Check if a URL is valid and is in our list of allowed URLs.
public static checkURLAllowed ( string $url, array $trustedSites = null ) : string | ||
$url | string | The URL to check. |
$trustedSites | array | An optional white list of domains. If none specified, the 'trusted.url.domains' configuration directive will be used. |
Результат | string | The normalized URL itself if it is allowed. An empty string if the $url parameter is empty as defined by the empty() function. |
<?php /** * This SAML 2.0 endpoint can receive incoming LogoutRequests. It will also send LogoutResponses, * and LogoutRequests and also receive LogoutResponses. It is implemeting SLO at the SAML 2.0 IdP. * * @author Andreas Åkre Solberg, UNINETT AS. <*****@*****.**> * @package SimpleSAMLphp */ require_once '../../_include.php'; SimpleSAML\Logger::info('SAML2.0 - IdP.SingleLogoutService: Accessing SAML 2.0 IdP endpoint SingleLogoutService'); $metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler(); $idpEntityId = $metadata->getMetaDataCurrentEntityID('saml20-idp-hosted'); $idp = SimpleSAML_IdP::getById('saml2:' . $idpEntityId); if (isset($_REQUEST['ReturnTo'])) { $idp->doLogoutRedirect(\SimpleSAML\Utils\HTTP::checkURLAllowed((string) $_REQUEST['ReturnTo'])); } else { try { sspmod_saml_IdP_SAML2::receiveLogoutMessage($idp); } catch (Exception $e) { // TODO: look for a specific exception /* * This is dirty. Instead of checking the message of the exception, \SAML2\Binding::getCurrentBinding() should * throw an specific exception when the binding is unknown, and we should capture that here */ if ($e->getMessage() === 'Unable to find the current binding.') { throw new SimpleSAML_Error_Error('SLOSERVICEPARAMS', $e, 400); } else { throw $e; // do not ignore other exceptions! }
/** * Test SimpleSAML\Utils\HTTP::checkURLAllowed(), with the regex as a * subdomain of an evil domain. */ public function testCheckURLAllowedWithRegexWithoutDelimiters() { $original = $_SERVER; \SimpleSAML_Configuration::loadFromArray(array('trusted.url.domains' => array('app\\.example\\.com'), 'trusted.url.regex' => true), '[ARRAY]', 'simplesaml'); $_SERVER['REQUEST_URI'] = '/module.php'; $this->setExpectedException('SimpleSAML_Error_Exception'); HTTP::checkURLAllowed('https://app.example.com.evil.com'); $_SERVER = $original; }
/** * Initializes this discovery service. * * The constructor does the parsing of the request. If this is an invalid request, it will throw an exception. * * @param array $metadataSets Array with metadata sets we find remote entities in. * @param string $instance The name of this instance of the discovery service. * * @throws Exception If the request is invalid. */ public function __construct(array $metadataSets, $instance) { assert('is_string($instance)'); // initialize standard classes $this->config = SimpleSAML_Configuration::getInstance(); $this->metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler(); $this->session = SimpleSAML_Session::getSessionFromRequest(); $this->instance = $instance; $this->metadataSets = $metadataSets; $this->log('Accessing discovery service.'); // standard discovery service parameters if (!array_key_exists('entityID', $_GET)) { throw new Exception('Missing parameter: entityID'); } else { $this->spEntityId = $_GET['entityID']; } if (!array_key_exists('returnIDParam', $_GET)) { $this->returnIdParam = 'entityID'; } else { $this->returnIdParam = $_GET['returnIDParam']; } $this->log('returnIdParam initially set to [' . $this->returnIdParam . ']'); if (!array_key_exists('return', $_GET)) { throw new Exception('Missing parameter: return'); } else { $this->returnURL = \SimpleSAML\Utils\HTTP::checkURLAllowed($_GET['return']); } $this->isPassive = false; if (array_key_exists('isPassive', $_GET)) { if ($_GET['isPassive'] === 'true') { $this->isPassive = true; } } $this->log('isPassive initially set to [' . ($this->isPassive ? 'TRUE' : 'FALSE') . ']'); if (array_key_exists('IdPentityID', $_GET)) { $this->setIdPentityID = $_GET['IdPentityID']; } if (array_key_exists('IDPList', $_REQUEST)) { $this->scopedIDPList = $_REQUEST['IDPList']; } }
<?php /** * This page serves as a dummy login page. * * Note that we don't actually validate the user in this example. This page * just serves to make the example work out of the box. * * @package SimpleSAMLphp */ if (!isset($_REQUEST['ReturnTo'])) { die('Missing ReturnTo parameter.'); } $returnTo = \SimpleSAML\Utils\HTTP::checkURLAllowed($_REQUEST['ReturnTo']); /* * The following piece of code would never be found in a real authentication page. Its * purpose in this example is to make this example safer in the case where the * administrator of * the IdP leaves the exampleauth-module enabled in a production * environment. * * What we do here is to extract the $state-array identifier, and check that it belongs to * the exampleauth:External process. */ if (!preg_match('@State=(.*)@', $returnTo, $matches)) { die('Invalid ReturnTo URL for this example.'); } SimpleSAML_Auth_State::loadState(urldecode($matches[1]), 'exampleauth:External'); /* * The loadState-function will not return if the second parameter does not * match the parameter passed to saveState, so by now we know that we arrived here * through the exampleauth:External authentication page.
<?php /** * Endpoint for logging in with an authentication source. * * @package simpleSAMLphp */ if (!is_string($_REQUEST['ReturnTo'])) { throw new SimpleSAML_Error_BadRequest('Missing ReturnTo parameter.'); } if (!is_string($_REQUEST['AuthId'])) { throw new SimpleSAML_Error_BadRequest('Missing AuthId parameter.'); } /* * Setting up the options for the requireAuth() call later.. */ $options = array('ReturnTo' => \SimpleSAML\Utils\HTTP::checkURLAllowed($_REQUEST['ReturnTo'])); /* * Allows a saml:idp query string parameter specify the IdP entity ID to be used * as used by the DiscoJuice embedded client. */ if (!empty($_REQUEST['saml:idp'])) { $options['saml:idp'] = $_REQUEST['saml:idp']; } $as = new SimpleSAML_Auth_Simple($_REQUEST['AuthId']); $as->requireAuth($options); \SimpleSAML\Utils\HTTP::redirectTrustedURL($options['ReturnTo']);
/** * @deprecated This method will be removed in SSP 2.0. Please use \SimpleSAML\Utils\HTTP::checkURLAllowed() instead. */ public static function checkURLAllowed($url, array $trustedSites = NULL) { return \SimpleSAML\Utils\HTTP::checkURLAllowed($url, $trustedSites); }
<?php require_once '../../_include.php'; $metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler(); $idpEntityId = $metadata->getMetaDataCurrentEntityID('saml20-idp-hosted'); $idp = SimpleSAML_IdP::getById('saml2:' . $idpEntityId); SimpleSAML_Logger::info('SAML2.0 - IdP.initSLO: Accessing SAML 2.0 IdP endpoint init Single Logout'); if (!isset($_GET['RelayState'])) { throw new SimpleSAML_Error_Error('NORELAYSTATE'); } $idp->doLogoutRedirect(\SimpleSAML\Utils\HTTP::checkURLAllowed((string) $_GET['RelayState'])); assert('FALSE');
public static function receiveLogoutMessage(SimpleSAML_IdP $idp) { // if a redirect is to occur based on wreply, we will redirect to url as // this implies an override to normal sp notification. if (isset($_GET['wreply']) && !empty($_GET['wreply'])) { $idp->doLogoutRedirect(\SimpleSAML\Utils\HTTP::checkURLAllowed($_GET['wreply'])); assert(FALSE); } $state = array('Responder' => array('sspmod_adfs_IdP_ADFS', 'sendLogoutResponse')); $assocId = NULL; // TODO: verify that this is really no problem for: // a) SSP, because there's no caller SP... // b) ADFS SP because caller will be called back... $idp->handleLogoutRequest($state, $assocId); }
<?php /** * Endpoint for logging out in with an authentication source. * * @package simpleSAMLphp */ if (!isset($_REQUEST['ReturnTo']) || !is_string($_REQUEST['ReturnTo'])) { throw new SimpleSAML_Error_BadRequest('Missing ReturnTo parameter.'); } if (!isset($_REQUEST['AuthId']) || !is_string($_REQUEST['AuthId'])) { throw new SimpleSAML_Error_BadRequest('Missing AuthId parameter.'); } $as = new SimpleSAML_Auth_Simple($_REQUEST['AuthId']); $as->logout(\SimpleSAML\Utils\HTTP::checkURLAllowed($_REQUEST['ReturnTo']));
assert('array_key_exists("saml:sp:AuthId", $state)'); if ($state['saml:sp:AuthId'] !== $sourceId) { throw new SimpleSAML_Error_Exception('The authentication source id in the URL does not match the authentication source which sent the request.'); } // check that the issuer is the one we are expecting assert('array_key_exists("ExpectedIssuer", $state)'); if ($state['ExpectedIssuer'] !== $idp) { $idpMetadata = $source->getIdPMetadata($idp); $idplist = $idpMetadata->getArrayize('IDPList', array()); if (!in_array($state['ExpectedIssuer'], $idplist)) { throw new SimpleSAML_Error_Exception('The issuer of the response does not match to the identity provider we sent the request to.'); } } } else { // this is an unsolicited response $state = array('saml:sp:isUnsolicited' => true, 'saml:sp:AuthId' => $sourceId, 'saml:sp:RelayState' => \SimpleSAML\Utils\HTTP::checkURLAllowed($spMetadata->getString('RelayState', $response->getRelayState()))); } SimpleSAML_Logger::debug('Received SAML2 Response from ' . var_export($idp, true) . '.'); if (empty($idpMetadata)) { $idpMetadata = $source->getIdPmetadata($idp); } try { $assertions = sspmod_saml_Message::processResponse($spMetadata, $idpMetadata, $response); } catch (sspmod_saml_Error $e) { // the status of the response wasn't "success" $e = $e->toException(); SimpleSAML_Auth_State::throwException($state, $e); } $authenticatingAuthority = null; $nameId = null; $sessionIndex = null;
<?php require_once '_include.php'; $config = SimpleSAML_Configuration::getInstance(); if (array_key_exists('link_href', $_REQUEST)) { $link = \SimpleSAML\Utils\HTTP::checkURLAllowed($_REQUEST['link_href']); } else { $link = 'index.php'; } if (array_key_exists('link_text', $_REQUEST)) { $text = $_REQUEST['link_text']; } else { $text = '{logout:default_link_text}'; } $t = new SimpleSAML_XHTML_Template($config, 'logout.php'); $t->data['link'] = $link; $t->data['text'] = $text; $t->show(); exit;
} if (!array_key_exists('PATH_INFO', $_SERVER)) { throw new SimpleSAML_Error_BadRequest('Missing authentication source ID in assertion consumer service URL'); } $sourceId = $_SERVER['PATH_INFO']; $end = strpos($sourceId, '/', 1); if ($end === FALSE) { $end = strlen($sourceId); } $sourceId = substr($sourceId, 1, $end - 1); $source = SimpleSAML_Auth_Source::getById($sourceId, 'sspmod_saml_Auth_Source_SP'); SimpleSAML_Logger::debug('Received SAML1 response'); $target = (string) $_REQUEST['TARGET']; if (preg_match('@^https?://@i', $target)) { // Unsolicited response $state = array('saml:sp:isUnsolicited' => TRUE, 'saml:sp:AuthId' => $sourceId, 'saml:sp:RelayState' => \SimpleSAML\Utils\HTTP::checkURLAllowed($target)); } else { $state = SimpleSAML_Auth_State::loadState($_REQUEST['TARGET'], 'saml:sp:sso'); // Check that the authentication source is correct. assert('array_key_exists("saml:sp:AuthId", $state)'); if ($state['saml:sp:AuthId'] !== $sourceId) { throw new SimpleSAML_Error_Exception('The authentication source id in the URL does not match the authentication source which sent the request.'); } assert('isset($state["saml:idp"])'); } $spMetadata = $source->getMetadata(); if (array_key_exists('SAMLart', $_REQUEST)) { if (!isset($state['saml:idp'])) { /* Unsolicited response. */ throw new SimpleSAML_Error_Exception('IdP initiated authentication not supported with the SAML 1.1 SAMLart protocol.'); }
<?php if (isset($_REQUEST['retryURL'])) { $retryURL = (string) $_REQUEST['retryURL']; $retryURL = \SimpleSAML\Utils\HTTP::checkURLAllowed($retryURL); } else { $retryURL = null; } $globalConfig = SimpleSAML_Configuration::getInstance(); $t = new SimpleSAML_XHTML_Template($globalConfig, 'core:no_cookie.tpl.php'); $t->data['retryURL'] = $retryURL; $t->show();