.
|
||||
|
||||
|
||||
#### Login link
|
||||
|
||||
|
|
|
|||
|
|
@ -143,19 +143,19 @@ class SimpleSAML_Auth_BWC extends SimpleSAML_Auth_Simple {
|
|||
$session = SimpleSAML_Session::getInstance();
|
||||
if (!$session->isValid($this->authority)) {
|
||||
/* Not authenticated to this authentication source. */
|
||||
SimpleSAML_Utilities::redirectUntrustedURL($url);
|
||||
SimpleSAML_Utilities::redirectTrustedURL($url);
|
||||
assert('FALSE');
|
||||
}
|
||||
|
||||
if ($this->authority === 'saml2') {
|
||||
$config = SimpleSAML_Configuration::getInstance();
|
||||
SimpleSAML_Utilities::redirectUntrustedURL('/' . $config->getBaseURL() . 'saml2/sp/initSLO.php',
|
||||
SimpleSAML_Utilities::redirectTrustedURL('/' . $config->getBaseURL() . 'saml2/sp/initSLO.php',
|
||||
array('RelayState' => $url)
|
||||
);
|
||||
}
|
||||
|
||||
$session->doLogout($this->authority);
|
||||
SimpleSAML_Utilities::redirectUntrustedURL($url);
|
||||
SimpleSAML_Utilities::redirectTrustedURL($url);
|
||||
}
|
||||
|
||||
}
|
||||
|
|
|
|||
|
|
@ -19,13 +19,21 @@ class SimpleSAML_Auth_Default {
|
|||
* This function never returns.
|
||||
*
|
||||
* @param string $authId The identifier of the authentication source.
|
||||
* @param string|array $return The URL or function we should direct the user to after authentication.
|
||||
* @param string|NULL $errorURL The URL we should direct the user to after failed authentication.
|
||||
* Can be NULL, in which case a standard error page will be shown.
|
||||
* @param array $params Extra information about the login. Different authentication requestors may
|
||||
* provide different information. Optional, will default to an empty array.
|
||||
* @param string|array $return The URL or function we should direct the
|
||||
* user to after authentication. If using a URL obtained from user input,
|
||||
* please make sure to check it by calling
|
||||
* SimpleSAML_Utilities::checkURLAllowed().
|
||||
* @param string|NULL $errorURL The URL we should direct the user to after
|
||||
* failed authentication. Can be NULL, in which case a standard error page
|
||||
* will be shown. If using a URL obtained from user input, please make sure
|
||||
* to check it by calling SimpleSAML_Utilities::checkURLAllowed().
|
||||
* @param array $params Extra information about the login. Different
|
||||
* authentication requestors may provide different information. Optional,
|
||||
* will default to an empty array.
|
||||
*/
|
||||
public static function initLogin($authId, $return, $errorURL = NULL, array $params = array()) {
|
||||
public static function initLogin($authId, $return, $errorURL = NULL,
|
||||
array $params = array()) {
|
||||
|
||||
assert('is_string($authId)');
|
||||
assert('is_string($return) || is_array($return)');
|
||||
assert('is_string($errorURL) || is_null($errorURL)');
|
||||
|
|
@ -121,7 +129,7 @@ class SimpleSAML_Auth_Default {
|
|||
|
||||
if (is_string($return)) {
|
||||
/* Redirect... */
|
||||
SimpleSAML_Utilities::redirectUntrustedURL($return);
|
||||
SimpleSAML_Utilities::redirectTrustedURL($return);
|
||||
} else {
|
||||
call_user_func($return, $state);
|
||||
assert('FALSE');
|
||||
|
|
@ -132,11 +140,16 @@ class SimpleSAML_Auth_Default {
|
|||
/**
|
||||
* Start logout.
|
||||
*
|
||||
* This function starts a logout operation from the current authentication source. This function
|
||||
* will return if the logout operation does not require a redirect.
|
||||
* This function starts a logout operation from the current authentication
|
||||
* source. This function will return if the logout operation does not
|
||||
* require a redirect.
|
||||
*
|
||||
* @param string $returnURL The URL we should redirect the user to after logging out.
|
||||
* @param string|NULL $authority The authentication source we are logging out from, or NULL to log out of the most recent.
|
||||
* @param string $returnURL The URL we should redirect the user to after
|
||||
* logging out. No checking is performed on the URL, so make sure to verify
|
||||
* it on beforehand if the URL is obtained from user input. Refer to
|
||||
* SimpleSAML_Utilities::checkURLAllowed() for more information.
|
||||
* @param string|NULL $authority The authentication source we are logging
|
||||
* out from, or NULL to log out from the most recent.
|
||||
*/
|
||||
public static function initLogoutReturn($returnURL, $authority = NULL) {
|
||||
assert('is_string($returnURL)');
|
||||
|
|
@ -171,11 +184,16 @@ class SimpleSAML_Auth_Default {
|
|||
/**
|
||||
* Start logout.
|
||||
*
|
||||
* This function starts a logout operation from the current authentication source. This function
|
||||
* never returns.
|
||||
* This function starts a logout operation from the current authentication
|
||||
* source. This function never returns.
|
||||
*
|
||||
* @param string $returnURL The URL we should redirect the user to after logging out.
|
||||
* @param string|NULL $authority The authentication source we are logging out from, or NULL to log out of the most recent.
|
||||
* @param string $returnURL The URL we should redirect the user to after
|
||||
* logging out. No checking is performed on the URL, so make sure to verify
|
||||
* it on beforehand if the URL is obtained from user input. Refer to
|
||||
* SimpleSAML_Utilities::checkURLAllowed() for more information.
|
||||
* @param string|NULL $authority The authentication source we are logging
|
||||
* out from, or NULL to log out from the most recent.
|
||||
* @return void This function never returns.
|
||||
*/
|
||||
public static function initLogout($returnURL, $authority = NULL) {
|
||||
assert('is_string($returnURL)');
|
||||
|
|
@ -184,7 +202,7 @@ class SimpleSAML_Auth_Default {
|
|||
self::initLogoutReturn($returnURL, $authority);
|
||||
|
||||
/* Redirect... */
|
||||
SimpleSAML_Utilities::redirectUntrustedURL($returnURL);
|
||||
SimpleSAML_Utilities::redirectTrustedURL($returnURL);
|
||||
}
|
||||
|
||||
|
||||
|
|
@ -202,7 +220,7 @@ class SimpleSAML_Auth_Default {
|
|||
$returnURL = $state['SimpleSAML_Auth_Default.ReturnURL'];
|
||||
|
||||
/* Redirect... */
|
||||
SimpleSAML_Utilities::redirectUntrustedURL($returnURL);
|
||||
SimpleSAML_Utilities::redirectTrustedURL($returnURL);
|
||||
}
|
||||
|
||||
|
||||
|
|
@ -239,10 +257,14 @@ class SimpleSAML_Auth_Default {
|
|||
*
|
||||
* This is used to handle IdP initiated SSO.
|
||||
*
|
||||
* @param string $authId The id of the authentication source that received the request.
|
||||
* @param array $state A state array.
|
||||
* @param string $redirectTo The URL we should redirect the user to after
|
||||
* updating the session.
|
||||
* @param string $authId The id of the authentication source that received
|
||||
* the request.
|
||||
* @param array $state A state array.
|
||||
* @param string $redirectTo The URL we should redirect the user to after
|
||||
* updating the session. The function will check if the URL is allowed, so
|
||||
* there is no need to manually check the URL on beforehand. Please refer
|
||||
* to the 'trusted.url.domains' configuration directive for more
|
||||
* information about allowing (or disallowing) URLs.
|
||||
*/
|
||||
public static function handleUnsolicitedAuth($authId, array $state, $redirectTo) {
|
||||
assert('is_string($authId)');
|
||||
|
|
|
|||
|
|
@ -248,7 +248,7 @@ class SimpleSAML_Auth_ProcessingChain {
|
|||
* in $state['ReturnURL'].
|
||||
*/
|
||||
$id = SimpleSAML_Auth_State::saveState($state, self::COMPLETED_STAGE);
|
||||
SimpleSAML_Utilities::redirectUntrustedURL($state['ReturnURL'], array(self::AUTHPARAM => $id));
|
||||
SimpleSAML_Utilities::redirectTrustedURL($state['ReturnURL'], array(self::AUTHPARAM => $id));
|
||||
} else {
|
||||
/* Pass the state to the function defined in $state['ReturnCall']. */
|
||||
|
||||
|
|
@ -302,8 +302,11 @@ class SimpleSAML_Auth_ProcessingChain {
|
|||
/**
|
||||
* Retrieve a state which has finished processing.
|
||||
*
|
||||
* @param string $id The identifier of the state. This can be found in the request parameter
|
||||
* with index from SimpleSAML_Auth_ProcessingChain::AUTHPARAM.
|
||||
* @param string $id The state identifier. This can be found in the
|
||||
* SimpleSAML_Auth_ProcessingChain::AUTHPARAM request parameter. Please
|
||||
* make sure to sanitize it properly by calling the
|
||||
* SimpleSAML_Utilities::checkURLAllowed() function with the embedded
|
||||
* restart URL, if any. See also SimpleSAML_Utilities::getURLFromStateID().
|
||||
*/
|
||||
public static function fetchProcessedState($id) {
|
||||
assert('is_string($id)');
|
||||
|
|
@ -351,5 +354,3 @@ class SimpleSAML_Auth_ProcessingChain {
|
|||
}
|
||||
|
||||
}
|
||||
|
||||
?>
|
||||
|
|
@ -219,7 +219,7 @@ class SimpleSAML_Auth_Simple {
|
|||
$params[$state['ReturnStateParam']] = $stateID;
|
||||
}
|
||||
|
||||
SimpleSAML_Utilities::redirectUntrustedURL($state['ReturnTo'], $params);
|
||||
SimpleSAML_Utilities::redirectTrustedURL($state['ReturnTo'], $params);
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -211,13 +211,7 @@ class SimpleSAML_Auth_State {
|
|||
assert('is_bool($allowMissing)');
|
||||
SimpleSAML_Logger::debug('Loading state: ' . var_export($id, TRUE));
|
||||
|
||||
$tmp = explode(':', $id, 2);
|
||||
$id = $tmp[0];
|
||||
if (count($tmp) === 2) {
|
||||
$restartURL = $tmp[1];
|
||||
} else {
|
||||
$restartURL = NULL;
|
||||
}
|
||||
$restartURL = SimpleSAML_Utilities::getURLFromStateID($id);
|
||||
|
||||
$session = SimpleSAML_Session::getInstance();
|
||||
$state = $session->getData('SimpleSAML_Auth_State', $id);
|
||||
|
|
|
|||
|
|
@ -529,7 +529,7 @@ class SimpleSAML_IdP {
|
|||
public static function finishLogoutRedirect(SimpleSAML_IdP $idp, array $state) {
|
||||
assert('isset($state["core:Logout:URL"])');
|
||||
|
||||
SimpleSAML_Utilities::redirectUntrustedURL($state['core:Logout:URL']);
|
||||
SimpleSAML_Utilities::redirectTrustedURL($state['core:Logout:URL']);
|
||||
assert('FALSE');
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -76,6 +76,12 @@ class SimpleSAML_IdP_LogoutTraditional extends SimpleSAML_IdP_LogoutHandler {
|
|||
throw new SimpleSAML_Error_Exception('RelayState lost during logout.');
|
||||
}
|
||||
|
||||
// sanitize the input
|
||||
$restartURL = SimpleSAML_Utilities::getURLFromStateID($relayState);
|
||||
if (!is_null($restartURL)) {
|
||||
SimpleSAML_Utilities::checkURLAllowed($restartURL);
|
||||
}
|
||||
|
||||
$state = SimpleSAML_Auth_State::loadState($relayState, 'core:LogoutTraditional');
|
||||
|
||||
if ($error === NULL) {
|
||||
|
|
|
|||
|
|
@ -298,17 +298,80 @@ class SimpleSAML_Utilities {
|
|||
}
|
||||
|
||||
|
||||
/**
|
||||
* Check if a URL is valid and is in our list of allowed URLs.
|
||||
*
|
||||
* @param string $url The URL to check.
|
||||
* @param array $trustedSites An optional white list of domains. If none
|
||||
* specified, the 'trusted.url.domains' configuration directive will be
|
||||
* used.
|
||||
* @return string The normalized URL itself if it is allowed.
|
||||
* @throws SimpleSAML_Error_Exception if the URL is malformed or is not
|
||||
* allowed by configuration.
|
||||
*/
|
||||
public static function checkURLAllowed($url, array $trustedSites = NULL) {
|
||||
$url = self::normalizeURL($url);
|
||||
|
||||
// verify that the URL points to an http or https site
|
||||
if (!preg_match('@^https?://@i', $url)) {
|
||||
throw new SimpleSAML_Error_Exception('Invalid URL: '.$url);
|
||||
}
|
||||
|
||||
// get the white list of domains
|
||||
if ($trustedSites === NULL) {
|
||||
$trustedSites = SimpleSAML_Configuration::getInstance()->getArray('trusted.url.domains', NULL);
|
||||
if ($trustedSites === NULL) {
|
||||
$trustedSites = SimpleSAML_Configuration::getInstance()->getArray('redirect.trustedsites', NULL);
|
||||
}
|
||||
}
|
||||
|
||||
// validates the URL's host is among those allowed
|
||||
if ($trustedSites !== NULL) {
|
||||
assert(is_array($trustedSites));
|
||||
preg_match('@^https?://([^/]+)@i', $url, $matches);
|
||||
$hostname = $matches[1];
|
||||
|
||||
// add self host to the white list
|
||||
$self_host = self::getSelfHost();
|
||||
$trustedSites[] = $self_host;
|
||||
|
||||
/* Throw exception due to redirection to untrusted site */
|
||||
if (!in_array($hostname, $trustedSites)) {
|
||||
throw new SimpleSAML_Error_Exception('URL not allowed: '.$url);
|
||||
}
|
||||
}
|
||||
return $url;
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* Get a URL embedded in a StateID, in the form 'id:url'.
|
||||
*
|
||||
* @param string $stateId The state ID to use.
|
||||
* @return string The embedded URL if found, NULL otherwise.
|
||||
*/
|
||||
public static function getURLFromStateID($stateId) {
|
||||
$tmp = explode(':', $stateId, 2);
|
||||
$id = $tmp[0];
|
||||
$url = NULL;
|
||||
if (count($tmp) === 2) {
|
||||
$url = $tmp[1];
|
||||
}
|
||||
return $url;
|
||||
}
|
||||
|
||||
|
||||
public static function checkDateConditions($start=NULL, $end=NULL) {
|
||||
$currentTime = time();
|
||||
|
||||
if (! empty($start)) {
|
||||
if (!empty($start)) {
|
||||
$startTime = SAML2_Utils::parseSAML2Time($start);
|
||||
/* Allow for a 10 minute difference in Time */
|
||||
if (($startTime < 0) || (($startTime - 600) > $currentTime)) {
|
||||
return FALSE;
|
||||
}
|
||||
}
|
||||
if (! empty($end)) {
|
||||
if (!empty($end)) {
|
||||
$endTime = SAML2_Utils::parseSAML2Time($end);
|
||||
if (($endTime < 0) || ($endTime <= $currentTime)) {
|
||||
return FALSE;
|
||||
|
|
@ -493,113 +556,20 @@ class SimpleSAML_Utilities {
|
|||
return true;
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* This function redirects the user to the specified address.
|
||||
*
|
||||
* This function will use the "HTTP 303 See Other" redirection if the
|
||||
* current request used the POST method and the HTTP version is 1.1.
|
||||
* Otherwise, a "HTTP 302 Found" redirection will be used.
|
||||
*
|
||||
* The fuction will also generate a simple web page with a clickable
|
||||
* link to the target page.
|
||||
*
|
||||
* @param string $url The URL we should redirect to. This URL may include
|
||||
* query parameters. If this URL is a relative URL (starting with '/'),
|
||||
* then it will be turned into an absolute URL by prefixing it with the
|
||||
* absolute URL to the root of the website.
|
||||
* @param string[] $parameters An array with extra query string parameters
|
||||
* which should be appended to the URL. The name of the parameter is the
|
||||
* array index. The value of the parameter is the value stored in the index.
|
||||
* Both the name and the value will be urlencoded. If the value is NULL,
|
||||
* then the parameter will be encoded as just the name, without a value.
|
||||
* @param string[] $allowed_redirect_hosts An array with a whitelist of
|
||||
* hosts for which redirects are allowed. If NULL, redirections will be
|
||||
* allowed to any host. Otherwise, the host of the $url provided must be
|
||||
* present in this parameter. If the host is not whitelisted, an exception
|
||||
* will be thrown.
|
||||
*
|
||||
* @return void This function never returns.
|
||||
* @deprecated 1.12.0 This function will be removed from the API. Use
|
||||
* accordingly the redirectTrustedURL or redirectUntrustedURL functions
|
||||
* instead.
|
||||
/*
|
||||
* This is a temporary function, holding the redirect() functionality,
|
||||
* meanwhile we are deprecating the it.
|
||||
*/
|
||||
public static function redirect($url, $parameters = array(), $allowed_redirect_hosts = NULL) {
|
||||
assert(is_string($url));
|
||||
assert(strlen($url) > 0);
|
||||
assert(is_array($parameters));
|
||||
if($allowed_redirect_hosts != NULL) assert(is_array($allowed_redirect_hosts));
|
||||
|
||||
/* Check for relative URL. */
|
||||
if(substr($url, 0, 1) === '/') {
|
||||
/* Prefix the URL with the url to the root of the
|
||||
* website.
|
||||
*/
|
||||
$url = self::selfURLhost() . $url;
|
||||
private static function _doRedirect($url, $parameters = array()) {
|
||||
if (!empty($parameters)) {
|
||||
$url = self::addURLparameter($url, $parameters);
|
||||
}
|
||||
|
||||
/* Verify that the URL points to an http or https site. */
|
||||
if (!preg_match('@^https?://@i', $url)) {
|
||||
throw new SimpleSAML_Error_Exception('Redirect to invalid URL: ' . $url);
|
||||
}
|
||||
|
||||
/* Validates the URL's host is among those allowed. */
|
||||
if ($allowed_redirect_hosts !== NULL) {
|
||||
preg_match('@^https?://([^/]+)@i', $url, $matches);
|
||||
$hostname = $matches[1];
|
||||
|
||||
// add self host to the white list
|
||||
$self_host = self::getSelfHost();
|
||||
$allowed_redirect_hosts[] = $self_host;
|
||||
|
||||
/* Throw exception due to redirection to untrusted site */
|
||||
if(!in_array($hostname, $allowed_redirect_hosts)) {
|
||||
throw new SimpleSAML_Error_Exception('Redirection not to allowed to URL: ' . $url);
|
||||
}
|
||||
}
|
||||
|
||||
/* Determine which prefix we should put before the first
|
||||
* parameter.
|
||||
*/
|
||||
if(strpos($url, '?') === FALSE) {
|
||||
$paramPrefix = '?';
|
||||
} else {
|
||||
$paramPrefix = '&';
|
||||
}
|
||||
|
||||
/* Iterate over the parameters and append them to the query
|
||||
* string.
|
||||
*/
|
||||
foreach($parameters as $name => $value) {
|
||||
|
||||
/* Encode the parameter. */
|
||||
if($value === NULL) {
|
||||
$param = urlencode($name);
|
||||
} elseif (is_array($value)) {
|
||||
$param = "";
|
||||
foreach ($value as $val) {
|
||||
$param .= urlencode($name) . "[]=" . urlencode($val) . '&';
|
||||
}
|
||||
} else {
|
||||
$param = urlencode($name) . '=' .
|
||||
urlencode($value);
|
||||
}
|
||||
|
||||
/* Append the parameter to the query string. */
|
||||
$url .= $paramPrefix . $param;
|
||||
|
||||
/* Every following parameter is guaranteed to follow
|
||||
* another parameter. Therefore we use the '&' prefix.
|
||||
*/
|
||||
$paramPrefix = '&';
|
||||
}
|
||||
|
||||
|
||||
/* Set the HTTP result code. This is either 303 See Other or
|
||||
* 302 Found. HTTP 303 See Other is sent if the HTTP version
|
||||
* is HTTP/1.1 and the request type was a POST request.
|
||||
*/
|
||||
if($_SERVER['SERVER_PROTOCOL'] === 'HTTP/1.1' &&
|
||||
if ($_SERVER['SERVER_PROTOCOL'] === 'HTTP/1.1' &&
|
||||
$_SERVER['REQUEST_METHOD'] === 'POST') {
|
||||
$code = 303;
|
||||
} else {
|
||||
|
|
@ -630,7 +600,8 @@ class SimpleSAML_Utilities {
|
|||
echo '<h1>Redirect</h1>';
|
||||
echo '<p>';
|
||||
echo 'You were redirected to: ';
|
||||
echo '<a id="redirlink" href="' . htmlspecialchars($url) . '">' . htmlspecialchars($url) . '</a>';
|
||||
echo '<a id="redirlink" href="' .
|
||||
htmlspecialchars($url) . '">' . htmlspecialchars($url) . '</a>';
|
||||
echo '<script type="text/javascript">document.getElementById("redirlink").focus();</script>';
|
||||
echo '</p>';
|
||||
echo '</body>';
|
||||
|
|
@ -638,6 +609,51 @@ class SimpleSAML_Utilities {
|
|||
|
||||
/* End script execution. */
|
||||
exit;
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* This function redirects the user to the specified address.
|
||||
*
|
||||
* This function will use the "HTTP 303 See Other" redirection if the
|
||||
* current request used the POST method and the HTTP version is 1.1.
|
||||
* Otherwise, a "HTTP 302 Found" redirection will be used.
|
||||
*
|
||||
* The fuction will also generate a simple web page with a clickable
|
||||
* link to the target page.
|
||||
*
|
||||
* @param string $url The URL we should redirect to. This URL may include
|
||||
* query parameters. If this URL is a relative URL (starting with '/'),
|
||||
* then it will be turned into an absolute URL by prefixing it with the
|
||||
* absolute URL to the root of the website.
|
||||
* @param string[] $parameters An array with extra query string parameters
|
||||
* which should be appended to the URL. The name of the parameter is the
|
||||
* array index. The value of the parameter is the value stored in the index.
|
||||
* Both the name and the value will be urlencoded. If the value is NULL,
|
||||
* then the parameter will be encoded as just the name, without a value.
|
||||
* @param string[] $allowed_redirect_hosts An array with a whitelist of
|
||||
* hosts for which redirects are allowed. If NULL, redirections will be
|
||||
* allowed to any host. Otherwise, the host of the $url provided must be
|
||||
* present in this parameter. If the host is not whitelisted, an exception
|
||||
* will be thrown.
|
||||
*
|
||||
* @return void This function never returns.
|
||||
* @deprecated 1.12.0 This function will be removed from the API. Instead,
|
||||
* use the redirectTrustedURL or redirectUntrustedURL functions
|
||||
* accordingly.
|
||||
*/
|
||||
public static function redirect($url, $parameters = array(),
|
||||
$allowed_redirect_hosts = NULL) {
|
||||
|
||||
assert(is_string($url));
|
||||
assert(strlen($url) > 0);
|
||||
assert(is_array($parameters));
|
||||
|
||||
$url = self::normalizeURL($url);
|
||||
if ($allowed_redirect_hosts !== NULL) {
|
||||
$url = self::checkURLAllowed($url, $allowed_redirect_hosts);
|
||||
}
|
||||
self::_doRedirect($url, $parameters);
|
||||
}
|
||||
|
||||
/**
|
||||
|
|
@ -665,26 +681,27 @@ class SimpleSAML_Utilities {
|
|||
* @return void This function never returns.
|
||||
*/
|
||||
public static function redirectTrustedURL($url, $parameters = array()) {
|
||||
self::redirect($url, $parameters);
|
||||
$url = self::normalizeURL($url);
|
||||
self::_doRedirect($url, $parameters);
|
||||
}
|
||||
|
||||
/**
|
||||
* This function redirects to the specified URL after performing the
|
||||
* appropriate security checks on it. Particularly, it will make sure
|
||||
* that the provided URL is allowed by the 'redirect.trustedsites'
|
||||
* directive in the configuration.
|
||||
* appropriate security checks on it. Particularly, it will make sure that
|
||||
* the provided URL is allowed by the 'redirect.trustedsites' directive
|
||||
* in the configuration.
|
||||
*
|
||||
* If the aforementioned option is not set or the URL does corresponds
|
||||
* to a trusted site, it performs a redirection to it. If the site is
|
||||
* not trusted, an exception will be thrown.
|
||||
* If the aforementioned option is not set or the URL does correspond to a
|
||||
* trusted site, it performs a redirection to it. If the site is not
|
||||
* trusted, an exception will be thrown.
|
||||
*
|
||||
* See the redirectTrustedURL function for more details.
|
||||
*
|
||||
* @return void This function never returns.
|
||||
*/
|
||||
public static function redirectUntrustedURL($url, $parameters = array()) {
|
||||
$trustedSites = SimpleSAML_Configuration::getInstance()->getArray('redirect.trustedsites', NULL);
|
||||
self::redirect($url, $parameters, $trustedSites);
|
||||
$url = self::checkURLAllowed($url);
|
||||
self::_doRedirect($url, $parameters);
|
||||
}
|
||||
|
||||
/**
|
||||
|
|
@ -1150,8 +1167,7 @@ class SimpleSAML_Utilities {
|
|||
$base = self::getBaseURL();
|
||||
}
|
||||
|
||||
|
||||
if(!preg_match('$^((((\w+:)//[^/]+)(/[^?#]*))(?:\?[^#]*)?)(?:#.*)?$', $base, $baseParsed)) {
|
||||
if(!preg_match('/^((((\w+:)\/\/[^\/]+)(\/[^?#]*))(?:\?[^#]*)?)(?:#.*)?/', $base, $baseParsed)) {
|
||||
throw new Exception('Unable to parse base url: ' . $base);
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -124,7 +124,7 @@ class SimpleSAML_XHTML_IdPDisco {
|
|||
if(!array_key_exists('return', $_GET)) {
|
||||
throw new Exception('Missing parameter: return');
|
||||
} else {
|
||||
$this->returnURL = $_GET['return'];
|
||||
$this->returnURL = SimpleSAML_Utilities::checkURLAllowed($_GET['return']);
|
||||
}
|
||||
|
||||
$this->isPassive = FALSE;
|
||||
|
|
@ -474,7 +474,7 @@ class SimpleSAML_XHTML_IdPDisco {
|
|||
|
||||
} else {
|
||||
$this->log('Choice made [' . $idp . '] (Redirecting the user back. returnIDParam=' . $this->returnIdParam . ')');
|
||||
SimpleSAML_Utilities::redirectUntrustedURL($this->returnURL, array($this->returnIdParam => $idp));
|
||||
SimpleSAML_Utilities::redirectTrustedURL($this->returnURL, array($this->returnIdParam => $idp));
|
||||
}
|
||||
|
||||
return;
|
||||
|
|
@ -482,7 +482,7 @@ class SimpleSAML_XHTML_IdPDisco {
|
|||
|
||||
if ($this->isPassive) {
|
||||
$this->log('Choice not made. (Redirecting the user back without answer)');
|
||||
SimpleSAML_Utilities::redirectUntrustedURL($this->returnURL);
|
||||
SimpleSAML_Utilities::redirectTrustedURL($this->returnURL);
|
||||
return;
|
||||
}
|
||||
|
||||
|
|
@ -500,7 +500,7 @@ class SimpleSAML_XHTML_IdPDisco {
|
|||
|
||||
if(sizeof($idpintersection) == 1) {
|
||||
$this->log('Choice made [' . $idpintersection[0] . '] (Redirecting the user back. returnIDParam=' . $this->returnIdParam . ')');
|
||||
SimpleSAML_Utilities::redirectUntrustedURL($this->returnURL, array($this->returnIdParam => $idpintersection[0]));
|
||||
SimpleSAML_Utilities::redirectTrustedURL($this->returnURL, array($this->returnIdParam => $idpintersection[0]));
|
||||
}
|
||||
|
||||
/*
|
||||
|
|
|
|||
|
|
@ -42,7 +42,6 @@ class sspmod_InfoCard_Auth_Source_ICAuth extends SimpleSAML_Auth_Source {
|
|||
|
||||
|
||||
public static function handleLogin($authStateId, $xmlToken) {
|
||||
SimpleSAML_Logger::debug('ENTRA en icauth');
|
||||
assert('is_string($authStateId)');
|
||||
|
||||
$config = SimpleSAML_Configuration::getInstance();
|
||||
|
|
@ -61,14 +60,20 @@ SimpleSAML_Logger::debug('ENTRA en icauth');
|
|||
SimpleSAML_Logger::debug("NOXMLtoken: ".$xmlToken);
|
||||
$claims = $infocard->process($xmlToken);
|
||||
if($claims->isValid()) {
|
||||
// if(false) {
|
||||
$attributes = array();
|
||||
foreach ($Infocard['requiredClaims'] as $claim => $data){
|
||||
$attributes[$claim] = array($claims->$claim);
|
||||
}
|
||||
foreach ($Infocard['optionalClaims'] as $claim => $data){
|
||||
$attributes[$claim] = array($claims->$claim);
|
||||
}
|
||||
}
|
||||
|
||||
// sanitize the input
|
||||
$restartURL = SimpleSAML_Utilities::getURLFromStateID($authStateId);
|
||||
if (!is_null($restartURL)) {
|
||||
SimpleSAML_Utilities::checkURLAllowed($restartURL);
|
||||
}
|
||||
|
||||
/* Retrieve the authentication state. */
|
||||
$state = SimpleSAML_Auth_State::loadState($authStateId, self::STAGEID);
|
||||
/* Find authentication source. */
|
||||
|
|
@ -78,12 +83,10 @@ SimpleSAML_Logger::debug('ENTRA en icauth');
|
|||
throw new Exception('Could not find authentication source with id ' . $state[self::AUTHID]);
|
||||
}
|
||||
$state['Attributes'] = $attributes;
|
||||
SimpleSAML_Logger::debug('VALIDA');
|
||||
unset($infocard);
|
||||
unset($claims);
|
||||
SimpleSAML_Auth_Source::completeAuth($state);
|
||||
} else {
|
||||
SimpleSAML_Logger::debug('NO VALIDA ERROR:'.$claims->getErrorMsg());
|
||||
unset($infocard);
|
||||
unset($claims);
|
||||
return 'wrong_IC';
|
||||
|
|
|
|||
|
|
@ -7,7 +7,18 @@
|
|||
* @author Wessel Dankers, Tilburg University
|
||||
*/
|
||||
function check_credentials() {
|
||||
$state = SimpleSAML_Auth_State::loadState($_REQUEST['ssp_state'], 'aselect:login');
|
||||
|
||||
if (!array_key_exists('ssp_state', $_REQUEST))
|
||||
SimpleSAML_Auth_State::throwException($state, new SimpleSAML_Error_Exception("Missing ssp_state parameter"));
|
||||
$id = $_REQUEST['ssp_state'];
|
||||
|
||||
// sanitize the input
|
||||
$restartURL = SimpleSAML_Utilities::getURLFromStateID($id);
|
||||
if (!is_null($restartURL)) {
|
||||
SimpleSAML_Utilities::checkURLAllowed($restartURL);
|
||||
}
|
||||
|
||||
$state = SimpleSAML_Auth_State::loadState($id, 'aselect:login');
|
||||
|
||||
if(!array_key_exists('a-select-server', $_REQUEST))
|
||||
SimpleSAML_Auth_State::throwException($state, new SimpleSAML_Error_Exception("Missing a-select-server parameter"));
|
||||
|
|
|
|||
|
|
@ -124,6 +124,12 @@ class sspmod_authYubiKey_Auth_Source_YubiKey extends SimpleSAML_Auth_Source {
|
|||
assert('is_string($authStateId)');
|
||||
assert('is_string($otp)');
|
||||
|
||||
// sanitize the input
|
||||
$restartURL = SimpleSAML_Utilities::getURLFromStateID($authStateId);
|
||||
if (!is_null($restartURL)) {
|
||||
SimpleSAML_Utilities::checkURLAllowed($restartURL);
|
||||
}
|
||||
|
||||
/* Retrieve the authentication state. */
|
||||
$state = SimpleSAML_Auth_State::loadState($authStateId, self::STAGEID);
|
||||
|
||||
|
|
|
|||
|
|
@ -9,6 +9,13 @@ if (!array_key_exists('AuthState', $_REQUEST) || empty($_REQUEST['AuthState']))
|
|||
}
|
||||
|
||||
$stateID = $_REQUEST['AuthState'];
|
||||
|
||||
// sanitize the input
|
||||
$restartURL = SimpleSAML_Utilities::getURLFromStateID($stateID);
|
||||
if (!is_null($restartURL)) {
|
||||
SimpleSAML_Utilities::checkURLAllowed($restartURL);
|
||||
}
|
||||
|
||||
$state = SimpleSAML_Auth_State::loadState($stateID, sspmod_authfacebook_Auth_Source_Facebook::STAGE_INIT);
|
||||
|
||||
/* Find authentication source. */
|
||||
|
|
|
|||
|
|
@ -10,6 +10,12 @@ if (array_key_exists('stateid', $_REQUEST)) {
|
|||
throw new Exception('Lost OAuth Client State');
|
||||
}
|
||||
|
||||
// sanitize the input
|
||||
$restartURL = SimpleSAML_Utilities::getURLFromStateID($stateId);
|
||||
if (!is_null($restartURL)) {
|
||||
SimpleSAML_Utilities::checkURLAllowed($restartURL);
|
||||
}
|
||||
|
||||
$state = SimpleSAML_Auth_State::loadState($stateId, sspmod_authlinkedin_Auth_Source_LinkedIn::STAGE_INIT);
|
||||
|
||||
// http://developer.linkedin.com/docs/DOC-1008#2_Redirect_the_User_to_our_Authorization_Server
|
||||
|
|
|
|||
|
|
@ -10,6 +10,12 @@ if (array_key_exists('stateid', $_REQUEST)) {
|
|||
throw new Exception('State Lost - not returned by MySpace Auth');
|
||||
}
|
||||
|
||||
// sanitize the input
|
||||
$restartURL = SimpleSAML_Utilities::getURLFromStateID($stateId);
|
||||
if (!is_null($restartURL)) {
|
||||
SimpleSAML_Utilities::checkURLAllowed($restartURL);
|
||||
}
|
||||
|
||||
$state = SimpleSAML_Auth_State::loadState($stateId, sspmod_authmyspace_Auth_Source_MySpace::STAGE_INIT);
|
||||
|
||||
if (array_key_exists('oauth_problem', $_REQUEST)) {
|
||||
|
|
|
|||
|
|
@ -11,6 +11,13 @@ if (!array_key_exists('StateId', $_REQUEST)) {
|
|||
}
|
||||
|
||||
$id = $_REQUEST['StateId'];
|
||||
|
||||
// sanitize the input
|
||||
$restartURL = SimpleSAML_Utilities::getURLFromStateID($id);
|
||||
if (!is_null($restartURL)) {
|
||||
SimpleSAML_Utilities::checkURLAllowed($restartURL);
|
||||
}
|
||||
|
||||
$state = SimpleSAML_Auth_State::loadState($id, 'authorize:Authorize');
|
||||
|
||||
$globalConfig = SimpleSAML_Configuration::getInstance();
|
||||
|
|
|
|||
|
|
@ -9,6 +9,12 @@ if (!array_key_exists('AuthState', $_REQUEST) || empty($_REQUEST['AuthState']))
|
|||
}
|
||||
$stateID = $_REQUEST['AuthState'];
|
||||
|
||||
// sanitize the input
|
||||
$restartURL = SimpleSAML_Utilities::getURLFromStateID($stateID);
|
||||
if (!is_null($restartURL)) {
|
||||
SimpleSAML_Utilities::checkURLAllowed($restartURL);
|
||||
}
|
||||
|
||||
$state = SimpleSAML_Auth_State::loadState($stateID, sspmod_authtwitter_Auth_Source_Twitter::STAGE_INIT);
|
||||
|
||||
/* Find authentication source. */
|
||||
|
|
|
|||
|
|
@ -6,6 +6,13 @@
|
|||
|
||||
if (array_key_exists('wrap_client_state', $_REQUEST)) {
|
||||
$stateId = $_REQUEST['wrap_client_state'];
|
||||
|
||||
// sanitize the input
|
||||
$restartURL = SimpleSAML_Utilities::getURLFromStateID($stateId);
|
||||
if (!is_null($restartURL)) {
|
||||
SimpleSAML_Utilities::checkURLAllowed($restartURL);
|
||||
}
|
||||
|
||||
$state = SimpleSAML_Auth_State::loadState($stateId, sspmod_authwindowslive_Auth_Source_LiveID::STAGE_INIT);
|
||||
} else {
|
||||
throw new Exception('Lost OAuth-WRAP Client State');
|
||||
|
|
|
|||
|
|
@ -13,6 +13,12 @@ if (!isset($_GET['ticket'])) {
|
|||
throw new SimpleSAML_Error_BadRequest('Missing ticket parameter.');
|
||||
}
|
||||
|
||||
// sanitize the input
|
||||
$restartURL = SimpleSAML_Utilities::getURLFromStateID($stateId);
|
||||
if (!is_null($restartURL)) {
|
||||
SimpleSAML_Utilities::checkURLAllowed($restartURL);
|
||||
}
|
||||
|
||||
$state = SimpleSAML_Auth_State::loadState($stateId, sspmod_cas_Auth_Source_CAS::STAGE_INIT);
|
||||
$state['cas:ticket'] = (string)$_GET['ticket'];
|
||||
|
||||
|
|
|
|||
|
|
@ -48,10 +48,8 @@ storeTicket($ticket, $path, array('service' => $service,
|
|||
'proxies' => array(),
|
||||
'validbefore' => time() + 5));
|
||||
|
||||
SimpleSAML_Utilities::redirectUntrustedURL(
|
||||
SimpleSAML_Utilities::redirectTrustedURL(
|
||||
SimpleSAML_Utilities::addURLparameter($service,
|
||||
array('ticket' => $ticket)
|
||||
)
|
||||
);
|
||||
|
||||
?>
|
||||
|
|
|
|||
|
|
@ -327,7 +327,7 @@ class sspmod_cdc_Server {
|
|||
|
||||
$url = SimpleSAML_Utilities::addURLparameter($to, $params);
|
||||
if (strlen($url) < 2048) {
|
||||
SimpleSAML_Utilities::redirectUntrustedURL($url);
|
||||
SimpleSAML_Utilities::redirectTrustedURL($url);
|
||||
} else {
|
||||
SimpleSAML_Utilities::postRedirect($to, $params);
|
||||
}
|
||||
|
|
|
|||
|
|
@ -17,6 +17,12 @@ if (!isset($response['id'])) {
|
|||
throw new SimpleSAML_Error_BadRequest('CDCResponse without id.');
|
||||
}
|
||||
|
||||
// sanitize the input
|
||||
$restartURL = SimpleSAML_Utilities::getURLFromStateID($response['id']);
|
||||
if (!is_null($restartURL)) {
|
||||
SimpleSAML_Utilities::checkURLAllowed($restartURL);
|
||||
}
|
||||
|
||||
$state = SimpleSAML_Auth_State::loadState($response['id'], 'cdc:resume');
|
||||
|
||||
SimpleSAML_Auth_ProcessingChain::resumeProcessing($state);
|
||||
|
|
|
|||
|
|
@ -31,6 +31,13 @@ if (!array_key_exists('StateId', $_REQUEST)) {
|
|||
}
|
||||
|
||||
$id = $_REQUEST['StateId'];
|
||||
|
||||
// sanitize the input
|
||||
$restartURL = SimpleSAML_Utilities::getURLFromStateID($id);
|
||||
if (!is_null($restartURL)) {
|
||||
SimpleSAML_Utilities::checkURLAllowed($restartURL);
|
||||
}
|
||||
|
||||
$state = SimpleSAML_Auth_State::loadState($id, 'consent:request');
|
||||
|
||||
if (array_key_exists('core:SP', $state)) {
|
||||
|
|
|
|||
|
|
@ -10,6 +10,13 @@ if (!array_key_exists('StateId', $_GET)) {
|
|||
throw new SimpleSAML_Error_BadRequest('Missing required StateId query parameter.');
|
||||
}
|
||||
$id = (string)$_GET['StateId'];
|
||||
|
||||
// sanitize the input
|
||||
$restartURL = SimpleSAML_Utilities::getURLFromStateID($id);
|
||||
if (!is_null($restartURL)) {
|
||||
SimpleSAML_Utilities::checkURLAllowed($restartURL);
|
||||
}
|
||||
|
||||
$state = SimpleSAML_Auth_State::loadState($id, 'consent:request');
|
||||
|
||||
$state['Responder'] = array('sspmod_consent_Logout', 'postLogout');
|
||||
|
|
|
|||
|
|
@ -12,6 +12,13 @@ if (!array_key_exists('StateId', $_REQUEST)) {
|
|||
}
|
||||
|
||||
$id = $_REQUEST['StateId'];
|
||||
|
||||
// sanitize the input
|
||||
$restartURL = SimpleSAML_Utilities::getURLFromStateID($id);
|
||||
if (!is_null($restartURL)) {
|
||||
SimpleSAML_Utilities::checkURLAllowed($restartURL);
|
||||
}
|
||||
|
||||
$state = SimpleSAML_Auth_State::loadState($id, 'consent:request');
|
||||
|
||||
$resumeFrom = SimpleSAML_Module::getModuleURL(
|
||||
|
|
|
|||
|
|
@ -197,6 +197,12 @@ abstract class sspmod_core_Auth_UserPassBase extends SimpleSAML_Auth_Source {
|
|||
assert('is_string($username)');
|
||||
assert('is_string($password)');
|
||||
|
||||
// sanitize the input
|
||||
$restartURL = SimpleSAML_Utilities::getURLFromStateID($authStateId);
|
||||
if (!is_null($restartURL)) {
|
||||
SimpleSAML_Utilities::checkURLAllowed($restartURL);
|
||||
}
|
||||
|
||||
/* Here we retrieve the state array we saved in the authenticate-function. */
|
||||
$state = SimpleSAML_Auth_State::loadState($authStateId, self::STAGEID);
|
||||
|
||||
|
|
|
|||
|
|
@ -209,6 +209,12 @@ abstract class sspmod_core_Auth_UserPassOrgBase extends SimpleSAML_Auth_Source {
|
|||
assert('is_string($password)');
|
||||
assert('is_string($organization)');
|
||||
|
||||
// sanitize the input
|
||||
$restartURL = SimpleSAML_Utilities::getURLFromStateID($authStateId);
|
||||
if (!is_null($restartURL)) {
|
||||
SimpleSAML_Utilities::checkURLAllowed($restartURL);
|
||||
}
|
||||
|
||||
/* Retrieve the authentication state. */
|
||||
$state = SimpleSAML_Auth_State::loadState($authStateId, self::STAGEID);
|
||||
|
||||
|
|
@ -257,6 +263,12 @@ abstract class sspmod_core_Auth_UserPassOrgBase extends SimpleSAML_Auth_Source {
|
|||
public static function listOrganizations($authStateId) {
|
||||
assert('is_string($authStateId)');
|
||||
|
||||
// sanitize the input
|
||||
$restartURL = SimpleSAML_Utilities::getURLFromStateID($authStateId);
|
||||
if (!is_null($restartURL)) {
|
||||
SimpleSAML_Utilities::checkURLAllowed($restartURL);
|
||||
}
|
||||
|
||||
/* Retrieve the authentication state. */
|
||||
$state = SimpleSAML_Auth_State::loadState($authStateId, self::STAGEID);
|
||||
|
||||
|
|
|
|||
|
|
@ -19,7 +19,7 @@ if (!is_string($_REQUEST['AuthId'])) {
|
|||
* Setting up the options for the requireAuth() call later..
|
||||
*/
|
||||
$options = array(
|
||||
'ReturnTo' => $_REQUEST['ReturnTo'],
|
||||
'ReturnTo' => SimpleSAML_Utilities::checkURLAllowed($_REQUEST['ReturnTo']),
|
||||
);
|
||||
|
||||
/*
|
||||
|
|
@ -30,9 +30,7 @@ if (!empty($_REQUEST['saml:idp'])) {
|
|||
$options['saml:idp'] = $_REQUEST['saml:idp'];
|
||||
}
|
||||
|
||||
|
||||
|
||||
$as = new SimpleSAML_Auth_Simple($_REQUEST['AuthId']);
|
||||
$as->requireAuth($options);
|
||||
|
||||
SimpleSAML_Utilities::redirectUntrustedURL($_REQUEST['ReturnTo']);
|
||||
SimpleSAML_Utilities::redirectTrustedURL($options['ReturnTo']);
|
||||
|
|
|
|||
|
|
@ -16,4 +16,4 @@ if (!isset($_REQUEST['AuthId']) || !is_string($_REQUEST['AuthId'])) {
|
|||
}
|
||||
|
||||
$as = new SimpleSAML_Auth_Simple($_REQUEST['AuthId']);
|
||||
$as->logout($_REQUEST['ReturnTo']);
|
||||
$as->logout(SimpleSAML_Utilities::checkURLAllowed($_REQUEST['ReturnTo']));
|
||||
|
|
|
|||
|
|
@ -20,7 +20,7 @@ if ($requestcache['ForceAuthn'] && $requestcache['core:prevSession'] === $sessio
|
|||
}
|
||||
|
||||
if (isset($state['ReturnTo'])) {
|
||||
SimpleSAML_Utilities::redirectUntrustedURL($state['ReturnTo']);
|
||||
SimpleSAML_Utilities::redirectTrustedURL($state['ReturnTo']);
|
||||
}
|
||||
|
||||
foreach ($session->getAuthState($authority) as $k => $v) {
|
||||
|
|
|
|||
|
|
@ -26,12 +26,12 @@ foreach($_COOKIE as $cookieName => $value) {
|
|||
|
||||
/* Find where we should go now. */
|
||||
if(array_key_exists('ReturnTo', $_REQUEST)) {
|
||||
$returnTo = $_REQUEST['ReturnTo'];
|
||||
$returnTo = SimpleSAML_Utilities::checkURLAllowed($_REQUEST['ReturnTo']);
|
||||
} else {
|
||||
/* Return to the front page if no other destination is given. This is the same as the base cookie path. */
|
||||
$returnTo = $cookiePath;
|
||||
}
|
||||
|
||||
/* Redirect to destination. */
|
||||
SimpleSAML_Utilities::redirectUntrustedURL($returnTo);
|
||||
SimpleSAML_Utilities::redirectTrustedURL($returnTo);
|
||||
|
||||
|
|
|
|||
|
|
@ -5,6 +5,12 @@ if (!isset($_REQUEST['id'])) {
|
|||
}
|
||||
$id = (string)$_REQUEST['id'];
|
||||
|
||||
// sanitize the input
|
||||
$restartURL = SimpleSAML_Utilities::getURLFromStateID($id);
|
||||
if (!is_null($restartURL)) {
|
||||
SimpleSAML_Utilities::checkURLAllowed($restartURL);
|
||||
}
|
||||
|
||||
$state = SimpleSAML_Auth_State::loadState($id, 'core:Logout-IFrame');
|
||||
$idp = SimpleSAML_IdP::getByState($state);
|
||||
|
||||
|
|
|
|||
|
|
@ -19,6 +19,12 @@ if ($type !== 'embed' && $type !== 'async') {
|
|||
SimpleSAML_Stats::log('core:idp:logout-iframe:page', array('type' => $type));
|
||||
}
|
||||
|
||||
// sanitize the input
|
||||
$restartURL = SimpleSAML_Utilities::getURLFromStateID($id);
|
||||
if (!is_null($restartURL)) {
|
||||
SimpleSAML_Utilities::checkURLAllowed($restartURL);
|
||||
}
|
||||
|
||||
$state = SimpleSAML_Auth_State::loadState($id, 'core:Logout-IFrame');
|
||||
$idp = SimpleSAML_IdP::getByState($state);
|
||||
|
||||
|
|
|
|||
|
|
@ -5,6 +5,12 @@ if (!isset($_REQUEST['id'])) {
|
|||
}
|
||||
$id = (string)$_REQUEST['id'];
|
||||
|
||||
// sanitize the input
|
||||
$restartURL = SimpleSAML_Utilities::getURLFromStateID($id);
|
||||
if (!is_null($restartURL)) {
|
||||
SimpleSAML_Utilities::checkURLAllowed($restartURL);
|
||||
}
|
||||
|
||||
$state = SimpleSAML_Auth_State::loadState($id, 'core:Logout:afterbridge');
|
||||
$idp = SimpleSAML_IdP::getByState($state);
|
||||
|
||||
|
|
|
|||
|
|
@ -6,9 +6,8 @@
|
|||
if (!array_key_exists('ReturnTo', $_REQUEST)) {
|
||||
throw new SimpleSAML_Error_BadRequest('Missing ReturnTo parameter.');
|
||||
}
|
||||
$returnTo = $_REQUEST['ReturnTo'];
|
||||
|
||||
SimpleSAML_Utilities::requireAdmin();
|
||||
|
||||
SimpleSAML_Utilities::redirectUntrustedURL($returnTo);
|
||||
SimpleSAML_Utilities::redirectUntrustedURL($_REQUEST['ReturnTo']);
|
||||
|
||||
|
|
|
|||
|
|
@ -15,6 +15,12 @@ if (!array_key_exists('AuthState', $_REQUEST)) {
|
|||
}
|
||||
$authStateId = $_REQUEST['AuthState'];
|
||||
|
||||
// sanitize the input
|
||||
$restartURL = SimpleSAML_Utilities::getURLFromStateID($authStateId);
|
||||
if (!is_null($restartURL)) {
|
||||
SimpleSAML_Utilities::checkURLAllowed($restartURL);
|
||||
}
|
||||
|
||||
/* Retrieve the authentication state. */
|
||||
$state = SimpleSAML_Auth_State::loadState($authStateId, sspmod_core_Auth_UserPassBase::STAGEID);
|
||||
|
||||
|
|
|
|||
|
|
@ -15,6 +15,12 @@ if (!array_key_exists('AuthState', $_REQUEST)) {
|
|||
}
|
||||
$authStateId = $_REQUEST['AuthState'];
|
||||
|
||||
// sanitize the input
|
||||
$restartURL = SimpleSAML_Utilities::getURLFromStateID($authStateId);
|
||||
if (!is_null($restartURL)) {
|
||||
SimpleSAML_Utilities::checkURLAllowed($restartURL);
|
||||
}
|
||||
|
||||
/* Retrieve the authentication state. */
|
||||
$state = SimpleSAML_Auth_State::loadState($authStateId, sspmod_core_Auth_UserPassOrgBase::STAGEID);
|
||||
|
||||
|
|
|
|||
|
|
@ -12,6 +12,13 @@ if (!array_key_exists('StateId', $_REQUEST)) {
|
|||
}
|
||||
|
||||
$id = $_REQUEST['StateId'];
|
||||
|
||||
// sanitize the input
|
||||
$restartURL = SimpleSAML_Utilities::getURLFromStateID($id);
|
||||
if (!is_null($restartURL)) {
|
||||
SimpleSAML_Utilities::checkURLAllowed($restartURL);
|
||||
}
|
||||
|
||||
$state = SimpleSAML_Auth_State::loadState($id, 'core:short_sso_interval');
|
||||
|
||||
if (array_key_exists('continue', $_REQUEST)) {
|
||||
|
|
|
|||
|
|
@ -203,7 +203,7 @@ class sspmod_discopower_PowerIdPDisco extends SimpleSAML_XHTML_IdPDisco {
|
|||
|
||||
} else {
|
||||
$this->log('Choice made [' . $idp . '] (Redirecting the user back. returnIDParam=' . $this->returnIdParam . ')');
|
||||
SimpleSAML_Utilities::redirectUntrustedURL($this->returnURL, array($this->returnIdParam => $idp));
|
||||
SimpleSAML_Utilities::redirectTrustedURL($this->returnURL, array($this->returnIdParam => $idp));
|
||||
}
|
||||
|
||||
return;
|
||||
|
|
@ -211,7 +211,7 @@ class sspmod_discopower_PowerIdPDisco extends SimpleSAML_XHTML_IdPDisco {
|
|||
|
||||
if ($this->isPassive) {
|
||||
$this->log('Choice not made. (Redirecting the user back without answer)');
|
||||
SimpleSAML_Utilities::redirectUntrustedURL($this->returnURL);
|
||||
SimpleSAML_Utilities::redirectTrustedURL($this->returnURL);
|
||||
return;
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -186,6 +186,12 @@ class sspmod_exampleauth_Auth_Source_External extends SimpleSAML_Auth_Source {
|
|||
}
|
||||
$stateId = (string)$_REQUEST['State'];
|
||||
|
||||
// sanitize the input
|
||||
$restartURL = SimpleSAML_Utilities::getURLFromStateID($stateId);
|
||||
if (!is_null($restartURL)) {
|
||||
SimpleSAML_Utilities::checkURLAllowed($restartURL);
|
||||
}
|
||||
|
||||
/*
|
||||
* Once again, note the second parameter to the loadState function. This must
|
||||
* match the string we used in the saveState-call above.
|
||||
|
|
|
|||
|
|
@ -14,7 +14,7 @@ if (!isset($_REQUEST['ReturnTo'])) {
|
|||
die('Missing ReturnTo parameter.');
|
||||
}
|
||||
|
||||
$returnTo = $_REQUEST['ReturnTo'];
|
||||
$returnTo = SimpleSAML_Utilities::checkURLAllowed($_REQUEST['ReturnTo']);
|
||||
|
||||
|
||||
/*
|
||||
|
|
@ -31,6 +31,13 @@ if (!preg_match('@State=(.*)@', $returnTo, $matches)) {
|
|||
die('Invalid ReturnTo URL for this example.');
|
||||
}
|
||||
$stateId = urldecode($matches[1]);
|
||||
|
||||
// sanitize the input
|
||||
$restartURL = SimpleSAML_Utilities::getURLFromStateID($stateId);
|
||||
if (!is_null($restartURL)) {
|
||||
SimpleSAML_Utilities::checkURLAllowed($restartURL);
|
||||
}
|
||||
|
||||
SimpleSAML_Auth_State::loadState($stateId, 'exampleauth:External');
|
||||
|
||||
/*
|
||||
|
|
@ -87,8 +94,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') {
|
|||
$_SESSION['mail'] = $user['mail'];
|
||||
$_SESSION['type'] = $user['type'];
|
||||
|
||||
header('Location: ' . $returnTo);
|
||||
exit();
|
||||
SimpleSAML_Utilities::redirectTrustedURL($returnTo);
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -13,6 +13,13 @@ if (!array_key_exists('StateId', $_REQUEST)) {
|
|||
}
|
||||
|
||||
$id = $_REQUEST['StateId'];
|
||||
|
||||
// sanitize the input
|
||||
$restartURL = SimpleSAML_Utilities::getURLFromStateID($id);
|
||||
if (!is_null($restartURL)) {
|
||||
SimpleSAML_Utilities::checkURLAllowed($restartURL);
|
||||
}
|
||||
|
||||
$state = SimpleSAML_Auth_State::loadState($id, 'exampleauth:redirectfilter-test');
|
||||
|
||||
$state['Attributes']['RedirectTest2'] = array('OK');
|
||||
|
|
|
|||
|
|
@ -14,6 +14,13 @@ if (!array_key_exists('StateId', $_REQUEST)) {
|
|||
}
|
||||
|
||||
$id = $_REQUEST['StateId'];
|
||||
|
||||
// sanitize the input
|
||||
$restartURL = SimpleSAML_Utilities::getURLFromStateID($id);
|
||||
if (!is_null($restartURL)) {
|
||||
SimpleSAML_Utilities::checkURLAllowed($restartURL);
|
||||
}
|
||||
|
||||
$state = SimpleSAML_Auth_State::loadState($id, 'expirywarning:about2expire');
|
||||
|
||||
|
||||
|
|
|
|||
|
|
@ -14,6 +14,13 @@ if (!array_key_exists('StateId', $_REQUEST)) {
|
|||
}
|
||||
|
||||
$id = $_REQUEST['StateId'];
|
||||
|
||||
// sanitize the input
|
||||
$restartURL = SimpleSAML_Utilities::getURLFromStateID($id);
|
||||
if (!is_null($restartURL)) {
|
||||
SimpleSAML_Utilities::checkURLAllowed($restartURL);
|
||||
}
|
||||
|
||||
$state = SimpleSAML_Auth_State::loadState($id, 'expirywarning:expired');
|
||||
|
||||
$globalConfig = SimpleSAML_Configuration::getInstance();
|
||||
|
|
|
|||
|
|
@ -16,6 +16,12 @@ if (!array_key_exists('AuthState', $_REQUEST)) {
|
|||
}
|
||||
$authStateId = $_REQUEST['AuthState'];
|
||||
|
||||
// sanitize the input
|
||||
$restartURL = SimpleSAML_Utilities::getURLFromStateID($authStateId);
|
||||
if (!is_null($restartURL)) {
|
||||
SimpleSAML_Utilities::checkURLAllowed($restartURL);
|
||||
}
|
||||
|
||||
/* Retrieve the authentication state. */
|
||||
$state = SimpleSAML_Auth_State::loadState($authStateId, sspmod_multiauth_Auth_Source_MultiAuth::STAGEID);
|
||||
|
||||
|
|
|
|||
|
|
@ -10,6 +10,13 @@
|
|||
*/
|
||||
|
||||
$authStateId = $_REQUEST['AuthState'];
|
||||
|
||||
// sanitize the input
|
||||
$restartURL = SimpleSAML_Utilities::getURLFromStateID($authStateId);
|
||||
if (!is_null($restartURL)) {
|
||||
SimpleSAML_Utilities::checkURLAllowed($restartURL);
|
||||
}
|
||||
|
||||
$state = SimpleSAML_Auth_State::loadState($authStateId, sspmod_negotiate_Auth_Source_Negotiate::STAGEID);
|
||||
SimpleSAML_Logger::debug('backend - fallback: '.$state['LogoutState']['negotiate:backend']);
|
||||
|
||||
|
|
|
|||
|
|
@ -10,6 +10,13 @@
|
|||
*/
|
||||
|
||||
$authStateId = $_REQUEST['AuthState'];
|
||||
|
||||
// sanitize the input
|
||||
$restartURL = SimpleSAML_Utilities::getURLFromStateID($authStateId);
|
||||
if (!is_null($restartURL)) {
|
||||
SimpleSAML_Utilities::checkURLAllowed($restartURL);
|
||||
}
|
||||
|
||||
$state = SimpleSAML_Auth_State::loadState($authStateId, sspmod_negotiate_Auth_Source_Negotiate::STAGEID);
|
||||
|
||||
$metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
|
||||
|
|
|
|||
|
|
@ -56,7 +56,7 @@ try {
|
|||
|
||||
if ($url) {
|
||||
// If authorize() returns a URL, take user there (oauth1.0a)
|
||||
SimpleSAML_Utilities::redirectUntrustedURL($url);
|
||||
SimpleSAML_Utilities::redirectTrustedURL($url);
|
||||
}
|
||||
else if (isset($_REQUEST['oauth_callback'])) {
|
||||
// If callback was provided in the request (oauth1.0)
|
||||
|
|
|
|||
|
|
@ -6,6 +6,13 @@ if (!array_key_exists('AuthState', $_REQUEST) || empty($_REQUEST['AuthState']))
|
|||
}
|
||||
|
||||
$authState = $_REQUEST['AuthState'];
|
||||
|
||||
// sanitize the input
|
||||
$restartURL = SimpleSAML_Utilities::getURLFromStateID($authState);
|
||||
if (!is_null($restartURL)) {
|
||||
SimpleSAML_Utilities::checkURLAllowed($restartURL);
|
||||
}
|
||||
|
||||
$state = SimpleSAML_Auth_State::loadState($authState, 'openid:init');
|
||||
$sourceId = $state['openid:AuthId'];
|
||||
$authSource = SimpleSAML_Auth_Source::getById($sourceId);
|
||||
|
|
|
|||
|
|
@ -6,6 +6,13 @@ if (!array_key_exists('AuthState', $_REQUEST) || empty($_REQUEST['AuthState']))
|
|||
}
|
||||
|
||||
$authState = $_REQUEST['AuthState'];
|
||||
|
||||
// sanitize the input
|
||||
$restartURL = SimpleSAML_Utilities::getURLFromStateID($authState);
|
||||
if (!is_null($restartURL)) {
|
||||
SimpleSAML_Utilities::checkURLAllowed($restartURL);
|
||||
}
|
||||
|
||||
$state = SimpleSAML_Auth_State::loadState($authState, 'openid:auth');
|
||||
$sourceId = $state['openid:AuthId'];
|
||||
$authSource = SimpleSAML_Auth_Source::getById($sourceId);
|
||||
|
|
|
|||
|
|
@ -329,6 +329,12 @@ class sspmod_openidProvider_Server {
|
|||
public function loadState($stateId) {
|
||||
assert('is_string($stateId)');
|
||||
|
||||
// sanitize the input
|
||||
$restartURL = SimpleSAML_Utilities::getURLFromStateID($stateId);
|
||||
if (!is_null($restartURL)) {
|
||||
SimpleSAML_Utilities::checkURLAllowed($restartURL);
|
||||
}
|
||||
|
||||
return SimpleSAML_Auth_State::loadState($stateId, 'openidProvider:resumeState');
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -115,6 +115,13 @@ class sspmod_papi_Auth_Source_PAPI extends SimpleSAML_Auth_Source {
|
|||
if (isset($_REQUEST['SSPStateID'])) {
|
||||
// yes! restore original request
|
||||
$this->_stateId = (string)$_REQUEST['SSPStateID'];
|
||||
|
||||
// sanitize the input
|
||||
$restartURL = SimpleSAML_Utilities::getURLFromStateID($this->_stateId);
|
||||
if (!is_null($restartURL)) {
|
||||
SimpleSAML_Utilities::checkURLAllowed($restartURL);
|
||||
}
|
||||
|
||||
$state = SimpleSAML_Auth_State::loadState($this->_stateId, self::STAGE_INIT);
|
||||
} else if (!$this->_poa->isAuthenticated()) {
|
||||
// no! we have to save the request
|
||||
|
|
@ -161,6 +168,13 @@ class sspmod_papi_Auth_Source_PAPI extends SimpleSAML_Auth_Source {
|
|||
$this->_poa->logout(true);
|
||||
} else if (isset($_REQUEST['SSPStateID'])) {
|
||||
$this->_stateId = (string)$_REQUEST['SSPStateID'];
|
||||
|
||||
// sanitize the input
|
||||
$restartURL = SimpleSAML_Utilities::getURLFromStateID($this->_stateId);
|
||||
if (!is_null($restartURL)) {
|
||||
SimpleSAML_Utilities::checkURLAllowed($restartURL);
|
||||
}
|
||||
|
||||
$state = SimpleSAML_Auth_State::loadState($this->_stateId, self::STAGE_INIT);
|
||||
} else {
|
||||
return;
|
||||
|
|
|
|||
|
|
@ -15,6 +15,13 @@ if (!array_key_exists('StateId', $_REQUEST)) {
|
|||
}
|
||||
|
||||
$id = $_REQUEST['StateId'];
|
||||
|
||||
// sanitize the input
|
||||
$restartURL = SimpleSAML_Utilities::getURLFromStateID($id);
|
||||
if (!is_null($restartURL)) {
|
||||
SimpleSAML_Utilities::checkURLAllowed($restartURL);
|
||||
}
|
||||
|
||||
$state = SimpleSAML_Auth_State::loadState($id, 'warning:request');
|
||||
|
||||
|
||||
|
|
|
|||
|
|
@ -12,7 +12,15 @@ if (!array_key_exists('idpentityid', $_REQUEST)) {
|
|||
throw new SimpleSAML_Error_BadRequest('Missing idpentityid to discovery service response handler');
|
||||
}
|
||||
|
||||
$state = SimpleSAML_Auth_State::loadState($_REQUEST['AuthID'], 'saml:sp:sso');
|
||||
$stateID = $_REQUEST['AuthID'];
|
||||
|
||||
// sanitize the input
|
||||
$restartURL = SimpleSAML_Utilities::getURLFromStateID($stateID);
|
||||
if (!is_null($restartURL)) {
|
||||
SimpleSAML_Utilities::checkURLAllowed($restartURL);
|
||||
}
|
||||
|
||||
$state = SimpleSAML_Auth_State::loadState($stateID, 'saml:sp:sso');
|
||||
|
||||
/* Find authentication source. */
|
||||
assert('array_key_exists("saml:sp:AuthId", $state)');
|
||||
|
|
|
|||
|
|
@ -19,17 +19,25 @@ $source = SimpleSAML_Auth_Source::getById($sourceId, 'sspmod_saml_Auth_Source_SP
|
|||
|
||||
SimpleSAML_Logger::debug('Received SAML1 response');
|
||||
|
||||
|
||||
$target = (string)$_REQUEST['TARGET'];
|
||||
|
||||
if (preg_match('@^https?://@i', $target)) {
|
||||
/* Unsolicited response. */
|
||||
$state = array(
|
||||
'saml:sp:isUnsolicited' => TRUE,
|
||||
'saml:sp:AuthId' => $sourceId,
|
||||
'saml:sp:RelayState' => $target,
|
||||
'saml:sp:RelayState' => SimpleSAML_Utilities::checkURLAllowed($target),
|
||||
);
|
||||
} else {
|
||||
$state = SimpleSAML_Auth_State::loadState($_REQUEST['TARGET'], 'saml:sp:sso');
|
||||
$stateID = $_REQUEST['TARGET'];
|
||||
|
||||
// sanitize the input
|
||||
$restartURL = SimpleSAML_Utilities::getURLFromStateID($stateID);
|
||||
if (!is_null($restartURL)) {
|
||||
SimpleSAML_Utilities::checkURLAllowed($restartURL);
|
||||
}
|
||||
|
||||
$state = SimpleSAML_Auth_State::loadState($stateID, 'saml:sp:sso');
|
||||
|
||||
/* Check that the authentication source is correct. */
|
||||
assert('array_key_exists("saml:sp:AuthId", $state)');
|
||||
|
|
@ -80,4 +88,4 @@ $state['LogoutState'] = $logoutState;
|
|||
$source->handleResponse($state, $responseIssuer, $attributes);
|
||||
assert('FALSE');
|
||||
|
||||
?>
|
||||
?>
|
||||
|
|
|
|||
|
|
@ -52,6 +52,13 @@ $idpMetadata = array();
|
|||
|
||||
$stateId = $response->getInResponseTo();
|
||||
if (!empty($stateId)) {
|
||||
|
||||
// sanitize the input
|
||||
$restartURL = SimpleSAML_Utilities::getURLFromStateID($stateId);
|
||||
if (!is_null($restartURL)) {
|
||||
SimpleSAML_Utilities::checkURLAllowed($restartURL);
|
||||
}
|
||||
|
||||
/* This is a response to a request we sent earlier. */
|
||||
$state = SimpleSAML_Auth_State::loadState($stateId, 'saml:sp:sso');
|
||||
|
||||
|
|
@ -75,7 +82,7 @@ if (!empty($stateId)) {
|
|||
$state = array(
|
||||
'saml:sp:isUnsolicited' => TRUE,
|
||||
'saml:sp:AuthId' => $sourceId,
|
||||
'saml:sp:RelayState' => $response->getRelayState(),
|
||||
'saml:sp:RelayState' => SimpleSAML_Utilities::checkURLAllowed($response->getRelayState()),
|
||||
);
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -54,6 +54,12 @@ if ($message instanceof SAML2_LogoutResponse) {
|
|||
SimpleSAML_Logger::warning('Unsuccessful logout. Status was: ' . sspmod_saml_Message::getResponseError($message));
|
||||
}
|
||||
|
||||
// sanitize the input
|
||||
$restartURL = SimpleSAML_Utilities::getURLFromStateID($relayState);
|
||||
if (!is_null($restartURL)) {
|
||||
SimpleSAML_Utilities::checkURLAllowed($restartURL);
|
||||
}
|
||||
|
||||
$state = SimpleSAML_Auth_State::loadState($relayState, 'saml:slosent');
|
||||
$state['saml:sp:LogoutStatus'] = $message->getStatus();
|
||||
SimpleSAML_Auth_Source::completeLogout($state);
|
||||
|
|
|
|||
|
|
@ -20,7 +20,7 @@ if (!array_key_exists('RelayState', $_REQUEST)) {
|
|||
throw new SimpleSAML_Error_Error('NORELAYSTATE');
|
||||
}
|
||||
|
||||
$relaystate = $_REQUEST['RelayState'];
|
||||
$relaystate = SimpleSAML_Utilities::checkURLAllowed($_REQUEST['RelayState']);
|
||||
|
||||
$correctpassword = $config->getString('auth.adminpassword', '123');
|
||||
|
||||
|
|
@ -59,7 +59,7 @@ if (isset($_POST['password'])) {
|
|||
else
|
||||
SimpleSAML_Logger::stats('AUTH-login-admin OK');
|
||||
|
||||
SimpleSAML_Utilities::redirectUntrustedURL($relaystate);
|
||||
SimpleSAML_Utilities::redirectTrustedURL($relaystate);
|
||||
exit(0);
|
||||
} else {
|
||||
SimpleSAML_Logger::stats('AUTH-login-admin Failed');
|
||||
|
|
@ -82,6 +82,3 @@ if (isset($error)) {
|
|||
}
|
||||
|
||||
$t->show();
|
||||
|
||||
|
||||
?>
|
||||
|
|
|
|||
|
|
@ -30,8 +30,6 @@ try {
|
|||
|
||||
$casconfig = $casldapconfig[$idpentityid]['cas'];
|
||||
$ldapconfig = $casldapconfig[$idpentityid]['ldap'];
|
||||
|
||||
|
||||
} catch (Exception $exception) {
|
||||
throw new SimpleSAML_Error_Error('METADATA', $exception);
|
||||
}
|
||||
|
|
@ -44,8 +42,6 @@ if (!array_key_exists('RelayState', $_REQUEST)) {
|
|||
throw new SimpleSAML_Error_Error('NORELAYSTATE');
|
||||
}
|
||||
|
||||
|
||||
|
||||
function casValidate($cas) {
|
||||
|
||||
$service = SimpleSAML_Utilities::selfURL();
|
||||
|
|
@ -110,12 +106,7 @@ function casValidate($cas) {
|
|||
}
|
||||
}
|
||||
|
||||
|
||||
|
||||
try {
|
||||
|
||||
$relaystate = $_REQUEST['RelayState'];
|
||||
|
||||
list($username, $casattributes) = casValidate($casconfig);
|
||||
|
||||
SimpleSAML_Logger::info('AUTH - cas-ldap: '. $username . ' authenticated by ' . $casconfig['validate']);
|
||||
|
|
@ -132,11 +123,9 @@ try {
|
|||
$session->setNameID(array(
|
||||
'value' => SimpleSAML_Utilities::generateID(),
|
||||
'Format' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'));
|
||||
SimpleSAML_Utilities::redirectUntrustedURL($relaystate);
|
||||
|
||||
SimpleSAML_Utilities::redirectUntrustedURL($_REQUEST['RelayState']);
|
||||
|
||||
} catch(Exception $exception) {
|
||||
throw new SimpleSAML_Error_Error('CASERROR', $exception);
|
||||
}
|
||||
|
||||
|
||||
?>
|
||||
|
|
@ -10,7 +10,6 @@ $session = SimpleSAML_Session::getInstance();
|
|||
$ldapconfigfile = $config->getBaseDir() . 'config/ldapmulti.php';
|
||||
require_once($ldapconfigfile);
|
||||
|
||||
|
||||
SimpleSAML_Logger::info('AUTH - ldap-multi: Accessing auth endpoint login-ldapmulti');
|
||||
|
||||
$error = null;
|
||||
|
|
@ -23,6 +22,8 @@ if (!array_key_exists('RelayState', $_REQUEST)) {
|
|||
throw new SimpleSAML_Error_Error('NORELAYSTATE');
|
||||
}
|
||||
|
||||
$relaystate = SimpleSAML_Utilities::checkURLAllowed($_REQUEST['RelayState']);
|
||||
|
||||
if (isset($_POST['username'])) {
|
||||
|
||||
try {
|
||||
|
|
@ -50,8 +51,7 @@ if (isset($_POST['username'])) {
|
|||
$attributes = $ldap->getAttributes($dn, $ldapconfig['attributes']);
|
||||
|
||||
SimpleSAML_Logger::info('AUTH - ldap-multi: '. $_POST['username'] . ' successfully authenticated');
|
||||
|
||||
|
||||
|
||||
$session->doLogin('login-ldapmulti');
|
||||
$session->setAttributes($attributes);
|
||||
|
||||
|
|
@ -64,19 +64,16 @@ if (isset($_POST['username'])) {
|
|||
* Also log a specific attribute as set in the config: statistics.authlogattr
|
||||
*/
|
||||
$authlogattr = $config->getValue('statistics.authlogattr', null);
|
||||
if ($authlogattr && array_key_exists($authlogattr, $attributes))
|
||||
if ($authlogattr && array_key_exists($authlogattr, $attributes)) {
|
||||
SimpleSAML_Logger::stats('AUTH-login-ldapmulti OK ' . $attributes[$authlogattr][0]);
|
||||
else
|
||||
} else {
|
||||
SimpleSAML_Logger::stats('AUTH-login-ldapmulti OK');
|
||||
|
||||
|
||||
$returnto = $_REQUEST['RelayState'];
|
||||
SimpleSAML_Utilities::redirectUntrustedURL($returnto);
|
||||
}
|
||||
|
||||
SimpleSAML_Utilities::redirectTrustedURL($relaystate);
|
||||
|
||||
} catch (Exception $e) {
|
||||
|
||||
$error = $e->getMessage();
|
||||
|
||||
}
|
||||
}
|
||||
|
||||
|
|
@ -84,7 +81,7 @@ if (isset($_POST['username'])) {
|
|||
$t = new SimpleSAML_XHTML_Template($config, 'login-ldapmulti.php', 'login');
|
||||
|
||||
$t->data['header'] = 'simpleSAMLphp: Enter username and password';
|
||||
$t->data['relaystate'] = $_REQUEST['RelayState'];
|
||||
$t->data['relaystate'] = $relaystate;
|
||||
$t->data['ldapconfig'] = $ldapmulti;
|
||||
$t->data['org'] = $_REQUEST['org'];
|
||||
$t->data['error'] = $error;
|
||||
|
|
|
|||
|
|
@ -19,6 +19,8 @@ if (!array_key_exists('RelayState', $_REQUEST)) {
|
|||
throw new SimpleSAML_Error_Error('NORELAYSTATE');
|
||||
}
|
||||
|
||||
$relaystate = SimpleSAML_Utilities::checkURLAllowed($_REQUEST['RelayState']);
|
||||
|
||||
if (isset($_POST['username'])) {
|
||||
|
||||
|
||||
|
|
@ -97,21 +99,18 @@ if (isset($_POST['username'])) {
|
|||
'value' => SimpleSAML_Utilities::generateID(),
|
||||
'Format' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'));
|
||||
|
||||
|
||||
/**
|
||||
* Create a statistics log entry for every successfull login attempt.
|
||||
* Also log a specific attribute as set in the config: statistics.authlogattr
|
||||
*/
|
||||
$authlogattr = $config->getValue('statistics.authlogattr', null);
|
||||
if ($authlogattr && array_key_exists($authlogattr, $attributes))
|
||||
if ($authlogattr && array_key_exists($authlogattr, $attributes)) {
|
||||
SimpleSAML_Logger::stats('AUTH-login-radius OK ' . $attributes[$authlogattr][0]);
|
||||
else
|
||||
} else {
|
||||
SimpleSAML_Logger::stats('AUTH-login-radius OK');
|
||||
}
|
||||
|
||||
|
||||
$returnto = $_REQUEST['RelayState'];
|
||||
SimpleSAML_Utilities::redirectUntrustedURL($returnto);
|
||||
|
||||
SimpleSAML_Utilities::redirectTrustedURL($relaystate);
|
||||
|
||||
case RADIUS_ACCESS_REJECT:
|
||||
|
||||
|
|
@ -125,13 +124,10 @@ if (isset($_POST['username'])) {
|
|||
default:
|
||||
SimpleSAML_Logger::critical('AUTH -radius: General radius error: ' . radius_strerror($radius));
|
||||
throw new Exception('Error during radius authentication: ' . radius_strerror($radius));
|
||||
|
||||
}
|
||||
|
||||
} catch (Exception $e) {
|
||||
|
||||
$error = $e->getMessage();
|
||||
|
||||
}
|
||||
}
|
||||
|
||||
|
|
@ -139,13 +135,10 @@ if (isset($_POST['username'])) {
|
|||
$t = new SimpleSAML_XHTML_Template($config, 'login.php', 'login');
|
||||
|
||||
$t->data['header'] = 'simpleSAMLphp: Enter username and password';
|
||||
$t->data['relaystate'] = $_REQUEST['RelayState'];
|
||||
$t->data['relaystate'] = $relaystate;
|
||||
$t->data['error'] = $error;
|
||||
if (isset($error)) {
|
||||
$t->data['username'] = $_POST['username'];
|
||||
}
|
||||
|
||||
$t->show();
|
||||
|
||||
|
||||
?>
|
||||
|
|
|
|||
|
|
@ -23,9 +23,6 @@ if (!array_key_exists('RelayState', $_REQUEST)) {
|
|||
throw new SimpleSAML_Error_Error('NORELAYSTATE');
|
||||
}
|
||||
|
||||
$relaystate = $_REQUEST['RelayState'];
|
||||
|
||||
|
||||
try {
|
||||
|
||||
$attributes = array();
|
||||
|
|
@ -55,21 +52,21 @@ try {
|
|||
|
||||
$session->setNameID(array(
|
||||
'value' => SimpleSAML_Utilities::generateID(),
|
||||
'Format' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'));
|
||||
'Format' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient')
|
||||
);
|
||||
|
||||
/**
|
||||
* Create a statistics log entry for every successfull login attempt.
|
||||
* Also log a specific attribute as set in the config: statistics.authlogattr
|
||||
*/
|
||||
$authlogattr = $config->getValue('statistics.authlogattr', null);
|
||||
if ($authlogattr && array_key_exists($authlogattr, $attributes))
|
||||
if ($authlogattr && array_key_exists($authlogattr, $attributes)) {
|
||||
SimpleSAML_Logger::stats('AUTH-tlsclient OK ' . $attributes[$authlogattr][0]);
|
||||
else
|
||||
} else {
|
||||
SimpleSAML_Logger::stats('AUTH-tlsclient OK');
|
||||
|
||||
}
|
||||
|
||||
$returnto = $_REQUEST['RelayState'];
|
||||
SimpleSAML_Utilities::redirectUntrustedURL($returnto);
|
||||
SimpleSAML_Utilities::redirectUntrustedURL($_REQUEST['RelayState']);
|
||||
|
||||
|
||||
} catch (Exception $e) {
|
||||
|
|
|
|||
|
|
@ -42,7 +42,7 @@ if (!array_key_exists('RelayState', $_REQUEST)) {
|
|||
throw new SimpleSAML_Error_Error('NORELAYSTATE');
|
||||
}
|
||||
|
||||
$relaystate = $_REQUEST['RelayState'];
|
||||
$relaystate = SimpleSAML_Utilities::checkURLAllowed($_REQUEST['RelayState']);
|
||||
|
||||
if ($username = $_POST['username']) {
|
||||
try {
|
||||
|
|
@ -59,7 +59,7 @@ if ($username = $_POST['username']) {
|
|||
$session->setNameID(array(
|
||||
'value' => SimpleSAML_Utilities::generateID(),
|
||||
'Format' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'));
|
||||
SimpleSAML_Utilities::redirectUntrustedURL($relaystate);
|
||||
SimpleSAML_Utilities::redirectTrustedURL($relaystate);
|
||||
}
|
||||
} catch(Exception $e) {
|
||||
throw new SimpleSAML_Error_Error('LDAPERROR', $e);
|
||||
|
|
|
|||
|
|
@ -18,7 +18,7 @@ $idpEntityId = $metadata->getMetaDataCurrentEntityID('saml20-idp-hosted');
|
|||
$idp = SimpleSAML_IdP::getById('saml2:' . $idpEntityId);
|
||||
|
||||
if (isset($_REQUEST['ReturnTo'])) {
|
||||
$idp->doLogoutRedirect((string)$_REQUEST['ReturnTo']);
|
||||
$idp->doLogoutRedirect(SimpleSAML_Utilities::checkURLAllowed((string)$_REQUEST['ReturnTo']));
|
||||
} else {
|
||||
sspmod_saml_IdP_SAML2::receiveLogoutMessage($idp);
|
||||
}
|
||||
|
|
|
|||
|
|
@ -16,5 +16,5 @@ if (!isset($_REQUEST['RelayState'])) {
|
|||
throw new SimpleSAML_Error_BadRequest('Missing required RelayState parameter.');
|
||||
}
|
||||
|
||||
$idp->doLogoutRedirect((string)$_REQUEST['RelayState']);
|
||||
$idp->doLogoutRedirect(SimpleSAML_Utilities::checkURLAllowed((string)$_REQUEST['RelayState']));
|
||||
assert('FALSE');
|
||||
|
|
|
|||
|
|
@ -11,6 +11,5 @@ if (!isset($_GET['RelayState'])) {
|
|||
throw new SimpleSAML_Error_Error('NORELAYSTATE');
|
||||
}
|
||||
|
||||
$returnTo = (string)$_GET['RelayState'];
|
||||
$idp->doLogoutRedirect($returnTo);
|
||||
$idp->doLogoutRedirect(SimpleSAML_Utilities::checkURLAllowed((string)$_GET['RelayState']));
|
||||
assert('FALSE');
|
||||
|
|
@ -47,7 +47,7 @@ function finishLogin($authProcState) {
|
|||
global $session;
|
||||
$session->doLogin('saml2', $authData);
|
||||
|
||||
SimpleSAML_Utilities::redirectUntrustedURL($authProcState['core:saml20-sp:TargetURL']);
|
||||
SimpleSAML_Utilities::redirectTrustedURL($authProcState['core:saml20-sp:TargetURL']);
|
||||
}
|
||||
|
||||
SimpleSAML_Logger::info('SAML2.0 - SP.AssertionConsumerService: Accessing SAML 2.0 SP endpoint AssertionConsumerService');
|
||||
|
|
@ -59,6 +59,13 @@ if (array_key_exists(SimpleSAML_Auth_ProcessingChain::AUTHPARAM, $_REQUEST)) {
|
|||
/* We have returned from the authentication processing filters. */
|
||||
|
||||
$authProcId = $_REQUEST[SimpleSAML_Auth_ProcessingChain::AUTHPARAM];
|
||||
|
||||
// sanitize the input
|
||||
$restartURL = SimpleSAML_Utilities::getURLFromStateID($authProcId);
|
||||
if (!is_null($restartURL)) {
|
||||
SimpleSAML_Utilities::checkURLAllowed($restartURL);
|
||||
}
|
||||
|
||||
$authProcState = SimpleSAML_Auth_ProcessingChain::fetchProcessedState($authProcId);
|
||||
finishLogin($authProcState);
|
||||
}
|
||||
|
|
@ -93,7 +100,7 @@ try {
|
|||
if($info === NULL) {
|
||||
/* Fall back to RelayState. */
|
||||
$info = array();
|
||||
$info['RelayState'] = $response->getRelayState();
|
||||
$info['RelayState'] = SimpleSAML_Utilities::checkURLAllowed($response->getRelayState());
|
||||
if(empty($info['RelayState'])) {
|
||||
$info['RelayState'] = $spMetadata->getString('RelayState', NULL);
|
||||
}
|
||||
|
|
|
|||
|
|
@ -83,12 +83,14 @@ if ($message instanceof SAML2_LogoutRequest) {
|
|||
$id = $message->getInResponseTo();
|
||||
}
|
||||
|
||||
// 'spLogoutReturnTo' is checked before storing it in the
|
||||
// session, so we trust it here.
|
||||
$returnTo = $session->getData('spLogoutReturnTo', $id);
|
||||
if (empty($returnTo)) {
|
||||
throw new SimpleSAML_Error_Error('LOGOUTINFOLOST');
|
||||
}
|
||||
|
||||
SimpleSAML_Utilities::redirectUntrustedURL($returnTo);
|
||||
SimpleSAML_Utilities::redirectTrustedURL($returnTo);
|
||||
|
||||
} else {
|
||||
throw new SimpleSAML_Error_Error('SLOSERVICEPARAMS');
|
||||
|
|
|
|||
|
|
@ -13,7 +13,7 @@ if (!$config->getBoolean('enable.saml20-sp', TRUE))
|
|||
|
||||
|
||||
if (isset($_REQUEST['RelayState'])) {
|
||||
$returnTo = $_REQUEST['RelayState'];
|
||||
$returnTo = SimpleSAML_Utilities::checkURLAllowed($_REQUEST['RelayState']);
|
||||
} else {
|
||||
throw new SimpleSAML_Error_Error('NORELAYSTATE');
|
||||
}
|
||||
|
|
@ -25,7 +25,7 @@ try {
|
|||
$idpEntityId = $session->getAuthData('saml2', 'saml:sp:IdP');
|
||||
if ($idpEntityId === NULL) {
|
||||
SimpleSAML_Logger::info('SAML2.0 - SP.initSLO: User not authenticated with an IdP.');
|
||||
SimpleSAML_Utilities::redirectUntrustedURL($returnTo);
|
||||
SimpleSAML_Utilities::redirectTrustedURL($returnTo);
|
||||
}
|
||||
$idpMetadata = $metadata->getMetaDataConfig($idpEntityId, 'saml20-idp-remote');
|
||||
$SLOendpoint = $idpMetadata->getEndpointPrioritizedByBinding('SingleLogoutService', array(
|
||||
|
|
@ -34,8 +34,8 @@ try {
|
|||
NULL);
|
||||
if ($SLOendpoint === NULL) {
|
||||
$session->doLogout('saml2');
|
||||
SimpleSAML_Logger::info('SAML2.0 - SP.initSLO: No supported SingleLogoutService endpoint in IdP.');
|
||||
SimpleSAML_Utilities::redirectUntrustedURL($returnTo);
|
||||
SimpleSAML_Logger::info('SAML2.0 - SP.initSLO: No SingleLogoutService endpoint supported in the IdP.');
|
||||
SimpleSAML_Utilities::redirectTrustedURL($returnTo);
|
||||
}
|
||||
|
||||
$spEntityId = isset($_GET['spentityid']) ? $_GET['spentityid'] : $metadata->getMetaDataCurrentEntityID();
|
||||
|
|
|
|||
|
|
@ -23,6 +23,7 @@ if (!$config->getBoolean('enable.saml20-sp', TRUE))
|
|||
if (empty($_GET['RelayState'])) {
|
||||
throw new SimpleSAML_Error_Error('NORELAYSTATE');
|
||||
}
|
||||
$returnTo = SimpleSAML_Utilities::checkURLAllowed($_GET['RelayState']);
|
||||
|
||||
$reachableIDPs = array();
|
||||
|
||||
|
|
@ -134,7 +135,7 @@ try {
|
|||
|
||||
$assertionConsumerServiceURL = $metadata->getGenerated('AssertionConsumerService', 'saml20-sp-hosted');
|
||||
$ar->setAssertionConsumerServiceURL($assertionConsumerServiceURL);
|
||||
$ar->setRelayState($_REQUEST['RelayState']);
|
||||
$ar->setRelayState($returnTo);
|
||||
|
||||
if ($isPassive) {
|
||||
$ar->setIsPassive(TRUE);
|
||||
|
|
@ -156,9 +157,9 @@ try {
|
|||
|
||||
/* Save request information. */
|
||||
$info = array();
|
||||
$info['RelayState'] = $_REQUEST['RelayState'];
|
||||
$info['RelayState'] = $returnTo;
|
||||
if(array_key_exists('OnError', $_REQUEST)) {
|
||||
$info['OnError'] = $_REQUEST['OnError'];
|
||||
$info['OnError'] = SimpleSAML_Utilities::checkURLAllowed($_REQUEST['OnError']);
|
||||
}
|
||||
$session->setData('SAML2:SP:SSO:Info', $ar->getId(), $info);
|
||||
|
||||
|
|
|
|||
|
|
@ -47,6 +47,13 @@ if (array_key_exists(SimpleSAML_Auth_ProcessingChain::AUTHPARAM, $_REQUEST)) {
|
|||
/* We have returned from the authentication processing filters. */
|
||||
|
||||
$authProcId = $_REQUEST[SimpleSAML_Auth_ProcessingChain::AUTHPARAM];
|
||||
|
||||
// sanitize the input
|
||||
$restartURL = SimpleSAML_Utilities::getURLFromStateID($authProcId);
|
||||
if (!is_null($restartURL)) {
|
||||
SimpleSAML_Utilities::checkURLAllowed($restartURL);
|
||||
}
|
||||
|
||||
$authProcState = SimpleSAML_Auth_ProcessingChain::fetchProcessedState($authProcId);
|
||||
finishLogin($authProcState);
|
||||
}
|
||||
|
|
@ -86,7 +93,7 @@ try {
|
|||
$authProcState = array(
|
||||
'core:shib13-sp:NameID' => $authnResponse->getNameID(),
|
||||
'core:shib13-sp:SessionIndex' => $authnResponse->getSessionIndex(),
|
||||
'core:shib13-sp:TargetURL' => $relayState,
|
||||
'core:shib13-sp:TargetURL' => SimpleSAML_Utilities::checkURLAllowed($relayState),
|
||||
'ReturnURL' => SimpleSAML_Utilities::selfURLNoQuery(),
|
||||
'Attributes' => $authnResponse->getAttributes(),
|
||||
'Destination' => $spmetadata,
|
||||
|
|
|
|||
|
|
@ -70,7 +70,7 @@ if (!isset($session) || !$session->isValid('shib13') ) {
|
|||
$ar = new SimpleSAML_XML_Shib13_AuthnRequest();
|
||||
$ar->setIssuer($spentityid);
|
||||
if(isset($_GET['RelayState']))
|
||||
$ar->setRelayState($_GET['RelayState']);
|
||||
$ar->setRelayState(SimpleSAML_Utilities::checkURLAllowed($_GET['RelayState']));
|
||||
|
||||
SimpleSAML_Logger::info('Shib1.3 - SP.initSSO: SP (' . $spentityid . ') is sending AuthNRequest to IdP (' . $idpentityid . ')');
|
||||
|
||||
|
|
|
|||
|
|
@ -13,7 +13,7 @@ if (!$config->getBoolean('enable.wsfed-sp', false))
|
|||
|
||||
|
||||
if (isset($_REQUEST['RelayState'])) {
|
||||
$returnTo = $_REQUEST['RelayState'];
|
||||
$returnTo = SimpleSAML_Utilities::checkURLAllowed($_REQUEST['RelayState']);
|
||||
} else {
|
||||
throw new SimpleSAML_Error_Error('NORELAYSTATE');
|
||||
}
|
||||
|
|
@ -53,7 +53,7 @@ if (isset($session) ) {
|
|||
} else {
|
||||
|
||||
SimpleSAML_Logger::info('WS-Fed - SP.initSLO: User is already logged out. Go back to relaystate');
|
||||
SimpleSAML_Utilities::redirectUntrustedURL($returnTo);
|
||||
SimpleSAML_Utilities::redirectTrustedURL($returnTo);
|
||||
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -46,7 +46,7 @@ if ($idpentityid == null) {
|
|||
}
|
||||
|
||||
try {
|
||||
$relaystate = $_GET['RelayState'];
|
||||
$relaystate = SimpleSAML_Utilities::checkURLAllowed($_GET['RelayState']);
|
||||
|
||||
$idpmeta = $metadata->getMetaData($idpentityid, 'wsfed-idp-remote');
|
||||
$spmeta = $metadata->getMetaData($spentityid, 'wsfed-sp-hosted');
|
||||
|
|
|
|||
Reference in New Issue