diff options
45 files changed, 147 insertions, 143 deletions
diff --git a/lib/SimpleSAML/Auth/ProcessingChain.php b/lib/SimpleSAML/Auth/ProcessingChain.php index 2bc624d..3380840 100644 --- a/lib/SimpleSAML/Auth/ProcessingChain.php +++ b/lib/SimpleSAML/Auth/ProcessingChain.php @@ -306,7 +306,7 @@ class SimpleSAML_Auth_ProcessingChain { * SimpleSAML_Auth_ProcessingChain::AUTHPARAM request parameter. Please * make sure to sanitize it properly by calling the * SimpleSAML_Utilities::checkURLAllowed() function with the embedded - * restart URL, if any. See also SimpleSAML_Utilities::getURLFromStateID(). + * restart URL, if any. See also SimpleSAML_Utilities::parseStateID(). */ public static function fetchProcessedState($id) { assert('is_string($id)'); diff --git a/lib/SimpleSAML/Auth/State.php b/lib/SimpleSAML/Auth/State.php index 0b74da2..ccea15f 100644 --- a/lib/SimpleSAML/Auth/State.php +++ b/lib/SimpleSAML/Auth/State.php @@ -211,10 +211,10 @@ class SimpleSAML_Auth_State { assert('is_bool($allowMissing)'); SimpleSAML_Logger::debug('Loading state: ' . var_export($id, TRUE)); - $restartURL = SimpleSAML_Utilities::getURLFromStateID($id); + $sid = SimpleSAML_Utilities::parseStateID($id); $session = SimpleSAML_Session::getInstance(); - $state = $session->getData('SimpleSAML_Auth_State', $id); + $state = $session->getData('SimpleSAML_Auth_State', $sid['id']); if ($state === NULL) { /* Could not find saved data. */ @@ -222,11 +222,11 @@ class SimpleSAML_Auth_State { return NULL; } - if ($restartURL === NULL) { + if ($sid['url'] === NULL) { throw new SimpleSAML_Error_NoState(); } - SimpleSAML_Utilities::redirectTrustedURL($restartURL); + SimpleSAML_Utilities::redirectTrustedURL($sid['url']); } $state = unserialize($state); @@ -246,11 +246,11 @@ class SimpleSAML_Auth_State { SimpleSAML_Logger::warning($msg); - if ($restartURL === NULL) { + if ($sid['url'] === NULL) { throw new Exception($msg); } - SimpleSAML_Utilities::redirectTrustedURL($restartURL); + SimpleSAML_Utilities::redirectTrustedURL($sid['url']); } return $state; diff --git a/lib/SimpleSAML/IdP/LogoutTraditional.php b/lib/SimpleSAML/IdP/LogoutTraditional.php index f9fa132..5f934cc 100644 --- a/lib/SimpleSAML/IdP/LogoutTraditional.php +++ b/lib/SimpleSAML/IdP/LogoutTraditional.php @@ -77,9 +77,9 @@ class SimpleSAML_IdP_LogoutTraditional extends SimpleSAML_IdP_LogoutHandler { } // sanitize the input - $restartURL = SimpleSAML_Utilities::getURLFromStateID($relayState); - if (!is_null($restartURL)) { - SimpleSAML_Utilities::checkURLAllowed($restartURL); + $sid = SimpleSAML_Utilities::parseStateID($relayState); + if (!is_null($sid['url'])) { + SimpleSAML_Utilities::checkURLAllowed($sid['url']); } $state = SimpleSAML_Auth_State::loadState($relayState, 'core:LogoutTraditional'); diff --git a/lib/SimpleSAML/Utilities.php b/lib/SimpleSAML/Utilities.php index 096b52b..cc42bfc 100644 --- a/lib/SimpleSAML/Utilities.php +++ b/lib/SimpleSAML/Utilities.php @@ -345,19 +345,23 @@ class SimpleSAML_Utilities { /** - * Get a URL embedded in a StateID, in the form 'id:url'. + * Get the ID and (optionally) a URL embedded in a StateID, + * in the form 'id:url'. * * @param string $stateId The state ID to use. - * @return string The embedded URL if found, NULL otherwise. + * @return array A hashed array with the ID and the URL (if any), + * in the 'id' and 'url' keys, respectively. If there's no URL + * in the input parameter, NULL will be returned as the value for + * the 'url' key. */ - public static function getURLFromStateID($stateId) { + public static function parseStateID($stateId) { $tmp = explode(':', $stateId, 2); $id = $tmp[0]; $url = NULL; if (count($tmp) === 2) { $url = $tmp[1]; } - return $url; + return array('id' => $id, 'url' => $url); } diff --git a/modules/InfoCard/lib/Auth/Source/ICAuth.php b/modules/InfoCard/lib/Auth/Source/ICAuth.php index 0b76ed1..bfefdab 100644 --- a/modules/InfoCard/lib/Auth/Source/ICAuth.php +++ b/modules/InfoCard/lib/Auth/Source/ICAuth.php @@ -69,9 +69,9 @@ class sspmod_InfoCard_Auth_Source_ICAuth extends SimpleSAML_Auth_Source { } // sanitize the input - $restartURL = SimpleSAML_Utilities::getURLFromStateID($authStateId); - if (!is_null($restartURL)) { - SimpleSAML_Utilities::checkURLAllowed($restartURL); + $sid = SimpleSAML_Utilities::parseStateID($authStateId); + if (!is_null($sid['url'])) { + SimpleSAML_Utilities::checkURLAllowed($sid['url']); } /* Retrieve the authentication state. */ diff --git a/modules/aselect/www/credentials.php b/modules/aselect/www/credentials.php index dc0afe7..bcdd208 100644 --- a/modules/aselect/www/credentials.php +++ b/modules/aselect/www/credentials.php @@ -13,9 +13,9 @@ function check_credentials() { $id = $_REQUEST['ssp_state']; // sanitize the input - $restartURL = SimpleSAML_Utilities::getURLFromStateID($id); - if (!is_null($restartURL)) { - SimpleSAML_Utilities::checkURLAllowed($restartURL); + $sid = SimpleSAML_Utilities::parseStateID($id); + if (!is_null($sid['url'])) { + SimpleSAML_Utilities::checkURLAllowed($sid['url']); } $state = SimpleSAML_Auth_State::loadState($id, 'aselect:login'); diff --git a/modules/authYubiKey/lib/Auth/Source/YubiKey.php b/modules/authYubiKey/lib/Auth/Source/YubiKey.php index 6b14128..981c64c 100644 --- a/modules/authYubiKey/lib/Auth/Source/YubiKey.php +++ b/modules/authYubiKey/lib/Auth/Source/YubiKey.php @@ -125,9 +125,9 @@ class sspmod_authYubiKey_Auth_Source_YubiKey extends SimpleSAML_Auth_Source { assert('is_string($otp)'); // sanitize the input - $restartURL = SimpleSAML_Utilities::getURLFromStateID($authStateId); - if (!is_null($restartURL)) { - SimpleSAML_Utilities::checkURLAllowed($restartURL); + $sid = SimpleSAML_Utilities::parseStateID($authStateId); + if (!is_null($sid['url'])) { + SimpleSAML_Utilities::checkURLAllowed($sid['url']); } /* Retrieve the authentication state. */ diff --git a/modules/authfacebook/www/linkback.php b/modules/authfacebook/www/linkback.php index 2305f77..879e3d2 100644 --- a/modules/authfacebook/www/linkback.php +++ b/modules/authfacebook/www/linkback.php @@ -11,9 +11,9 @@ if (!array_key_exists('AuthState', $_REQUEST) || empty($_REQUEST['AuthState'])) $stateID = $_REQUEST['AuthState']; // sanitize the input -$restartURL = SimpleSAML_Utilities::getURLFromStateID($stateID); -if (!is_null($restartURL)) { - SimpleSAML_Utilities::checkURLAllowed($restartURL); +$sid = SimpleSAML_Utilities::parseStateID($stateID); +if (!is_null($sid['url'])) { + SimpleSAML_Utilities::checkURLAllowed($sid['url']); } $state = SimpleSAML_Auth_State::loadState($stateID, sspmod_authfacebook_Auth_Source_Facebook::STAGE_INIT); diff --git a/modules/authlinkedin/www/linkback.php b/modules/authlinkedin/www/linkback.php index a169f04..e65a8aa 100644 --- a/modules/authlinkedin/www/linkback.php +++ b/modules/authlinkedin/www/linkback.php @@ -11,9 +11,9 @@ if (array_key_exists('stateid', $_REQUEST)) { } // sanitize the input -$restartURL = SimpleSAML_Utilities::getURLFromStateID($stateId); -if (!is_null($restartURL)) { - SimpleSAML_Utilities::checkURLAllowed($restartURL); +$sid = SimpleSAML_Utilities::parseStateID($stateId); +if (!is_null($sid['url'])) { + SimpleSAML_Utilities::checkURLAllowed($sid['url']); } $state = SimpleSAML_Auth_State::loadState($stateId, sspmod_authlinkedin_Auth_Source_LinkedIn::STAGE_INIT); diff --git a/modules/authmyspace/www/linkback.php b/modules/authmyspace/www/linkback.php index 81683c8..4dbaf79 100644 --- a/modules/authmyspace/www/linkback.php +++ b/modules/authmyspace/www/linkback.php @@ -11,9 +11,9 @@ if (array_key_exists('stateid', $_REQUEST)) { } // sanitize the input -$restartURL = SimpleSAML_Utilities::getURLFromStateID($stateId); -if (!is_null($restartURL)) { - SimpleSAML_Utilities::checkURLAllowed($restartURL); +$sid = SimpleSAML_Utilities::parseStateID($stateId); +if (!is_null($sid['url'])) { + SimpleSAML_Utilities::checkURLAllowed($sid['url']); } $state = SimpleSAML_Auth_State::loadState($stateId, sspmod_authmyspace_Auth_Source_MySpace::STAGE_INIT); diff --git a/modules/authorize/www/authorize_403.php b/modules/authorize/www/authorize_403.php index 613fa10..5152b99 100644 --- a/modules/authorize/www/authorize_403.php +++ b/modules/authorize/www/authorize_403.php @@ -13,9 +13,9 @@ if (!array_key_exists('StateId', $_REQUEST)) { $id = $_REQUEST['StateId']; // sanitize the input -$restartURL = SimpleSAML_Utilities::getURLFromStateID($id); -if (!is_null($restartURL)) { - SimpleSAML_Utilities::checkURLAllowed($restartURL); +$sid = SimpleSAML_Utilities::parseStateID($id); +if (!is_null($sid['url'])) { + SimpleSAML_Utilities::checkURLAllowed($sid['url']); } $state = SimpleSAML_Auth_State::loadState($id, 'authorize:Authorize'); diff --git a/modules/authtwitter/www/linkback.php b/modules/authtwitter/www/linkback.php index 0ebea75..9a397ed 100644 --- a/modules/authtwitter/www/linkback.php +++ b/modules/authtwitter/www/linkback.php @@ -10,9 +10,9 @@ if (!array_key_exists('AuthState', $_REQUEST) || empty($_REQUEST['AuthState'])) $stateID = $_REQUEST['AuthState']; // sanitize the input -$restartURL = SimpleSAML_Utilities::getURLFromStateID($stateID); -if (!is_null($restartURL)) { - SimpleSAML_Utilities::checkURLAllowed($restartURL); +$sid = SimpleSAML_Utilities::parseStateID($stateID); +if (!is_null($sid['url'])) { + SimpleSAML_Utilities::checkURLAllowed($sid['url']); } $state = SimpleSAML_Auth_State::loadState($stateID, sspmod_authtwitter_Auth_Source_Twitter::STAGE_INIT); diff --git a/modules/authwindowslive/www/linkback.php b/modules/authwindowslive/www/linkback.php index ee8452d..29b8b0d 100644 --- a/modules/authwindowslive/www/linkback.php +++ b/modules/authwindowslive/www/linkback.php @@ -8,9 +8,9 @@ if (array_key_exists('wrap_client_state', $_REQUEST)) { $stateId = $_REQUEST['wrap_client_state']; // sanitize the input - $restartURL = SimpleSAML_Utilities::getURLFromStateID($stateId); - if (!is_null($restartURL)) { - SimpleSAML_Utilities::checkURLAllowed($restartURL); + $sid = SimpleSAML_Utilities::parseStateID($stateId); + if (!is_null($sid['url'])) { + SimpleSAML_Utilities::checkURLAllowed($sid['url']); } $state = SimpleSAML_Auth_State::loadState($stateId, sspmod_authwindowslive_Auth_Source_LiveID::STAGE_INIT); diff --git a/modules/cas/www/linkback.php b/modules/cas/www/linkback.php index 8fe43e2..473c44b 100644 --- a/modules/cas/www/linkback.php +++ b/modules/cas/www/linkback.php @@ -14,9 +14,9 @@ if (!isset($_GET['ticket'])) { } // sanitize the input -$restartURL = SimpleSAML_Utilities::getURLFromStateID($stateId); -if (!is_null($restartURL)) { - SimpleSAML_Utilities::checkURLAllowed($restartURL); +$sid = SimpleSAML_Utilities::parseStateID($stateId); +if (!is_null($sid['url'])) { + SimpleSAML_Utilities::checkURLAllowed($sid['url']); } $state = SimpleSAML_Auth_State::loadState($stateId, sspmod_cas_Auth_Source_CAS::STAGE_INIT); diff --git a/modules/cdc/www/resume.php b/modules/cdc/www/resume.php index 549be22..8d7258d 100644 --- a/modules/cdc/www/resume.php +++ b/modules/cdc/www/resume.php @@ -18,9 +18,9 @@ if (!isset($response['id'])) { } // sanitize the input -$restartURL = SimpleSAML_Utilities::getURLFromStateID($response['id']); -if (!is_null($restartURL)) { - SimpleSAML_Utilities::checkURLAllowed($restartURL); +$sid = SimpleSAML_Utilities::parseStateID($response['id']); +if (!is_null($sid['url'])) { + SimpleSAML_Utilities::checkURLAllowed($sid['url']); } $state = SimpleSAML_Auth_State::loadState($response['id'], 'cdc:resume'); diff --git a/modules/consent/www/getconsent.php b/modules/consent/www/getconsent.php index 3e30817..babbf46 100644 --- a/modules/consent/www/getconsent.php +++ b/modules/consent/www/getconsent.php @@ -33,9 +33,9 @@ if (!array_key_exists('StateId', $_REQUEST)) { $id = $_REQUEST['StateId']; // sanitize the input -$restartURL = SimpleSAML_Utilities::getURLFromStateID($id); -if (!is_null($restartURL)) { - SimpleSAML_Utilities::checkURLAllowed($restartURL); +$sid = SimpleSAML_Utilities::parseStateID($id); +if (!is_null($sid['url'])) { + SimpleSAML_Utilities::checkURLAllowed($sid['url']); } $state = SimpleSAML_Auth_State::loadState($id, 'consent:request'); diff --git a/modules/consent/www/logout.php b/modules/consent/www/logout.php index 1e46429..a5f7cf6 100644 --- a/modules/consent/www/logout.php +++ b/modules/consent/www/logout.php @@ -12,9 +12,9 @@ if (!array_key_exists('StateId', $_GET)) { $id = (string)$_GET['StateId']; // sanitize the input -$restartURL = SimpleSAML_Utilities::getURLFromStateID($id); -if (!is_null($restartURL)) { - SimpleSAML_Utilities::checkURLAllowed($restartURL); +$sid = SimpleSAML_Utilities::parseStateID($id); +if (!is_null($sid['url'])) { + SimpleSAML_Utilities::checkURLAllowed($sid['url']); } $state = SimpleSAML_Auth_State::loadState($id, 'consent:request'); diff --git a/modules/consent/www/noconsent.php b/modules/consent/www/noconsent.php index 37b5920..2b97585 100644 --- a/modules/consent/www/noconsent.php +++ b/modules/consent/www/noconsent.php @@ -14,9 +14,9 @@ if (!array_key_exists('StateId', $_REQUEST)) { $id = $_REQUEST['StateId']; // sanitize the input -$restartURL = SimpleSAML_Utilities::getURLFromStateID($id); -if (!is_null($restartURL)) { - SimpleSAML_Utilities::checkURLAllowed($restartURL); +$sid = SimpleSAML_Utilities::parseStateID($id); +if (!is_null($sid['url'])) { + SimpleSAML_Utilities::checkURLAllowed($sid['url']); } $state = SimpleSAML_Auth_State::loadState($id, 'consent:request'); diff --git a/modules/core/lib/Auth/UserPassBase.php b/modules/core/lib/Auth/UserPassBase.php index c7ff0be..f734d43 100644 --- a/modules/core/lib/Auth/UserPassBase.php +++ b/modules/core/lib/Auth/UserPassBase.php @@ -198,9 +198,9 @@ abstract class sspmod_core_Auth_UserPassBase extends SimpleSAML_Auth_Source { assert('is_string($password)'); // sanitize the input - $restartURL = SimpleSAML_Utilities::getURLFromStateID($authStateId); - if (!is_null($restartURL)) { - SimpleSAML_Utilities::checkURLAllowed($restartURL); + $sid = SimpleSAML_Utilities::parseStateID($authStateId); + if (!is_null($sid['url'])) { + SimpleSAML_Utilities::checkURLAllowed($sid['url']); } /* Here we retrieve the state array we saved in the authenticate-function. */ diff --git a/modules/core/lib/Auth/UserPassOrgBase.php b/modules/core/lib/Auth/UserPassOrgBase.php index 9c7af97..3e57e4a 100644 --- a/modules/core/lib/Auth/UserPassOrgBase.php +++ b/modules/core/lib/Auth/UserPassOrgBase.php @@ -210,9 +210,9 @@ abstract class sspmod_core_Auth_UserPassOrgBase extends SimpleSAML_Auth_Source { assert('is_string($organization)'); // sanitize the input - $restartURL = SimpleSAML_Utilities::getURLFromStateID($authStateId); - if (!is_null($restartURL)) { - SimpleSAML_Utilities::checkURLAllowed($restartURL); + $sid = SimpleSAML_Utilities::parseStateID($authStateId); + if (!is_null($sid['url'])) { + SimpleSAML_Utilities::checkURLAllowed($sid['url']); } /* Retrieve the authentication state. */ @@ -264,9 +264,9 @@ abstract class sspmod_core_Auth_UserPassOrgBase extends SimpleSAML_Auth_Source { assert('is_string($authStateId)'); // sanitize the input - $restartURL = SimpleSAML_Utilities::getURLFromStateID($authStateId); - if (!is_null($restartURL)) { - SimpleSAML_Utilities::checkURLAllowed($restartURL); + $sid = SimpleSAML_Utilities::parseStateID($authStateId); + if (!is_null($sid['url'])) { + SimpleSAML_Utilities::checkURLAllowed($sid['url']); } /* Retrieve the authentication state. */ diff --git a/modules/core/www/idp/logout-iframe-done.php b/modules/core/www/idp/logout-iframe-done.php index 6253998..fe69f40 100644 --- a/modules/core/www/idp/logout-iframe-done.php +++ b/modules/core/www/idp/logout-iframe-done.php @@ -6,9 +6,9 @@ if (!isset($_REQUEST['id'])) { $id = (string)$_REQUEST['id']; // sanitize the input -$restartURL = SimpleSAML_Utilities::getURLFromStateID($id); -if (!is_null($restartURL)) { - SimpleSAML_Utilities::checkURLAllowed($restartURL); +$sid = SimpleSAML_Utilities::parseStateID($id); +if (!is_null($sid['url'])) { + SimpleSAML_Utilities::checkURLAllowed($sid['url']); } $state = SimpleSAML_Auth_State::loadState($id, 'core:Logout-IFrame'); diff --git a/modules/core/www/idp/logout-iframe.php b/modules/core/www/idp/logout-iframe.php index 53cdcfc..07a472d 100644 --- a/modules/core/www/idp/logout-iframe.php +++ b/modules/core/www/idp/logout-iframe.php @@ -20,9 +20,9 @@ if ($type !== 'embed' && $type !== 'async') { } // sanitize the input -$restartURL = SimpleSAML_Utilities::getURLFromStateID($id); -if (!is_null($restartURL)) { - SimpleSAML_Utilities::checkURLAllowed($restartURL); +$sid = SimpleSAML_Utilities::parseStateID($id); +if (!is_null($sid['url'])) { + SimpleSAML_Utilities::checkURLAllowed($sid['url']); } $state = SimpleSAML_Auth_State::loadState($id, 'core:Logout-IFrame'); diff --git a/modules/core/www/idp/resumelogout.php b/modules/core/www/idp/resumelogout.php index f93c8e9..0077909 100644 --- a/modules/core/www/idp/resumelogout.php +++ b/modules/core/www/idp/resumelogout.php @@ -6,9 +6,9 @@ if (!isset($_REQUEST['id'])) { $id = (string)$_REQUEST['id']; // sanitize the input -$restartURL = SimpleSAML_Utilities::getURLFromStateID($id); -if (!is_null($restartURL)) { - SimpleSAML_Utilities::checkURLAllowed($restartURL); +$sid = SimpleSAML_Utilities::parseStateID($id); +if (!is_null($sid['url'])) { + SimpleSAML_Utilities::checkURLAllowed($sid['url']); } $state = SimpleSAML_Auth_State::loadState($id, 'core:Logout:afterbridge'); diff --git a/modules/core/www/loginuserpass.php b/modules/core/www/loginuserpass.php index cda363b..6a2dc97 100644 --- a/modules/core/www/loginuserpass.php +++ b/modules/core/www/loginuserpass.php @@ -16,9 +16,9 @@ if (!array_key_exists('AuthState', $_REQUEST)) { $authStateId = $_REQUEST['AuthState']; // sanitize the input -$restartURL = SimpleSAML_Utilities::getURLFromStateID($authStateId); -if (!is_null($restartURL)) { - SimpleSAML_Utilities::checkURLAllowed($restartURL); +$sid = SimpleSAML_Utilities::parseStateID($authStateId); +if (!is_null($sid['url'])) { + SimpleSAML_Utilities::checkURLAllowed($sid['url']); } /* Retrieve the authentication state. */ diff --git a/modules/core/www/loginuserpassorg.php b/modules/core/www/loginuserpassorg.php index abd9a53..3e5b9fe 100644 --- a/modules/core/www/loginuserpassorg.php +++ b/modules/core/www/loginuserpassorg.php @@ -16,9 +16,9 @@ if (!array_key_exists('AuthState', $_REQUEST)) { $authStateId = $_REQUEST['AuthState']; // sanitize the input -$restartURL = SimpleSAML_Utilities::getURLFromStateID($authStateId); -if (!is_null($restartURL)) { - SimpleSAML_Utilities::checkURLAllowed($restartURL); +$sid = SimpleSAML_Utilities::parseStateID($authStateId); +if (!is_null($sid['url'])) { + SimpleSAML_Utilities::checkURLAllowed($sid['url']); } /* Retrieve the authentication state. */ diff --git a/modules/core/www/short_sso_interval.php b/modules/core/www/short_sso_interval.php index e9e5b15..3a44634 100644 --- a/modules/core/www/short_sso_interval.php +++ b/modules/core/www/short_sso_interval.php @@ -14,9 +14,9 @@ if (!array_key_exists('StateId', $_REQUEST)) { $id = $_REQUEST['StateId']; // sanitize the input -$restartURL = SimpleSAML_Utilities::getURLFromStateID($id); -if (!is_null($restartURL)) { - SimpleSAML_Utilities::checkURLAllowed($restartURL); +$sid = SimpleSAML_Utilities::parseStateID($id); +if (!is_null($sid['url'])) { + SimpleSAML_Utilities::checkURLAllowed($sid['url']); } $state = SimpleSAML_Auth_State::loadState($id, 'core:short_sso_interval'); diff --git a/modules/exampleauth/lib/Auth/Source/External.php b/modules/exampleauth/lib/Auth/Source/External.php index 53818e9..256a3de 100644 --- a/modules/exampleauth/lib/Auth/Source/External.php +++ b/modules/exampleauth/lib/Auth/Source/External.php @@ -187,9 +187,9 @@ class sspmod_exampleauth_Auth_Source_External extends SimpleSAML_Auth_Source { $stateId = (string)$_REQUEST['State']; // sanitize the input - $restartURL = SimpleSAML_Utilities::getURLFromStateID($stateId); - if (!is_null($restartURL)) { - SimpleSAML_Utilities::checkURLAllowed($restartURL); + $sid = SimpleSAML_Utilities::parseStateID($stateId); + if (!is_null($sid['url'])) { + SimpleSAML_Utilities::checkURLAllowed($sid['url']); } /* diff --git a/modules/exampleauth/www/authpage.php b/modules/exampleauth/www/authpage.php index bcd01b8..91ff791 100644 --- a/modules/exampleauth/www/authpage.php +++ b/modules/exampleauth/www/authpage.php @@ -33,9 +33,9 @@ if (!preg_match('@State=(.*)@', $returnTo, $matches)) { $stateId = urldecode($matches[1]); // sanitize the input -$restartURL = SimpleSAML_Utilities::getURLFromStateID($stateId); -if (!is_null($restartURL)) { - SimpleSAML_Utilities::checkURLAllowed($restartURL); +$sid = SimpleSAML_Utilities::parseStateID($stateId); +if (!is_null($sid['url'])) { + SimpleSAML_Utilities::checkURLAllowed($sid['url']); } SimpleSAML_Auth_State::loadState($stateId, 'exampleauth:External'); diff --git a/modules/exampleauth/www/redirecttest.php b/modules/exampleauth/www/redirecttest.php index c6d4fb8..8a38fc4 100644 --- a/modules/exampleauth/www/redirecttest.php +++ b/modules/exampleauth/www/redirecttest.php @@ -15,9 +15,9 @@ if (!array_key_exists('StateId', $_REQUEST)) { $id = $_REQUEST['StateId']; // sanitize the input -$restartURL = SimpleSAML_Utilities::getURLFromStateID($id); -if (!is_null($restartURL)) { - SimpleSAML_Utilities::checkURLAllowed($restartURL); +$sid = SimpleSAML_Utilities::parseStateID($id); +if (!is_null($sid['url'])) { + SimpleSAML_Utilities::checkURLAllowed($sid['url']); } $state = SimpleSAML_Auth_State::loadState($id, 'exampleauth:redirectfilter-test'); diff --git a/modules/expirycheck/www/about2expire.php b/modules/expirycheck/www/about2expire.php index 487b3f8..6717005 100644 --- a/modules/expirycheck/www/about2expire.php +++ b/modules/expirycheck/www/about2expire.php @@ -16,9 +16,9 @@ if (!array_key_exists('StateId', $_REQUEST)) { $id = $_REQUEST['StateId']; // sanitize the input -$restartURL = SimpleSAML_Utilities::getURLFromStateID($id); -if (!is_null($restartURL)) { - SimpleSAML_Utilities::checkURLAllowed($restartURL); +$sid = SimpleSAML_Utilities::parseStateID($id); +if (!is_null($sid['url'])) { + SimpleSAML_Utilities::checkURLAllowed($sid['url']); } $state = SimpleSAML_Auth_State::loadState($id, 'expirywarning:about2expire'); diff --git a/modules/expirycheck/www/expired.php b/modules/expirycheck/www/expired.php index 5ec7b93..4279f3e 100644 --- a/modules/expirycheck/www/expired.php +++ b/modules/expirycheck/www/expired.php @@ -16,9 +16,9 @@ if (!array_key_exists('StateId', $_REQUEST)) { $id = $_REQUEST['StateId']; // sanitize the input -$restartURL = SimpleSAML_Utilities::getURLFromStateID($id); -if (!is_null($restartURL)) { - SimpleSAML_Utilities::checkURLAllowed($restartURL); +$sid = SimpleSAML_Utilities::parseStateID($id); +if (!is_null($sid['url'])) { + SimpleSAML_Utilities::checkURLAllowed($sid['url']); } $state = SimpleSAML_Auth_State::loadState($id, 'expirywarning:expired'); diff --git a/modules/multiauth/www/selectsource.php b/modules/multiauth/www/selectsource.php index afa28ed..de27843 100644 --- a/modules/multiauth/www/selectsource.php +++ b/modules/multiauth/www/selectsource.php @@ -17,9 +17,9 @@ if (!array_key_exists('AuthState', $_REQUEST)) { $authStateId = $_REQUEST['AuthState']; // sanitize the input -$restartURL = SimpleSAML_Utilities::getURLFromStateID($authStateId); -if (!is_null($restartURL)) { - SimpleSAML_Utilities::checkURLAllowed($restartURL); +$sid = SimpleSAML_Utilities::parseStateID($authStateId); +if (!is_null($sid['url'])) { + SimpleSAML_Utilities::checkURLAllowed($sid['url']); } /* Retrieve the authentication state. */ diff --git a/modules/negotiate/www/backend.php b/modules/negotiate/www/backend.php index 347ce8d..a3924ab 100644 --- a/modules/negotiate/www/backend.php +++ b/modules/negotiate/www/backend.php @@ -12,9 +12,9 @@ $authStateId = $_REQUEST['AuthState']; // sanitize the input -$restartURL = SimpleSAML_Utilities::getURLFromStateID($authStateId); -if (!is_null($restartURL)) { - SimpleSAML_Utilities::checkURLAllowed($restartURL); +$sid = SimpleSAML_Utilities::parseStateID($authStateId); +if (!is_null($sid['url'])) { + SimpleSAML_Utilities::checkURLAllowed($sid['url']); } $state = SimpleSAML_Auth_State::loadState($authStateId, sspmod_negotiate_Auth_Source_Negotiate::STAGEID); diff --git a/modules/negotiate/www/retry.php b/modules/negotiate/www/retry.php index 858b836..1f75c61 100644 --- a/modules/negotiate/www/retry.php +++ b/modules/negotiate/www/retry.php @@ -12,9 +12,9 @@ $authStateId = $_REQUEST['AuthState']; // sanitize the input -$restartURL = SimpleSAML_Utilities::getURLFromStateID($authStateId); -if (!is_null($restartURL)) { - SimpleSAML_Utilities::checkURLAllowed($restartURL); +$sid = SimpleSAML_Utilities::parseStateID($authStateId); +if (!is_null($sid['url'])) { + SimpleSAML_Utilities::checkURLAllowed($sid['url']); } $state = SimpleSAML_Auth_State::loadState($authStateId, sspmod_negotiate_Auth_Source_Negotiate::STAGEID); diff --git a/modules/openid/www/consumer.php b/modules/openid/www/consumer.php index 0f8067c..63f83a3 100644 --- a/modules/openid/www/consumer.php +++ b/modules/openid/www/consumer.php @@ -8,9 +8,9 @@ if (!array_key_exists('AuthState', $_REQUEST) || empty($_REQUEST['AuthState'])) $authState = $_REQUEST['AuthState']; // sanitize the input -$restartURL = SimpleSAML_Utilities::getURLFromStateID($authState); -if (!is_null($restartURL)) { - SimpleSAML_Utilities::checkURLAllowed($restartURL); +$sid = SimpleSAML_Utilities::parseStateID($authState); +if (!is_null($sid['url'])) { + SimpleSAML_Utilities::checkURLAllowed($sid['url']); } $state = SimpleSAML_Auth_State::loadState($authState, 'openid:init'); diff --git a/modules/openid/www/linkback.php b/modules/openid/www/linkback.php index 6108ca7..aa938cc 100644 --- a/modules/openid/www/linkback.php +++ b/modules/openid/www/linkback.php @@ -8,9 +8,9 @@ if (!array_key_exists('AuthState', $_REQUEST) || empty($_REQUEST['AuthState'])) $authState = $_REQUEST['AuthState']; // sanitize the input -$restartURL = SimpleSAML_Utilities::getURLFromStateID($authState); -if (!is_null($restartURL)) { - SimpleSAML_Utilities::checkURLAllowed($restartURL); +$sid = SimpleSAML_Utilities::parseStateID($authState); +if (!is_null($sid['url'])) { + SimpleSAML_Utilities::checkURLAllowed($sid['url']); } $state = SimpleSAML_Auth_State::loadState($authState, 'openid:auth'); diff --git a/modules/openidProvider/lib/Server.php b/modules/openidProvider/lib/Server.php index 956a7e4..b49223d 100644 --- a/modules/openidProvider/lib/Server.php +++ b/modules/openidProvider/lib/Server.php @@ -330,9 +330,9 @@ class sspmod_openidProvider_Server { assert('is_string($stateId)'); // sanitize the input - $restartURL = SimpleSAML_Utilities::getURLFromStateID($stateId); - if (!is_null($restartURL)) { - SimpleSAML_Utilities::checkURLAllowed($restartURL); + $sid = SimpleSAML_Utilities::parseStateID($stateId); + if (!is_null($sid['url'])) { + SimpleSAML_Utilities::checkURLAllowed($sid['url']); } return SimpleSAML_Auth_State::loadState($stateId, 'openidProvider:resumeState'); diff --git a/modules/papi/lib/Auth/Source/PAPI.php b/modules/papi/lib/Auth/Source/PAPI.php index c074093..d9c39b6 100644 --- a/modules/papi/lib/Auth/Source/PAPI.php +++ b/modules/papi/lib/Auth/Source/PAPI.php @@ -117,9 +117,9 @@ class sspmod_papi_Auth_Source_PAPI extends SimpleSAML_Auth_Source { $this->_stateId = (string)$_REQUEST['SSPStateID']; // sanitize the input - $restartURL = SimpleSAML_Utilities::getURLFromStateID($this->_stateId); - if (!is_null($restartURL)) { - SimpleSAML_Utilities::checkURLAllowed($restartURL); + $sid = SimpleSAML_Utilities::parseStateID($this->_stateId); + if (!is_null($sid['url'])) { + SimpleSAML_Utilities::checkURLAllowed($sid['url']); } $state = SimpleSAML_Auth_State::loadState($this->_stateId, self::STAGE_INIT); @@ -170,9 +170,9 @@ class sspmod_papi_Auth_Source_PAPI extends SimpleSAML_Auth_Source { $this->_stateId = (string)$_REQUEST['SSPStateID']; // sanitize the input - $restartURL = SimpleSAML_Utilities::getURLFromStateID($this->_stateId); - if (!is_null($restartURL)) { - SimpleSAML_Utilities::checkURLAllowed($restartURL); + $sid = SimpleSAML_Utilities::parseStateID($this->_stateId); + if (!is_null($sid['url'])) { + SimpleSAML_Utilities::checkURLAllowed($sid['url']); } $state = SimpleSAML_Auth_State::loadState($this->_stateId, self::STAGE_INIT); diff --git a/modules/preprodwarning/www/showwarning.php b/modules/preprodwarning/www/showwarning.php index 2c50860..1c4c6aa 100644 --- a/modules/preprodwarning/www/showwarning.php +++ b/modules/preprodwarning/www/showwarning.php @@ -17,9 +17,9 @@ if (!array_key_exists('StateId', $_REQUEST)) { $id = $_REQUEST['StateId']; // sanitize the input -$restartURL = SimpleSAML_Utilities::getURLFromStateID($id); -if (!is_null($restartURL)) { - SimpleSAML_Utilities::checkURLAllowed($restartURL); +$sid = SimpleSAML_Utilities::parseStateID($id); +if (!is_null($sid['url'])) { + SimpleSAML_Utilities::checkURLAllowed($sid['url']); } $state = SimpleSAML_Auth_State::loadState($id, 'warning:request'); diff --git a/modules/saml/www/sp/discoresp.php b/modules/saml/www/sp/discoresp.php index 1479f8a..5d6d55b 100644 --- a/modules/saml/www/sp/discoresp.php +++ b/modules/saml/www/sp/discoresp.php @@ -15,9 +15,9 @@ if (!array_key_exists('idpentityid', $_REQUEST)) { $stateID = $_REQUEST['AuthID']; // sanitize the input -$restartURL = SimpleSAML_Utilities::getURLFromStateID($stateID); -if (!is_null($restartURL)) { - SimpleSAML_Utilities::checkURLAllowed($restartURL); +$sid = SimpleSAML_Utilities::parseStateID($stateID); +if (!is_null($sid['url'])) { + SimpleSAML_Utilities::checkURLAllowed($sid['url']); } $state = SimpleSAML_Auth_State::loadState($stateID, 'saml:sp:sso'); diff --git a/modules/saml/www/sp/saml1-acs.php b/modules/saml/www/sp/saml1-acs.php index d9a594c..95cc91b 100644 --- a/modules/saml/www/sp/saml1-acs.php +++ b/modules/saml/www/sp/saml1-acs.php @@ -32,9 +32,9 @@ if (preg_match('@^https?://@i', $target)) { $stateID = $_REQUEST['TARGET']; // sanitize the input - $restartURL = SimpleSAML_Utilities::getURLFromStateID($stateID); - if (!is_null($restartURL)) { - SimpleSAML_Utilities::checkURLAllowed($restartURL); + $sid = SimpleSAML_Utilities::parseStateID($stateID); + if (!is_null($sid['url'])) { + SimpleSAML_Utilities::checkURLAllowed($sid['url']); } $state = SimpleSAML_Auth_State::loadState($stateID, 'saml:sp:sso'); diff --git a/modules/saml/www/sp/saml2-acs.php b/modules/saml/www/sp/saml2-acs.php index 09723b6..dc03758 100644 --- a/modules/saml/www/sp/saml2-acs.php +++ b/modules/saml/www/sp/saml2-acs.php @@ -54,9 +54,9 @@ $stateId = $response->getInResponseTo(); if (!empty($stateId)) { // sanitize the input - $restartURL = SimpleSAML_Utilities::getURLFromStateID($stateId); - if (!is_null($restartURL)) { - SimpleSAML_Utilities::checkURLAllowed($restartURL); + $sid = SimpleSAML_Utilities::parseStateID($stateId); + if (!is_null($sid['url'])) { + SimpleSAML_Utilities::checkURLAllowed($sid['url']); } /* This is a response to a request we sent earlier. */ diff --git a/modules/saml/www/sp/saml2-logout.php b/modules/saml/www/sp/saml2-logout.php index 5d36024..950f3b0 100644 --- a/modules/saml/www/sp/saml2-logout.php +++ b/modules/saml/www/sp/saml2-logout.php @@ -55,9 +55,9 @@ if ($message instanceof SAML2_LogoutResponse) { } // sanitize the input - $restartURL = SimpleSAML_Utilities::getURLFromStateID($relayState); - if (!is_null($restartURL)) { - SimpleSAML_Utilities::checkURLAllowed($restartURL); + $sid = SimpleSAML_Utilities::parseStateID($relayState); + if (!is_null($sid['url'])) { + SimpleSAML_Utilities::checkURLAllowed($sid['url']); } $state = SimpleSAML_Auth_State::loadState($relayState, 'saml:slosent'); diff --git a/www/saml2/sp/AssertionConsumerService.php b/www/saml2/sp/AssertionConsumerService.php index c7dc96f..b55fc97 100644 --- a/www/saml2/sp/AssertionConsumerService.php +++ b/www/saml2/sp/AssertionConsumerService.php @@ -61,9 +61,9 @@ if (array_key_exists(SimpleSAML_Auth_ProcessingChain::AUTHPARAM, $_REQUEST)) { $authProcId = $_REQUEST[SimpleSAML_Auth_ProcessingChain::AUTHPARAM]; // sanitize the input - $restartURL = SimpleSAML_Utilities::getURLFromStateID($authProcId); - if (!is_null($restartURL)) { - SimpleSAML_Utilities::checkURLAllowed($restartURL); + $sid = SimpleSAML_Utilities::parseStateID($authProcId); + if (!is_null($sid['url'])) { + SimpleSAML_Utilities::checkURLAllowed($sid['url']); } $authProcState = SimpleSAML_Auth_ProcessingChain::fetchProcessedState($authProcId); diff --git a/www/shib13/sp/AssertionConsumerService.php b/www/shib13/sp/AssertionConsumerService.php index bc5a436..6d04f8c 100644 --- a/www/shib13/sp/AssertionConsumerService.php +++ b/www/shib13/sp/AssertionConsumerService.php @@ -49,9 +49,9 @@ if (array_key_exists(SimpleSAML_Auth_ProcessingChain::AUTHPARAM, $_REQUEST)) { $authProcId = $_REQUEST[SimpleSAML_Auth_ProcessingChain::AUTHPARAM]; // sanitize the input - $restartURL = SimpleSAML_Utilities::getURLFromStateID($authProcId); - if (!is_null($restartURL)) { - SimpleSAML_Utilities::checkURLAllowed($restartURL); + $sid = SimpleSAML_Utilities::parseStateID($authProcId); + if (!is_null($sid['url'])) { + SimpleSAML_Utilities::checkURLAllowed($sid['url']); } $authProcState = SimpleSAML_Auth_ProcessingChain::fetchProcessedState($authProcId); |