Commit message

Deprecate the certFingerprint option.
Issue a notice when the option is used nonetheless.
Closes: #432
It is possible that the current script ($_SERVER['SCRIPT_FILENAME']) is inside SimpleSAMLphp's 'www' directory. However, even if that's the case, we should not enforce our base URL (as set in the 'baseurlpath' configuration option) if the request URI ($_SERVER['REQUEST_URI']) does not contain the relative path to the script. This is the case of AuthMemCookie, for example, where accessing a random URL protected by Apache, leads to the execution of a SimpleSAMLphp script, where SimpleSAML\Utils\HTTP::getSelfURL() must not try to be smart when guessing the current URL.
Some things, like logging of SAML messages or backtraces, are controlled with the 'debug' configuration option. However, it might be possible that we don't want one while we want the other, but that's impossible with just one option.
This commit allows us to configure debugging options independently, but grouping all of them together. This is particularly useful if we want to log backtraces to debug errors, for example, but we don't want to log SAML messages to keep the privacy of the users. This also allows us to get rid of the 'debug.validatexml' configuration option, and group it with other debug options.
These changes are backwards-compatible. Old and new configurations will work at the same time.
Now we are finally using the 2.x branch of the SAML2 library, which was also migrated to use namespaces. Even though the library provides an autoloader that allows loading the classes with the old names using class aliasing, we need to do the migration in one commit (at least for most part of it). This is due to the way SimpleSAMLphp checks data types, using inheritance to check objects against abstract or more general classes. Even though class aliasing works, there's no way to replicate those relationships, and type checks that use the old class names will fail because the aliases are virtually new classes that don't inherit from others.
third-party script.
Recent fixes for URL guessing and building addressed bugs in the code that were preventing the 'baseurlpath' from being used properly. However, they introduced a new issue, as the code was assuming the current URL would always point to a SimpleSAMLphp script. This is not always true, of course, as any script can invoke our API and end up trying to get its own URL (for example, when calling requireAuth()).
In order to fix this, we monitor mismatches between SimpleSAMLphp's installation path and the absolute, real path to the current script. When there's a mismatch, it means we are running a third-party script outside SimpleSAMLphp, and therefore we should NOT enforce 'baseurlpath'. This introduces an additional issue, as applications behind a reverse proxy may cause trouble to guess the right URL (we will use the URL as seen by SimpleSAMLphp in the server, which is not necessarily the same as the user sees with a reverse proxy in between). For the moment, we'll leave the responsibility to sort that issue out to implementors. It might be a good idea to add a page to the wiki explaining how to do this.
This resolves #418.
Due to recent changes to fix the way we were building URLs (mixing what the 'baseurlpath' configuration option and the current URL, see #396), we introduced another bug by assuming file paths will always use slashes ('/'), which obviously is not true in Windows machines. This commit fixes SimpleSAML_Configuration::getBaseDir() and SimpleSAML\Utils\HTTP::getSelfURL() to take that into account.
This closes #414.
Currently, if headers have already been sent, a redirection will fail and generate errors in the error log. The user will be presented with a page containing a link that he or she will need to click on. Checking if headers have already been sent we can avoid errors, and adding a simple javascript to the "onload" event in the body of the page, we can still redirect automatically. That way, only when headers have already been sent and the users have javascript disabled, they will get to see the page.
Both SimpleSAML_SessionHandlerPHP::setCookie() and SimpleSAML\Utils\HTTP::setCookie() throw the SimpleSAML\Error\CannotSetCookie exception. Depending on why the error was generated, set the error code in the exception accordingly.
SimpleSAML\Error\CannotSetCookie exception.
Recent commits have introduced a new way to obtain the self URL, honouring whatever is specified in 'baseurlpath'. However, this new code breaks when accessing SimpleSAMLphp through a path containing symbolic links in the file system, since the base directory refers always to the real path while the $_SERVER contents reflect what the web server sees (symlinks included). We use realpath() to convert a path with symlinks to a canonical path that we can compare.
was producing an empty parameter with an empty value when the query string was empty.
getSelfURLNoQuery() to honor the 'baseurlpath' configuration option instead of simply using the environment. They were actually broken since they were using it to build the scheme, host and port, but completely ignoring the path, rendering wrong URLs in between what was configured in 'baseurlpath' and the real information in the environment. This resolves #396, but also affects #5. The changes to getSelfURLNoQuery() in #391 are unnecessary now, since we are now basically getting the full URL and removing the query afterwards.
when the trailing slash is missing, just add it.
php-fpm, common with nginx) where $_SERVER['SCRIPT_NAME'] is already populated with $_SERVER['PATH_INFO'] appended to it. In those cases, we should not blindly append PATH_INFO to SCRIPT_NAME, but check the latter first. This hopefully resolves #5 and closes #391.
Fixes #379
before led to blank pages or even worse.
it makes no sense at all to try to guess the root URI, since there's no such thing, probably.
from the OS. Mask errors instead.
SimpleSAML\Module and SimpleSAML\Logger in there.
reference to a function.
use the host AND port if the latter is not the default one, but we are only using the host. These are the case for evaluating the 'trusted.url.domains' configuration options (we should allow the host and port we are reachable in, but not other ports in the same host) and the method that returns the host with path, which should include the port if that's not standard (the documentation of the method already says so).
Utils\HTTP::getSelfHostWithNonStandardPort(), change the logic, and reimplement Utils\HTTP::getSelfHost() to depend on the former. Complete the tests to include the case of port 443 while using HTTPS.
popErrorMask() methods to simplify code in SimpleSAML\Utils\Config\Metadata.
all kinds of failures.
Don't gather the proxy.auth setting if we don't use it
(being respectful with occurrences that might change the behaviour, i.e. default database prefixes)
https://github.com/sgomez/simplesamlphp into master
has any values, and raise an exception if not.
SimpleSAML\Utils\Attributes::normalizeAttributesArray().
feature/config-from-env
ability to set via environment variable
discovery service.
\SimpleSAML\Utils\Crypto::aesEncrypt() to use openssl instead of mcrypt. This removes the direct dependency on mcrypt and closes #228.
internal methods where the secret is passed as a parameter. Then we don't need a working configuration to test the functionality.
Raise InvalidArgumentException if $retryURL is not a string AND is not null
with the length of generated IDs.
inet_pton failure is captured later - silence so unit tests pass.
dealing with wrong input parameters.
SimpleSAML\Utils\Config::getCertPath() and deprecate the former.
SimpleSAML\Utils\XML::checkSAMLMessage().
Deprecate SimpleSAML_Utilities::getDefaultEndpoint().
SimpleSAML_Utils_Config_Metadata.
SimpleSAML\Utils\HTTP::debugSAMLMessage() and deprecate the former.
SimpleSAML\Utils\HTTP::checkSessionCookie() and deprecate the former.
\SimpleSAML\Utils\HTTP instead of \SimpleSAML\Utils\System. Fix that.
SimpleSAML\Utils\HTTP::redirectUntrustedURL() and deprecate the former.
checkURLAllowed() and deprecate the former.
redirectTrustedURL() and deprecate the former.
setCookie() and deprecate the former.
createHttpPostRedirectLink() methods in SimpleSAML_Utilities to \SimpleSAML\Utils\HTTP. The last one is made private, the others are renamed to submitPOSTData() and getPOSTRedirectURL(), respectively. Deprecate the three old ones.
deprecate the former.
deprecate the former.
SimpleSAML\Utils\HTTP::normalizeURL() and deprecate the former.
SimpleSAML\Utils\HTTP::resolveURL() and deprecate the former.
SimpleSAML\Utils\HTTP::getSelfURLNoQuery() and deprecate the former.
and deprecate the former.
SimpleSAML\Utils\HTTP::getSelfURLHost() and deprecate the former.
SimpleSAML\Utils\HTTP::getFirstPathElement() and deprecate the former.
SimpleSAML\Utils\HTTP::getSelfHostWithPath() and deprecate the former.
SimpleSAML\Utils\HTTP::getSelfHost() and deprecate the former.
SimpleSAML\Utils\HTTP::getAcceptLanguage() and deprecate the former.
SimpleSAML\Utils\HTTP::getBaseURL() and deprecate the former.
SimpleSAML\Utils\HTTP::resolvePath() and deprecate the former.
SimpleSAML\Utils\HTTP::addURLParameters() and deprecate the former.
SimpleSAML\Utils\HTTP::parseQueryString() and deprecate the former.
getServerPort() to SimpleSAML\Utils\HTTP.