author | Jaime Pérez Crespo <jaime.perez@uninett.no> | 2014-01-24 16:36:54 +0000 |
---|---|---|
committer | Jaime Pérez Crespo <jaime.perez@uninett.no> | 2014-01-24 16:36:54 +0000 |
commit | 57acd8378e263f6abd41a427f01fdcada0391a20 (patch) | |
tree | 1e4573af30e5c6250fc99697664f6bf3e16081c3 /modules/authYubiKey/lib/Auth/Source/YubiKey.php | |
parent | c21dc1ba0d1073de8f0ed1779f626ee8b132c9f7 (diff) | |
Followup on previous commits. Use redirectUntrustedURL() as a shortcut, and let everything else make use of redirectTrustedURL(). Move the responsibility to check the input out of the library, to the places where URLs are grabbed from input parameters.
git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@3332 44740490-163a-0410-bde0-09ae8108e29a
Diffstat (limited to 'modules/authYubiKey/lib/Auth/Source/YubiKey.php')
-rw-r--r-- | modules/authYubiKey/lib/Auth/Source/YubiKey.php | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/modules/authYubiKey/lib/Auth/Source/YubiKey.php b/modules/authYubiKey/lib/Auth/Source/YubiKey.php
index ae98920..6b14128 100644
--- a/modules/authYubiKey/lib/Auth/Source/YubiKey.php
+++ b/modules/authYubiKey/lib/Auth/Source/YubiKey.php
@@ -124,6 +124,12 @@ class sspmod_authYubiKey_Auth_Source_YubiKey extends SimpleSAML_Auth_Source {
 assert('is_string($authStateId)');
 assert('is_string($otp)');
+ // sanitize the input
+ $restartURL = SimpleSAML_Utilities::getURLFromStateID($authStateId);
+ if (!is_null($restartURL)) {
+ SimpleSAML_Utilities::checkURLAllowed($restartURL);
+ }
+ /* Retrieve the authentication state. */
 $state = SimpleSAML_Auth_State::loadState($authStateId, self::STAGEID); |
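Review bot: The `checkURLAllowed($restartURL)` call in the added block has its result ignored, so the guard only works if that helper aborts (throws) on a disallowed URL; that is not visible in this hunk and should be confirmed or made explicit. The comment `// sanitize the input` is also misleading, since nothing is rewritten: the restart URL carried inside the request-supplied `$authStateId` is validated before `loadState()` runs. I would replace it with `// Reject state IDs whose embedded restart URL is not an allowed redirect target; must run before loadState().` Because the commit moves this check out of the library, every other caller that hands a request-supplied state ID to `loadState()` needs the same lines, and one missed call site presumably reopens the redirect; a single shared helper would be safer. The enclosing method begins and ends outside the hunk.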