diff --git a/lib/SimpleSAML/Auth/ProcessingChain.php b/lib/SimpleSAML/Auth/ProcessingChain.php index cfb452e6f6c789a63ea448dca203ebc18cbec294..da75fcc3f383c954aa5ab5318b8f18c7c19f9011 100644 --- a/lib/SimpleSAML/Auth/ProcessingChain.php +++ b/lib/SimpleSAML/Auth/ProcessingChain.php @@ -301,11 +301,9 @@ class SimpleSAML_Auth_ProcessingChain { /** * Retrieve a state which has finished processing. * - * @param string $id The state identifier. This can be found in the - * SimpleSAML_Auth_ProcessingChain::AUTHPARAM request parameter. Please - * make sure to sanitize it properly by calling the - * SimpleSAML_Utilities::checkURLAllowed() function with the embedded - * restart URL, if any. See also SimpleSAML_Utilities::parseStateID(). + * @param string $id The state identifier. + * @see SimpleSAML_Utilities::parseStateID() + * @return Array The state referenced by the $id parameter. */ public static function fetchProcessedState($id) { assert('is_string($id)'); diff --git a/lib/SimpleSAML/Auth/State.php b/lib/SimpleSAML/Auth/State.php index 1fe4ebf6017b3379a05985d40e1cf44efab858a3..4684f5d8fc8af222254716a3f753e18754eaa5c1 100644 --- a/lib/SimpleSAML/Auth/State.php +++ b/lib/SimpleSAML/Auth/State.php @@ -225,7 +225,7 @@ class SimpleSAML_Auth_State { throw new SimpleSAML_Error_NoState(); } - SimpleSAML_Utilities::redirectTrustedURL($sid['url']); + SimpleSAML_Utilities::redirectUntrustedURL($sid['url']); } $state = unserialize($state); @@ -249,7 +249,7 @@ class SimpleSAML_Auth_State { throw new Exception($msg); } - SimpleSAML_Utilities::redirectTrustedURL($sid['url']); + SimpleSAML_Utilities::redirectUntrustedURL($sid['url']); } return $state; diff --git a/lib/SimpleSAML/IdP/LogoutTraditional.php b/lib/SimpleSAML/IdP/LogoutTraditional.php index 1a43252a1a17eabee96528fd0f2cd1d0476e1b0d..4cd16dd860eab243baa0b0e5240f6ed11695c7db 100644 --- a/lib/SimpleSAML/IdP/LogoutTraditional.php +++ b/lib/SimpleSAML/IdP/LogoutTraditional.php @@ -75,12 +75,6 @@ class SimpleSAML_IdP_LogoutTraditional extends SimpleSAML_IdP_LogoutHandler { throw new SimpleSAML_Error_Exception('RelayState lost during logout.'); } - // sanitize the input - $sid = SimpleSAML_Utilities::parseStateID($relayState); - if (!is_null($sid['url'])) { - SimpleSAML_Utilities::checkURLAllowed($sid['url']); - } - $state = SimpleSAML_Auth_State::loadState($relayState, 'core:LogoutTraditional'); if ($error === NULL) { diff --git a/modules/aselect/www/credentials.php b/modules/aselect/www/credentials.php index 09b4b065758fa626cca7855d747c44199d65d062..a1bb0043434e800ff02a2e9b3c65823ba63590f8 100644 --- a/modules/aselect/www/credentials.php +++ b/modules/aselect/www/credentials.php @@ -9,15 +9,7 @@ if (!array_key_exists('ssp_state', $_REQUEST)) { throw new SimpleSAML_Error_Exception("Missing ssp_state parameter"); } -$id = $_REQUEST['ssp_state']; - -// sanitize the input -$sid = SimpleSAML_Utilities::parseStateID($id); -if (!is_null($sid['url'])) { - SimpleSAML_Utilities::checkURLAllowed($sid['url']); -} - -$state = SimpleSAML_Auth_State::loadState($id, 'aselect:login'); +$state = SimpleSAML_Auth_State::loadState($_REQUEST['ssp_state'], 'aselect:login'); if (!array_key_exists('a-select-server', $_REQUEST)) { SimpleSAML_Auth_State::throwException($state, new SimpleSAML_Error_Exception("Missing a-select-server parameter")); diff --git a/modules/authYubiKey/lib/Auth/Source/YubiKey.php b/modules/authYubiKey/lib/Auth/Source/YubiKey.php index a6227c0602e50d42a1b783782513989feefd3d1d..48c3047ac8e41afe52cacc9eac12dccdeb147ef1 100644 --- a/modules/authYubiKey/lib/Auth/Source/YubiKey.php +++ b/modules/authYubiKey/lib/Auth/Source/YubiKey.php @@ -123,12 +123,6 @@ class sspmod_authYubiKey_Auth_Source_YubiKey extends SimpleSAML_Auth_Source { assert('is_string($authStateId)'); assert('is_string($otp)'); - // sanitize the input - $sid = SimpleSAML_Utilities::parseStateID($authStateId); - if (!is_null($sid['url'])) { - SimpleSAML_Utilities::checkURLAllowed($sid['url']); - } - /* Retrieve the authentication state. */ $state = SimpleSAML_Auth_State::loadState($authStateId, self::STAGEID); diff --git a/modules/authfacebook/www/linkback.php b/modules/authfacebook/www/linkback.php index 0ab3656c242014306855c9aa41e46e1878e5b4e4..aed4404c76f870eb210d89e5b30958bf633e003a 100644 --- a/modules/authfacebook/www/linkback.php +++ b/modules/authfacebook/www/linkback.php @@ -7,16 +7,7 @@ if (!array_key_exists('AuthState', $_REQUEST) || empty($_REQUEST['AuthState'])) { throw new SimpleSAML_Error_BadRequest('Missing state parameter on facebook linkback endpoint.'); } - -$stateID = $_REQUEST['AuthState']; - -// sanitize the input -$sid = SimpleSAML_Utilities::parseStateID($stateID); -if (!is_null($sid['url'])) { - SimpleSAML_Utilities::checkURLAllowed($sid['url']); -} - -$state = SimpleSAML_Auth_State::loadState($stateID, sspmod_authfacebook_Auth_Source_Facebook::STAGE_INIT); +$state = SimpleSAML_Auth_State::loadState($_REQUEST['AuthState'], sspmod_authfacebook_Auth_Source_Facebook::STAGE_INIT); /* Find authentication source. */ if (!array_key_exists(sspmod_authfacebook_Auth_Source_Facebook::AUTHID, $state)) { diff --git a/modules/authlinkedin/www/linkback.php b/modules/authlinkedin/www/linkback.php index e65a8aab67e8b1e2eca3ebdd6d250a81fa2ee2a6..8a6c6f4fd8454bf76771f3063d236ddbb4ed1848 100644 --- a/modules/authlinkedin/www/linkback.php +++ b/modules/authlinkedin/www/linkback.php @@ -4,19 +4,10 @@ * Handle linkback() response from LinkedIn. */ -if (array_key_exists('stateid', $_REQUEST)) { - $stateId = $_REQUEST['stateid']; -} else { - throw new Exception('Lost OAuth Client State'); -} - -// sanitize the input -$sid = SimpleSAML_Utilities::parseStateID($stateId); -if (!is_null($sid['url'])) { - SimpleSAML_Utilities::checkURLAllowed($sid['url']); +if (!array_key_exists('stateid', $_REQUEST)) { + throw new Exception('Lost OAuth Client State'); } - -$state = SimpleSAML_Auth_State::loadState($stateId, sspmod_authlinkedin_Auth_Source_LinkedIn::STAGE_INIT); +$state = SimpleSAML_Auth_State::loadState($_REQUEST['stateid'], sspmod_authlinkedin_Auth_Source_LinkedIn::STAGE_INIT); // http://developer.linkedin.com/docs/DOC-1008#2_Redirect_the_User_to_our_Authorization_Server if (array_key_exists('oauth_verifier', $_REQUEST)) { diff --git a/modules/authmyspace/www/linkback.php b/modules/authmyspace/www/linkback.php index 4dbaf79ff0290577e37dd6be7d9f4eb44adea78e..da78d125b89f6e67e81161f2aa0cd9c023c255f9 100644 --- a/modules/authmyspace/www/linkback.php +++ b/modules/authmyspace/www/linkback.php @@ -4,19 +4,10 @@ * Handle linkback() response from MySpace. */ -if (array_key_exists('stateid', $_REQUEST)) { - $stateId = $_REQUEST['stateid']; -} else { +if (!array_key_exists('stateid', $_REQUEST)) { throw new Exception('State Lost - not returned by MySpace Auth'); } - -// sanitize the input -$sid = SimpleSAML_Utilities::parseStateID($stateId); -if (!is_null($sid['url'])) { - SimpleSAML_Utilities::checkURLAllowed($sid['url']); -} - -$state = SimpleSAML_Auth_State::loadState($stateId, sspmod_authmyspace_Auth_Source_MySpace::STAGE_INIT); +$state = SimpleSAML_Auth_State::loadState($_REQUEST['stateid'], sspmod_authmyspace_Auth_Source_MySpace::STAGE_INIT); if (array_key_exists('oauth_problem', $_REQUEST)) { // oauth_problem of 'user_refused' means user chose not to login with MySpace diff --git a/modules/authorize/www/authorize_403.php b/modules/authorize/www/authorize_403.php index 4342e0a6aa5c2e1a47f0bfd86650d475890ac38b..0f57ade2238de66933e1bd176529701908266351 100644 --- a/modules/authorize/www/authorize_403.php +++ b/modules/authorize/www/authorize_403.php @@ -8,16 +8,7 @@ if (!array_key_exists('StateId', $_REQUEST)) { throw new SimpleSAML_Error_BadRequest('Missing required StateId query parameter.'); } - -$id = $_REQUEST['StateId']; - -// sanitize the input -$sid = SimpleSAML_Utilities::parseStateID($id); -if (!is_null($sid['url'])) { - SimpleSAML_Utilities::checkURLAllowed($sid['url']); -} - -$state = SimpleSAML_Auth_State::loadState($id, 'authorize:Authorize'); +$state = SimpleSAML_Auth_State::loadState($_REQUEST['StateId'], 'authorize:Authorize'); $globalConfig = SimpleSAML_Configuration::getInstance(); $t = new SimpleSAML_XHTML_Template($globalConfig, 'authorize:authorize_403.php'); diff --git a/modules/authtwitter/www/linkback.php b/modules/authtwitter/www/linkback.php index 9a397eda66882fab36887d50116923d5c798e583..5afca477d969f52c564a6d3f3f087d7a0decb553 100644 --- a/modules/authtwitter/www/linkback.php +++ b/modules/authtwitter/www/linkback.php @@ -7,15 +7,7 @@ if (!array_key_exists('AuthState', $_REQUEST) || empty($_REQUEST['AuthState'])) { throw new SimpleSAML_Error_BadRequest('Missing state parameter on twitter linkback endpoint.'); } -$stateID = $_REQUEST['AuthState']; - -// sanitize the input -$sid = SimpleSAML_Utilities::parseStateID($stateID); -if (!is_null($sid['url'])) { - SimpleSAML_Utilities::checkURLAllowed($sid['url']); -} - -$state = SimpleSAML_Auth_State::loadState($stateID, sspmod_authtwitter_Auth_Source_Twitter::STAGE_INIT); +$state = SimpleSAML_Auth_State::loadState($_REQUEST['AuthState'], sspmod_authtwitter_Auth_Source_Twitter::STAGE_INIT); /* Find authentication source. */ if (!array_key_exists(sspmod_authtwitter_Auth_Source_Twitter::AUTHID, $state)) { diff --git a/modules/authwindowslive/www/linkback.php b/modules/authwindowslive/www/linkback.php index 29b8b0d6077ec36d90e6b59d9c8d1ac9452222b8..d2d1d077ac92de1abcf01795504d2f3a5d61ba5e 100644 --- a/modules/authwindowslive/www/linkback.php +++ b/modules/authwindowslive/www/linkback.php @@ -4,19 +4,10 @@ * Handle linkback() response from Windows Live ID. */ -if (array_key_exists('wrap_client_state', $_REQUEST)) { - $stateId = $_REQUEST['wrap_client_state']; - - // sanitize the input - $sid = SimpleSAML_Utilities::parseStateID($stateId); - if (!is_null($sid['url'])) { - SimpleSAML_Utilities::checkURLAllowed($sid['url']); - } - - $state = SimpleSAML_Auth_State::loadState($stateId, sspmod_authwindowslive_Auth_Source_LiveID::STAGE_INIT); -} else { +if (!array_key_exists('wrap_client_state', $_REQUEST)) { throw new Exception('Lost OAuth-WRAP Client State'); } +$state = SimpleSAML_Auth_State::loadState($_REQUEST['wrap_client_state'], sspmod_authwindowslive_Auth_Source_LiveID::STAGE_INIT); // http://msdn.microsoft.com/en-us/library/ff749771.aspx if (array_key_exists('wrap_verification_code', $_REQUEST)) { diff --git a/modules/cas/www/linkback.php b/modules/cas/www/linkback.php index 473c44b4813ccb7af431ac00dc76f672ab7c58e6..3f87b7b6f392b97acc82e5bf47759dfee5fcc57f 100644 --- a/modules/cas/www/linkback.php +++ b/modules/cas/www/linkback.php @@ -7,19 +7,11 @@ if (!isset($_GET['stateID'])) { throw new SimpleSAML_Error_BadRequest('Missing stateID parameter.'); } -$stateId = (string)$_GET['stateID']; +$state = SimpleSAML_Auth_State::loadState($_GET['stateID'], sspmod_cas_Auth_Source_CAS::STAGE_INIT); if (!isset($_GET['ticket'])) { throw new SimpleSAML_Error_BadRequest('Missing ticket parameter.'); } - -// sanitize the input -$sid = SimpleSAML_Utilities::parseStateID($stateId); -if (!is_null($sid['url'])) { - SimpleSAML_Utilities::checkURLAllowed($sid['url']); -} - -$state = SimpleSAML_Auth_State::loadState($stateId, sspmod_cas_Auth_Source_CAS::STAGE_INIT); $state['cas:ticket'] = (string)$_GET['ticket']; /* Find authentication source. */ diff --git a/modules/cdc/www/resume.php b/modules/cdc/www/resume.php index 8d7258dc9976403f0b15f9b25052867910ddf35d..a7f821998c953ff4a290315cf839a8d2a03dd815 100644 --- a/modules/cdc/www/resume.php +++ b/modules/cdc/www/resume.php @@ -16,13 +16,6 @@ if ($response === NULL) { if (!isset($response['id'])) { throw new SimpleSAML_Error_BadRequest('CDCResponse without id.'); } - -// sanitize the input -$sid = SimpleSAML_Utilities::parseStateID($response['id']); -if (!is_null($sid['url'])) { - SimpleSAML_Utilities::checkURLAllowed($sid['url']); -} - $state = SimpleSAML_Auth_State::loadState($response['id'], 'cdc:resume'); SimpleSAML_Auth_ProcessingChain::resumeProcessing($state); diff --git a/modules/consent/www/getconsent.php b/modules/consent/www/getconsent.php index ef660316850138221f7cad43f377d0909e282ed2..66c16c03fb8ed3aa280adfa21ddd4fd228281ae9 100644 --- a/modules/consent/www/getconsent.php +++ b/modules/consent/www/getconsent.php @@ -30,13 +30,6 @@ if (!array_key_exists('StateId', $_REQUEST)) { } $id = $_REQUEST['StateId']; - -// sanitize the input -$sid = SimpleSAML_Utilities::parseStateID($id); -if (!is_null($sid['url'])) { - SimpleSAML_Utilities::checkURLAllowed($sid['url']); -} - $state = SimpleSAML_Auth_State::loadState($id, 'consent:request'); if (array_key_exists('core:SP', $state)) { diff --git a/modules/consent/www/logout.php b/modules/consent/www/logout.php index 4bd09380b2e978e30818c0b7a978831a657fb4ad..58de97c36c6120e69a3bffef0825eea39d0b3081 100644 --- a/modules/consent/www/logout.php +++ b/modules/consent/www/logout.php @@ -8,15 +8,7 @@ if (!array_key_exists('StateId', $_GET)) { throw new SimpleSAML_Error_BadRequest('Missing required StateId query parameter.'); } -$id = (string)$_GET['StateId']; - -// sanitize the input -$sid = SimpleSAML_Utilities::parseStateID($id); -if (!is_null($sid['url'])) { - SimpleSAML_Utilities::checkURLAllowed($sid['url']); -} - -$state = SimpleSAML_Auth_State::loadState($id, 'consent:request'); +$state = SimpleSAML_Auth_State::loadState($_GET['StateId'], 'consent:request'); $state['Responder'] = array('sspmod_consent_Logout', 'postLogout'); diff --git a/modules/consent/www/noconsent.php b/modules/consent/www/noconsent.php index 4e847ce2055992845295cdd7274efb9ed2651c4c..c9715b66137962c4d4718590455490da51be7019 100644 --- a/modules/consent/www/noconsent.php +++ b/modules/consent/www/noconsent.php @@ -11,13 +11,6 @@ if (!array_key_exists('StateId', $_REQUEST)) { } $id = $_REQUEST['StateId']; - -// sanitize the input -$sid = SimpleSAML_Utilities::parseStateID($id); -if (!is_null($sid['url'])) { - SimpleSAML_Utilities::checkURLAllowed($sid['url']); -} - $state = SimpleSAML_Auth_State::loadState($id, 'consent:request'); $resumeFrom = SimpleSAML_Module::getModuleURL( diff --git a/modules/core/lib/Auth/UserPassBase.php b/modules/core/lib/Auth/UserPassBase.php index de79c1f19449768a9da47c8c7759a14e0de4b84e..a97fba73a3e92541326986e37755a116ab0c9b49 100644 --- a/modules/core/lib/Auth/UserPassBase.php +++ b/modules/core/lib/Auth/UserPassBase.php @@ -233,12 +233,6 @@ abstract class sspmod_core_Auth_UserPassBase extends SimpleSAML_Auth_Source { assert('is_string($username)'); assert('is_string($password)'); - // sanitize the input - $sid = SimpleSAML_Utilities::parseStateID($authStateId); - if (!is_null($sid['url'])) { - SimpleSAML_Utilities::checkURLAllowed($sid['url']); - } - /* Here we retrieve the state array we saved in the authenticate-function. */ $state = SimpleSAML_Auth_State::loadState($authStateId, self::STAGEID); diff --git a/modules/core/lib/Auth/UserPassOrgBase.php b/modules/core/lib/Auth/UserPassOrgBase.php index 1ffdb53baa19eabca6c70d339d2a49035b44a152..7bbddf24fc3973c860b39060a888167568863f61 100644 --- a/modules/core/lib/Auth/UserPassOrgBase.php +++ b/modules/core/lib/Auth/UserPassOrgBase.php @@ -208,12 +208,6 @@ abstract class sspmod_core_Auth_UserPassOrgBase extends SimpleSAML_Auth_Source { assert('is_string($password)'); assert('is_string($organization)'); - // sanitize the input - $sid = SimpleSAML_Utilities::parseStateID($authStateId); - if (!is_null($sid['url'])) { - SimpleSAML_Utilities::checkURLAllowed($sid['url']); - } - /* Retrieve the authentication state. */ $state = SimpleSAML_Auth_State::loadState($authStateId, self::STAGEID); @@ -262,12 +256,6 @@ abstract class sspmod_core_Auth_UserPassOrgBase extends SimpleSAML_Auth_Source { public static function listOrganizations($authStateId) { assert('is_string($authStateId)'); - // sanitize the input - $sid = SimpleSAML_Utilities::parseStateID($authStateId); - if (!is_null($sid['url'])) { - SimpleSAML_Utilities::checkURLAllowed($sid['url']); - } - /* Retrieve the authentication state. */ $state = SimpleSAML_Auth_State::loadState($authStateId, self::STAGEID); diff --git a/modules/core/www/idp/logout-iframe-done.php b/modules/core/www/idp/logout-iframe-done.php index fe69f40076e4e2e1d4a7bd694de316c56dc338c0..eeb4f2b0a85bff2308da13808d4dc7ee4557f823 100644 --- a/modules/core/www/idp/logout-iframe-done.php +++ b/modules/core/www/idp/logout-iframe-done.php @@ -3,15 +3,7 @@ if (!isset($_REQUEST['id'])) { throw new SimpleSAML_Error_BadRequest('Missing required parameter: id'); } -$id = (string)$_REQUEST['id']; - -// sanitize the input -$sid = SimpleSAML_Utilities::parseStateID($id); -if (!is_null($sid['url'])) { - SimpleSAML_Utilities::checkURLAllowed($sid['url']); -} - -$state = SimpleSAML_Auth_State::loadState($id, 'core:Logout-IFrame'); +$state = SimpleSAML_Auth_State::loadState($_REQUEST['id'], 'core:Logout-IFrame'); $idp = SimpleSAML_IdP::getByState($state); $associations = $idp->getAssociations(); diff --git a/modules/core/www/idp/logout-iframe.php b/modules/core/www/idp/logout-iframe.php index e2a136e4c0dbd86b3782881fa4fd8b0aaa1ae11b..670d3305229650422c44f9a52842e1e162d1098f 100644 --- a/modules/core/www/idp/logout-iframe.php +++ b/modules/core/www/idp/logout-iframe.php @@ -3,7 +3,6 @@ if (!isset($_REQUEST['id'])) { throw new SimpleSAML_Error_BadRequest('Missing required parameter: id'); } -$id = (string)$_REQUEST['id']; if (isset($_REQUEST['type'])) { $type = (string)$_REQUEST['type']; @@ -19,13 +18,7 @@ if ($type !== 'embed' && $type !== 'async') { SimpleSAML_Stats::log('core:idp:logout-iframe:page', array('type' => $type)); } -// sanitize the input -$sid = SimpleSAML_Utilities::parseStateID($id); -if (!is_null($sid['url'])) { - SimpleSAML_Utilities::checkURLAllowed($sid['url']); -} - -$state = SimpleSAML_Auth_State::loadState($id, 'core:Logout-IFrame'); +$state = SimpleSAML_Auth_State::loadState($_REQUEST['id'], 'core:Logout-IFrame'); $idp = SimpleSAML_IdP::getByState($state); if ($type !== 'init') { diff --git a/modules/core/www/idp/resumelogout.php b/modules/core/www/idp/resumelogout.php index 0077909f57c9af25a94ad6fe81ce2611b036a377..7a524f61bd5667cd5e99f16dba6331ce24523a74 100644 --- a/modules/core/www/idp/resumelogout.php +++ b/modules/core/www/idp/resumelogout.php @@ -3,15 +3,7 @@ if (!isset($_REQUEST['id'])) { throw new SimpleSAML_Error_BadRequest('Missing id-parameter.'); } -$id = (string)$_REQUEST['id']; - -// sanitize the input -$sid = SimpleSAML_Utilities::parseStateID($id); -if (!is_null($sid['url'])) { - SimpleSAML_Utilities::checkURLAllowed($sid['url']); -} - -$state = SimpleSAML_Auth_State::loadState($id, 'core:Logout:afterbridge'); +$state = SimpleSAML_Auth_State::loadState($_REQUEST['id'], 'core:Logout:afterbridge'); $idp = SimpleSAML_IdP::getByState($state); $assocId = $state['core:TerminatedAssocId']; diff --git a/modules/core/www/loginuserpass.php b/modules/core/www/loginuserpass.php index 35994ed6d23e9bc147c895673f7ba93ed48cb8b0..4ce0f93e66dca80463268a4d82b83c8bbb584778 100644 --- a/modules/core/www/loginuserpass.php +++ b/modules/core/www/loginuserpass.php @@ -9,21 +9,13 @@ * @package simpleSAMLphp */ +/* Retrieve the authentication state. */ if (!array_key_exists('AuthState', $_REQUEST)) { throw new SimpleSAML_Error_BadRequest('Missing AuthState parameter.'); } $authStateId = $_REQUEST['AuthState']; - -// sanitize the input -$sid = SimpleSAML_Utilities::parseStateID($authStateId); -if (!is_null($sid['url'])) { - SimpleSAML_Utilities::checkURLAllowed($sid['url']); -} - -/* Retrieve the authentication state. */ $state = SimpleSAML_Auth_State::loadState($authStateId, sspmod_core_Auth_UserPassBase::STAGEID); - $source = SimpleSAML_Auth_Source::getById($state[sspmod_core_Auth_UserPassBase::AUTHID]); if ($source === NULL) { throw new Exception('Could not find authentication source with id ' . $state[sspmod_core_Auth_UserPassBase::AUTHID]); diff --git a/modules/core/www/loginuserpassorg.php b/modules/core/www/loginuserpassorg.php index fa6a47280deb740d3543c6e2fa0c69aacd3f6a6b..ad4ba44b04b2bf7c2ace3de4cf47e10c57e05d95 100644 --- a/modules/core/www/loginuserpassorg.php +++ b/modules/core/www/loginuserpassorg.php @@ -9,18 +9,11 @@ * @package simpleSAMLphp */ +/* Retrieve the authentication state. */ if (!array_key_exists('AuthState', $_REQUEST)) { throw new SimpleSAML_Error_BadRequest('Missing AuthState parameter.'); } $authStateId = $_REQUEST['AuthState']; - -// sanitize the input -$sid = SimpleSAML_Utilities::parseStateID($authStateId); -if (!is_null($sid['url'])) { - SimpleSAML_Utilities::checkURLAllowed($sid['url']); -} - -/* Retrieve the authentication state. */ $state = SimpleSAML_Auth_State::loadState($authStateId, sspmod_core_Auth_UserPassOrgBase::STAGEID); $source = SimpleSAML_Auth_Source::getById($state[sspmod_core_Auth_UserPassOrgBase::AUTHID]); diff --git a/modules/core/www/short_sso_interval.php b/modules/core/www/short_sso_interval.php index 6536631ab7a9c1ce1dc776e1925c2f032f0c72ff..5e225bfbfb1c276f07ed6fca0290e909852c69c0 100644 --- a/modules/core/www/short_sso_interval.php +++ b/modules/core/www/short_sso_interval.php @@ -9,15 +9,7 @@ if (!array_key_exists('StateId', $_REQUEST)) { throw new SimpleSAML_Error_BadRequest('Missing required StateId query parameter.'); } - $id = $_REQUEST['StateId']; - -// sanitize the input -$sid = SimpleSAML_Utilities::parseStateID($id); -if (!is_null($sid['url'])) { - SimpleSAML_Utilities::checkURLAllowed($sid['url']); -} - $state = SimpleSAML_Auth_State::loadState($id, 'core:short_sso_interval'); $session = SimpleSAML_Session::getSessionFromRequest(); diff --git a/modules/exampleauth/lib/Auth/Source/External.php b/modules/exampleauth/lib/Auth/Source/External.php index c141a4a2a2b38a67d62b3315b0e82ab39428e939..37038527b5a3fb0888ad0ec0d2c460409ad86ca2 100644 --- a/modules/exampleauth/lib/Auth/Source/External.php +++ b/modules/exampleauth/lib/Auth/Source/External.php @@ -183,19 +183,12 @@ class sspmod_exampleauth_Auth_Source_External extends SimpleSAML_Auth_Source { if (!isset($_REQUEST['State'])) { throw new SimpleSAML_Error_BadRequest('Missing "State" parameter.'); } - $stateId = (string)$_REQUEST['State']; - - // sanitize the input - $sid = SimpleSAML_Utilities::parseStateID($stateId); - if (!is_null($sid['url'])) { - SimpleSAML_Utilities::checkURLAllowed($sid['url']); - } /* * Once again, note the second parameter to the loadState function. This must * match the string we used in the saveState-call above. */ - $state = SimpleSAML_Auth_State::loadState($stateId, 'exampleauth:External'); + $state = SimpleSAML_Auth_State::loadState($_REQUEST['State'], 'exampleauth:External'); /* * Now we have the $state-array, and can use it to locate the authentication diff --git a/modules/exampleauth/www/authpage.php b/modules/exampleauth/www/authpage.php index 819cc2c2895f24376ce32e37582a9eb101f5c302..7b3dca26748ff1754560bef07f4fa7ad39440d0e 100644 --- a/modules/exampleauth/www/authpage.php +++ b/modules/exampleauth/www/authpage.php @@ -29,15 +29,7 @@ $returnTo = SimpleSAML_Utilities::checkURLAllowed($_REQUEST['ReturnTo']); if (!preg_match('@State=(.*)@', $returnTo, $matches)) { die('Invalid ReturnTo URL for this example.'); } -$stateId = urldecode($matches[1]); - -// sanitize the input -$sid = SimpleSAML_Utilities::parseStateID($stateId); -if (!is_null($sid['url'])) { - SimpleSAML_Utilities::checkURLAllowed($sid['url']); -} - -SimpleSAML_Auth_State::loadState($stateId, 'exampleauth:External'); +SimpleSAML_Auth_State::loadState(urldecode($matches[1]), 'exampleauth:External'); /* * The loadState-function will not return if the second parameter does not diff --git a/modules/exampleauth/www/redirecttest.php b/modules/exampleauth/www/redirecttest.php index 03ed359e3d5495fd6cffc95b378ca663fe3d29a2..147051cd1de971505380c973350d6af08bd78817 100644 --- a/modules/exampleauth/www/redirecttest.php +++ b/modules/exampleauth/www/redirecttest.php @@ -10,16 +10,7 @@ if (!array_key_exists('StateId', $_REQUEST)) { throw new SimpleSAML_Error_BadRequest('Missing required StateId query parameter.'); } - -$id = $_REQUEST['StateId']; - -// sanitize the input -$sid = SimpleSAML_Utilities::parseStateID($id); -if (!is_null($sid['url'])) { - SimpleSAML_Utilities::checkURLAllowed($sid['url']); -} - -$state = SimpleSAML_Auth_State::loadState($id, 'exampleauth:redirectfilter-test'); +$state = SimpleSAML_Auth_State::loadState($_REQUEST['StateId'], 'exampleauth:redirectfilter-test'); $state['Attributes']['RedirectTest2'] = array('OK'); diff --git a/modules/expirycheck/www/about2expire.php b/modules/expirycheck/www/about2expire.php index 551a18c56ac58d6e27bd2c567ea584dde5fbb4e0..9531fcbda333742f501e83650aaf4e87655f2c4b 100644 --- a/modules/expirycheck/www/about2expire.php +++ b/modules/expirycheck/www/about2expire.php @@ -11,18 +11,9 @@ SimpleSAML_Logger::info('expirycheck - User has been warned that NetID is near t if (!array_key_exists('StateId', $_REQUEST)) { throw new SimpleSAML_Error_BadRequest('Missing required StateId query parameter.'); } - $id = $_REQUEST['StateId']; - -// sanitize the input -$sid = SimpleSAML_Utilities::parseStateID($id); -if (!is_null($sid['url'])) { - SimpleSAML_Utilities::checkURLAllowed($sid['url']); -} - $state = SimpleSAML_Auth_State::loadState($id, 'expirywarning:about2expire'); - if (array_key_exists('yes', $_REQUEST)) { /* The user has pressed the yes-button. */ SimpleSAML_Auth_ProcessingChain::resumeProcessing($state); diff --git a/modules/expirycheck/www/expired.php b/modules/expirycheck/www/expired.php index 69fb16dc8df585d1491a8b5612082919ec666769..5be027e09517d7d12ecce5661c9288f01fc78e99 100644 --- a/modules/expirycheck/www/expired.php +++ b/modules/expirycheck/www/expired.php @@ -11,16 +11,7 @@ SimpleSAML_Logger::info('expirycheck - User has been warned that NetID is near t if (!array_key_exists('StateId', $_REQUEST)) { throw new SimpleSAML_Error_BadRequest('Missing required StateId query parameter.'); } - -$id = $_REQUEST['StateId']; - -// sanitize the input -$sid = SimpleSAML_Utilities::parseStateID($id); -if (!is_null($sid['url'])) { - SimpleSAML_Utilities::checkURLAllowed($sid['url']); -} - -$state = SimpleSAML_Auth_State::loadState($id, 'expirywarning:expired'); +$state = SimpleSAML_Auth_State::loadState($_REQUEST['StateId'], 'expirywarning:expired'); $globalConfig = SimpleSAML_Configuration::getInstance(); diff --git a/modules/multiauth/www/selectsource.php b/modules/multiauth/www/selectsource.php index ecd76211545e3637c2855801de94441571281ea1..8881d86ec0d777c31ee4f144cf2154aad35dce1a 100644 --- a/modules/multiauth/www/selectsource.php +++ b/modules/multiauth/www/selectsource.php @@ -10,18 +10,11 @@ * @package simpleSAMLphp */ +/* Retrieve the authentication state. */ if (!array_key_exists('AuthState', $_REQUEST)) { throw new SimpleSAML_Error_BadRequest('Missing AuthState parameter.'); } $authStateId = $_REQUEST['AuthState']; - -// sanitize the input -$sid = SimpleSAML_Utilities::parseStateID($authStateId); -if (!is_null($sid['url'])) { - SimpleSAML_Utilities::checkURLAllowed($sid['url']); -} - -/* Retrieve the authentication state. */ $state = SimpleSAML_Auth_State::loadState($authStateId, sspmod_multiauth_Auth_Source_MultiAuth::STAGEID); if (array_key_exists("SimpleSAML_Auth_Default.id", $state)) { diff --git a/modules/negotiate/www/backend.php b/modules/negotiate/www/backend.php index 0292d247a3ce5458231c38f4413211c79aae15b1..7348fd98fb7c2cf3e4595652f57c0b2c558ffdc2 100644 --- a/modules/negotiate/www/backend.php +++ b/modules/negotiate/www/backend.php @@ -8,15 +8,7 @@ * @package simpleSAMLphp */ -$authStateId = $_REQUEST['AuthState']; - -// sanitize the input -$sid = SimpleSAML_Utilities::parseStateID($authStateId); -if (!is_null($sid['url'])) { - SimpleSAML_Utilities::checkURLAllowed($sid['url']); -} - -$state = SimpleSAML_Auth_State::loadState($authStateId, sspmod_negotiate_Auth_Source_Negotiate::STAGEID); +$state = SimpleSAML_Auth_State::loadState($_REQUEST['AuthState'], sspmod_negotiate_Auth_Source_Negotiate::STAGEID); SimpleSAML_Logger::debug('backend - fallback: '.$state['LogoutState']['negotiate:backend']); sspmod_negotiate_Auth_Source_Negotiate::fallBack($state); diff --git a/modules/negotiate/www/retry.php b/modules/negotiate/www/retry.php index a659c61fc6c7e732492aab75c2283417d47705e1..23d51c2dff86b242792caf50f03ce079a8985baf 100644 --- a/modules/negotiate/www/retry.php +++ b/modules/negotiate/www/retry.php @@ -8,15 +8,7 @@ * @package simpleSAMLphp */ -$authStateId = $_REQUEST['AuthState']; - -// sanitize the input -$sid = SimpleSAML_Utilities::parseStateID($authStateId); -if (!is_null($sid['url'])) { - SimpleSAML_Utilities::checkURLAllowed($sid['url']); -} - -$state = SimpleSAML_Auth_State::loadState($authStateId, sspmod_negotiate_Auth_Source_Negotiate::STAGEID); +$state = SimpleSAML_Auth_State::loadState($_REQUEST['AuthState'], sspmod_negotiate_Auth_Source_Negotiate::STAGEID); $metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler(); $idpid = $metadata->getMetaDataCurrentEntityID('saml20-idp-hosted', 'metaindex'); diff --git a/modules/preprodwarning/www/showwarning.php b/modules/preprodwarning/www/showwarning.php index 43a07cff0d4b6afca49d545c3d4be6f3e8ebf379..7be7493c3a29b09d8308750ff7285a0f4c09b10e 100644 --- a/modules/preprodwarning/www/showwarning.php +++ b/modules/preprodwarning/www/showwarning.php @@ -12,15 +12,7 @@ SimpleSAML_Logger::info('PreProdWarning - Showing warning to user'); if (!array_key_exists('StateId', $_REQUEST)) { throw new SimpleSAML_Error_BadRequest('Missing required StateId query parameter.'); } - $id = $_REQUEST['StateId']; - -// sanitize the input -$sid = SimpleSAML_Utilities::parseStateID($id); -if (!is_null($sid['url'])) { - SimpleSAML_Utilities::checkURLAllowed($sid['url']); -} - $state = SimpleSAML_Auth_State::loadState($id, 'warning:request'); diff --git a/modules/saml/www/sp/discoresp.php b/modules/saml/www/sp/discoresp.php index 5d6d55bb7b0b12be7d0999ff638f24f8ada4a65d..a10c5ecd106ec59ccf3fe273b7b13548f96fd8da 100644 --- a/modules/saml/www/sp/discoresp.php +++ b/modules/saml/www/sp/discoresp.php @@ -11,16 +11,7 @@ if (!array_key_exists('AuthID', $_REQUEST)) { if (!array_key_exists('idpentityid', $_REQUEST)) { throw new SimpleSAML_Error_BadRequest('Missing idpentityid to discovery service response handler'); } - -$stateID = $_REQUEST['AuthID']; - -// sanitize the input -$sid = SimpleSAML_Utilities::parseStateID($stateID); -if (!is_null($sid['url'])) { - SimpleSAML_Utilities::checkURLAllowed($sid['url']); -} - -$state = SimpleSAML_Auth_State::loadState($stateID, 'saml:sp:sso'); +$state = SimpleSAML_Auth_State::loadState($_REQUEST['AuthID'], 'saml:sp:sso'); /* Find authentication source. */ assert('array_key_exists("saml:sp:AuthId", $state)'); diff --git a/modules/saml/www/sp/saml1-acs.php b/modules/saml/www/sp/saml1-acs.php index de98e34915031a54a1821e1b9911ae2ac5a9a42c..a8d1dc7246250bbfd86b7781c267f172ddf0a27a 100644 --- a/modules/saml/www/sp/saml1-acs.php +++ b/modules/saml/www/sp/saml1-acs.php @@ -33,15 +33,7 @@ if (preg_match('@^https?://@i', $target)) { 'saml:sp:RelayState' => SimpleSAML_Utilities::checkURLAllowed($target), ); } else { - $stateID = $_REQUEST['TARGET']; - - // sanitize the input - $sid = SimpleSAML_Utilities::parseStateID($stateID); - if (!is_null($sid['url'])) { - SimpleSAML_Utilities::checkURLAllowed($sid['url']); - } - - $state = SimpleSAML_Auth_State::loadState($stateID, 'saml:sp:sso'); + $state = SimpleSAML_Auth_State::loadState($_REQUEST['TARGET'], 'saml:sp:sso'); /* Check that the authentication source is correct. */ assert('array_key_exists("saml:sp:AuthId", $state)'); diff --git a/modules/saml/www/sp/saml2-acs.php b/modules/saml/www/sp/saml2-acs.php index b9fb760b18cc7e648186d2336af2f69230412e4a..d22286278f1a57de3cfde0ea02c395937bf46c3a 100644 --- a/modules/saml/www/sp/saml2-acs.php +++ b/modules/saml/www/sp/saml2-acs.php @@ -56,13 +56,6 @@ $idpMetadata = array(); $stateId = $response->getInResponseTo(); if (!empty($stateId)) { - - // sanitize the input - $sid = SimpleSAML_Utilities::parseStateID($stateId); - if (!is_null($sid['url'])) { - SimpleSAML_Utilities::checkURLAllowed($sid['url']); - } - /* This is a response to a request we sent earlier. */ $state = SimpleSAML_Auth_State::loadState($stateId, 'saml:sp:sso'); diff --git a/modules/saml/www/sp/saml2-logout.php b/modules/saml/www/sp/saml2-logout.php index b39f3bff0c96c8bbfb7ce0cc01dc5033dc607ef3..d3898e779b4d558239ab8f31d5787b15380b1158 100644 --- a/modules/saml/www/sp/saml2-logout.php +++ b/modules/saml/www/sp/saml2-logout.php @@ -54,12 +54,6 @@ if ($message instanceof SAML2_LogoutResponse) { SimpleSAML_Logger::warning('Unsuccessful logout. Status was: ' . sspmod_saml_Message::getResponseError($message)); } - // sanitize the input - $sid = SimpleSAML_Utilities::parseStateID($relayState); - if (!is_null($sid['url'])) { - SimpleSAML_Utilities::checkURLAllowed($sid['url']); - } - $state = SimpleSAML_Auth_State::loadState($relayState, 'saml:slosent'); $state['saml:sp:LogoutStatus'] = $message->getStatus(); SimpleSAML_Auth_Source::completeLogout($state);