From 015ab4a0386cafc3539c772c164d9b9dfa8a694e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jaime=20P=C3=A9rez=20Crespo?= <jaime.perez@uninett.no>
Date: Fri, 17 Jan 2014 15:40:02 +0000
Subject: [PATCH] Start using the redirectTrustedURL() and
 redirectUntrustedURL() wrappers.

git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@3326 44740490-163a-0410-bde0-09ae8108e29a
---
 lib/SimpleSAML/Auth/BWC.php                              | 9 ++++-----
 lib/SimpleSAML/Auth/Default.php                          | 6 +++---
 lib/SimpleSAML/Auth/ProcessingChain.php                  | 2 +-
 lib/SimpleSAML/Auth/Simple.php                           | 2 +-
 lib/SimpleSAML/Auth/State.php                            | 6 +++---
 lib/SimpleSAML/IdP.php                                   | 2 +-
 lib/SimpleSAML/IdP/LogoutIFrame.php                      | 2 +-
 lib/SimpleSAML/IdP/LogoutTraditional.php                 | 2 +-
 lib/SimpleSAML/XHTML/IdPDisco.php                        | 8 ++++----
 modules/InfoCard/lib/Auth/Source/ICAuth.php              | 2 +-
 modules/adfs/lib/IdP/ADFS.php                            | 2 +-
 modules/aselect/lib/Auth/Source/aselect.php              | 2 +-
 modules/authYubiKey/lib/Auth/Source/YubiKey.php          | 2 +-
 modules/authfacebook/lib/Auth/Source/Facebook.php        | 2 +-
 modules/authorize/lib/Auth/Process/Authorize.php         | 2 +-
 modules/authwindowslive/lib/Auth/Source/LiveID.php       | 2 +-
 modules/cas/lib/Auth/Source/CAS.php                      | 4 ++--
 modules/casserver/www/login.php                          | 2 +-
 modules/cdc/lib/Server.php                               | 2 +-
 modules/consent/lib/Auth/Process/Consent.php             | 2 +-
 modules/consent/lib/Logout.php                           | 2 +-
 modules/core/lib/Auth/Process/WarnShortSSOInterval.php   | 2 +-
 modules/core/lib/Auth/UserPassBase.php                   | 2 +-
 modules/core/lib/Auth/UserPassOrgBase.php                | 2 +-
 modules/core/www/as_login.php                            | 2 +-
 modules/core/www/bwc_resumeauth.php                      | 2 +-
 modules/core/www/cleardiscochoices.php                   | 2 +-
 modules/core/www/login-admin.php                         | 2 +-
 modules/discopower/lib/PowerIdPDisco.php                 | 6 +++---
 modules/exampleauth/lib/Auth/Process/RedirectTest.php    | 2 +-
 modules/exampleauth/lib/Auth/Source/External.php         | 2 +-
 modules/expirycheck/lib/Auth/Process/ExpiryDate.php      | 4 ++--
 modules/multiauth/lib/Auth/Source/MultiAuth.php          | 2 +-
 modules/oauth/lib/Consumer.php                           | 2 +-
 modules/oauth/www/authorize.php                          | 4 ++--
 modules/openid/lib/Auth/Source/OpenIDConsumer.php        | 4 ++--
 modules/openidProvider/lib/Server.php                    | 2 +-
 modules/openidProvider/www/user.php                      | 4 ++--
 modules/preprodwarning/lib/Auth/Process/Warning.php      | 2 +-
 .../lib/Auth/Process/ExpectedAuthnContextClassRef.php    | 2 +-
 modules/saml/lib/Auth/Source/SP.php                      | 4 ++--
 modules/saml/www/sp/saml2-acs.php                        | 2 +-
 www/auth/login-admin.php                                 | 2 +-
 www/auth/login-cas-ldap.php                              | 4 ++--
 www/auth/login-ldapmulti.php                             | 2 +-
 www/auth/login-radius.php                                | 2 +-
 www/auth/login-tlsclient.php                             | 2 +-
 www/auth/login-wayf-ldap.php                             | 2 +-
 www/auth/login.php                                       | 2 +-
 www/authmemcookie.php                                    | 2 +-
 www/errorreport.php                                      | 2 +-
 www/example-simple/attributequery.php                    | 2 +-
 www/example-simple/saml2-example.php                     | 2 +-
 www/example-simple/shib13-example.php                    | 2 +-
 www/example-simple/wsfed-example.php                     | 2 +-
 www/index.php                                            | 2 +-
 www/saml2/sp/AssertionConsumerService.php                | 4 ++--
 www/saml2/sp/SingleLogoutService.php                     | 2 +-
 www/saml2/sp/initSLO.php                                 | 4 ++--
 www/saml2/sp/initSSO.php                                 | 4 ++--
 www/shib13/sp/AssertionConsumerService.php               | 2 +-
 www/shib13/sp/initSSO.php                                | 6 +++---
 www/wsfed/sp/initSLO.php                                 | 4 ++--
 www/wsfed/sp/initSSO.php                                 | 4 ++--
 www/wsfed/sp/prp.php                                     | 4 ++--
 65 files changed, 92 insertions(+), 93 deletions(-)

diff --git a/lib/SimpleSAML/Auth/BWC.php b/lib/SimpleSAML/Auth/BWC.php
index 2866f11c2..290c514b5 100644
--- a/lib/SimpleSAML/Auth/BWC.php
+++ b/lib/SimpleSAML/Auth/BWC.php
@@ -120,7 +120,7 @@ class SimpleSAML_Auth_BWC extends SimpleSAML_Auth_Simple {
 
 		$config = SimpleSAML_Configuration::getInstance();
 		$authurl = '/' . $config->getBaseURL() . $this->auth;
-		SimpleSAML_Utilities::redirect($authurl, array(
+		SimpleSAML_Utilities::redirectTrustedURL($authurl, array(
 			'RelayState' => $relayState,
 			'AuthId' => $authId,
 			'protocol' => 'saml2',
@@ -143,20 +143,19 @@ class SimpleSAML_Auth_BWC extends SimpleSAML_Auth_Simple {
 		$session = SimpleSAML_Session::getInstance();
 		if (!$session->isValid($this->authority)) {
 			/* Not authenticated to this authentication source. */
-			SimpleSAML_Utilities::redirect($url);
+			SimpleSAML_Utilities::redirectUntrustedURL($url);
 			assert('FALSE');
 		}
 
 		if ($this->authority === 'saml2') {
 			$config = SimpleSAML_Configuration::getInstance();
-			SimpleSAML_Utilities::redirect('/' . $config->getBaseURL() . 'saml2/sp/initSLO.php',
+			SimpleSAML_Utilities::redirectUntrustedURL('/' . $config->getBaseURL() . 'saml2/sp/initSLO.php',
 				array('RelayState' => $url)
 			);
 		}
 
 		$session->doLogout($this->authority);
-
-		SimpleSAML_Utilities::redirect($url);
+		SimpleSAML_Utilities::redirectUntrustedURL($url);
 	}
 
 }
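Review bot: In the `saml2` branch the wrapper choice does not match where the caller-supplied value sits: the destination `'/' . $config->getBaseURL() . 'saml2/sp/initSLO.php'` is built locally, while `$url` only travels as the `RelayState` parameter. Unless redirectUntrustedURL() also inspects query parameters (its body is not part of this patch), `$url` is not validated at this call, and the check depends entirely on whatever initSLO.php does with RelayState. The first hunk of this file sends a path built the same way through redirectTrustedURL(), so this call could be `SimpleSAML_Utilities::redirectTrustedURL('/' . $config->getBaseURL() . 'saml2/sp/initSLO.php',` for consistency, with a comment stating that RelayState is validated at its final use. It is also worth confirming that the untrusted-URL check accepts a host-relative path, since a failure here would break logout. The method begins above the hunk.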
diff --git a/lib/SimpleSAML/Auth/Default.php b/lib/SimpleSAML/Auth/Default.php
index 39cc174f3..34686aa2d 100644
--- a/lib/SimpleSAML/Auth/Default.php
+++ b/lib/SimpleSAML/Auth/Default.php
@@ -121,7 +121,7 @@ class SimpleSAML_Auth_Default {
 
 		if (is_string($return)) {
 			/* Redirect... */
-			SimpleSAML_Utilities::redirect($return);
+			SimpleSAML_Utilities::redirectUntrustedURL($return);
 		} else {
 			call_user_func($return, $state);
 			assert('FALSE');
@@ -184,7 +184,7 @@ class SimpleSAML_Auth_Default {
 		self::initLogoutReturn($returnURL, $authority);
 
 		/* Redirect... */
-		SimpleSAML_Utilities::redirect($returnURL);
+		SimpleSAML_Utilities::redirectUntrustedURL($returnURL);
 	}
 
 
@@ -202,7 +202,7 @@ class SimpleSAML_Auth_Default {
 		$returnURL = $state['SimpleSAML_Auth_Default.ReturnURL'];
 
 		/* Redirect... */
-		SimpleSAML_Utilities::redirect($returnURL);
+		SimpleSAML_Utilities::redirectUntrustedURL($returnURL);
 	}
 
 
diff --git a/lib/SimpleSAML/Auth/ProcessingChain.php b/lib/SimpleSAML/Auth/ProcessingChain.php
index 238b58f84..da0453264 100644
--- a/lib/SimpleSAML/Auth/ProcessingChain.php
+++ b/lib/SimpleSAML/Auth/ProcessingChain.php
@@ -248,7 +248,7 @@ class SimpleSAML_Auth_ProcessingChain {
 			 * in $state['ReturnURL'].
 			 */
 			$id = SimpleSAML_Auth_State::saveState($state, self::COMPLETED_STAGE);
-			SimpleSAML_Utilities::redirect($state['ReturnURL'], array(self::AUTHPARAM => $id));
+			SimpleSAML_Utilities::redirectUntrustedURL($state['ReturnURL'], array(self::AUTHPARAM => $id));
 		} else {
 			/* Pass the state to the function defined in $state['ReturnCall']. */
 
diff --git a/lib/SimpleSAML/Auth/Simple.php b/lib/SimpleSAML/Auth/Simple.php
index 0041dddb9..8577379e8 100644
--- a/lib/SimpleSAML/Auth/Simple.php
+++ b/lib/SimpleSAML/Auth/Simple.php
@@ -219,7 +219,7 @@ class SimpleSAML_Auth_Simple {
 				$params[$state['ReturnStateParam']] = $stateID;
 			}
 
-			SimpleSAML_Utilities::redirect($state['ReturnTo'], $params);
+			SimpleSAML_Utilities::redirectUntrustedURL($state['ReturnTo'], $params);
 		}
 	}
 
diff --git a/lib/SimpleSAML/Auth/State.php b/lib/SimpleSAML/Auth/State.php
index 5eb1b555e..57387665d 100644
--- a/lib/SimpleSAML/Auth/State.php
+++ b/lib/SimpleSAML/Auth/State.php
@@ -232,7 +232,7 @@ class SimpleSAML_Auth_State {
 				throw new SimpleSAML_Error_NoState();
 			}
 
-			SimpleSAML_Utilities::redirect($restartURL);
+			SimpleSAML_Utilities::redirectTrustedURL($restartURL);
 		}
 
 		$state = unserialize($state);
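Review bot: `$restartURL` is declared trusted at both restart redirects in this file (this hunk and the next one), but its assignment lies outside the hunks, so the classification cannot be confirmed from the patch. If it is parsed out of the state identifier that arrives with the request, it is caller-controlled, and a missing or expired state would send the browser to whatever the identifier names. In that case both calls should be `SimpleSAML_Utilities::redirectUntrustedURL($restartURL);`. If it only ever comes from configuration or server-side state, a one-line comment at the assignment saying so would make the trust decision auditable.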
@@ -256,7 +256,7 @@ class SimpleSAML_Auth_State {
 				throw new Exception($msg);
 			}
 
-			SimpleSAML_Utilities::redirect($restartURL);
+			SimpleSAML_Utilities::redirectTrustedURL($restartURL);
 		}
 
 		return $state;
@@ -301,7 +301,7 @@ class SimpleSAML_Auth_State {
 			$id = self::saveState($state, self::EXCEPTION_STAGE);
 
 			/* Redirect to the exception handler. */
-			SimpleSAML_Utilities::redirect($state[self::EXCEPTION_HANDLER_URL], array(self::EXCEPTION_PARAM => $id));
+			SimpleSAML_Utilities::redirectTrustedURL($state[self::EXCEPTION_HANDLER_URL], array(self::EXCEPTION_PARAM => $id));
 
 		} elseif (array_key_exists(self::EXCEPTION_HANDLER_FUNC, $state)) {
 			/* Call the exception handler. */
diff --git a/lib/SimpleSAML/IdP.php b/lib/SimpleSAML/IdP.php
index de19898bf..630662dd7 100644
--- a/lib/SimpleSAML/IdP.php
+++ b/lib/SimpleSAML/IdP.php
@@ -529,7 +529,7 @@ class SimpleSAML_IdP {
 	public static function finishLogoutRedirect(SimpleSAML_IdP $idp, array $state) {
 		assert('isset($state["core:Logout:URL"])');
 
-		SimpleSAML_Utilities::redirect($state['core:Logout:URL']);
+		SimpleSAML_Utilities::redirectUntrustedURL($state['core:Logout:URL']);
 		assert('FALSE');
 	}
 
diff --git a/lib/SimpleSAML/IdP/LogoutIFrame.php b/lib/SimpleSAML/IdP/LogoutIFrame.php
index 094c1a4b4..d0c7eee45 100644
--- a/lib/SimpleSAML/IdP/LogoutIFrame.php
+++ b/lib/SimpleSAML/IdP/LogoutIFrame.php
@@ -49,7 +49,7 @@ class SimpleSAML_IdP_LogoutIFrame extends SimpleSAML_IdP_LogoutHandler {
 		}
 
 		$url = SimpleSAML_Module::getModuleURL('core/idp/logout-iframe.php', $params);
-		SimpleSAML_Utilities::redirect($url);
+		SimpleSAML_Utilities::redirectTrustedURL($url);
 	}
 
 
diff --git a/lib/SimpleSAML/IdP/LogoutTraditional.php b/lib/SimpleSAML/IdP/LogoutTraditional.php
index 5a4846608..86ce301e9 100644
--- a/lib/SimpleSAML/IdP/LogoutTraditional.php
+++ b/lib/SimpleSAML/IdP/LogoutTraditional.php
@@ -30,7 +30,7 @@ class SimpleSAML_IdP_LogoutTraditional extends SimpleSAML_IdP_LogoutHandler {
 		try {
 			$idp = SimpleSAML_IdP::getByState($association);
 			$url = call_user_func(array($association['Handler'], 'getLogoutURL'), $idp, $association, $relayState);
-			SimpleSAML_Utilities::redirect($url);
+			SimpleSAML_Utilities::redirectTrustedURL($url);
 		} catch (Exception $e) {
 			SimpleSAML_Logger::warning('Unable to initialize logout to ' . var_export($id, TRUE) . '.');
 			$this->idp->terminateAssociation($id);
diff --git a/lib/SimpleSAML/XHTML/IdPDisco.php b/lib/SimpleSAML/XHTML/IdPDisco.php
index 4b7e51494..c1c5be0c4 100644
--- a/lib/SimpleSAML/XHTML/IdPDisco.php
+++ b/lib/SimpleSAML/XHTML/IdPDisco.php
@@ -463,7 +463,7 @@ class SimpleSAML_XHTML_IdPDisco {
 			$extDiscoveryStorage = $this->config->getString('idpdisco.extDiscoveryStorage', NULL);
 			if ($extDiscoveryStorage !== NULL) {
 				$this->log('Choice made [' . $idp . '] (Forwarding to external discovery storage)');
-				SimpleSAML_Utilities::redirect($extDiscoveryStorage, array(
+				SimpleSAML_Utilities::redirectTrustedURL($extDiscoveryStorage, array(
 //					$this->returnIdParam => $idp,
 					'entityID' => $this->spEntityId,
 					'IdPentityID' => $idp,
@@ -474,7 +474,7 @@ class SimpleSAML_XHTML_IdPDisco {
 				
 			} else {
 				$this->log('Choice made [' . $idp . '] (Redirecting the user back. returnIDParam=' . $this->returnIdParam . ')');
-				SimpleSAML_Utilities::redirect($this->returnURL, array($this->returnIdParam => $idp));
+				SimpleSAML_Utilities::redirectUntrustedURL($this->returnURL, array($this->returnIdParam => $idp));
 			}
 			
 			return;
@@ -482,7 +482,7 @@ class SimpleSAML_XHTML_IdPDisco {
 		
 		if ($this->isPassive) {
 			$this->log('Choice not made. (Redirecting the user back without answer)');
-			SimpleSAML_Utilities::redirect($this->returnURL);
+			SimpleSAML_Utilities::redirectUntrustedURL($this->returnURL);
 			return;
 		}
 
@@ -500,7 +500,7 @@ class SimpleSAML_XHTML_IdPDisco {
         
         if(sizeof($idpintersection)  == 1) {
             $this->log('Choice made [' . $idpintersection[0] . '] (Redirecting the user back. returnIDParam=' . $this->returnIdParam . ')');
-            SimpleSAML_Utilities::redirect($this->returnURL, array($this->returnIdParam => $idpintersection[0]));
+            SimpleSAML_Utilities::redirectUntrustedURL($this->returnURL, array($this->returnIdParam => $idpintersection[0]));
         }
 
 		/*
diff --git a/modules/InfoCard/lib/Auth/Source/ICAuth.php b/modules/InfoCard/lib/Auth/Source/ICAuth.php
index 5f11dc2ae..39e746c56 100644
--- a/modules/InfoCard/lib/Auth/Source/ICAuth.php
+++ b/modules/InfoCard/lib/Auth/Source/ICAuth.php
@@ -37,7 +37,7 @@ class sspmod_InfoCard_Auth_Source_ICAuth extends SimpleSAML_Auth_Source {
 		$state[self::AUTHID] = $this->authId;
 		$id = SimpleSAML_Auth_State::saveState($state, self::STAGEID);
 		$url = SimpleSAML_Module::getModuleURL('InfoCard/login-infocard.php');
-		SimpleSAML_Utilities::redirect($url, array('AuthState' => $id));
+		SimpleSAML_Utilities::redirectTrustedURL($url, array('AuthState' => $id));
 	}
 	
 
diff --git a/modules/adfs/lib/IdP/ADFS.php b/modules/adfs/lib/IdP/ADFS.php
index 1353d01bc..0594cc78e 100644
--- a/modules/adfs/lib/IdP/ADFS.php
+++ b/modules/adfs/lib/IdP/ADFS.php
@@ -171,7 +171,7 @@ class sspmod_adfs_IdP_ADFS {
 		// NB:: we don't know from which SP the logout request came from
 		$metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
 		$idpMetadata = $idp->getConfig();
-		SimpleSAML_Utilities::redirect($idpMetadata->getValue('redirect-after-logout', SimpleSAML_Utilities::getBaseURL()));
+		SimpleSAML_Utilities::redirectTrustedURL($idpMetadata->getValue('redirect-after-logout', SimpleSAML_Utilities::getBaseURL()));
 	}
 	
 	public static function receiveLogoutMessage(SimpleSAML_IdP $idp) {
diff --git a/modules/aselect/lib/Auth/Source/aselect.php b/modules/aselect/lib/Auth/Source/aselect.php
index c7cb88d2f..c503361e1 100644
--- a/modules/aselect/lib/Auth/Source/aselect.php
+++ b/modules/aselect/lib/Auth/Source/aselect.php
@@ -52,7 +52,7 @@ class sspmod_aselect_Auth_Source_aselect extends SimpleSAML_Auth_Source {
 			$app_url = SimpleSAML_Module::getModuleURL('aselect/credentials.php', array('ssp_state' => $id));
 			$as_url = $this->request_authentication($app_url);
 
-			SimpleSAML_Utilities::redirect($as_url);
+			SimpleSAML_Utilities::redirectTrustedURL($as_url);
 		} catch(Exception $e) {
 			// attach the exception to the state
 			SimpleSAML_Auth_State::throwException($state, $e);
diff --git a/modules/authYubiKey/lib/Auth/Source/YubiKey.php b/modules/authYubiKey/lib/Auth/Source/YubiKey.php
index 1381ee68f..ae98920d6 100644
--- a/modules/authYubiKey/lib/Auth/Source/YubiKey.php
+++ b/modules/authYubiKey/lib/Auth/Source/YubiKey.php
@@ -104,7 +104,7 @@ class sspmod_authYubiKey_Auth_Source_YubiKey extends SimpleSAML_Auth_Source {
 		$id = SimpleSAML_Auth_State::saveState($state, self::STAGEID);
 
 		$url = SimpleSAML_Module::getModuleURL('authYubiKey/yubikeylogin.php');
-		SimpleSAML_Utilities::redirect($url, array('AuthState' => $id));
+		SimpleSAML_Utilities::redirectTrustedURL($url, array('AuthState' => $id));
 	}
 	
 	
diff --git a/modules/authfacebook/lib/Auth/Source/Facebook.php b/modules/authfacebook/lib/Auth/Source/Facebook.php
index 67ab3cbf0..5c2e62dd1 100644
--- a/modules/authfacebook/lib/Auth/Source/Facebook.php
+++ b/modules/authfacebook/lib/Auth/Source/Facebook.php
@@ -80,7 +80,7 @@ class sspmod_authfacebook_Auth_Source_Facebook extends SimpleSAML_Auth_Source {
 		$url = $facebook->getLoginUrl(array('redirect_uri' => $linkback, 'scope' => $this->req_perms));
 		SimpleSAML_Auth_State::saveState($state, self::STAGE_INIT);
 
-		SimpleSAML_Utilities::redirect($url);
+		SimpleSAML_Utilities::redirectTrustedURL($url);
 	}
 		
 
diff --git a/modules/authorize/lib/Auth/Process/Authorize.php b/modules/authorize/lib/Auth/Process/Authorize.php
index cd8155601..ab573fed3 100644
--- a/modules/authorize/lib/Auth/Process/Authorize.php
+++ b/modules/authorize/lib/Auth/Process/Authorize.php
@@ -129,7 +129,7 @@ class sspmod_authorize_Auth_Process_Authorize extends SimpleSAML_Auth_Processing
 			'authorize:Authorize');
 		$url = SimpleSAML_Module::getModuleURL(
 			'authorize/authorize_403.php');
-		SimpleSAML_Utilities::redirect($url, array('StateId' => $id));
+		SimpleSAML_Utilities::redirectTrustedURL($url, array('StateId' => $id));
 	}
 }
 
diff --git a/modules/authwindowslive/lib/Auth/Source/LiveID.php b/modules/authwindowslive/lib/Auth/Source/LiveID.php
index 2dcd532bf..cbbff0ffb 100644
--- a/modules/authwindowslive/lib/Auth/Source/LiveID.php
+++ b/modules/authwindowslive/lib/Auth/Source/LiveID.php
@@ -72,7 +72,7 @@ class sspmod_authwindowslive_Auth_Source_LiveID extends SimpleSAML_Auth_Source {
 				. '&wrap_scope=WL_Profiles.View,Messenger.SignIn'
 		;
 
-                SimpleSAML_Utilities::redirect($authorizeURL);
+                SimpleSAML_Utilities::redirectTrustedURL($authorizeURL);
 	}
 
 
diff --git a/modules/cas/lib/Auth/Source/CAS.php b/modules/cas/lib/Auth/Source/CAS.php
index faa52d09c..e1f2a93a0 100644
--- a/modules/cas/lib/Auth/Source/CAS.php
+++ b/modules/cas/lib/Auth/Source/CAS.php
@@ -206,7 +206,7 @@ class sspmod_cas_Auth_Source_CAS  extends SimpleSAML_Auth_Source  {
 
 		$serviceUrl = SimpleSAML_Module::getModuleURL('cas/linkback.php', array('stateID' => $stateID));
 
-		SimpleSAML_Utilities::redirect($this->_loginMethod, array(
+		SimpleSAML_Utilities::redirectTrustedURL($this->_loginMethod, array(
 			'service' => $serviceUrl));
 	}
 
@@ -230,7 +230,7 @@ class sspmod_cas_Auth_Source_CAS  extends SimpleSAML_Auth_Source  {
 
 		SimpleSAML_Auth_State::deleteState($state);
 		// we want cas to log us out
-		SimpleSAML_Utilities::redirect($logoutUrl, array());
+		SimpleSAML_Utilities::redirectTrustedURL($logoutUrl);
 	}
 
 }
diff --git a/modules/casserver/www/login.php b/modules/casserver/www/login.php
index be417d336..e59c33248 100644
--- a/modules/casserver/www/login.php
+++ b/modules/casserver/www/login.php
@@ -48,7 +48,7 @@ storeTicket($ticket, $path, array('service' => $service,
 	'proxies' => array(),
 	'validbefore' => time() + 5));
 
-SimpleSAML_Utilities::redirect(
+SimpleSAML_Utilities::redirectUntrustedURL(
 	SimpleSAML_Utilities::addURLparameter($service,
 		array('ticket' => $ticket)
 	)
diff --git a/modules/cdc/lib/Server.php b/modules/cdc/lib/Server.php
index 5f7636ccc..403ff950b 100644
--- a/modules/cdc/lib/Server.php
+++ b/modules/cdc/lib/Server.php
@@ -325,7 +325,7 @@ class sspmod_cdc_Server {
 
 		$url = SimpleSAML_Utilities::addURLparameter($to, $params);
 		if (strlen($url) < 2048) {
-			SimpleSAML_Utilities::redirect($url);
+			SimpleSAML_Utilities::redirectUntrustedURL($url);
 		} else {
 			SimpleSAML_Utilities::postRedirect($to, $params);
 		}
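Review bot: Only the GET branch receives the untrusted-destination check: when the built URL is 2048 characters or longer, `postRedirect($to, $params)` sends the browser to the same `$to` with no equivalent validation visible here. Whether the destination is checked therefore depends on the length of the URL rather than on where `$to` came from. Validate `$to` once before the `if`, or confirm that postRedirect() enforces the same restriction and note that in a comment. The function starts outside this hunk, so `$to` may already be checked earlier.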
diff --git a/modules/consent/lib/Auth/Process/Consent.php b/modules/consent/lib/Auth/Process/Consent.php
index 25067ec97..eaacd3eb7 100644
--- a/modules/consent/lib/Auth/Process/Consent.php
+++ b/modules/consent/lib/Auth/Process/Consent.php
@@ -278,7 +278,7 @@ class sspmod_consent_Auth_Process_Consent extends SimpleSAML_Auth_ProcessingFilt
         // Save state and redirect
         $id  = SimpleSAML_Auth_State::saveState($state, 'consent:request');
         $url = SimpleSAML_Module::getModuleURL('consent/getconsent.php');
-        SimpleSAML_Utilities::redirect($url, array('StateId' => $id));
+        SimpleSAML_Utilities::redirectTrustedURL($url, array('StateId' => $id));
     }
 
     /**
diff --git a/modules/consent/lib/Logout.php b/modules/consent/lib/Logout.php
index ad7ca4e11..f605e9892 100644
--- a/modules/consent/lib/Logout.php
+++ b/modules/consent/lib/Logout.php
@@ -10,7 +10,7 @@ class sspmod_consent_Logout {
 
 	public static function postLogout(SimpleSAML_IdP $idp, array $state) {
 		$url = SimpleSAML_Module::getModuleURL('consent/logout_completed.php');
-		SimpleSAML_Utilities::redirect($url);
+		SimpleSAML_Utilities::redirectTrustedURL($url);
 	}
 
 }
diff --git a/modules/core/lib/Auth/Process/WarnShortSSOInterval.php b/modules/core/lib/Auth/Process/WarnShortSSOInterval.php
index 6d250ed0e..6ac34d7c1 100644
--- a/modules/core/lib/Auth/Process/WarnShortSSOInterval.php
+++ b/modules/core/lib/Auth/Process/WarnShortSSOInterval.php
@@ -47,7 +47,7 @@ class sspmod_core_Auth_Process_WarnShortSSOInterval extends SimpleSAML_Auth_Proc
 		/* Save state and redirect. */
 		$id = SimpleSAML_Auth_State::saveState($state, 'core:short_sso_interval');
 		$url = SimpleSAML_Module::getModuleURL('core/short_sso_interval.php');
-		SimpleSAML_Utilities::redirect($url, array('StateId' => $id));
+		SimpleSAML_Utilities::redirectTrustedURL($url, array('StateId' => $id));
 	}
 
 }
diff --git a/modules/core/lib/Auth/UserPassBase.php b/modules/core/lib/Auth/UserPassBase.php
index 80eae48ee..633a7484a 100644
--- a/modules/core/lib/Auth/UserPassBase.php
+++ b/modules/core/lib/Auth/UserPassBase.php
@@ -158,7 +158,7 @@ abstract class sspmod_core_Auth_UserPassBase extends SimpleSAML_Auth_Source {
 		 */
 		$url = SimpleSAML_Module::getModuleURL('core/loginuserpass.php');
 		$params = array('AuthState' => $id);
-		SimpleSAML_Utilities::redirect($url, $params);
+		SimpleSAML_Utilities::redirectTrustedURL($url, $params);
 
 		/* The previous function never returns, so this code is never executed. */
 		assert('FALSE');
diff --git a/modules/core/lib/Auth/UserPassOrgBase.php b/modules/core/lib/Auth/UserPassOrgBase.php
index dc3a92eb6..f79c3aefa 100644
--- a/modules/core/lib/Auth/UserPassOrgBase.php
+++ b/modules/core/lib/Auth/UserPassOrgBase.php
@@ -157,7 +157,7 @@ abstract class sspmod_core_Auth_UserPassOrgBase extends SimpleSAML_Auth_Source {
 
 		$url = SimpleSAML_Module::getModuleURL('core/loginuserpassorg.php');
 		$params = array('AuthState' => $id);
-		SimpleSAML_Utilities::redirect($url, $params);
+		SimpleSAML_Utilities::redirectTrustedURL($url, $params);
 	}
 
 
diff --git a/modules/core/www/as_login.php b/modules/core/www/as_login.php
index 143dde6c1..a30bd1f77 100644
--- a/modules/core/www/as_login.php
+++ b/modules/core/www/as_login.php
@@ -35,4 +35,4 @@ if (!empty($_REQUEST['saml:idp'])) {
 $as = new SimpleSAML_Auth_Simple($_REQUEST['AuthId']);
 $as->requireAuth($options);
 
-SimpleSAML_Utilities::redirect($_REQUEST['ReturnTo']);
+SimpleSAML_Utilities::redirectUntrustedURL($_REQUEST['ReturnTo']);
diff --git a/modules/core/www/bwc_resumeauth.php b/modules/core/www/bwc_resumeauth.php
index 5da50c3dc..68b205504 100644
--- a/modules/core/www/bwc_resumeauth.php
+++ b/modules/core/www/bwc_resumeauth.php
@@ -20,7 +20,7 @@ if ($requestcache['ForceAuthn'] && $requestcache['core:prevSession'] === $sessio
 }
 
 if (isset($state['ReturnTo'])) {
-	SimpleSAML_Utilities::redirect($state['ReturnTo']);
+	SimpleSAML_Utilities::redirectUntrustedURL($state['ReturnTo']);
 }
 
 foreach ($session->getAuthState($authority) as $k => $v) {
diff --git a/modules/core/www/cleardiscochoices.php b/modules/core/www/cleardiscochoices.php
index 7cf7fa03f..c94e411e2 100644
--- a/modules/core/www/cleardiscochoices.php
+++ b/modules/core/www/cleardiscochoices.php
@@ -33,5 +33,5 @@ if(array_key_exists('ReturnTo', $_REQUEST)) {
 }
 
 /* Redirect to destination. */
-SimpleSAML_Utilities::redirect($returnTo);
+SimpleSAML_Utilities::redirectUntrustedURL($returnTo);
 
diff --git a/modules/core/www/login-admin.php b/modules/core/www/login-admin.php
index 16acc1e0f..83886a181 100644
--- a/modules/core/www/login-admin.php
+++ b/modules/core/www/login-admin.php
@@ -10,5 +10,5 @@ $returnTo = $_REQUEST['ReturnTo'];
 
 SimpleSAML_Utilities::requireAdmin();
 
-SimpleSAML_Utilities::redirect($returnTo);
+SimpleSAML_Utilities::redirectUntrustedURL($returnTo);
 
diff --git a/modules/discopower/lib/PowerIdPDisco.php b/modules/discopower/lib/PowerIdPDisco.php
index 072e6afb3..bb33a3c6d 100644
--- a/modules/discopower/lib/PowerIdPDisco.php
+++ b/modules/discopower/lib/PowerIdPDisco.php
@@ -193,7 +193,7 @@ class sspmod_discopower_PowerIdPDisco extends SimpleSAML_XHTML_IdPDisco {
 			if ($this->config->getBoolean('idpdisco.extDiscoveryStorage', NULL) != NULL) {
 				$extDiscoveryStorage = $this->config->getBoolean('idpdisco.extDiscoveryStorage');
 				$this->log('Choice made [' . $idp . '] (Forwarding to external discovery storage)');
-				SimpleSAML_Utilities::redirect($extDiscoveryStorage, array(
+				SimpleSAML_Utilities::redirectTrustedURL($extDiscoveryStorage, array(
 					'entityID' => $this->spEntityId,
 					'IdPentityID' => $idp,
 					'returnIDParam' => $this->returnIdParam,
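Review bot: The value passed to redirectTrustedURL() here is read with `getBoolean('idpdisco.extDiscoveryStorage')`, so the redirect target is a boolean rather than a URL. The parallel code in lib/SimpleSAML/XHTML/IdPDisco.php reads the same option with `getString('idpdisco.extDiscoveryStorage', NULL)` and tests it with `!== NULL`. The mismatch predates this commit, but since the line now labels the value a trusted URL it is worth fixing together: `$extDiscoveryStorage = $this->config->getString('idpdisco.extDiscoveryStorage', NULL);` followed by `if ($extDiscoveryStorage !== NULL) {`. The array argument continues past the end of the hunk.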
@@ -203,7 +203,7 @@ class sspmod_discopower_PowerIdPDisco extends SimpleSAML_XHTML_IdPDisco {
 				
 			} else {
 				$this->log('Choice made [' . $idp . '] (Redirecting the user back. returnIDParam=' . $this->returnIdParam . ')');
-				SimpleSAML_Utilities::redirect($this->returnURL, array($this->returnIdParam => $idp));
+				SimpleSAML_Utilities::redirectUntrustedURL($this->returnURL, array($this->returnIdParam => $idp));
 			}
 			
 			return;
@@ -211,7 +211,7 @@ class sspmod_discopower_PowerIdPDisco extends SimpleSAML_XHTML_IdPDisco {
 		
 		if ($this->isPassive) {
 			$this->log('Choice not made. (Redirecting the user back without answer)');
-			SimpleSAML_Utilities::redirect($this->returnURL);
+			SimpleSAML_Utilities::redirectUntrustedURL($this->returnURL);
 			return;
 		}
 
diff --git a/modules/exampleauth/lib/Auth/Process/RedirectTest.php b/modules/exampleauth/lib/Auth/Process/RedirectTest.php
index 02a4220d6..1ed810394 100644
--- a/modules/exampleauth/lib/Auth/Process/RedirectTest.php
+++ b/modules/exampleauth/lib/Auth/Process/RedirectTest.php
@@ -22,7 +22,7 @@ class sspmod_exampleauth_Auth_Process_RedirectTest extends SimpleSAML_Auth_Proce
 		/* Save state and redirect. */
 		$id = SimpleSAML_Auth_State::saveState($state, 'exampleauth:redirectfilter-test');
 		$url = SimpleSAML_Module::getModuleURL('exampleauth/redirecttest.php');
-		SimpleSAML_Utilities::redirect($url, array('StateId' => $id));
+		SimpleSAML_Utilities::redirectTrustedURL($url, array('StateId' => $id));
 	}
 
 }
diff --git a/modules/exampleauth/lib/Auth/Source/External.php b/modules/exampleauth/lib/Auth/Source/External.php
index fee9489aa..d3b16f020 100644
--- a/modules/exampleauth/lib/Auth/Source/External.php
+++ b/modules/exampleauth/lib/Auth/Source/External.php
@@ -156,7 +156,7 @@ class sspmod_exampleauth_Auth_Source_External extends SimpleSAML_Auth_Source {
 		 * Note the 'ReturnTo' parameter. This must most likely be replaced with
 		 * the real name of the parameter for the login page.
 		 */
-		SimpleSAML_Utilities::redirect($authPage, array(
+		SimpleSAML_Utilities::redirectTrustedURL($authPage, array(
 			'ReturnTo' => $returnTo,
 		));
 
diff --git a/modules/expirycheck/lib/Auth/Process/ExpiryDate.php b/modules/expirycheck/lib/Auth/Process/ExpiryDate.php
index 65a56ca17..113261759 100644
--- a/modules/expirycheck/lib/Auth/Process/ExpiryDate.php
+++ b/modules/expirycheck/lib/Auth/Process/ExpiryDate.php
@@ -136,7 +136,7 @@ class sspmod_expirycheck_Auth_Process_ExpiryDate extends SimpleSAML_Auth_Process
 			$state['netId'] = $netId;
 			$id = SimpleSAML_Auth_State::saveState($state, 'expirywarning:about2expire');
 			$url = SimpleSAML_Module::getModuleURL('expirycheck/about2expire.php');
-			SimpleSAML_Utilities::redirect($url, array('StateId' => $id));
+			SimpleSAML_Utilities::redirectTrustedURL($url, array('StateId' => $id));
 		}
 
 		if (!self::checkDate($expireOnDate)) {
@@ -149,7 +149,7 @@ class sspmod_expirycheck_Auth_Process_ExpiryDate extends SimpleSAML_Auth_Process
 			$state['netId'] = $netId;
 			$id = SimpleSAML_Auth_State::saveState($state, 'expirywarning:expired');
 			$url = SimpleSAML_Module::getModuleURL('expirycheck/expired.php');
-			SimpleSAML_Utilities::redirect($url, array('StateId' => $id));
+			SimpleSAML_Utilities::redirectTrustedURL($url, array('StateId' => $id));
 
 		}
 	}
diff --git a/modules/multiauth/lib/Auth/Source/MultiAuth.php b/modules/multiauth/lib/Auth/Source/MultiAuth.php
index 2b975d4fe..ea74df5a8 100644
--- a/modules/multiauth/lib/Auth/Source/MultiAuth.php
+++ b/modules/multiauth/lib/Auth/Source/MultiAuth.php
@@ -121,7 +121,7 @@ class sspmod_multiauth_Auth_Source_MultiAuth extends SimpleSAML_Auth_Source {
 			$params['source'] = $_GET['source'];
 		}
 
-		SimpleSAML_Utilities::redirect($url, $params);
+		SimpleSAML_Utilities::redirectTrustedURL($url, $params);
 
 		/* The previous function never returns, so this code is never
 		executed */
diff --git a/modules/oauth/lib/Consumer.php b/modules/oauth/lib/Consumer.php
index 734fd4336..36065fec2 100644
--- a/modules/oauth/lib/Consumer.php
+++ b/modules/oauth/lib/Consumer.php
@@ -94,7 +94,7 @@ class sspmod_oauth_Consumer {
 		}
 		$authorizeURL = SimpleSAML_Utilities::addURLparameter($url, $params);
 		if ($redirect) {
-			SimpleSAML_Utilities::redirect($authorizeURL);
+			SimpleSAML_Utilities::redirectTrustedURL($authorizeURL);
 			exit;
 		}	
 		return $authorizeURL;
diff --git a/modules/oauth/www/authorize.php b/modules/oauth/www/authorize.php
index a2329d1ba..9b3e032e1 100644
--- a/modules/oauth/www/authorize.php
+++ b/modules/oauth/www/authorize.php
@@ -56,11 +56,11 @@ try {
 
 	if ($url) {
 		// If authorize() returns a URL, take user there (oauth1.0a)
-		SimpleSAML_Utilities::redirect($url);
+		SimpleSAML_Utilities::redirectUntrustedURL($url);
 	} 
 	else if (isset($_REQUEST['oauth_callback'])) {
 		// If callback was provided in the request (oauth1.0)
-		SimpleSAML_Utilities::redirect($_REQUEST['oauth_callback']);
+		SimpleSAML_Utilities::redirectUntrustedURL($_REQUEST['oauth_callback']);
 	
 	} else {
 		// No callback provided, display standard template
diff --git a/modules/openid/lib/Auth/Source/OpenIDConsumer.php b/modules/openid/lib/Auth/Source/OpenIDConsumer.php
index 2144ad1b0..ce5a758be 100644
--- a/modules/openid/lib/Auth/Source/OpenIDConsumer.php
+++ b/modules/openid/lib/Auth/Source/OpenIDConsumer.php
@@ -123,7 +123,7 @@ class sspmod_openid_Auth_Source_OpenIDConsumer extends SimpleSAML_Auth_Source {
 		$id = SimpleSAML_Auth_State::saveState($state, 'openid:init');
 
 		$url = SimpleSAML_Module::getModuleURL('openid/consumer.php');
-		SimpleSAML_Utilities::redirect($url, array('AuthState' => $id));
+		SimpleSAML_Utilities::redirectTrustedURL($url, array('AuthState' => $id));
 	}
 
 
@@ -251,7 +251,7 @@ class sspmod_openid_Auth_Source_OpenIDConsumer extends SimpleSAML_Auth_Source {
 
 			// For OpenID 2 failover to POST if redirect URL is longer than 2048
 			if ($should_send_redirect || strlen($redirect_url) <= 2048) {
-				SimpleSAML_Utilities::redirect($redirect_url);
+				SimpleSAML_Utilities::redirectTrustedURL($redirect_url);
 				assert('FALSE');
 			}
 		}
diff --git a/modules/openidProvider/lib/Server.php b/modules/openidProvider/lib/Server.php
index 417191e17..f0596d18f 100644
--- a/modules/openidProvider/lib/Server.php
+++ b/modules/openidProvider/lib/Server.php
@@ -401,7 +401,7 @@ class sspmod_openidProvider_Server {
 			}
 
 			$trustURL = $this->getStateURL('trust.php', $state);
-			SimpleSAML_Utilities::redirect($trustURL);
+			SimpleSAML_Utilities::redirectTrustedURL($trustURL);
 		}
 
 		if (!$trusted) {
diff --git a/modules/openidProvider/www/user.php b/modules/openidProvider/www/user.php
index 696476286..74aa1a7c8 100644
--- a/modules/openidProvider/www/user.php
+++ b/modules/openidProvider/www/user.php
@@ -15,7 +15,7 @@ if (!$userId && $identity) {
 	 * We are accessing the front-page, but are logged in.
 	 * Redirect to the correct page.
 	 */
-	SimpleSAML_Utilities::redirect($identity);
+	SimpleSAML_Utilities::redirectTrustedURL($identity);
 }
 
 /* Determine whether we are at the users own page. */
@@ -39,7 +39,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') {
 		}
 	}
 
-	SimpleSAML_Utilities::redirect($identity);
+	SimpleSAML_Utilities::redirectTrustedURL($identity);
 }
 
 if ($ownPage) {
diff --git a/modules/preprodwarning/lib/Auth/Process/Warning.php b/modules/preprodwarning/lib/Auth/Process/Warning.php
index 089801534..b9ea10ed9 100644
--- a/modules/preprodwarning/lib/Auth/Process/Warning.php
+++ b/modules/preprodwarning/lib/Auth/Process/Warning.php
@@ -29,7 +29,7 @@ class sspmod_preprodwarning_Auth_Process_Warning extends SimpleSAML_Auth_Process
 		/* Save state and redirect. */
 		$id = SimpleSAML_Auth_State::saveState($state, 'warning:request');
 		$url = SimpleSAML_Module::getModuleURL('preprodwarning/showwarning.php');
-		SimpleSAML_Utilities::redirect($url, array('StateId' => $id));
+		SimpleSAML_Utilities::redirectTrustedURL($url, array('StateId' => $id));
 	}
 	
 
diff --git a/modules/saml/lib/Auth/Process/ExpectedAuthnContextClassRef.php b/modules/saml/lib/Auth/Process/ExpectedAuthnContextClassRef.php
index 4ee754bb5..bfc2dc180 100644
--- a/modules/saml/lib/Auth/Process/ExpectedAuthnContextClassRef.php
+++ b/modules/saml/lib/Auth/Process/ExpectedAuthnContextClassRef.php
@@ -80,6 +80,6 @@ class sspmod_saml_Auth_Process_ExpectedAuthnContextClassRef extends SimpleSAML_A
 		$id = SimpleSAML_Auth_State::saveState($request, 'saml:ExpectedAuthnContextClassRef:unauthorized');
 		$url = SimpleSAML_Module::getModuleURL(
 			'saml/sp/wrong_authncontextclassref.php');
-		SimpleSAML_Utilities::redirect($url, array('StateId' => $id));
+		SimpleSAML_Utilities::redirectTrustedURL($url, array('StateId' => $id));
 	}
 }
diff --git a/modules/saml/lib/Auth/Source/SP.php b/modules/saml/lib/Auth/Source/SP.php
index 9bc623468..a2b223588 100644
--- a/modules/saml/lib/Auth/Source/SP.php
+++ b/modules/saml/lib/Auth/Source/SP.php
@@ -168,7 +168,7 @@ class sspmod_saml_Auth_Source_SP extends SimpleSAML_Auth_Source {
 
 		SimpleSAML_Logger::debug('Starting SAML 1 SSO to ' . var_export($idpEntityId, TRUE) .
 			' from ' . var_export($this->entityId, TRUE) . '.');
-		SimpleSAML_Utilities::redirect($url);
+		SimpleSAML_Utilities::redirectTrustedURL($url);
 	}
 
 
@@ -355,7 +355,7 @@ class sspmod_saml_Auth_Source_SP extends SimpleSAML_Auth_Source {
 			$params['isPassive'] = 'true';
 		}
 
-		SimpleSAML_Utilities::redirect($discoURL, $params);
+		SimpleSAML_Utilities::redirectTrustedURL($discoURL, $params);
 	}
 
 
diff --git a/modules/saml/www/sp/saml2-acs.php b/modules/saml/www/sp/saml2-acs.php
index 4c4b6db29..a3c8200bc 100644
--- a/modules/saml/www/sp/saml2-acs.php
+++ b/modules/saml/www/sp/saml2-acs.php
@@ -45,7 +45,7 @@ if ($prevAuth !== NULL && $prevAuth['id'] === $response->getId() && $prevAuth['i
 	 * instead of displaying a confusing error message.
 	 */
 	SimpleSAML_Logger::info('Duplicate SAML 2 response detected - ignoring the response and redirecting the user to the correct page.');
-	SimpleSAML_Utilities::redirect($prevAuth['redirect']);
+	SimpleSAML_Utilities::redirectTrustedURL($prevAuth['redirect']);
 }
 
 $idpMetadata = array();
diff --git a/www/auth/login-admin.php b/www/auth/login-admin.php
index f660dd941..42ac0ecf0 100644
--- a/www/auth/login-admin.php
+++ b/www/auth/login-admin.php
@@ -59,7 +59,7 @@ if (isset($_POST['password'])) {
 		else 
 			SimpleSAML_Logger::stats('AUTH-login-admin OK');
 		
-		SimpleSAML_Utilities::redirect($relaystate);
+		SimpleSAML_Utilities::redirectUntrustedURL($relaystate);
 		exit(0);
 	} else {
 		SimpleSAML_Logger::stats('AUTH-login-admin Failed');
diff --git a/www/auth/login-cas-ldap.php b/www/auth/login-cas-ldap.php
index dff33f1fd..2ba907ade 100644
--- a/www/auth/login-cas-ldap.php
+++ b/www/auth/login-cas-ldap.php
@@ -104,7 +104,7 @@ function casValidate($cas) {
 	 */
 	} else {
 		SimpleSAML_Logger::info("AUTH - cas-ldap: redirecting to {$cas['login']}");
-		SimpleSAML_Utilities::redirect($cas['login'], array(
+		SimpleSAML_Utilities::redirectTrustedURL($cas['login'], array(
 			'service' => $service
 		));		
 	}
@@ -132,7 +132,7 @@ try {
 	$session->setNameID(array(
 			'value' => SimpleSAML_Utilities::generateID(),
 			'Format' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'));
-	SimpleSAML_Utilities::redirect($relaystate);
+	SimpleSAML_Utilities::redirectUntrustedURL($relaystate);
 
 } catch(Exception $exception) {
 	throw new SimpleSAML_Error_Error('CASERROR', $exception);
diff --git a/www/auth/login-ldapmulti.php b/www/auth/login-ldapmulti.php
index 9e070b41a..aab198afc 100644
--- a/www/auth/login-ldapmulti.php
+++ b/www/auth/login-ldapmulti.php
@@ -71,7 +71,7 @@ if (isset($_POST['username'])) {
 				
 				
 		$returnto = $_REQUEST['RelayState'];
-		SimpleSAML_Utilities::redirect($returnto);
+		SimpleSAML_Utilities::redirectUntrustedURL($returnto);
 
 	} catch (Exception $e) {
 		
diff --git a/www/auth/login-radius.php b/www/auth/login-radius.php
index 73e24b601..b95c7ae92 100644
--- a/www/auth/login-radius.php
+++ b/www/auth/login-radius.php
@@ -110,7 +110,7 @@ if (isset($_POST['username'])) {
 
 	
 				$returnto = $_REQUEST['RelayState'];
-				SimpleSAML_Utilities::redirect($returnto);
+				SimpleSAML_Utilities::redirectUntrustedURL($returnto);
 				
 	
 			case RADIUS_ACCESS_REJECT:
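Review bot: Nothing terminates the success branch after the new `redirectUntrustedURL($returnto);` call, so the `case RADIUS_ACCESS_REJECT:` label below it is reached by fall-through if the wrapper ever returns. The wrapper presumably ends the request or throws, but its body is not part of this patch, so the authenticated path should not depend on that. Adding `exit(0);` right after the call, as www/auth/login-admin.php already does, makes the end of the branch explicit. The same reliance appears in www/saml2/sp/initSLO.php, where execution would continue to `getMetaDataConfig($idpEntityId, ...)` with a NULL entity id. The enclosing switch starts and ends outside the hunk.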
diff --git a/www/auth/login-tlsclient.php b/www/auth/login-tlsclient.php
index 3fe22faf1..42e2678ae 100644
--- a/www/auth/login-tlsclient.php
+++ b/www/auth/login-tlsclient.php
@@ -69,7 +69,7 @@ try {
 		
 
 	$returnto = $_REQUEST['RelayState'];
-	SimpleSAML_Utilities::redirect($returnto);	
+	SimpleSAML_Utilities::redirectUntrustedURL($returnto);
 	
 	
 } catch (Exception $e) {
diff --git a/www/auth/login-wayf-ldap.php b/www/auth/login-wayf-ldap.php
index 980e482a1..73d5f57a4 100644
--- a/www/auth/login-wayf-ldap.php
+++ b/www/auth/login-wayf-ldap.php
@@ -59,7 +59,7 @@ if ($username = $_POST['username']) {
 			$session->setNameID(array(
 					'value' => SimpleSAML_Utilities::generateID(),
 					'Format' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'));
-			SimpleSAML_Utilities::redirect($relaystate);
+			SimpleSAML_Utilities::redirectUntrustedURL($relaystate);
 		}
 	} catch(Exception $e) {
 			throw new SimpleSAML_Error_Error('LDAPERROR', $e);
diff --git a/www/auth/login.php b/www/auth/login.php
index 308cc283f..57ccd3b58 100644
--- a/www/auth/login.php
+++ b/www/auth/login.php
@@ -126,7 +126,7 @@ if (isset($_POST['username'])) {
 			
 
 		$returnto = $_REQUEST['RelayState'];
-		SimpleSAML_Utilities::redirect($returnto);	
+		SimpleSAML_Utilities::redirectUntrustedURL($returnto);	
 		
 		
 	} catch (Exception $e) {
diff --git a/www/authmemcookie.php b/www/authmemcookie.php
index b6b398fdf..a4e877a7c 100644
--- a/www/authmemcookie.php
+++ b/www/authmemcookie.php
@@ -109,7 +109,7 @@ try {
 	$session->registerLogoutHandler('SimpleSAML_AuthMemCookie', 'logoutHandler');
 
 	/* Redirect the user back to this page to signal that the login is completed. */
-	SimpleSAML_Utilities::redirect(SimpleSAML_Utilities::selfURL());
+	SimpleSAML_Utilities::redirectTrustedURL(SimpleSAML_Utilities::selfURL());
 } catch(Exception $e) {
 	throw new SimpleSAML_Error_Error('CONFIG', $e);
 }
diff --git a/www/errorreport.php b/www/errorreport.php
index 101eae951..580a2bd39 100644
--- a/www/errorreport.php
+++ b/www/errorreport.php
@@ -99,4 +99,4 @@ if ($config->getBoolean('errorreporting', TRUE) && $toAddress !== 'na@example.or
 }
 
 /* Redirect the user back to this page to clear the POST request. */
-SimpleSAML_Utilities::redirect(SimpleSAML_Utilities::selfURLNoQuery());
+SimpleSAML_Utilities::redirectTrustedURL(SimpleSAML_Utilities::selfURLNoQuery());
diff --git a/www/example-simple/attributequery.php b/www/example-simple/attributequery.php
index 8ec2fc614..835baa3b1 100644
--- a/www/example-simple/attributequery.php
+++ b/www/example-simple/attributequery.php
@@ -61,7 +61,7 @@ function handleResponse() {
 	$data['attributes'] = $assertion->getAttributes();
 	$GLOBALS['session']->setData('attributequeryexample:data', $dataId, $data, 3600);
 
-	SimpleSAML_Utilities::redirect(SimpleSAML_Utilities::selfURLNoQuery(),
+	SimpleSAML_Utilities::redirectTrustedURL(SimpleSAML_Utilities::selfURLNoQuery(),
 		array('dataId' => $dataId));
 }
 
diff --git a/www/example-simple/saml2-example.php b/www/example-simple/saml2-example.php
index c0483c9e8..8c80d1bdc 100644
--- a/www/example-simple/saml2-example.php
+++ b/www/example-simple/saml2-example.php
@@ -41,7 +41,7 @@ $session = SimpleSAML_Session::getInstance();
  * retrieving attributes from the session.
  */
 if (!$session->isValid('saml2') ) {
-	SimpleSAML_Utilities::redirect(
+	SimpleSAML_Utilities::redirectTrustedURL(
 		'/' . $config->getBaseURL() . 'saml2/sp/initSSO.php',
 		array('RelayState' => SimpleSAML_Utilities::selfURL())
 	);
diff --git a/www/example-simple/shib13-example.php b/www/example-simple/shib13-example.php
index dbec3bc41..0dfa07daa 100644
--- a/www/example-simple/shib13-example.php
+++ b/www/example-simple/shib13-example.php
@@ -41,7 +41,7 @@ $session = SimpleSAML_Session::getInstance();
  * retrieving attributes from the session.
  */
 if (!$session->isValid('shib13') ) {
-	SimpleSAML_Utilities::redirect(
+	SimpleSAML_Utilities::redirectTrustedURL(
 		'/' . $config->getBaseURL() . 'shib13/sp/initSSO.php',
 		array('RelayState' => SimpleSAML_Utilities::selfURL())
 	);
diff --git a/www/example-simple/wsfed-example.php b/www/example-simple/wsfed-example.php
index 6962ab884..c75884871 100644
--- a/www/example-simple/wsfed-example.php
+++ b/www/example-simple/wsfed-example.php
@@ -6,7 +6,7 @@ $config = SimpleSAML_Configuration::getInstance();
 $session = SimpleSAML_Session::getInstance();
 
 if (!$session->isValid('wsfed') ) {
-	SimpleSAML_Utilities::redirect(
+	SimpleSAML_Utilities::redirectTrustedURL(
 		'/' . $config->getBaseURL() . 'wsfed/sp/initSSO.php',
 		array('RelayState' => SimpleSAML_Utilities::selfURL())
 	);
diff --git a/www/index.php b/www/index.php
index 017a0d737..4ca3a3baa 100644
--- a/www/index.php
+++ b/www/index.php
@@ -3,4 +3,4 @@
 require_once('_include.php');
 
 
-SimpleSAML_Utilities::redirect(SimpleSAML_Module::getModuleURL('core/frontpage_welcome.php'));
+SimpleSAML_Utilities::redirectTrustedURL(SimpleSAML_Module::getModuleURL('core/frontpage_welcome.php'));
diff --git a/www/saml2/sp/AssertionConsumerService.php b/www/saml2/sp/AssertionConsumerService.php
index bb5a3c1da..e024489ba 100644
--- a/www/saml2/sp/AssertionConsumerService.php
+++ b/www/saml2/sp/AssertionConsumerService.php
@@ -47,7 +47,7 @@ function finishLogin($authProcState) {
 	global $session;
 	$session->doLogin('saml2', $authData);
 
-	SimpleSAML_Utilities::redirect($authProcState['core:saml20-sp:TargetURL']);
+	SimpleSAML_Utilities::redirectUntrustedURL($authProcState['core:saml20-sp:TargetURL']);
 }
 
 SimpleSAML_Logger::info('SAML2.0 - SP.AssertionConsumerService: Accessing SAML 2.0 SP endpoint AssertionConsumerService');
@@ -116,7 +116,7 @@ try {
 		$status = $response->getStatus();
 		if(array_key_exists('OnError', $info)) {
 			/* We have an error handler. Return the error to it. */
-			SimpleSAML_Utilities::redirect($info['OnError'], array('StatusCode' => $status['Code']));
+			SimpleSAML_Utilities::redirectTrustedURL($info['OnError'], array('StatusCode' => $status['Code']));
 		}
 
 		/* We don't have an error handler. Show an error page. */
diff --git a/www/saml2/sp/SingleLogoutService.php b/www/saml2/sp/SingleLogoutService.php
index a2546f74e..0bd8c731e 100644
--- a/www/saml2/sp/SingleLogoutService.php
+++ b/www/saml2/sp/SingleLogoutService.php
@@ -88,7 +88,7 @@ if ($message instanceof SAML2_LogoutRequest) {
 		throw new SimpleSAML_Error_Error('LOGOUTINFOLOST');
 	}
 
-	SimpleSAML_Utilities::redirect($returnTo);
+	SimpleSAML_Utilities::redirectUntrustedURL($returnTo);
 
 } else {
 	throw new SimpleSAML_Error_Error('SLOSERVICEPARAMS');
diff --git a/www/saml2/sp/initSLO.php b/www/saml2/sp/initSLO.php
index 688680ed9..8402a36c0 100644
--- a/www/saml2/sp/initSLO.php
+++ b/www/saml2/sp/initSLO.php
@@ -25,7 +25,7 @@ try {
 	$idpEntityId = $session->getAuthData('saml2', 'saml:sp:IdP');
 	if ($idpEntityId === NULL) {
 		SimpleSAML_Logger::info('SAML2.0 - SP.initSLO: User not authenticated with an IdP.');
-		SimpleSAML_Utilities::redirect($returnTo);
+		SimpleSAML_Utilities::redirectUntrustedURL($returnTo);
 	}
 	$idpMetadata = $metadata->getMetaDataConfig($idpEntityId, 'saml20-idp-remote');
 	$SLOendpoint = $idpMetadata->getEndpointPrioritizedByBinding('SingleLogoutService', array(
@@ -35,7 +35,7 @@ try {
 	if ($SLOendpoint === NULL) {
 		$session->doLogout('saml2');
 		SimpleSAML_Logger::info('SAML2.0 - SP.initSLO: No supported SingleLogoutService endpoint in IdP.');
-		SimpleSAML_Utilities::redirect($returnTo);
+		SimpleSAML_Utilities::redirectUntrustedURL($returnTo);
 	}
 
 	$spEntityId = isset($_GET['spentityid']) ? $_GET['spentityid'] : $metadata->getMetaDataCurrentEntityID();
diff --git a/www/saml2/sp/initSSO.php b/www/saml2/sp/initSSO.php
index 491a18d17..880674837 100644
--- a/www/saml2/sp/initSSO.php
+++ b/www/saml2/sp/initSSO.php
@@ -96,7 +96,7 @@ if ($idpentityid === NULL) {
 		
 		$extDiscoveryStorage = $config->getBoolean('idpdisco.extDiscoveryStorage');
 		
-		SimpleSAML_Utilities::redirect($extDiscoveryStorage, array(
+		SimpleSAML_Utilities::redirectTrustedURL($extDiscoveryStorage, array(
 			'entityID' => $spentityid,
 			'return' => SimpleSAML_Utilities::addURLparameter($discourl, array(
 				'return' => SimpleSAML_Utilities::selfURL(),
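Review bot: The redirect target is read with `$config->getBoolean('idpdisco.extDiscoveryStorage')`, so `redirectTrustedURL()` receives a boolean rather than a URL. Marking the destination as trusted only holds if it is the configured discovery-storage address, so the option should be read as a string: `$extDiscoveryStorage = $config->getString('idpdisco.extDiscoveryStorage');`. The guarding condition and the rest of the argument array lie outside the hunk, so whether the surrounding check also uses the boolean accessor cannot be confirmed from here.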
@@ -120,7 +120,7 @@ if ($idpentityid === NULL) {
 		$discoparameters['IDPList'] = $reachableIDPs;
 	}
 
-	SimpleSAML_Utilities::redirect($discourl, $discoparameters);
+	SimpleSAML_Utilities::redirectTrustedURL($discourl, $discoparameters);
 }
 
 
diff --git a/www/shib13/sp/AssertionConsumerService.php b/www/shib13/sp/AssertionConsumerService.php
index c392cebc6..f523c28a4 100644
--- a/www/shib13/sp/AssertionConsumerService.php
+++ b/www/shib13/sp/AssertionConsumerService.php
@@ -34,7 +34,7 @@ function finishLogin($authProcState) {
 	global $session;
 	$session->doLogin('shib13', $authData);
 
-	SimpleSAML_Utilities::redirect($authProcState['core:shib13-sp:TargetURL']);
+	SimpleSAML_Utilities::redirectTrustedURL($authProcState['core:shib13-sp:TargetURL']);
 }
 
 
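Review bot: `$authProcState['core:shib13-sp:TargetURL']` is redirected with `redirectTrustedURL()`, while the SAML 2.0 counterpart in www/saml2/sp/AssertionConsumerService.php sends `core:saml20-sp:TargetURL` through `redirectUntrustedURL()`, and www/shib13/sp/initSSO.php treats `$relaystate` as untrusted. If the Shib 1.3 target is filled from the relay state or target value of the incoming response (not visible in this hunk), it is request-controlled and should get the same treatment: `SimpleSAML_Utilities::redirectUntrustedURL($authProcState['core:shib13-sp:TargetURL']);`. Otherwise a one-line comment above the call stating where the value comes from and why it is trusted would explain the difference between the two endpoints.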
diff --git a/www/shib13/sp/initSSO.php b/www/shib13/sp/initSSO.php
index d8fc8720b..d666b8b86 100644
--- a/www/shib13/sp/initSSO.php
+++ b/www/shib13/sp/initSSO.php
@@ -58,7 +58,7 @@ if (!isset($session) || !$session->isValid('shib13') ) {
 			$discservice = '/' . $config->getBaseURL() . 'shib13/sp/idpdisco.php';
 		}
 
-		SimpleSAML_Utilities::redirect($discservice, array(
+		SimpleSAML_Utilities::redirectTrustedURL($discservice, array(
 			'entityID' => $spentityid,
 			'return' => SimpleSAML_Utilities::selfURL(),
 			'returnIDParam' => 'idpentityid',
@@ -75,7 +75,7 @@ if (!isset($session) || !$session->isValid('shib13') ) {
 		SimpleSAML_Logger::info('Shib1.3 - SP.initSSO: SP (' . $spentityid . ') is sending AuthNRequest to IdP (' . $idpentityid . ')');
 
 		$url = $ar->createRedirect($idpentityid);
-		SimpleSAML_Utilities::redirect($url);
+		SimpleSAML_Utilities::redirectTrustedURL($url);
 	
 	} catch(Exception $exception) {		
 		throw new SimpleSAML_Error_Error('CREATEREQUEST', $exception);
@@ -88,7 +88,7 @@ if (!isset($session) || !$session->isValid('shib13') ) {
 	
 	if (isset($relaystate) && !empty($relaystate)) {
 		SimpleSAML_Logger::info('Shib1.3 - SP.initSSO: Already Authenticated, Go back to RelayState');
-		SimpleSAML_Utilities::redirect($relaystate);
+		SimpleSAML_Utilities::redirectUntrustedURL($relaystate);
 	} else {
 		throw new SimpleSAML_Error_Error('NORELAYSTATE');
 	}
diff --git a/www/wsfed/sp/initSLO.php b/www/wsfed/sp/initSLO.php
index 9aef7fc26..f31ebaaca 100644
--- a/www/wsfed/sp/initSLO.php
+++ b/www/wsfed/sp/initSLO.php
@@ -38,7 +38,7 @@ if (isset($session) ) {
 			
 		$idpmeta = $metadata->getMetaData($idpentityid, 'wsfed-idp-remote');
 		
-		SimpleSAML_Utilities::redirect($idpmeta['prp'], array(
+		SimpleSAML_Utilities::redirectTrustedURL($idpmeta['prp'], array(
 			'wa' => 'wsignout1.0',
 			'wct' =>  gmdate('Y-m-d\TH:i:s\Z', time()),
 			'wtrealm' => $spentityid,
@@ -53,7 +53,7 @@ if (isset($session) ) {
 } else {
 
 	SimpleSAML_Logger::info('WS-Fed - SP.initSLO: User is already logged out. Go back to relaystate');
-	SimpleSAML_Utilities::redirect($returnTo);
+	SimpleSAML_Utilities::redirectUntrustedURL($returnTo);
 	
 }
 
diff --git a/www/wsfed/sp/initSSO.php b/www/wsfed/sp/initSSO.php
index fd038b5d9..0e0b8613f 100644
--- a/www/wsfed/sp/initSSO.php
+++ b/www/wsfed/sp/initSSO.php
@@ -38,7 +38,7 @@ if ($idpentityid == null) {
 
 	SimpleSAML_Logger::info('WS-Fed - SP.initSSO: No chosen or default IdP, go to WSFeddisco');
 
-	SimpleSAML_Utilities::redirect('/' . $config->getBaseURL() . 'wsfed/sp/idpdisco.php', array(
+	SimpleSAML_Utilities::redirectTrustedURL('/' . $config->getBaseURL() . 'wsfed/sp/idpdisco.php', array(
 		'entityID' => $spentityid,
 		'return' => SimpleSAML_Utilities::selfURL(),
 		'returnIDParam' => 'idpentityid')
@@ -51,7 +51,7 @@ try {
 	$idpmeta = $metadata->getMetaData($idpentityid, 'wsfed-idp-remote');
 	$spmeta = $metadata->getMetaData($spentityid, 'wsfed-sp-hosted');
 
-	SimpleSAML_Utilities::redirect($idpmeta['prp'], array(
+	SimpleSAML_Utilities::redirectTrustedURL($idpmeta['prp'], array(
 		'wa' => 'wsignin1.0',
 		'wct' =>  gmdate('Y-m-d\TH:i:s\Z', time()),
 		'wtrealm' => $spentityid,
diff --git a/www/wsfed/sp/prp.php b/www/wsfed/sp/prp.php
index 06c1aa5cc..56b9b2496 100644
--- a/www/wsfed/sp/prp.php
+++ b/www/wsfed/sp/prp.php
@@ -28,7 +28,7 @@ if (!empty($_GET['wa']) and ($_GET['wa'] == 'wsignoutcleanup1.0')) {
 		$session->doLogout('wsfed');
 	}
 	if (!empty($_GET['wreply'])) {
-		SimpleSAML_Utilities::redirect(urldecode($_GET['wreply']));
+		SimpleSAML_Utilities::redirectUntrustedURL(urldecode($_GET['wreply']));
 	}
 	exit;
 }
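Review bot: `urldecode($_GET['wreply'])` decodes a value that PHP already URL-decoded when it populated `$_GET`, so the string handed to `redirectUntrustedURL()` has been decoded twice. A reply URL that legitimately contains `%xx` or `+` sequences is therefore altered before the wrapper checks it and before it is sent in the redirect. Pass the parameter as received: `SimpleSAML_Utilities::redirectUntrustedURL($_GET['wreply']);`.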
@@ -147,7 +147,7 @@ try {
 	$session->doLogin('wsfed', $authData);
 
 	/* Redirect the user back to the page which requested the login. */
-	SimpleSAML_Utilities::redirect($wctx);
+	SimpleSAML_Utilities::redirectUntrustedURL($wctx);
 
 } catch(Exception $exception) {		
 	throw new SimpleSAML_Error_Error('PROCESSASSERTION', $exception);
-- 
GitLab