Fix for bug introduced in r3332.

git-svn-id: http://simplesamlphp.googlecode.com/svn/trunk@3336 44740490-163a-0410-bde0-09ae8108e29a
2014-01-28 00:24:41 +00:00 · 2014-01-28 00:24:41 +00:00 · 4522bf2864
parent 8da830870b
commit 4522bf2864
45 changed files with 147 additions and 143 deletions
--- a/lib/SimpleSAML/Auth/ProcessingChain.php
+++ b/lib/SimpleSAML/Auth/ProcessingChain.php
@ -306,7 +306,7 @@ class SimpleSAML_Auth_ProcessingChain {
 	 * SimpleSAML_Auth_ProcessingChain::AUTHPARAM request parameter. Please
 	 * make sure to sanitize it properly by calling the
 	 * SimpleSAML_Utilities::checkURLAllowed() function with the embedded
-	 * restart URL, if any. See also SimpleSAML_Utilities::getURLFromStateID().
+	 * restart URL, if any. See also SimpleSAML_Utilities::parseStateID().
 	 */
 	public static function fetchProcessedState($id) {
 		assert('is_string($id)');
--- a/lib/SimpleSAML/Auth/State.php
+++ b/lib/SimpleSAML/Auth/State.php
@ -211,10 +211,10 @@ class SimpleSAML_Auth_State {
 		assert('is_bool($allowMissing)');
 		SimpleSAML_Logger::debug('Loading state: ' . var_export($id, TRUE));

-		$restartURL = SimpleSAML_Utilities::getURLFromStateID($id);
+		$sid = SimpleSAML_Utilities::parseStateID($id);

 		$session = SimpleSAML_Session::getInstance();
-		$state = $session->getData('SimpleSAML_Auth_State', $id);
+		$state = $session->getData('SimpleSAML_Auth_State', $sid['id']);

 		if ($state === NULL) {
 			/* Could not find saved data. */
@ -222,11 +222,11 @@ class SimpleSAML_Auth_State {
 				return NULL;
 			}

-			if ($restartURL === NULL) {
+			if ($sid['url'] === NULL) {
 				throw new SimpleSAML_Error_NoState();
 			}

-			SimpleSAML_Utilities::redirectTrustedURL($restartURL);
+			SimpleSAML_Utilities::redirectTrustedURL($sid['url']);
 		}

 		$state = unserialize($state);
@ -246,11 +246,11 @@ class SimpleSAML_Auth_State {

 			SimpleSAML_Logger::warning($msg);

-			if ($restartURL === NULL) {
+			if ($sid['url'] === NULL) {
 				throw new Exception($msg);
 			}

-			SimpleSAML_Utilities::redirectTrustedURL($restartURL);
+			SimpleSAML_Utilities::redirectTrustedURL($sid['url']);
 		}

 		return $state;
--- a/lib/SimpleSAML/IdP/LogoutTraditional.php
+++ b/lib/SimpleSAML/IdP/LogoutTraditional.php
@ -77,9 +77,9 @@ class SimpleSAML_IdP_LogoutTraditional extends SimpleSAML_IdP_LogoutHandler {
 		}

 		// sanitize the input
-		$restartURL = SimpleSAML_Utilities::getURLFromStateID($relayState);
-		if (!is_null($restartURL)) {
-			SimpleSAML_Utilities::checkURLAllowed($restartURL);
+		$sid = SimpleSAML_Utilities::parseStateID($relayState);
+		if (!is_null($sid['url'])) {
+			SimpleSAML_Utilities::checkURLAllowed($sid['url']);
 		}

 		$state = SimpleSAML_Auth_State::loadState($relayState, 'core:LogoutTraditional');
--- a/lib/SimpleSAML/Utilities.php
+++ b/lib/SimpleSAML/Utilities.php
@ -345,19 +345,23 @@ class SimpleSAML_Utilities {


 	/**
-	 * Get a URL embedded in a StateID, in the form 'id:url'.
+	 * Get the ID and (optionally) a URL embedded in a StateID,
+	 * in the form 'id:url'.
 	 *
 	 * @param string $stateId The state ID to use.
-	 * @return string The embedded URL if found, NULL otherwise.
+	 * @return array A hashed array with the ID and the URL (if any),
+	 * in the 'id' and 'url' keys, respectively. If there's no URL
+	 * in the input parameter, NULL will be returned as the value for
+	 * the 'url' key.
 	 */
-	public static function getURLFromStateID($stateId) {
+	public static function parseStateID($stateId) {
 		$tmp = explode(':', $stateId, 2);
 		$id = $tmp[0];
 		$url = NULL;
 		if (count($tmp) === 2) {
 			$url = $tmp[1];
 		}
-		return $url;
+		return array('id' => $id, 'url' => $url);
 	}


--- a/modules/InfoCard/lib/Auth/Source/ICAuth.php
+++ b/modules/InfoCard/lib/Auth/Source/ICAuth.php
@ -69,9 +69,9 @@ class sspmod_InfoCard_Auth_Source_ICAuth extends SimpleSAML_Auth_Source {
 			}

 			// sanitize the input
-			$restartURL = SimpleSAML_Utilities::getURLFromStateID($authStateId);
-			if (!is_null($restartURL)) {
-				SimpleSAML_Utilities::checkURLAllowed($restartURL);
+			$sid = SimpleSAML_Utilities::parseStateID($authStateId);
+			if (!is_null($sid['url'])) {
+				SimpleSAML_Utilities::checkURLAllowed($sid['url']);
 			}

 			/* Retrieve the authentication state. */
--- a/modules/aselect/www/credentials.php
+++ b/modules/aselect/www/credentials.php
@ -13,9 +13,9 @@ function check_credentials() {
 	$id = $_REQUEST['ssp_state'];

 	// sanitize the input
-	$restartURL = SimpleSAML_Utilities::getURLFromStateID($id);
-	if (!is_null($restartURL)) {
-		SimpleSAML_Utilities::checkURLAllowed($restartURL);
+	$sid = SimpleSAML_Utilities::parseStateID($id);
+	if (!is_null($sid['url'])) {
+		SimpleSAML_Utilities::checkURLAllowed($sid['url']);
 	}

 	$state = SimpleSAML_Auth_State::loadState($id, 'aselect:login');
--- a/modules/authYubiKey/lib/Auth/Source/YubiKey.php
+++ b/modules/authYubiKey/lib/Auth/Source/YubiKey.php
@ -125,9 +125,9 @@ class sspmod_authYubiKey_Auth_Source_YubiKey extends SimpleSAML_Auth_Source {
 		assert('is_string($otp)');

 		// sanitize the input
-		$restartURL = SimpleSAML_Utilities::getURLFromStateID($authStateId);
-		if (!is_null($restartURL)) {
-			SimpleSAML_Utilities::checkURLAllowed($restartURL);
+		$sid = SimpleSAML_Utilities::parseStateID($authStateId);
+		if (!is_null($sid['url'])) {
+			SimpleSAML_Utilities::checkURLAllowed($sid['url']);
 		}

 		/* Retrieve the authentication state. */
--- a/modules/authfacebook/www/linkback.php
+++ b/modules/authfacebook/www/linkback.php
@ -11,9 +11,9 @@ if (!array_key_exists('AuthState', $_REQUEST) || empty($_REQUEST['AuthState']))
 $stateID = $_REQUEST['AuthState'];

 // sanitize the input
-$restartURL = SimpleSAML_Utilities::getURLFromStateID($stateID);
-if (!is_null($restartURL)) {
-	SimpleSAML_Utilities::checkURLAllowed($restartURL);
+$sid = SimpleSAML_Utilities::parseStateID($stateID);
+if (!is_null($sid['url'])) {
+	SimpleSAML_Utilities::checkURLAllowed($sid['url']);
 }

 $state = SimpleSAML_Auth_State::loadState($stateID, sspmod_authfacebook_Auth_Source_Facebook::STAGE_INIT);
--- a/modules/authlinkedin/www/linkback.php
+++ b/modules/authlinkedin/www/linkback.php
@ -11,9 +11,9 @@ if (array_key_exists('stateid', $_REQUEST)) {
 }

 // sanitize the input
-$restartURL = SimpleSAML_Utilities::getURLFromStateID($stateId);
-if (!is_null($restartURL)) {
-	SimpleSAML_Utilities::checkURLAllowed($restartURL);
+$sid = SimpleSAML_Utilities::parseStateID($stateId);
+if (!is_null($sid['url'])) {
+	SimpleSAML_Utilities::checkURLAllowed($sid['url']);
 }

 $state = SimpleSAML_Auth_State::loadState($stateId, sspmod_authlinkedin_Auth_Source_LinkedIn::STAGE_INIT);
--- a/modules/authmyspace/www/linkback.php
+++ b/modules/authmyspace/www/linkback.php
@ -11,9 +11,9 @@ if (array_key_exists('stateid', $_REQUEST)) {
 }

 // sanitize the input
-$restartURL = SimpleSAML_Utilities::getURLFromStateID($stateId);
-if (!is_null($restartURL)) {
-	SimpleSAML_Utilities::checkURLAllowed($restartURL);
+$sid = SimpleSAML_Utilities::parseStateID($stateId);
+if (!is_null($sid['url'])) {
+	SimpleSAML_Utilities::checkURLAllowed($sid['url']);
 }

 $state = SimpleSAML_Auth_State::loadState($stateId, sspmod_authmyspace_Auth_Source_MySpace::STAGE_INIT);
--- a/modules/authorize/www/authorize_403.php
+++ b/modules/authorize/www/authorize_403.php
@ -13,9 +13,9 @@ if (!array_key_exists('StateId', $_REQUEST)) {
 $id = $_REQUEST['StateId'];

 // sanitize the input
-$restartURL = SimpleSAML_Utilities::getURLFromStateID($id);
-if (!is_null($restartURL)) {
-	SimpleSAML_Utilities::checkURLAllowed($restartURL);
+$sid = SimpleSAML_Utilities::parseStateID($id);
+if (!is_null($sid['url'])) {
+	SimpleSAML_Utilities::checkURLAllowed($sid['url']);
 }

 $state = SimpleSAML_Auth_State::loadState($id, 'authorize:Authorize');
--- a/modules/authtwitter/www/linkback.php
+++ b/modules/authtwitter/www/linkback.php
@ -10,9 +10,9 @@ if (!array_key_exists('AuthState', $_REQUEST) || empty($_REQUEST['AuthState']))
 $stateID = $_REQUEST['AuthState'];

 // sanitize the input
-$restartURL = SimpleSAML_Utilities::getURLFromStateID($stateID);
-if (!is_null($restartURL)) {
-	SimpleSAML_Utilities::checkURLAllowed($restartURL);
+$sid = SimpleSAML_Utilities::parseStateID($stateID);
+if (!is_null($sid['url'])) {
+	SimpleSAML_Utilities::checkURLAllowed($sid['url']);
 }

 $state = SimpleSAML_Auth_State::loadState($stateID, sspmod_authtwitter_Auth_Source_Twitter::STAGE_INIT);
--- a/modules/authwindowslive/www/linkback.php
+++ b/modules/authwindowslive/www/linkback.php
@ -8,9 +8,9 @@ if (array_key_exists('wrap_client_state', $_REQUEST)) {
 	$stateId = $_REQUEST['wrap_client_state'];
 	
 	// sanitize the input
-	$restartURL = SimpleSAML_Utilities::getURLFromStateID($stateId);
-	if (!is_null($restartURL)) {
-		SimpleSAML_Utilities::checkURLAllowed($restartURL);
+	$sid = SimpleSAML_Utilities::parseStateID($stateId);
+	if (!is_null($sid['url'])) {
+		SimpleSAML_Utilities::checkURLAllowed($sid['url']);
 	}

 	$state = SimpleSAML_Auth_State::loadState($stateId, sspmod_authwindowslive_Auth_Source_LiveID::STAGE_INIT);
--- a/modules/cas/www/linkback.php
+++ b/modules/cas/www/linkback.php
@ -14,9 +14,9 @@ if (!isset($_GET['ticket'])) {
 }

 // sanitize the input
-$restartURL = SimpleSAML_Utilities::getURLFromStateID($stateId);
-if (!is_null($restartURL)) {
-	SimpleSAML_Utilities::checkURLAllowed($restartURL);
+$sid = SimpleSAML_Utilities::parseStateID($stateId);
+if (!is_null($sid['url'])) {
+	SimpleSAML_Utilities::checkURLAllowed($sid['url']);
 }

 $state = SimpleSAML_Auth_State::loadState($stateId, sspmod_cas_Auth_Source_CAS::STAGE_INIT);
--- a/modules/cdc/www/resume.php
+++ b/modules/cdc/www/resume.php
@ -18,9 +18,9 @@ if (!isset($response['id'])) {
 }

 // sanitize the input
-$restartURL = SimpleSAML_Utilities::getURLFromStateID($response['id']);
-if (!is_null($restartURL)) {
-	SimpleSAML_Utilities::checkURLAllowed($restartURL);
+$sid = SimpleSAML_Utilities::parseStateID($response['id']);
+if (!is_null($sid['url'])) {
+	SimpleSAML_Utilities::checkURLAllowed($sid['url']);
 }

 $state = SimpleSAML_Auth_State::loadState($response['id'], 'cdc:resume');
--- a/modules/consent/www/getconsent.php
+++ b/modules/consent/www/getconsent.php
@ -33,9 +33,9 @@ if (!array_key_exists('StateId', $_REQUEST)) {
 $id = $_REQUEST['StateId'];

 // sanitize the input
-$restartURL = SimpleSAML_Utilities::getURLFromStateID($id);
-if (!is_null($restartURL)) {
-	SimpleSAML_Utilities::checkURLAllowed($restartURL);
+$sid = SimpleSAML_Utilities::parseStateID($id);
+if (!is_null($sid['url'])) {
+	SimpleSAML_Utilities::checkURLAllowed($sid['url']);
 }

 $state = SimpleSAML_Auth_State::loadState($id, 'consent:request');
--- a/modules/consent/www/logout.php
+++ b/modules/consent/www/logout.php
@ -12,9 +12,9 @@ if (!array_key_exists('StateId', $_GET)) {
 $id = (string)$_GET['StateId'];

 // sanitize the input
-$restartURL = SimpleSAML_Utilities::getURLFromStateID($id);
-if (!is_null($restartURL)) {
-	SimpleSAML_Utilities::checkURLAllowed($restartURL);
+$sid = SimpleSAML_Utilities::parseStateID($id);
+if (!is_null($sid['url'])) {
+	SimpleSAML_Utilities::checkURLAllowed($sid['url']);
 }

 $state = SimpleSAML_Auth_State::loadState($id, 'consent:request');
--- a/modules/consent/www/noconsent.php
+++ b/modules/consent/www/noconsent.php
@ -14,9 +14,9 @@ if (!array_key_exists('StateId', $_REQUEST)) {
 $id = $_REQUEST['StateId'];

 // sanitize the input
-$restartURL = SimpleSAML_Utilities::getURLFromStateID($id);
-if (!is_null($restartURL)) {
-	SimpleSAML_Utilities::checkURLAllowed($restartURL);
+$sid = SimpleSAML_Utilities::parseStateID($id);
+if (!is_null($sid['url'])) {
+	SimpleSAML_Utilities::checkURLAllowed($sid['url']);
 }

 $state = SimpleSAML_Auth_State::loadState($id, 'consent:request');
--- a/modules/core/lib/Auth/UserPassBase.php
+++ b/modules/core/lib/Auth/UserPassBase.php
@ -198,9 +198,9 @@ abstract class sspmod_core_Auth_UserPassBase extends SimpleSAML_Auth_Source {
 		assert('is_string($password)');

 		// sanitize the input
-		$restartURL = SimpleSAML_Utilities::getURLFromStateID($authStateId);
-		if (!is_null($restartURL)) {
-			SimpleSAML_Utilities::checkURLAllowed($restartURL);
+		$sid = SimpleSAML_Utilities::parseStateID($authStateId);
+		if (!is_null($sid['url'])) {
+			SimpleSAML_Utilities::checkURLAllowed($sid['url']);
 		}

 		/* Here we retrieve the state array we saved in the authenticate-function. */
--- a/modules/core/lib/Auth/UserPassOrgBase.php
+++ b/modules/core/lib/Auth/UserPassOrgBase.php
@ -210,9 +210,9 @@ abstract class sspmod_core_Auth_UserPassOrgBase extends SimpleSAML_Auth_Source {
 		assert('is_string($organization)');

 		// sanitize the input
-		$restartURL = SimpleSAML_Utilities::getURLFromStateID($authStateId);
-		if (!is_null($restartURL)) {
-			SimpleSAML_Utilities::checkURLAllowed($restartURL);
+		$sid = SimpleSAML_Utilities::parseStateID($authStateId);
+		if (!is_null($sid['url'])) {
+			SimpleSAML_Utilities::checkURLAllowed($sid['url']);
 		}

 		/* Retrieve the authentication state. */
@ -264,9 +264,9 @@ abstract class sspmod_core_Auth_UserPassOrgBase extends SimpleSAML_Auth_Source {
 		assert('is_string($authStateId)');

 		// sanitize the input
-		$restartURL = SimpleSAML_Utilities::getURLFromStateID($authStateId);
-		if (!is_null($restartURL)) {
-			SimpleSAML_Utilities::checkURLAllowed($restartURL);
+		$sid = SimpleSAML_Utilities::parseStateID($authStateId);
+		if (!is_null($sid['url'])) {
+			SimpleSAML_Utilities::checkURLAllowed($sid['url']);
 		}

 		/* Retrieve the authentication state. */
--- a/modules/core/www/idp/logout-iframe-done.php
+++ b/modules/core/www/idp/logout-iframe-done.php
@ -6,9 +6,9 @@ if (!isset($_REQUEST['id'])) {
 $id = (string)$_REQUEST['id'];

 // sanitize the input
-$restartURL = SimpleSAML_Utilities::getURLFromStateID($id);
-if (!is_null($restartURL)) {
-	SimpleSAML_Utilities::checkURLAllowed($restartURL);
+$sid = SimpleSAML_Utilities::parseStateID($id);
+if (!is_null($sid['url'])) {
+	SimpleSAML_Utilities::checkURLAllowed($sid['url']);
 }

 $state = SimpleSAML_Auth_State::loadState($id, 'core:Logout-IFrame');
--- a/modules/core/www/idp/logout-iframe.php
+++ b/modules/core/www/idp/logout-iframe.php
@ -20,9 +20,9 @@ if ($type !== 'embed' && $type !== 'async') {
 }

 // sanitize the input
-$restartURL = SimpleSAML_Utilities::getURLFromStateID($id);
-if (!is_null($restartURL)) {
-	SimpleSAML_Utilities::checkURLAllowed($restartURL);
+$sid = SimpleSAML_Utilities::parseStateID($id);
+if (!is_null($sid['url'])) {
+	SimpleSAML_Utilities::checkURLAllowed($sid['url']);
 }

 $state = SimpleSAML_Auth_State::loadState($id, 'core:Logout-IFrame');
--- a/modules/core/www/idp/resumelogout.php
+++ b/modules/core/www/idp/resumelogout.php
@ -6,9 +6,9 @@ if (!isset($_REQUEST['id'])) {
 $id = (string)$_REQUEST['id'];

 // sanitize the input
-$restartURL = SimpleSAML_Utilities::getURLFromStateID($id);
-if (!is_null($restartURL)) {
-	SimpleSAML_Utilities::checkURLAllowed($restartURL);
+$sid = SimpleSAML_Utilities::parseStateID($id);
+if (!is_null($sid['url'])) {
+	SimpleSAML_Utilities::checkURLAllowed($sid['url']);
 }

 $state = SimpleSAML_Auth_State::loadState($id, 'core:Logout:afterbridge');
--- a/modules/core/www/loginuserpass.php
+++ b/modules/core/www/loginuserpass.php
@ -16,9 +16,9 @@ if (!array_key_exists('AuthState', $_REQUEST)) {
 $authStateId = $_REQUEST['AuthState'];

 // sanitize the input
-$restartURL = SimpleSAML_Utilities::getURLFromStateID($authStateId);
-if (!is_null($restartURL)) {
-	SimpleSAML_Utilities::checkURLAllowed($restartURL);
+$sid = SimpleSAML_Utilities::parseStateID($authStateId);
+if (!is_null($sid['url'])) {
+	SimpleSAML_Utilities::checkURLAllowed($sid['url']);
 }

 /* Retrieve the authentication state. */
--- a/modules/core/www/loginuserpassorg.php
+++ b/modules/core/www/loginuserpassorg.php
@ -16,9 +16,9 @@ if (!array_key_exists('AuthState', $_REQUEST)) {
 $authStateId = $_REQUEST['AuthState'];

 // sanitize the input
-$restartURL = SimpleSAML_Utilities::getURLFromStateID($authStateId);
-if (!is_null($restartURL)) {
-	SimpleSAML_Utilities::checkURLAllowed($restartURL);
+$sid = SimpleSAML_Utilities::parseStateID($authStateId);
+if (!is_null($sid['url'])) {
+	SimpleSAML_Utilities::checkURLAllowed($sid['url']);
 }

 /* Retrieve the authentication state. */
--- a/modules/core/www/short_sso_interval.php
+++ b/modules/core/www/short_sso_interval.php
@ -14,9 +14,9 @@ if (!array_key_exists('StateId', $_REQUEST)) {
 $id = $_REQUEST['StateId'];

 // sanitize the input
-$restartURL = SimpleSAML_Utilities::getURLFromStateID($id);
-if (!is_null($restartURL)) {
-	SimpleSAML_Utilities::checkURLAllowed($restartURL);
+$sid = SimpleSAML_Utilities::parseStateID($id);
+if (!is_null($sid['url'])) {
+	SimpleSAML_Utilities::checkURLAllowed($sid['url']);
 }

 $state = SimpleSAML_Auth_State::loadState($id, 'core:short_sso_interval');
--- a/modules/exampleauth/lib/Auth/Source/External.php
+++ b/modules/exampleauth/lib/Auth/Source/External.php
@ -187,9 +187,9 @@ class sspmod_exampleauth_Auth_Source_External extends SimpleSAML_Auth_Source {
 		$stateId = (string)$_REQUEST['State'];

 		// sanitize the input
-		$restartURL = SimpleSAML_Utilities::getURLFromStateID($stateId);
-		if (!is_null($restartURL)) {
-			SimpleSAML_Utilities::checkURLAllowed($restartURL);
+		$sid = SimpleSAML_Utilities::parseStateID($stateId);
+		if (!is_null($sid['url'])) {
+			SimpleSAML_Utilities::checkURLAllowed($sid['url']);
 		}

 		/*
--- a/modules/exampleauth/www/authpage.php
+++ b/modules/exampleauth/www/authpage.php
@ -33,9 +33,9 @@ if (!preg_match('@State=(.*)@', $returnTo, $matches)) {
 $stateId = urldecode($matches[1]);

 // sanitize the input
-$restartURL = SimpleSAML_Utilities::getURLFromStateID($stateId);
-if (!is_null($restartURL)) {
-	SimpleSAML_Utilities::checkURLAllowed($restartURL);
+$sid = SimpleSAML_Utilities::parseStateID($stateId);
+if (!is_null($sid['url'])) {
+	SimpleSAML_Utilities::checkURLAllowed($sid['url']);
 }

 SimpleSAML_Auth_State::loadState($stateId, 'exampleauth:External');
--- a/modules/exampleauth/www/redirecttest.php
+++ b/modules/exampleauth/www/redirecttest.php
@ -15,9 +15,9 @@ if (!array_key_exists('StateId', $_REQUEST)) {
 $id = $_REQUEST['StateId'];

 // sanitize the input
-$restartURL = SimpleSAML_Utilities::getURLFromStateID($id);
-if (!is_null($restartURL)) {
-	SimpleSAML_Utilities::checkURLAllowed($restartURL);
+$sid = SimpleSAML_Utilities::parseStateID($id);
+if (!is_null($sid['url'])) {
+	SimpleSAML_Utilities::checkURLAllowed($sid['url']);
 }

 $state = SimpleSAML_Auth_State::loadState($id, 'exampleauth:redirectfilter-test');
--- a/modules/expirycheck/www/about2expire.php
+++ b/modules/expirycheck/www/about2expire.php
@ -16,9 +16,9 @@ if (!array_key_exists('StateId', $_REQUEST)) {
 $id = $_REQUEST['StateId'];

 // sanitize the input
-$restartURL = SimpleSAML_Utilities::getURLFromStateID($id);
-if (!is_null($restartURL)) {
-	SimpleSAML_Utilities::checkURLAllowed($restartURL);
+$sid = SimpleSAML_Utilities::parseStateID($id);
+if (!is_null($sid['url'])) {
+	SimpleSAML_Utilities::checkURLAllowed($sid['url']);
 }

 $state = SimpleSAML_Auth_State::loadState($id, 'expirywarning:about2expire');
--- a/modules/expirycheck/www/expired.php
+++ b/modules/expirycheck/www/expired.php
@ -16,9 +16,9 @@ if (!array_key_exists('StateId', $_REQUEST)) {
 $id = $_REQUEST['StateId'];

 // sanitize the input
-$restartURL = SimpleSAML_Utilities::getURLFromStateID($id);
-if (!is_null($restartURL)) {
-	SimpleSAML_Utilities::checkURLAllowed($restartURL);
+$sid = SimpleSAML_Utilities::parseStateID($id);
+if (!is_null($sid['url'])) {
+	SimpleSAML_Utilities::checkURLAllowed($sid['url']);
 }

 $state = SimpleSAML_Auth_State::loadState($id, 'expirywarning:expired');
--- a/modules/multiauth/www/selectsource.php
+++ b/modules/multiauth/www/selectsource.php
@ -17,9 +17,9 @@ if (!array_key_exists('AuthState', $_REQUEST)) {
 $authStateId = $_REQUEST['AuthState'];

 // sanitize the input
-$restartURL = SimpleSAML_Utilities::getURLFromStateID($authStateId);
-if (!is_null($restartURL)) {
-	SimpleSAML_Utilities::checkURLAllowed($restartURL);
+$sid = SimpleSAML_Utilities::parseStateID($authStateId);
+if (!is_null($sid['url'])) {
+	SimpleSAML_Utilities::checkURLAllowed($sid['url']);
 }

 /* Retrieve the authentication state. */
--- a/modules/negotiate/www/backend.php
+++ b/modules/negotiate/www/backend.php
@ -12,9 +12,9 @@
 $authStateId = $_REQUEST['AuthState'];

 // sanitize the input
-$restartURL = SimpleSAML_Utilities::getURLFromStateID($authStateId);
-if (!is_null($restartURL)) {
-	SimpleSAML_Utilities::checkURLAllowed($restartURL);
+$sid = SimpleSAML_Utilities::parseStateID($authStateId);
+if (!is_null($sid['url'])) {
+	SimpleSAML_Utilities::checkURLAllowed($sid['url']);
 }

 $state = SimpleSAML_Auth_State::loadState($authStateId, sspmod_negotiate_Auth_Source_Negotiate::STAGEID);
--- a/modules/negotiate/www/retry.php
+++ b/modules/negotiate/www/retry.php
@ -12,9 +12,9 @@
 $authStateId = $_REQUEST['AuthState'];

 // sanitize the input
-$restartURL = SimpleSAML_Utilities::getURLFromStateID($authStateId);
-if (!is_null($restartURL)) {
-	SimpleSAML_Utilities::checkURLAllowed($restartURL);
+$sid = SimpleSAML_Utilities::parseStateID($authStateId);
+if (!is_null($sid['url'])) {
+	SimpleSAML_Utilities::checkURLAllowed($sid['url']);
 }

 $state = SimpleSAML_Auth_State::loadState($authStateId, sspmod_negotiate_Auth_Source_Negotiate::STAGEID);
--- a/modules/openid/www/consumer.php
+++ b/modules/openid/www/consumer.php
@ -8,9 +8,9 @@ if (!array_key_exists('AuthState', $_REQUEST) || empty($_REQUEST['AuthState']))
 $authState = $_REQUEST['AuthState'];

 // sanitize the input
-$restartURL = SimpleSAML_Utilities::getURLFromStateID($authState);
-if (!is_null($restartURL)) {
-	SimpleSAML_Utilities::checkURLAllowed($restartURL);
+$sid = SimpleSAML_Utilities::parseStateID($authState);
+if (!is_null($sid['url'])) {
+	SimpleSAML_Utilities::checkURLAllowed($sid['url']);
 }

 $state = SimpleSAML_Auth_State::loadState($authState, 'openid:init');
--- a/modules/openid/www/linkback.php
+++ b/modules/openid/www/linkback.php
@ -8,9 +8,9 @@ if (!array_key_exists('AuthState', $_REQUEST) || empty($_REQUEST['AuthState']))
 $authState = $_REQUEST['AuthState'];

 // sanitize the input
-$restartURL = SimpleSAML_Utilities::getURLFromStateID($authState);
-if (!is_null($restartURL)) {
-	SimpleSAML_Utilities::checkURLAllowed($restartURL);
+$sid = SimpleSAML_Utilities::parseStateID($authState);
+if (!is_null($sid['url'])) {
+	SimpleSAML_Utilities::checkURLAllowed($sid['url']);
 }

 $state = SimpleSAML_Auth_State::loadState($authState, 'openid:auth');
--- a/modules/openidProvider/lib/Server.php
+++ b/modules/openidProvider/lib/Server.php
@ -330,9 +330,9 @@ class sspmod_openidProvider_Server {
 		assert('is_string($stateId)');

 		// sanitize the input
-		$restartURL = SimpleSAML_Utilities::getURLFromStateID($stateId);
-		if (!is_null($restartURL)) {
-			SimpleSAML_Utilities::checkURLAllowed($restartURL);
+		$sid = SimpleSAML_Utilities::parseStateID($stateId);
+		if (!is_null($sid['url'])) {
+			SimpleSAML_Utilities::checkURLAllowed($sid['url']);
 		}

 		return SimpleSAML_Auth_State::loadState($stateId, 'openidProvider:resumeState');
--- a/modules/papi/lib/Auth/Source/PAPI.php
+++ b/modules/papi/lib/Auth/Source/PAPI.php
@ -117,9 +117,9 @@ class sspmod_papi_Auth_Source_PAPI extends SimpleSAML_Auth_Source {
           	$this->_stateId = (string)$_REQUEST['SSPStateID'];
           	
 			// sanitize the input
-			$restartURL = SimpleSAML_Utilities::getURLFromStateID($this->_stateId);
-			if (!is_null($restartURL)) {
-				SimpleSAML_Utilities::checkURLAllowed($restartURL);
+			$sid = SimpleSAML_Utilities::parseStateID($this->_stateId);
+			if (!is_null($sid['url'])) {
+				SimpleSAML_Utilities::checkURLAllowed($sid['url']);
 			}

           	$state = SimpleSAML_Auth_State::loadState($this->_stateId, self::STAGE_INIT);
@ -170,9 +170,9 @@ class sspmod_papi_Auth_Source_PAPI extends SimpleSAML_Auth_Source {
    		$this->_stateId = (string)$_REQUEST['SSPStateID'];

 			// sanitize the input
-			$restartURL = SimpleSAML_Utilities::getURLFromStateID($this->_stateId);
-			if (!is_null($restartURL)) {
-				SimpleSAML_Utilities::checkURLAllowed($restartURL);
+			$sid = SimpleSAML_Utilities::parseStateID($this->_stateId);
+			if (!is_null($sid['url'])) {
+				SimpleSAML_Utilities::checkURLAllowed($sid['url']);
 			}

    		$state = SimpleSAML_Auth_State::loadState($this->_stateId, self::STAGE_INIT);
--- a/modules/preprodwarning/www/showwarning.php
+++ b/modules/preprodwarning/www/showwarning.php
@ -17,9 +17,9 @@ if (!array_key_exists('StateId', $_REQUEST)) {
 $id = $_REQUEST['StateId'];

 // sanitize the input
-$restartURL = SimpleSAML_Utilities::getURLFromStateID($id);
-if (!is_null($restartURL)) {
-	SimpleSAML_Utilities::checkURLAllowed($restartURL);
+$sid = SimpleSAML_Utilities::parseStateID($id);
+if (!is_null($sid['url'])) {
+	SimpleSAML_Utilities::checkURLAllowed($sid['url']);
 }

 $state = SimpleSAML_Auth_State::loadState($id, 'warning:request');
--- a/modules/saml/www/sp/discoresp.php
+++ b/modules/saml/www/sp/discoresp.php
@ -15,9 +15,9 @@ if (!array_key_exists('idpentityid', $_REQUEST)) {
 $stateID = $_REQUEST['AuthID'];

 // sanitize the input
-$restartURL = SimpleSAML_Utilities::getURLFromStateID($stateID);
-if (!is_null($restartURL)) {
-	SimpleSAML_Utilities::checkURLAllowed($restartURL);
+$sid = SimpleSAML_Utilities::parseStateID($stateID);
+if (!is_null($sid['url'])) {
+	SimpleSAML_Utilities::checkURLAllowed($sid['url']);
 }

 $state = SimpleSAML_Auth_State::loadState($stateID, 'saml:sp:sso');
--- a/modules/saml/www/sp/saml1-acs.php
+++ b/modules/saml/www/sp/saml1-acs.php
@ -32,9 +32,9 @@ if (preg_match('@^https?://@i', $target)) {
 	$stateID = $_REQUEST['TARGET'];

 	// sanitize the input
-	$restartURL = SimpleSAML_Utilities::getURLFromStateID($stateID);
-	if (!is_null($restartURL)) {
-		SimpleSAML_Utilities::checkURLAllowed($restartURL);
+	$sid = SimpleSAML_Utilities::parseStateID($stateID);
+	if (!is_null($sid['url'])) {
+		SimpleSAML_Utilities::checkURLAllowed($sid['url']);
 	}

 	$state = SimpleSAML_Auth_State::loadState($stateID, 'saml:sp:sso');
--- a/modules/saml/www/sp/saml2-acs.php
+++ b/modules/saml/www/sp/saml2-acs.php
@ -54,9 +54,9 @@ $stateId = $response->getInResponseTo();
 if (!empty($stateId)) {

 	// sanitize the input
-	$restartURL = SimpleSAML_Utilities::getURLFromStateID($stateId);
-	if (!is_null($restartURL)) {
-		SimpleSAML_Utilities::checkURLAllowed($restartURL);
+	$sid = SimpleSAML_Utilities::parseStateID($stateId);
+	if (!is_null($sid['url'])) {
+		SimpleSAML_Utilities::checkURLAllowed($sid['url']);
 	}

 	/* This is a response to a request we sent earlier. */
--- a/modules/saml/www/sp/saml2-logout.php
+++ b/modules/saml/www/sp/saml2-logout.php
@ -55,9 +55,9 @@ if ($message instanceof SAML2_LogoutResponse) {
 	}

 	// sanitize the input
-	$restartURL = SimpleSAML_Utilities::getURLFromStateID($relayState);
-	if (!is_null($restartURL)) {
-		SimpleSAML_Utilities::checkURLAllowed($restartURL);
+	$sid = SimpleSAML_Utilities::parseStateID($relayState);
+	if (!is_null($sid['url'])) {
+		SimpleSAML_Utilities::checkURLAllowed($sid['url']);
 	}

 	$state = SimpleSAML_Auth_State::loadState($relayState, 'saml:slosent');
--- a/www/saml2/sp/AssertionConsumerService.php
+++ b/www/saml2/sp/AssertionConsumerService.php
@ -61,9 +61,9 @@ if (array_key_exists(SimpleSAML_Auth_ProcessingChain::AUTHPARAM, $_REQUEST)) {
 	$authProcId = $_REQUEST[SimpleSAML_Auth_ProcessingChain::AUTHPARAM];

 	// sanitize the input
-	$restartURL = SimpleSAML_Utilities::getURLFromStateID($authProcId);
-	if (!is_null($restartURL)) {
-		SimpleSAML_Utilities::checkURLAllowed($restartURL);
+	$sid = SimpleSAML_Utilities::parseStateID($authProcId);
+	if (!is_null($sid['url'])) {
+		SimpleSAML_Utilities::checkURLAllowed($sid['url']);
 	}

 	$authProcState = SimpleSAML_Auth_ProcessingChain::fetchProcessedState($authProcId);
--- a/www/shib13/sp/AssertionConsumerService.php
+++ b/www/shib13/sp/AssertionConsumerService.php
@ -49,9 +49,9 @@ if (array_key_exists(SimpleSAML_Auth_ProcessingChain::AUTHPARAM, $_REQUEST)) {
 	$authProcId = $_REQUEST[SimpleSAML_Auth_ProcessingChain::AUTHPARAM];

 	// sanitize the input
-	$restartURL = SimpleSAML_Utilities::getURLFromStateID($authProcId);
-	if (!is_null($restartURL)) {
-		SimpleSAML_Utilities::checkURLAllowed($restartURL);
+	$sid = SimpleSAML_Utilities::parseStateID($authProcId);
+	if (!is_null($sid['url'])) {
+		SimpleSAML_Utilities::checkURLAllowed($sid['url']);
 	}

 	$authProcState = SimpleSAML_Auth_ProcessingChain::fetchProcessedState($authProcId);