Solve a security issue with some modules (not validating URLs we are redirecting to) by moving the check to the SimpleSAML_Auth_State::loadState() method.

author: Jaime Perez Crespo <jaime.perez@uninett.no> 2015-02-27 12:47:20 +0100
committer: Jaime Perez Crespo <jaime.perez@uninett.no> 2015-02-27 12:47:20 +0100
commit: 2970e12a48cb5fbddc36835a5b41c69671c992a5 (patch)
tree: 213efb2f6f28bb7daa2a44ce86a0b23074f39f0b /modules/authYubiKey/lib/Auth/Source/YubiKey.php
parent: 715e798a1cdb02dcb39bf1a42af33ba14949b58e (diff)
download: simplesamlphp-2970e12a48cb5fbddc36835a5b41c69671c992a5.zip
simplesamlphp-2970e12a48cb5fbddc36835a5b41c69671c992a5.tar.gz
simplesamlphp-2970e12a48cb5fbddc36835a5b41c69671c992a5.tar.bz2
1 files changed, 0 insertions, 6 deletions
diff --git a/modules/authYubiKey/lib/Auth/Source/YubiKey.php b/modules/authYubiKey/lib/Auth/Source/YubiKey.php
index a6227c0..48c3047 100644
--- a/modules/authYubiKey/lib/Auth/Source/YubiKey.php
+++ b/modules/authYubiKey/lib/Auth/Source/YubiKey.php
@@ -123,12 +123,6 @@ class sspmod_authYubiKey_Auth_Source_YubiKey extends SimpleSAML_Auth_Source {
 		assert('is_string($authStateId)');
 		assert('is_string($otp)');
 
-		// sanitize the input
-		$sid = SimpleSAML_Utilities::parseStateID($authStateId);
-		if (!is_null($sid['url'])) {
-			SimpleSAML_Utilities::checkURLAllowed($sid['url']);
-		}
-
 		/* Retrieve the authentication state. */
 		$state = SimpleSAML_Auth_State::loadState($authStateId, self::STAGEID);
author	Jaime Perez Crespo <jaime.perez@uninett.no>	2015-02-27 12:47:20 +0100
committer	Jaime Perez Crespo <jaime.perez@uninett.no>	2015-02-27 12:47:20 +0100
commit	2970e12a48cb5fbddc36835a5b41c69671c992a5 (patch)
tree	213efb2f6f28bb7daa2a44ce86a0b23074f39f0b /modules/authYubiKey/lib/Auth/Source/YubiKey.php
parent	715e798a1cdb02dcb39bf1a42af33ba14949b58e (diff)
download	simplesamlphp-2970e12a48cb5fbddc36835a5b41c69671c992a5.zip simplesamlphp-2970e12a48cb5fbddc36835a5b41c69671c992a5.tar.gz simplesamlphp-2970e12a48cb5fbddc36835a5b41c69671c992a5.tar.bz2