authorJaime Perez Crespo <jaime.perez@uninett.no>2015-02-27 12:47:20 +0100
committerJaime Perez Crespo <jaime.perez@uninett.no>2015-02-27 12:47:20 +0100
commit2970e12a48cb5fbddc36835a5b41c69671c992a5 (patch)
tree213efb2f6f28bb7daa2a44ce86a0b23074f39f0b /modules/exampleauth/lib/Auth
parent715e798a1cdb02dcb39bf1a42af33ba14949b58e (diff)
Fix a security issue in some modules (they did not validate the URL embedded in the state ID before redirecting to it) by moving the check into the SimpleSAML_Auth_State::loadState() method, so every caller of loadState() gets the validation instead of each module having to remember it.
Diffstat (limited to 'modules/exampleauth/lib/Auth')
-rw-r--r--modules/exampleauth/lib/Auth/Source/External.php9
1 files changed, 1 insertions, 8 deletions
diff --git a/modules/exampleauth/lib/Auth/Source/External.php b/modules/exampleauth/lib/Auth/Source/External.php
index c141a4a..3703852 100644
--- a/modules/exampleauth/lib/Auth/Source/External.php
+++ b/modules/exampleauth/lib/Auth/Source/External.php
@@ -183,19 +183,12 @@ class sspmod_exampleauth_Auth_Source_External extends SimpleSAML_Auth_Source {
if (!isset($_REQUEST['State'])) {
throw new SimpleSAML_Error_BadRequest('Missing "State" parameter.');
}
- $stateId = (string)$_REQUEST['State'];
-
- // sanitize the input
- $sid = SimpleSAML_Utilities::parseStateID($stateId);
- if (!is_null($sid['url'])) {
- SimpleSAML_Utilities::checkURLAllowed($sid['url']);
- }
/*
* Once again, note the second parameter to the loadState function. This must
* match the string we used in the saveState-call above.
*/
- $state = SimpleSAML_Auth_State::loadState($stateId, 'exampleauth:External');
+ $state = SimpleSAML_Auth_State::loadState($_REQUEST['State'], 'exampleauth:External');
/*
* Now we have the $state-array, and can use it to locate the authentication