diff --git a/lib/SimpleSAML/Auth/BWC.php b/lib/SimpleSAML/Auth/BWC.php
index 2866f11c2bbc54cb0487bf396594dc8b14ea1303..290c514b506e31d30f4af255e2a017188dbff135 100644
--- a/lib/SimpleSAML/Auth/BWC.php
+++ b/lib/SimpleSAML/Auth/BWC.php
@@ -120,7 +120,7 @@ class SimpleSAML_Auth_BWC extends SimpleSAML_Auth_Simple {
$config = SimpleSAML_Configuration::getInstance();
$authurl = '/' . $config->getBaseURL() . $this->auth;
- SimpleSAML_Utilities::redirect($authurl, array(
+ SimpleSAML_Utilities::redirectTrustedURL($authurl, array(
'RelayState' => $relayState,
'AuthId' => $authId,
'protocol' => 'saml2',
@@ -143,20 +143,19 @@ class SimpleSAML_Auth_BWC extends SimpleSAML_Auth_Simple {
$session = SimpleSAML_Session::getInstance();
if (!$session->isValid($this->authority)) {
/* Not authenticated to this authentication source. */
- SimpleSAML_Utilities::redirect($url);
+ SimpleSAML_Utilities::redirectUntrustedURL($url);
assert('FALSE');
}
if ($this->authority === 'saml2') {
$config = SimpleSAML_Configuration::getInstance();
- SimpleSAML_Utilities::redirect('/' . $config->getBaseURL() . 'saml2/sp/initSLO.php',
+ SimpleSAML_Utilities::redirectUntrustedURL('/' . $config->getBaseURL() . 'saml2/sp/initSLO.php',
array('RelayState' => $url)
);
}
$session->doLogout($this->authority);
-
- SimpleSAML_Utilities::redirect($url);
+ SimpleSAML_Utilities::redirectUntrustedURL($url);
}
}
diff --git a/lib/SimpleSAML/Auth/Default.php b/lib/SimpleSAML/Auth/Default.php
index 39cc174f304a61f77cbecfe4a393b409a8f74876..34686aa2d0926feb1a3bfc2715467113fa36bfc1 100644
--- a/lib/SimpleSAML/Auth/Default.php
+++ b/lib/SimpleSAML/Auth/Default.php
@@ -121,7 +121,7 @@ class SimpleSAML_Auth_Default {
if (is_string($return)) {
/* Redirect... */
- SimpleSAML_Utilities::redirect($return);
+ SimpleSAML_Utilities::redirectUntrustedURL($return);
} else {
call_user_func($return, $state);
assert('FALSE');
@@ -184,7 +184,7 @@ class SimpleSAML_Auth_Default {
self::initLogoutReturn($returnURL, $authority);
/* Redirect... */
- SimpleSAML_Utilities::redirect($returnURL);
+ SimpleSAML_Utilities::redirectUntrustedURL($returnURL);
}
@@ -202,7 +202,7 @@ class SimpleSAML_Auth_Default {
$returnURL = $state['SimpleSAML_Auth_Default.ReturnURL'];
/* Redirect... */
- SimpleSAML_Utilities::redirect($returnURL);
+ SimpleSAML_Utilities::redirectUntrustedURL($returnURL);
}
diff --git a/lib/SimpleSAML/Auth/ProcessingChain.php b/lib/SimpleSAML/Auth/ProcessingChain.php
index 238b58f849a4843d7326d4e9f2e07c21cca0eae2..da04532642d0cff4679236166f29aca9e6c7fb6b 100644
--- a/lib/SimpleSAML/Auth/ProcessingChain.php
+++ b/lib/SimpleSAML/Auth/ProcessingChain.php
@@ -248,7 +248,7 @@ class SimpleSAML_Auth_ProcessingChain {
* in $state['ReturnURL'].
*/
$id = SimpleSAML_Auth_State::saveState($state, self::COMPLETED_STAGE);
- SimpleSAML_Utilities::redirect($state['ReturnURL'], array(self::AUTHPARAM => $id));
+ SimpleSAML_Utilities::redirectUntrustedURL($state['ReturnURL'], array(self::AUTHPARAM => $id));
} else {
/* Pass the state to the function defined in $state['ReturnCall']. */
diff --git a/lib/SimpleSAML/Auth/Simple.php b/lib/SimpleSAML/Auth/Simple.php
index 0041dddb95c3ce70cdd90545b61b9f41fe19ebcb..8577379e88e7d24a9f9c06314edc79081361f395 100644
--- a/lib/SimpleSAML/Auth/Simple.php
+++ b/lib/SimpleSAML/Auth/Simple.php
@@ -219,7 +219,7 @@ class SimpleSAML_Auth_Simple {
$params[$state['ReturnStateParam']] = $stateID;
}
- SimpleSAML_Utilities::redirect($state['ReturnTo'], $params);
+ SimpleSAML_Utilities::redirectUntrustedURL($state['ReturnTo'], $params);
}
}
diff --git a/lib/SimpleSAML/Auth/State.php b/lib/SimpleSAML/Auth/State.php
index 5eb1b555e8ae01517c31914fdcf008af767b1648..57387665d8045fe115ee2e8bd21d8983dd4063b7 100644
--- a/lib/SimpleSAML/Auth/State.php
+++ b/lib/SimpleSAML/Auth/State.php
@@ -232,7 +232,7 @@ class SimpleSAML_Auth_State {
throw new SimpleSAML_Error_NoState();
}
- SimpleSAML_Utilities::redirect($restartURL);
+ SimpleSAML_Utilities::redirectTrustedURL($restartURL);
}
$state = unserialize($state);
@@ -256,7 +256,7 @@ class SimpleSAML_Auth_State {
throw new Exception($msg);
}
- SimpleSAML_Utilities::redirect($restartURL);
+ SimpleSAML_Utilities::redirectTrustedURL($restartURL);
}
return $state;
@@ -301,7 +301,7 @@ class SimpleSAML_Auth_State {
$id = self::saveState($state, self::EXCEPTION_STAGE);
/* Redirect to the exception handler. */
- SimpleSAML_Utilities::redirect($state[self::EXCEPTION_HANDLER_URL], array(self::EXCEPTION_PARAM => $id));
+ SimpleSAML_Utilities::redirectTrustedURL($state[self::EXCEPTION_HANDLER_URL], array(self::EXCEPTION_PARAM => $id));
} elseif (array_key_exists(self::EXCEPTION_HANDLER_FUNC, $state)) {
/* Call the exception handler. */
diff --git a/lib/SimpleSAML/IdP.php b/lib/SimpleSAML/IdP.php
index de19898bf8abd1ec3293ac5cd66acb340572f4c2..630662dd752895131050ef9f3898cec75f2c7d7d 100644
--- a/lib/SimpleSAML/IdP.php
+++ b/lib/SimpleSAML/IdP.php
@@ -529,7 +529,7 @@ class SimpleSAML_IdP {
public static function finishLogoutRedirect(SimpleSAML_IdP $idp, array $state) {
assert('isset($state["core:Logout:URL"])');
- SimpleSAML_Utilities::redirect($state['core:Logout:URL']);
+ SimpleSAML_Utilities::redirectUntrustedURL($state['core:Logout:URL']);
assert('FALSE');
}
diff --git a/lib/SimpleSAML/IdP/LogoutIFrame.php b/lib/SimpleSAML/IdP/LogoutIFrame.php
index 094c1a4b4540790e2207eae206ad7e6bbb89bff3..d0c7eee45253cfab5597eb2815be361d7242104f 100644
--- a/lib/SimpleSAML/IdP/LogoutIFrame.php
+++ b/lib/SimpleSAML/IdP/LogoutIFrame.php
@@ -49,7 +49,7 @@ class SimpleSAML_IdP_LogoutIFrame extends SimpleSAML_IdP_LogoutHandler {
}
$url = SimpleSAML_Module::getModuleURL('core/idp/logout-iframe.php', $params);
- SimpleSAML_Utilities::redirect($url);
+ SimpleSAML_Utilities::redirectTrustedURL($url);
}
diff --git a/lib/SimpleSAML/IdP/LogoutTraditional.php b/lib/SimpleSAML/IdP/LogoutTraditional.php
index 5a4846608ca34a8ce995b3b0945d486b34c9bfdf..86ce301e9a717169bd52cfb41a029c4c2c6e4531 100644
--- a/lib/SimpleSAML/IdP/LogoutTraditional.php
+++ b/lib/SimpleSAML/IdP/LogoutTraditional.php
@@ -30,7 +30,7 @@ class SimpleSAML_IdP_LogoutTraditional extends SimpleSAML_IdP_LogoutHandler {
try {
$idp = SimpleSAML_IdP::getByState($association);
$url = call_user_func(array($association['Handler'], 'getLogoutURL'), $idp, $association, $relayState);
- SimpleSAML_Utilities::redirect($url);
+ SimpleSAML_Utilities::redirectTrustedURL($url);
} catch (Exception $e) {
SimpleSAML_Logger::warning('Unable to initialize logout to ' . var_export($id, TRUE) . '.');
$this->idp->terminateAssociation($id);
diff --git a/lib/SimpleSAML/XHTML/IdPDisco.php b/lib/SimpleSAML/XHTML/IdPDisco.php
index 4b7e51494a7b84474c5832546ef0e13214752fbd..c1c5be0c46c5769f026f2081bf6a6645c74da342 100644
--- a/lib/SimpleSAML/XHTML/IdPDisco.php
+++ b/lib/SimpleSAML/XHTML/IdPDisco.php
@@ -463,7 +463,7 @@ class SimpleSAML_XHTML_IdPDisco {
$extDiscoveryStorage = $this->config->getString('idpdisco.extDiscoveryStorage', NULL);
if ($extDiscoveryStorage !== NULL) {
$this->log('Choice made [' . $idp . '] (Forwarding to external discovery storage)');
- SimpleSAML_Utilities::redirect($extDiscoveryStorage, array(
+ SimpleSAML_Utilities::redirectTrustedURL($extDiscoveryStorage, array(
// $this->returnIdParam => $idp,
'entityID' => $this->spEntityId,
'IdPentityID' => $idp,
@@ -474,7 +474,7 @@ class SimpleSAML_XHTML_IdPDisco {
} else {
$this->log('Choice made [' . $idp . '] (Redirecting the user back. returnIDParam=' . $this->returnIdParam . ')');
- SimpleSAML_Utilities::redirect($this->returnURL, array($this->returnIdParam => $idp));
+ SimpleSAML_Utilities::redirectUntrustedURL($this->returnURL, array($this->returnIdParam => $idp));
}
return;
@@ -482,7 +482,7 @@ class SimpleSAML_XHTML_IdPDisco {
if ($this->isPassive) {
$this->log('Choice not made. (Redirecting the user back without answer)');
- SimpleSAML_Utilities::redirect($this->returnURL);
+ SimpleSAML_Utilities::redirectUntrustedURL($this->returnURL);
return;
}
@@ -500,7 +500,7 @@ class SimpleSAML_XHTML_IdPDisco {
if(sizeof($idpintersection) == 1) {
$this->log('Choice made [' . $idpintersection[0] . '] (Redirecting the user back. returnIDParam=' . $this->returnIdParam . ')');
- SimpleSAML_Utilities::redirect($this->returnURL, array($this->returnIdParam => $idpintersection[0]));
+ SimpleSAML_Utilities::redirectUntrustedURL($this->returnURL, array($this->returnIdParam => $idpintersection[0]));
}
/*
diff --git a/modules/InfoCard/lib/Auth/Source/ICAuth.php b/modules/InfoCard/lib/Auth/Source/ICAuth.php
index 5f11dc2ae5ffa9a0e4aa629f61719212716628fe..39e746c56b6b409f0866ead18fa502eaab1daca8 100644
--- a/modules/InfoCard/lib/Auth/Source/ICAuth.php
+++ b/modules/InfoCard/lib/Auth/Source/ICAuth.php
@@ -37,7 +37,7 @@ class sspmod_InfoCard_Auth_Source_ICAuth extends SimpleSAML_Auth_Source {
$state[self::AUTHID] = $this->authId;
$id = SimpleSAML_Auth_State::saveState($state, self::STAGEID);
$url = SimpleSAML_Module::getModuleURL('InfoCard/login-infocard.php');
- SimpleSAML_Utilities::redirect($url, array('AuthState' => $id));
+ SimpleSAML_Utilities::redirectTrustedURL($url, array('AuthState' => $id));
}
diff --git a/modules/adfs/lib/IdP/ADFS.php b/modules/adfs/lib/IdP/ADFS.php
index 1353d01bcecce1b15525cac48da211e45fb387c1..0594cc78e36b63353691352028cc6c862b20a4e9 100644
--- a/modules/adfs/lib/IdP/ADFS.php
+++ b/modules/adfs/lib/IdP/ADFS.php
@@ -171,7 +171,7 @@ class sspmod_adfs_IdP_ADFS {
// NB:: we don't know from which SP the logout request came from
$metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
$idpMetadata = $idp->getConfig();
- SimpleSAML_Utilities::redirect($idpMetadata->getValue('redirect-after-logout', SimpleSAML_Utilities::getBaseURL()));
+ SimpleSAML_Utilities::redirectTrustedURL($idpMetadata->getValue('redirect-after-logout', SimpleSAML_Utilities::getBaseURL()));
}
public static function receiveLogoutMessage(SimpleSAML_IdP $idp) {
diff --git a/modules/aselect/lib/Auth/Source/aselect.php b/modules/aselect/lib/Auth/Source/aselect.php
index c7cb88d2f789b7a370a6c8924c760dc4ee8bf531..c503361e1ab96567c040c7edd89bab4ce166d1c7 100644
--- a/modules/aselect/lib/Auth/Source/aselect.php
+++ b/modules/aselect/lib/Auth/Source/aselect.php
@@ -52,7 +52,7 @@ class sspmod_aselect_Auth_Source_aselect extends SimpleSAML_Auth_Source {
$app_url = SimpleSAML_Module::getModuleURL('aselect/credentials.php', array('ssp_state' => $id));
$as_url = $this->request_authentication($app_url);
- SimpleSAML_Utilities::redirect($as_url);
+ SimpleSAML_Utilities::redirectTrustedURL($as_url);
} catch(Exception $e) {
// attach the exception to the state
SimpleSAML_Auth_State::throwException($state, $e);
diff --git a/modules/authYubiKey/lib/Auth/Source/YubiKey.php b/modules/authYubiKey/lib/Auth/Source/YubiKey.php
index 1381ee68fb3900b910ffe57b6789b0f41ba762a3..ae98920d61113455fb6bea97f886567456e8ba81 100644
--- a/modules/authYubiKey/lib/Auth/Source/YubiKey.php
+++ b/modules/authYubiKey/lib/Auth/Source/YubiKey.php
@@ -104,7 +104,7 @@ class sspmod_authYubiKey_Auth_Source_YubiKey extends SimpleSAML_Auth_Source {
$id = SimpleSAML_Auth_State::saveState($state, self::STAGEID);
$url = SimpleSAML_Module::getModuleURL('authYubiKey/yubikeylogin.php');
- SimpleSAML_Utilities::redirect($url, array('AuthState' => $id));
+ SimpleSAML_Utilities::redirectTrustedURL($url, array('AuthState' => $id));
}
diff --git a/modules/authfacebook/lib/Auth/Source/Facebook.php b/modules/authfacebook/lib/Auth/Source/Facebook.php
index 67ab3cbf06f7b2988d745d6d970abd0f5208be66..5c2e62dd1d1a8fdeb72ecc0f67706669fc64c258 100644
--- a/modules/authfacebook/lib/Auth/Source/Facebook.php
+++ b/modules/authfacebook/lib/Auth/Source/Facebook.php
@@ -80,7 +80,7 @@ class sspmod_authfacebook_Auth_Source_Facebook extends SimpleSAML_Auth_Source {
$url = $facebook->getLoginUrl(array('redirect_uri' => $linkback, 'scope' => $this->req_perms));
SimpleSAML_Auth_State::saveState($state, self::STAGE_INIT);
- SimpleSAML_Utilities::redirect($url);
+ SimpleSAML_Utilities::redirectTrustedURL($url);
}
diff --git a/modules/authorize/lib/Auth/Process/Authorize.php b/modules/authorize/lib/Auth/Process/Authorize.php
index cd815560190bf52526aafe7276b5201685dec4d5..ab573fed3c86472a3845eb48c98a4b51736e8478 100644
--- a/modules/authorize/lib/Auth/Process/Authorize.php
+++ b/modules/authorize/lib/Auth/Process/Authorize.php
@@ -129,7 +129,7 @@ class sspmod_authorize_Auth_Process_Authorize extends SimpleSAML_Auth_Processing
'authorize:Authorize');
$url = SimpleSAML_Module::getModuleURL(
'authorize/authorize_403.php');
- SimpleSAML_Utilities::redirect($url, array('StateId' => $id));
+ SimpleSAML_Utilities::redirectTrustedURL($url, array('StateId' => $id));
}
}
diff --git a/modules/authwindowslive/lib/Auth/Source/LiveID.php b/modules/authwindowslive/lib/Auth/Source/LiveID.php
index 2dcd532bf266f422cf9e7ba046f7001ed5af3ae3..cbbff0ffb3524f8fdd76d68b09cf9d3685f69201 100644
--- a/modules/authwindowslive/lib/Auth/Source/LiveID.php
+++ b/modules/authwindowslive/lib/Auth/Source/LiveID.php
@@ -72,7 +72,7 @@ class sspmod_authwindowslive_Auth_Source_LiveID extends SimpleSAML_Auth_Source {
. '&wrap_scope=WL_Profiles.View,Messenger.SignIn'
;
- SimpleSAML_Utilities::redirect($authorizeURL);
+ SimpleSAML_Utilities::redirectTrustedURL($authorizeURL);
}
diff --git a/modules/cas/lib/Auth/Source/CAS.php b/modules/cas/lib/Auth/Source/CAS.php
index faa52d09cc4c1fe05f7bf4505f5f83b933692b9d..e1f2a93a05348468d190ec9e9636132c3b4f227c 100644
--- a/modules/cas/lib/Auth/Source/CAS.php
+++ b/modules/cas/lib/Auth/Source/CAS.php
@@ -206,7 +206,7 @@ class sspmod_cas_Auth_Source_CAS extends SimpleSAML_Auth_Source {
$serviceUrl = SimpleSAML_Module::getModuleURL('cas/linkback.php', array('stateID' => $stateID));
- SimpleSAML_Utilities::redirect($this->_loginMethod, array(
+ SimpleSAML_Utilities::redirectTrustedURL($this->_loginMethod, array(
'service' => $serviceUrl));
}
@@ -230,7 +230,7 @@ class sspmod_cas_Auth_Source_CAS extends SimpleSAML_Auth_Source {
SimpleSAML_Auth_State::deleteState($state);
// we want cas to log us out
- SimpleSAML_Utilities::redirect($logoutUrl, array());
+ SimpleSAML_Utilities::redirectTrustedURL($logoutUrl);
}
}
diff --git a/modules/casserver/www/login.php b/modules/casserver/www/login.php
index be417d336c990c743721015d6c6d754eebc73a29..e59c3324877acf4dd71320c2f5016cc897b9f781 100644
--- a/modules/casserver/www/login.php
+++ b/modules/casserver/www/login.php
@@ -48,7 +48,7 @@ storeTicket($ticket, $path, array('service' => $service,
'proxies' => array(),
'validbefore' => time() + 5));
-SimpleSAML_Utilities::redirect(
+SimpleSAML_Utilities::redirectUntrustedURL(
SimpleSAML_Utilities::addURLparameter($service,
array('ticket' => $ticket)
)
diff --git a/modules/cdc/lib/Server.php b/modules/cdc/lib/Server.php
index 5f7636ccc5f3f672264f327071a74acf31bc2eee..403ff950b0da8ba2ca52507f6885f3f05d2acea6 100644
--- a/modules/cdc/lib/Server.php
+++ b/modules/cdc/lib/Server.php
@@ -325,7 +325,7 @@ class sspmod_cdc_Server {
$url = SimpleSAML_Utilities::addURLparameter($to, $params);
if (strlen($url) < 2048) {
- SimpleSAML_Utilities::redirect($url);
+ SimpleSAML_Utilities::redirectUntrustedURL($url);
} else {
SimpleSAML_Utilities::postRedirect($to, $params);
}
diff --git a/modules/consent/lib/Auth/Process/Consent.php b/modules/consent/lib/Auth/Process/Consent.php
index 25067ec97b19aeb46c3a00bc0893ba4f1e79eed0..eaacd3eb78014a221cb42c6219becb03f51f8f18 100644
--- a/modules/consent/lib/Auth/Process/Consent.php
+++ b/modules/consent/lib/Auth/Process/Consent.php
@@ -278,7 +278,7 @@ class sspmod_consent_Auth_Process_Consent extends SimpleSAML_Auth_ProcessingFilt
// Save state and redirect
$id = SimpleSAML_Auth_State::saveState($state, 'consent:request');
$url = SimpleSAML_Module::getModuleURL('consent/getconsent.php');
- SimpleSAML_Utilities::redirect($url, array('StateId' => $id));
+ SimpleSAML_Utilities::redirectTrustedURL($url, array('StateId' => $id));
}
/**
diff --git a/modules/consent/lib/Logout.php b/modules/consent/lib/Logout.php
index ad7ca4e11eaf4b116920966a4f8cf94bdd734f1a..f605e98923ea893b75f02ff8c0197ed10cb057bf 100644
--- a/modules/consent/lib/Logout.php
+++ b/modules/consent/lib/Logout.php
@@ -10,7 +10,7 @@ class sspmod_consent_Logout {
public static function postLogout(SimpleSAML_IdP $idp, array $state) {
$url = SimpleSAML_Module::getModuleURL('consent/logout_completed.php');
- SimpleSAML_Utilities::redirect($url);
+ SimpleSAML_Utilities::redirectTrustedURL($url);
}
}
diff --git a/modules/core/lib/Auth/Process/WarnShortSSOInterval.php b/modules/core/lib/Auth/Process/WarnShortSSOInterval.php
index 6d250ed0e2547e33bf9169c47c28144b88ea9129..6ac34d7c1f5b43bf749e39ce9e8533612c82d09b 100644
--- a/modules/core/lib/Auth/Process/WarnShortSSOInterval.php
+++ b/modules/core/lib/Auth/Process/WarnShortSSOInterval.php
@@ -47,7 +47,7 @@ class sspmod_core_Auth_Process_WarnShortSSOInterval extends SimpleSAML_Auth_Proc
/* Save state and redirect. */
$id = SimpleSAML_Auth_State::saveState($state, 'core:short_sso_interval');
$url = SimpleSAML_Module::getModuleURL('core/short_sso_interval.php');
- SimpleSAML_Utilities::redirect($url, array('StateId' => $id));
+ SimpleSAML_Utilities::redirectTrustedURL($url, array('StateId' => $id));
}
}
diff --git a/modules/core/lib/Auth/UserPassBase.php b/modules/core/lib/Auth/UserPassBase.php
index 80eae48eeca25474e42511c378f61843ac430d34..633a7484afce369e9d2df6416edfeb910ca3d183 100644
--- a/modules/core/lib/Auth/UserPassBase.php
+++ b/modules/core/lib/Auth/UserPassBase.php
@@ -158,7 +158,7 @@ abstract class sspmod_core_Auth_UserPassBase extends SimpleSAML_Auth_Source {
*/
$url = SimpleSAML_Module::getModuleURL('core/loginuserpass.php');
$params = array('AuthState' => $id);
- SimpleSAML_Utilities::redirect($url, $params);
+ SimpleSAML_Utilities::redirectTrustedURL($url, $params);
/* The previous function never returns, so this code is never executed. */
assert('FALSE');
diff --git a/modules/core/lib/Auth/UserPassOrgBase.php b/modules/core/lib/Auth/UserPassOrgBase.php
index dc3a92eb67d9ff575adbb285096c71efc1f250fa..f79c3aefa265b47339434a03d5528d349426e4c5 100644
--- a/modules/core/lib/Auth/UserPassOrgBase.php
+++ b/modules/core/lib/Auth/UserPassOrgBase.php
@@ -157,7 +157,7 @@ abstract class sspmod_core_Auth_UserPassOrgBase extends SimpleSAML_Auth_Source {
$url = SimpleSAML_Module::getModuleURL('core/loginuserpassorg.php');
$params = array('AuthState' => $id);
- SimpleSAML_Utilities::redirect($url, $params);
+ SimpleSAML_Utilities::redirectTrustedURL($url, $params);
}
diff --git a/modules/core/www/as_login.php b/modules/core/www/as_login.php
index 143dde6c1cd7b87b7b58f9dbdac21b1b64a481f6..a30bd1f77f3c08c2d1f6695d2df52ac863fabf04 100644
--- a/modules/core/www/as_login.php
+++ b/modules/core/www/as_login.php
@@ -35,4 +35,4 @@ if (!empty($_REQUEST['saml:idp'])) {
$as = new SimpleSAML_Auth_Simple($_REQUEST['AuthId']);
$as->requireAuth($options);
-SimpleSAML_Utilities::redirect($_REQUEST['ReturnTo']);
+SimpleSAML_Utilities::redirectUntrustedURL($_REQUEST['ReturnTo']);
diff --git a/modules/core/www/bwc_resumeauth.php b/modules/core/www/bwc_resumeauth.php
index 5da50c3dccb85e0d00b43a7a264a5b792956a81c..68b2055049e7659819f1f320e297068f9362dcd5 100644
--- a/modules/core/www/bwc_resumeauth.php
+++ b/modules/core/www/bwc_resumeauth.php
@@ -20,7 +20,7 @@ if ($requestcache['ForceAuthn'] && $requestcache['core:prevSession'] === $sessio
}
if (isset($state['ReturnTo'])) {
- SimpleSAML_Utilities::redirect($state['ReturnTo']);
+ SimpleSAML_Utilities::redirectUntrustedURL($state['ReturnTo']);
}
foreach ($session->getAuthState($authority) as $k => $v) {
diff --git a/modules/core/www/cleardiscochoices.php b/modules/core/www/cleardiscochoices.php
index 7cf7fa03fa5e46455ccc2c44d6b1e5ab2954bedc..c94e411e211b4bef7f01f54becd4d04957862c45 100644
--- a/modules/core/www/cleardiscochoices.php
+++ b/modules/core/www/cleardiscochoices.php
@@ -33,5 +33,5 @@ if(array_key_exists('ReturnTo', $_REQUEST)) {
}
/* Redirect to destination. */
-SimpleSAML_Utilities::redirect($returnTo);
+SimpleSAML_Utilities::redirectUntrustedURL($returnTo);
diff --git a/modules/core/www/login-admin.php b/modules/core/www/login-admin.php
index 16acc1e0f97be11300ee17fd45302cee7e049091..83886a181a27edac1954710c04bdfe3b2ab5e5fd 100644
--- a/modules/core/www/login-admin.php
+++ b/modules/core/www/login-admin.php
@@ -10,5 +10,5 @@ $returnTo = $_REQUEST['ReturnTo'];
SimpleSAML_Utilities::requireAdmin();
-SimpleSAML_Utilities::redirect($returnTo);
+SimpleSAML_Utilities::redirectUntrustedURL($returnTo);
diff --git a/modules/discopower/lib/PowerIdPDisco.php b/modules/discopower/lib/PowerIdPDisco.php
index 072e6afb3de1dc1fe2a8ce1b89fd59023951ef82..bb33a3c6d83c1f756417273241c9710b4927e032 100644
--- a/modules/discopower/lib/PowerIdPDisco.php
+++ b/modules/discopower/lib/PowerIdPDisco.php
@@ -193,7 +193,7 @@ class sspmod_discopower_PowerIdPDisco extends SimpleSAML_XHTML_IdPDisco {
if ($this->config->getBoolean('idpdisco.extDiscoveryStorage', NULL) != NULL) {
$extDiscoveryStorage = $this->config->getBoolean('idpdisco.extDiscoveryStorage');
$this->log('Choice made [' . $idp . '] (Forwarding to external discovery storage)');
- SimpleSAML_Utilities::redirect($extDiscoveryStorage, array(
+ SimpleSAML_Utilities::redirectTrustedURL($extDiscoveryStorage, array(
'entityID' => $this->spEntityId,
'IdPentityID' => $idp,
'returnIDParam' => $this->returnIdParam,
@@ -203,7 +203,7 @@ class sspmod_discopower_PowerIdPDisco extends SimpleSAML_XHTML_IdPDisco {
} else {
$this->log('Choice made [' . $idp . '] (Redirecting the user back. returnIDParam=' . $this->returnIdParam . ')');
- SimpleSAML_Utilities::redirect($this->returnURL, array($this->returnIdParam => $idp));
+ SimpleSAML_Utilities::redirectUntrustedURL($this->returnURL, array($this->returnIdParam => $idp));
}
return;
@@ -211,7 +211,7 @@ class sspmod_discopower_PowerIdPDisco extends SimpleSAML_XHTML_IdPDisco {
if ($this->isPassive) {
$this->log('Choice not made. (Redirecting the user back without answer)');
- SimpleSAML_Utilities::redirect($this->returnURL);
+ SimpleSAML_Utilities::redirectUntrustedURL($this->returnURL);
return;
}
diff --git a/modules/exampleauth/lib/Auth/Process/RedirectTest.php b/modules/exampleauth/lib/Auth/Process/RedirectTest.php
index 02a4220d6a3023c7dc9f32c2bb95f35cb547914d..1ed8103948fb8bd5b5c8f5f1850577e28fabaac2 100644
--- a/modules/exampleauth/lib/Auth/Process/RedirectTest.php
+++ b/modules/exampleauth/lib/Auth/Process/RedirectTest.php
@@ -22,7 +22,7 @@ class sspmod_exampleauth_Auth_Process_RedirectTest extends SimpleSAML_Auth_Proce
/* Save state and redirect. */
$id = SimpleSAML_Auth_State::saveState($state, 'exampleauth:redirectfilter-test');
$url = SimpleSAML_Module::getModuleURL('exampleauth/redirecttest.php');
- SimpleSAML_Utilities::redirect($url, array('StateId' => $id));
+ SimpleSAML_Utilities::redirectTrustedURL($url, array('StateId' => $id));
}
}
diff --git a/modules/exampleauth/lib/Auth/Source/External.php b/modules/exampleauth/lib/Auth/Source/External.php
index fee9489aa3f4b73c307aaab328ba143aff718a11..d3b16f020c19ca4d64edac6971d2fcaaf169456d 100644
--- a/modules/exampleauth/lib/Auth/Source/External.php
+++ b/modules/exampleauth/lib/Auth/Source/External.php
@@ -156,7 +156,7 @@ class sspmod_exampleauth_Auth_Source_External extends SimpleSAML_Auth_Source {
* Note the 'ReturnTo' parameter. This must most likely be replaced with
* the real name of the parameter for the login page.
*/
- SimpleSAML_Utilities::redirect($authPage, array(
+ SimpleSAML_Utilities::redirectTrustedURL($authPage, array(
'ReturnTo' => $returnTo,
));
diff --git a/modules/expirycheck/lib/Auth/Process/ExpiryDate.php b/modules/expirycheck/lib/Auth/Process/ExpiryDate.php
index 65a56ca176c1a798a57c7e1b3cd8e6d47ffeb557..1132617595a351167fec7a3a078042ec2be0b085 100644
--- a/modules/expirycheck/lib/Auth/Process/ExpiryDate.php
+++ b/modules/expirycheck/lib/Auth/Process/ExpiryDate.php
@@ -136,7 +136,7 @@ class sspmod_expirycheck_Auth_Process_ExpiryDate extends SimpleSAML_Auth_Process
$state['netId'] = $netId;
$id = SimpleSAML_Auth_State::saveState($state, 'expirywarning:about2expire');
$url = SimpleSAML_Module::getModuleURL('expirycheck/about2expire.php');
- SimpleSAML_Utilities::redirect($url, array('StateId' => $id));
+ SimpleSAML_Utilities::redirectTrustedURL($url, array('StateId' => $id));
}
if (!self::checkDate($expireOnDate)) {
@@ -149,7 +149,7 @@ class sspmod_expirycheck_Auth_Process_ExpiryDate extends SimpleSAML_Auth_Process
$state['netId'] = $netId;
$id = SimpleSAML_Auth_State::saveState($state, 'expirywarning:expired');
$url = SimpleSAML_Module::getModuleURL('expirycheck/expired.php');
- SimpleSAML_Utilities::redirect($url, array('StateId' => $id));
+ SimpleSAML_Utilities::redirectTrustedURL($url, array('StateId' => $id));
}
}
diff --git a/modules/multiauth/lib/Auth/Source/MultiAuth.php b/modules/multiauth/lib/Auth/Source/MultiAuth.php
index 2b975d4feb143cacb5a3c6bd2c81144797e1307e..ea74df5a88eb91bb3104ac87d2a126e5132777ed 100644
--- a/modules/multiauth/lib/Auth/Source/MultiAuth.php
+++ b/modules/multiauth/lib/Auth/Source/MultiAuth.php
@@ -121,7 +121,7 @@ class sspmod_multiauth_Auth_Source_MultiAuth extends SimpleSAML_Auth_Source {
$params['source'] = $_GET['source'];
}
- SimpleSAML_Utilities::redirect($url, $params);
+ SimpleSAML_Utilities::redirectTrustedURL($url, $params);
/* The previous function never returns, so this code is never
executed */
diff --git a/modules/oauth/lib/Consumer.php b/modules/oauth/lib/Consumer.php
index 734fd43365c47648f0af847c6307c14b1598e294..36065fec2478ed316243419ab733bdde48e11096 100644
--- a/modules/oauth/lib/Consumer.php
+++ b/modules/oauth/lib/Consumer.php
@@ -94,7 +94,7 @@ class sspmod_oauth_Consumer {
}
$authorizeURL = SimpleSAML_Utilities::addURLparameter($url, $params);
if ($redirect) {
- SimpleSAML_Utilities::redirect($authorizeURL);
+ SimpleSAML_Utilities::redirectTrustedURL($authorizeURL);
exit;
}
return $authorizeURL;
diff --git a/modules/oauth/www/authorize.php b/modules/oauth/www/authorize.php
index a2329d1ba24c57d1931b8d15a2788a7ebb3e5827..9b3e032e12bb4fe24347835b5fa8aa69f3b4d40c 100644
--- a/modules/oauth/www/authorize.php
+++ b/modules/oauth/www/authorize.php
@@ -56,11 +56,11 @@ try {
if ($url) {
// If authorize() returns a URL, take user there (oauth1.0a)
- SimpleSAML_Utilities::redirect($url);
+ SimpleSAML_Utilities::redirectUntrustedURL($url);
}
else if (isset($_REQUEST['oauth_callback'])) {
// If callback was provided in the request (oauth1.0)
- SimpleSAML_Utilities::redirect($_REQUEST['oauth_callback']);
+ SimpleSAML_Utilities::redirectUntrustedURL($_REQUEST['oauth_callback']);
} else {
// No callback provided, display standard template
diff --git a/modules/openid/lib/Auth/Source/OpenIDConsumer.php b/modules/openid/lib/Auth/Source/OpenIDConsumer.php
index 2144ad1b0006f675c63f163af341f0f66c804b12..ce5a758be501cc4dfa12efdea220446e77fdb591 100644
--- a/modules/openid/lib/Auth/Source/OpenIDConsumer.php
+++ b/modules/openid/lib/Auth/Source/OpenIDConsumer.php
@@ -123,7 +123,7 @@ class sspmod_openid_Auth_Source_OpenIDConsumer extends SimpleSAML_Auth_Source {
$id = SimpleSAML_Auth_State::saveState($state, 'openid:init');
$url = SimpleSAML_Module::getModuleURL('openid/consumer.php');
- SimpleSAML_Utilities::redirect($url, array('AuthState' => $id));
+ SimpleSAML_Utilities::redirectTrustedURL($url, array('AuthState' => $id));
}
@@ -251,7 +251,7 @@ class sspmod_openid_Auth_Source_OpenIDConsumer extends SimpleSAML_Auth_Source {
// For OpenID 2 failover to POST if redirect URL is longer than 2048
if ($should_send_redirect || strlen($redirect_url) <= 2048) {
- SimpleSAML_Utilities::redirect($redirect_url);
+ SimpleSAML_Utilities::redirectTrustedURL($redirect_url);
assert('FALSE');
}
}
diff --git a/modules/openidProvider/lib/Server.php b/modules/openidProvider/lib/Server.php
index 417191e178e76e7659790af7b0bb00aa87b3d104..f0596d18fa1e5a0fd68add0ee9494ab1929d55aa 100644
--- a/modules/openidProvider/lib/Server.php
+++ b/modules/openidProvider/lib/Server.php
@@ -401,7 +401,7 @@ class sspmod_openidProvider_Server {
}
$trustURL = $this->getStateURL('trust.php', $state);
- SimpleSAML_Utilities::redirect($trustURL);
+ SimpleSAML_Utilities::redirectTrustedURL($trustURL);
}
if (!$trusted) {
diff --git a/modules/openidProvider/www/user.php b/modules/openidProvider/www/user.php
index 69647628699710d738fd52d5d1372af75860eec6..74aa1a7c822bcb2d40be445e6a70e6efeeec7b96 100644
--- a/modules/openidProvider/www/user.php
+++ b/modules/openidProvider/www/user.php
@@ -15,7 +15,7 @@ if (!$userId && $identity) {
* We are accessing the front-page, but are logged in.
* Redirect to the correct page.
*/
- SimpleSAML_Utilities::redirect($identity);
+ SimpleSAML_Utilities::redirectTrustedURL($identity);
}
/* Determine whether we are at the users own page. */
@@ -39,7 +39,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') {
}
}
- SimpleSAML_Utilities::redirect($identity);
+ SimpleSAML_Utilities::redirectTrustedURL($identity);
}
if ($ownPage) {
diff --git a/modules/preprodwarning/lib/Auth/Process/Warning.php b/modules/preprodwarning/lib/Auth/Process/Warning.php
index 089801534604fe366b4bca32f3484322a8b333b4..b9ea10ed9215f438d0dbf7cd4d35a8b7f0ced986 100644
--- a/modules/preprodwarning/lib/Auth/Process/Warning.php
+++ b/modules/preprodwarning/lib/Auth/Process/Warning.php
@@ -29,7 +29,7 @@ class sspmod_preprodwarning_Auth_Process_Warning extends SimpleSAML_Auth_Process
/* Save state and redirect. */
$id = SimpleSAML_Auth_State::saveState($state, 'warning:request');
$url = SimpleSAML_Module::getModuleURL('preprodwarning/showwarning.php');
- SimpleSAML_Utilities::redirect($url, array('StateId' => $id));
+ SimpleSAML_Utilities::redirectTrustedURL($url, array('StateId' => $id));
}
diff --git a/modules/saml/lib/Auth/Process/ExpectedAuthnContextClassRef.php b/modules/saml/lib/Auth/Process/ExpectedAuthnContextClassRef.php
index 4ee754bb5134db9ccddb5920451789b95cbbf30d..bfc2dc180a09ed168bee89aad01270de61844d96 100644
--- a/modules/saml/lib/Auth/Process/ExpectedAuthnContextClassRef.php
+++ b/modules/saml/lib/Auth/Process/ExpectedAuthnContextClassRef.php
@@ -80,6 +80,6 @@ class sspmod_saml_Auth_Process_ExpectedAuthnContextClassRef extends SimpleSAML_A
$id = SimpleSAML_Auth_State::saveState($request, 'saml:ExpectedAuthnContextClassRef:unauthorized');
$url = SimpleSAML_Module::getModuleURL(
'saml/sp/wrong_authncontextclassref.php');
- SimpleSAML_Utilities::redirect($url, array('StateId' => $id));
+ SimpleSAML_Utilities::redirectTrustedURL($url, array('StateId' => $id));
}
}
diff --git a/modules/saml/lib/Auth/Source/SP.php b/modules/saml/lib/Auth/Source/SP.php
index 9bc6234683f96a8e7e589b1f18e0f766d9fdf00b..a2b223588e4f0068056f1aa4aad64ff89ddee00e 100644
--- a/modules/saml/lib/Auth/Source/SP.php
+++ b/modules/saml/lib/Auth/Source/SP.php
@@ -168,7 +168,7 @@ class sspmod_saml_Auth_Source_SP extends SimpleSAML_Auth_Source {
SimpleSAML_Logger::debug('Starting SAML 1 SSO to ' . var_export($idpEntityId, TRUE) .
' from ' . var_export($this->entityId, TRUE) . '.');
- SimpleSAML_Utilities::redirect($url);
+ SimpleSAML_Utilities::redirectTrustedURL($url);
}
@@ -355,7 +355,7 @@ class sspmod_saml_Auth_Source_SP extends SimpleSAML_Auth_Source {
$params['isPassive'] = 'true';
}
- SimpleSAML_Utilities::redirect($discoURL, $params);
+ SimpleSAML_Utilities::redirectTrustedURL($discoURL, $params);
}
diff --git a/modules/saml/www/sp/saml2-acs.php b/modules/saml/www/sp/saml2-acs.php
index 4c4b6db29e34335a0139ec331e46818c8037a7d9..a3c8200bcdc1033ed12537edaf282d7eacee527b 100644
--- a/modules/saml/www/sp/saml2-acs.php
+++ b/modules/saml/www/sp/saml2-acs.php
@@ -45,7 +45,7 @@ if ($prevAuth !== NULL && $prevAuth['id'] === $response->getId() && $prevAuth['i
* instead of displaying a confusing error message.
*/
SimpleSAML_Logger::info('Duplicate SAML 2 response detected - ignoring the response and redirecting the user to the correct page.');
- SimpleSAML_Utilities::redirect($prevAuth['redirect']);
+ SimpleSAML_Utilities::redirectTrustedURL($prevAuth['redirect']);
}
$idpMetadata = array();
diff --git a/www/auth/login-admin.php b/www/auth/login-admin.php
index f660dd94141d3eb2245d21ad35bd7a67b60b1b0d..42ac0ecf0b66d816353d7ce86051ecfb2d9bfe04 100644
--- a/www/auth/login-admin.php
+++ b/www/auth/login-admin.php
@@ -59,7 +59,7 @@ if (isset($_POST['password'])) {
else
SimpleSAML_Logger::stats('AUTH-login-admin OK');
- SimpleSAML_Utilities::redirect($relaystate);
+ SimpleSAML_Utilities::redirectUntrustedURL($relaystate);
exit(0);
} else {
SimpleSAML_Logger::stats('AUTH-login-admin Failed');
diff --git a/www/auth/login-cas-ldap.php b/www/auth/login-cas-ldap.php
index dff33f1fdc00d463111b960167d716f391390f31..2ba907adee87641ea11519194a456fc3e4d737e7 100644
--- a/www/auth/login-cas-ldap.php
+++ b/www/auth/login-cas-ldap.php
@@ -104,7 +104,7 @@ function casValidate($cas) {
*/
} else {
SimpleSAML_Logger::info("AUTH - cas-ldap: redirecting to {$cas['login']}");
- SimpleSAML_Utilities::redirect($cas['login'], array(
+ SimpleSAML_Utilities::redirectTrustedURL($cas['login'], array(
'service' => $service
));
}
@@ -132,7 +132,7 @@ try {
$session->setNameID(array(
'value' => SimpleSAML_Utilities::generateID(),
'Format' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'));
- SimpleSAML_Utilities::redirect($relaystate);
+ SimpleSAML_Utilities::redirectUntrustedURL($relaystate);
} catch(Exception $exception) {
throw new SimpleSAML_Error_Error('CASERROR', $exception);
diff --git a/www/auth/login-ldapmulti.php b/www/auth/login-ldapmulti.php
index 9e070b41a279286d11eb8b2f6a2c27b7fb206a61..aab198afc883877f6eecf1b1e197ad1739a7246f 100644
--- a/www/auth/login-ldapmulti.php
+++ b/www/auth/login-ldapmulti.php
@@ -71,7 +71,7 @@ if (isset($_POST['username'])) {
$returnto = $_REQUEST['RelayState'];
- SimpleSAML_Utilities::redirect($returnto);
+ SimpleSAML_Utilities::redirectUntrustedURL($returnto);
} catch (Exception $e) {
diff --git a/www/auth/login-radius.php b/www/auth/login-radius.php
index 73e24b601e5ed5a1a31d6dd51414d20e1471c3de..b95c7ae92a304a4964937859c1db7344259566f8 100644
--- a/www/auth/login-radius.php
+++ b/www/auth/login-radius.php
@@ -110,7 +110,7 @@ if (isset($_POST['username'])) {
$returnto = $_REQUEST['RelayState'];
- SimpleSAML_Utilities::redirect($returnto);
+ SimpleSAML_Utilities::redirectUntrustedURL($returnto);
case RADIUS_ACCESS_REJECT:
diff --git a/www/auth/login-tlsclient.php b/www/auth/login-tlsclient.php
index 3fe22faf19f031bafaeecf20323d59c18e5614b5..42e2678ae679d6ab94f870cd9f405ee1601a9602 100644
--- a/www/auth/login-tlsclient.php
+++ b/www/auth/login-tlsclient.php
@@ -69,7 +69,7 @@ try {
$returnto = $_REQUEST['RelayState'];
- SimpleSAML_Utilities::redirect($returnto);
+ SimpleSAML_Utilities::redirectUntrustedURL($returnto);
} catch (Exception $e) {
diff --git a/www/auth/login-wayf-ldap.php b/www/auth/login-wayf-ldap.php
index 980e482a143ec35adf9af1e73ee2807ed880472f..73d5f57a4cf3b6dfc676922e82ecd732b7f44d69 100644
--- a/www/auth/login-wayf-ldap.php
+++ b/www/auth/login-wayf-ldap.php
@@ -59,7 +59,7 @@ if ($username = $_POST['username']) {
$session->setNameID(array(
'value' => SimpleSAML_Utilities::generateID(),
'Format' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'));
- SimpleSAML_Utilities::redirect($relaystate);
+ SimpleSAML_Utilities::redirectUntrustedURL($relaystate);
}
} catch(Exception $e) {
throw new SimpleSAML_Error_Error('LDAPERROR', $e);
diff --git a/www/auth/login.php b/www/auth/login.php
index 308cc283faa12cce94e66b38adc56f86ca18cfa1..57ccd3b583ff47cc9e36d0c5542878005e495197 100644
--- a/www/auth/login.php
+++ b/www/auth/login.php
@@ -126,7 +126,7 @@ if (isset($_POST['username'])) {
$returnto = $_REQUEST['RelayState'];
- SimpleSAML_Utilities::redirect($returnto);
+ SimpleSAML_Utilities::redirectUntrustedURL($returnto);
} catch (Exception $e) {
diff --git a/www/authmemcookie.php b/www/authmemcookie.php
index b6b398fdf2da6eba0d89727d1dffa4636f0343dd..a4e877a7c4dbb04be1ae001dd5587c8dfb759c97 100644
--- a/www/authmemcookie.php
+++ b/www/authmemcookie.php
@@ -109,7 +109,7 @@ try {
$session->registerLogoutHandler('SimpleSAML_AuthMemCookie', 'logoutHandler');
/* Redirect the user back to this page to signal that the login is completed. */
- SimpleSAML_Utilities::redirect(SimpleSAML_Utilities::selfURL());
+ SimpleSAML_Utilities::redirectTrustedURL(SimpleSAML_Utilities::selfURL());
} catch(Exception $e) {
throw new SimpleSAML_Error_Error('CONFIG', $e);
}
diff --git a/www/errorreport.php b/www/errorreport.php
index 101eae951cb6b5f0c8d6c56b7b7f8deb69944943..580a2bd3968ed0d94fd1498df1f07f21e937bd2b 100644
--- a/www/errorreport.php
+++ b/www/errorreport.php
@@ -99,4 +99,4 @@ if ($config->getBoolean('errorreporting', TRUE) && $toAddress !== 'na@example.or
}
/* Redirect the user back to this page to clear the POST request. */
-SimpleSAML_Utilities::redirect(SimpleSAML_Utilities::selfURLNoQuery());
+SimpleSAML_Utilities::redirectTrustedURL(SimpleSAML_Utilities::selfURLNoQuery());
diff --git a/www/example-simple/attributequery.php b/www/example-simple/attributequery.php
index 8ec2fc6143e34e71e1bf8316393ebda49b92a8d0..835baa3b13fa90210b657c494f54cf053d171b70 100644
--- a/www/example-simple/attributequery.php
+++ b/www/example-simple/attributequery.php
@@ -61,7 +61,7 @@ function handleResponse() {
$data['attributes'] = $assertion->getAttributes();
$GLOBALS['session']->setData('attributequeryexample:data', $dataId, $data, 3600);
- SimpleSAML_Utilities::redirect(SimpleSAML_Utilities::selfURLNoQuery(),
+ SimpleSAML_Utilities::redirectTrustedURL(SimpleSAML_Utilities::selfURLNoQuery(),
array('dataId' => $dataId));
}
diff --git a/www/example-simple/saml2-example.php b/www/example-simple/saml2-example.php
index c0483c9e8089cdd344172ddd3bef5a06ef61f60c..8c80d1bdcd4629e9b62ed48f9ce317eacba35d10 100644
--- a/www/example-simple/saml2-example.php
+++ b/www/example-simple/saml2-example.php
@@ -41,7 +41,7 @@ $session = SimpleSAML_Session::getInstance();
* retrieving attributes from the session.
*/
if (!$session->isValid('saml2') ) {
- SimpleSAML_Utilities::redirect(
+ SimpleSAML_Utilities::redirectTrustedURL(
'/' . $config->getBaseURL() . 'saml2/sp/initSSO.php',
array('RelayState' => SimpleSAML_Utilities::selfURL())
);
diff --git a/www/example-simple/shib13-example.php b/www/example-simple/shib13-example.php
index dbec3bc4118f94441cd69bb75e606aabc7e8beab..0dfa07daa594bd9f1764371ba25858f2d2ea215d 100644
--- a/www/example-simple/shib13-example.php
+++ b/www/example-simple/shib13-example.php
@@ -41,7 +41,7 @@ $session = SimpleSAML_Session::getInstance();
* retrieving attributes from the session.
*/
if (!$session->isValid('shib13') ) {
- SimpleSAML_Utilities::redirect(
+ SimpleSAML_Utilities::redirectTrustedURL(
'/' . $config->getBaseURL() . 'shib13/sp/initSSO.php',
array('RelayState' => SimpleSAML_Utilities::selfURL())
);
diff --git a/www/example-simple/wsfed-example.php b/www/example-simple/wsfed-example.php
index 6962ab884ecaa1d4ef4b6329f3c2ae3a46b520d8..c758848710793f4ea659c7388520ec4421e25443 100644
--- a/www/example-simple/wsfed-example.php
+++ b/www/example-simple/wsfed-example.php
@@ -6,7 +6,7 @@ $config = SimpleSAML_Configuration::getInstance();
$session = SimpleSAML_Session::getInstance();
if (!$session->isValid('wsfed') ) {
- SimpleSAML_Utilities::redirect(
+ SimpleSAML_Utilities::redirectTrustedURL(
'/' . $config->getBaseURL() . 'wsfed/sp/initSSO.php',
array('RelayState' => SimpleSAML_Utilities::selfURL())
);
diff --git a/www/index.php b/www/index.php
index 017a0d7375816850a3fea1c5ca390a2ed5bd1846..4ca3a3baa488451210fb51735c233a2db13bb782 100644
--- a/www/index.php
+++ b/www/index.php
@@ -3,4 +3,4 @@
require_once('_include.php');
-SimpleSAML_Utilities::redirect(SimpleSAML_Module::getModuleURL('core/frontpage_welcome.php'));
+SimpleSAML_Utilities::redirectTrustedURL(SimpleSAML_Module::getModuleURL('core/frontpage_welcome.php'));
diff --git a/www/saml2/sp/AssertionConsumerService.php b/www/saml2/sp/AssertionConsumerService.php
index bb5a3c1dae49861a31b51eac1848d65e6bc6038e..e024489bacacfeb7f4bf46d9336928789de8deee 100644
--- a/www/saml2/sp/AssertionConsumerService.php
+++ b/www/saml2/sp/AssertionConsumerService.php
@@ -47,7 +47,7 @@ function finishLogin($authProcState) {
global $session;
$session->doLogin('saml2', $authData);
- SimpleSAML_Utilities::redirect($authProcState['core:saml20-sp:TargetURL']);
+ SimpleSAML_Utilities::redirectUntrustedURL($authProcState['core:saml20-sp:TargetURL']);
}
SimpleSAML_Logger::info('SAML2.0 - SP.AssertionConsumerService: Accessing SAML 2.0 SP endpoint AssertionConsumerService');
@@ -116,7 +116,7 @@ try {
$status = $response->getStatus();
if(array_key_exists('OnError', $info)) {
/* We have an error handler. Return the error to it. */
- SimpleSAML_Utilities::redirect($info['OnError'], array('StatusCode' => $status['Code']));
+ SimpleSAML_Utilities::redirectTrustedURL($info['OnError'], array('StatusCode' => $status['Code']));
}
/* We don't have an error handler. Show an error page. */
diff --git a/www/saml2/sp/SingleLogoutService.php b/www/saml2/sp/SingleLogoutService.php
index a2546f74efe8d974a65e8731dd0095e0615555e3..0bd8c731e412223cde8ff8aa11c8f76bd33c3ea2 100644
--- a/www/saml2/sp/SingleLogoutService.php
+++ b/www/saml2/sp/SingleLogoutService.php
@@ -88,7 +88,7 @@ if ($message instanceof SAML2_LogoutRequest) {
throw new SimpleSAML_Error_Error('LOGOUTINFOLOST');
}
- SimpleSAML_Utilities::redirect($returnTo);
+ SimpleSAML_Utilities::redirectUntrustedURL($returnTo);
} else {
throw new SimpleSAML_Error_Error('SLOSERVICEPARAMS');
diff --git a/www/saml2/sp/initSLO.php b/www/saml2/sp/initSLO.php
index 688680ed97b052fa4f2e5669447ab78967525ca8..8402a36c0de27cc35fa4f3686f9d1f751bf32abc 100644
--- a/www/saml2/sp/initSLO.php
+++ b/www/saml2/sp/initSLO.php
@@ -25,7 +25,7 @@ try {
$idpEntityId = $session->getAuthData('saml2', 'saml:sp:IdP');
if ($idpEntityId === NULL) {
SimpleSAML_Logger::info('SAML2.0 - SP.initSLO: User not authenticated with an IdP.');
- SimpleSAML_Utilities::redirect($returnTo);
+ SimpleSAML_Utilities::redirectUntrustedURL($returnTo);
}
$idpMetadata = $metadata->getMetaDataConfig($idpEntityId, 'saml20-idp-remote');
$SLOendpoint = $idpMetadata->getEndpointPrioritizedByBinding('SingleLogoutService', array(
@@ -35,7 +35,7 @@ try {
if ($SLOendpoint === NULL) {
$session->doLogout('saml2');
SimpleSAML_Logger::info('SAML2.0 - SP.initSLO: No supported SingleLogoutService endpoint in IdP.');
- SimpleSAML_Utilities::redirect($returnTo);
+ SimpleSAML_Utilities::redirectUntrustedURL($returnTo);
}
$spEntityId = isset($_GET['spentityid']) ? $_GET['spentityid'] : $metadata->getMetaDataCurrentEntityID();
diff --git a/www/saml2/sp/initSSO.php b/www/saml2/sp/initSSO.php
index 491a18d17d1c251f59e9fd06d4324cb79f98c98a..8806748377a2c1858f7f40aa8cfeb654fe680961 100644
--- a/www/saml2/sp/initSSO.php
+++ b/www/saml2/sp/initSSO.php
@@ -96,7 +96,7 @@ if ($idpentityid === NULL) {
$extDiscoveryStorage = $config->getBoolean('idpdisco.extDiscoveryStorage');
- SimpleSAML_Utilities::redirect($extDiscoveryStorage, array(
+ SimpleSAML_Utilities::redirectTrustedURL($extDiscoveryStorage, array(
'entityID' => $spentityid,
'return' => SimpleSAML_Utilities::addURLparameter($discourl, array(
'return' => SimpleSAML_Utilities::selfURL(),
@@ -120,7 +120,7 @@ if ($idpentityid === NULL) {
$discoparameters['IDPList'] = $reachableIDPs;
}
- SimpleSAML_Utilities::redirect($discourl, $discoparameters);
+ SimpleSAML_Utilities::redirectTrustedURL($discourl, $discoparameters);
}
diff --git a/www/shib13/sp/AssertionConsumerService.php b/www/shib13/sp/AssertionConsumerService.php
index c392cebc6d4b6c64a9a9b7fc2f8c7870c22a06d0..f523c28a47f08e0a84f90365be34c615521b7c40 100644
--- a/www/shib13/sp/AssertionConsumerService.php
+++ b/www/shib13/sp/AssertionConsumerService.php
@@ -34,7 +34,7 @@ function finishLogin($authProcState) {
global $session;
$session->doLogin('shib13', $authData);
- SimpleSAML_Utilities::redirect($authProcState['core:shib13-sp:TargetURL']);
+ SimpleSAML_Utilities::redirectTrustedURL($authProcState['core:shib13-sp:TargetURL']);
}
diff --git a/www/shib13/sp/initSSO.php b/www/shib13/sp/initSSO.php
index d8fc8720bbb1b8fb1517b79a1de9c137d41a0f9b..d666b8b86901a11bb950a19d88f104c57d29de29 100644
--- a/www/shib13/sp/initSSO.php
+++ b/www/shib13/sp/initSSO.php
@@ -58,7 +58,7 @@ if (!isset($session) || !$session->isValid('shib13') ) {
$discservice = '/' . $config->getBaseURL() . 'shib13/sp/idpdisco.php';
}
- SimpleSAML_Utilities::redirect($discservice, array(
+ SimpleSAML_Utilities::redirectTrustedURL($discservice, array(
'entityID' => $spentityid,
'return' => SimpleSAML_Utilities::selfURL(),
'returnIDParam' => 'idpentityid',
@@ -75,7 +75,7 @@ if (!isset($session) || !$session->isValid('shib13') ) {
SimpleSAML_Logger::info('Shib1.3 - SP.initSSO: SP (' . $spentityid . ') is sending AuthNRequest to IdP (' . $idpentityid . ')');
$url = $ar->createRedirect($idpentityid);
- SimpleSAML_Utilities::redirect($url);
+ SimpleSAML_Utilities::redirectTrustedURL($url);
} catch(Exception $exception) {
throw new SimpleSAML_Error_Error('CREATEREQUEST', $exception);
@@ -88,7 +88,7 @@ if (!isset($session) || !$session->isValid('shib13') ) {
if (isset($relaystate) && !empty($relaystate)) {
SimpleSAML_Logger::info('Shib1.3 - SP.initSSO: Already Authenticated, Go back to RelayState');
- SimpleSAML_Utilities::redirect($relaystate);
+ SimpleSAML_Utilities::redirectUntrustedURL($relaystate);
} else {
throw new SimpleSAML_Error_Error('NORELAYSTATE');
}
diff --git a/www/wsfed/sp/initSLO.php b/www/wsfed/sp/initSLO.php
index 9aef7fc26541e0ee5ffc343a1858c68afebd635c..f31ebaaca2480ba1ed8720171fd2016d031030d3 100644
--- a/www/wsfed/sp/initSLO.php
+++ b/www/wsfed/sp/initSLO.php
@@ -38,7 +38,7 @@ if (isset($session) ) {
$idpmeta = $metadata->getMetaData($idpentityid, 'wsfed-idp-remote');
- SimpleSAML_Utilities::redirect($idpmeta['prp'], array(
+ SimpleSAML_Utilities::redirectTrustedURL($idpmeta['prp'], array(
'wa' => 'wsignout1.0',
'wct' => gmdate('Y-m-d\TH:i:s\Z', time()),
'wtrealm' => $spentityid,
@@ -53,7 +53,7 @@ if (isset($session) ) {
} else {
SimpleSAML_Logger::info('WS-Fed - SP.initSLO: User is already logged out. Go back to relaystate');
- SimpleSAML_Utilities::redirect($returnTo);
+ SimpleSAML_Utilities::redirectUntrustedURL($returnTo);
}
diff --git a/www/wsfed/sp/initSSO.php b/www/wsfed/sp/initSSO.php
index fd038b5d97293ea44c6070ebc942c7c495935f47..0e0b8613fdb009514264ac60189aa44fd3b6a166 100644
--- a/www/wsfed/sp/initSSO.php
+++ b/www/wsfed/sp/initSSO.php
@@ -38,7 +38,7 @@ if ($idpentityid == null) {
SimpleSAML_Logger::info('WS-Fed - SP.initSSO: No chosen or default IdP, go to WSFeddisco');
- SimpleSAML_Utilities::redirect('/' . $config->getBaseURL() . 'wsfed/sp/idpdisco.php', array(
+ SimpleSAML_Utilities::redirectTrustedURL('/' . $config->getBaseURL() . 'wsfed/sp/idpdisco.php', array(
'entityID' => $spentityid,
'return' => SimpleSAML_Utilities::selfURL(),
'returnIDParam' => 'idpentityid')
@@ -51,7 +51,7 @@ try {
$idpmeta = $metadata->getMetaData($idpentityid, 'wsfed-idp-remote');
$spmeta = $metadata->getMetaData($spentityid, 'wsfed-sp-hosted');
- SimpleSAML_Utilities::redirect($idpmeta['prp'], array(
+ SimpleSAML_Utilities::redirectTrustedURL($idpmeta['prp'], array(
'wa' => 'wsignin1.0',
'wct' => gmdate('Y-m-d\TH:i:s\Z', time()),
'wtrealm' => $spentityid,
diff --git a/www/wsfed/sp/prp.php b/www/wsfed/sp/prp.php
index 06c1aa5ccfdff0c365e4811a9e3024643c0af95b..56b9b24965bc831033647121f477506639db6bd8 100644
--- a/www/wsfed/sp/prp.php
+++ b/www/wsfed/sp/prp.php
@@ -28,7 +28,7 @@ if (!empty($_GET['wa']) and ($_GET['wa'] == 'wsignoutcleanup1.0')) {
$session->doLogout('wsfed');
}
if (!empty($_GET['wreply'])) {
- SimpleSAML_Utilities::redirect(urldecode($_GET['wreply']));
+ SimpleSAML_Utilities::redirectUntrustedURL(urldecode($_GET['wreply']));
}
exit;
}
@@ -147,7 +147,7 @@ try {
$session->doLogin('wsfed', $authData);
/* Redirect the user back to the page which requested the login. */
- SimpleSAML_Utilities::redirect($wctx);
+ SimpleSAML_Utilities::redirectUntrustedURL($wctx);
} catch(Exception $exception) {
throw new SimpleSAML_Error_Error('PROCESSASSERTION', $exception);