From 2970e12a48cb5fbddc36835a5b41c69671c992a5 Mon Sep 17 00:00:00 2001
From: Jaime Perez Crespo <jaime.perez@uninett.no>
Date: Fri, 27 Feb 2015 12:47:20 +0100
Subject: [PATCH] Solve a security issue with some modules (not validating URLs
we are redirecting to) by moving the check to the
SimpleSAML_Auth_State::loadState() method.
---
lib/SimpleSAML/Auth/ProcessingChain.php | 8 +++-----
lib/SimpleSAML/Auth/State.php | 4 ++--
lib/SimpleSAML/IdP/LogoutTraditional.php | 6 ------
modules/aselect/www/credentials.php | 10 +---------
modules/authYubiKey/lib/Auth/Source/YubiKey.php | 6 ------
modules/authfacebook/www/linkback.php | 11 +----------
modules/authlinkedin/www/linkback.php | 15 +++------------
modules/authmyspace/www/linkback.php | 13 ++-----------
modules/authorize/www/authorize_403.php | 11 +----------
modules/authtwitter/www/linkback.php | 10 +---------
modules/authwindowslive/www/linkback.php | 13 ++-----------
modules/cas/www/linkback.php | 10 +---------
modules/cdc/www/resume.php | 7 -------
modules/consent/www/getconsent.php | 7 -------
modules/consent/www/logout.php | 10 +---------
modules/consent/www/noconsent.php | 7 -------
modules/core/lib/Auth/UserPassBase.php | 6 ------
modules/core/lib/Auth/UserPassOrgBase.php | 12 ------------
modules/core/www/idp/logout-iframe-done.php | 10 +---------
modules/core/www/idp/logout-iframe.php | 9 +--------
modules/core/www/idp/resumelogout.php | 10 +---------
modules/core/www/loginuserpass.php | 10 +---------
modules/core/www/loginuserpassorg.php | 9 +--------
modules/core/www/short_sso_interval.php | 8 --------
modules/exampleauth/lib/Auth/Source/External.php | 9 +--------
modules/exampleauth/www/authpage.php | 10 +---------
modules/exampleauth/www/redirecttest.php | 11 +----------
modules/expirycheck/www/about2expire.php | 9 ---------
modules/expirycheck/www/expired.php | 11 +----------
modules/multiauth/www/selectsource.php | 9 +--------
modules/negotiate/www/backend.php | 10 +---------
modules/negotiate/www/retry.php | 10 +---------
modules/preprodwarning/www/showwarning.php | 8 --------
modules/saml/www/sp/discoresp.php | 11 +----------
modules/saml/www/sp/saml1-acs.php | 10 +---------
modules/saml/www/sp/saml2-acs.php | 7 -------
modules/saml/www/sp/saml2-logout.php | 6 ------
37 files changed, 32 insertions(+), 311 deletions(-)
diff --git a/lib/SimpleSAML/Auth/ProcessingChain.php b/lib/SimpleSAML/Auth/ProcessingChain.php
index cfb452e6f..da75fcc3f 100644
--- a/lib/SimpleSAML/Auth/ProcessingChain.php
+++ b/lib/SimpleSAML/Auth/ProcessingChain.php
@@ -301,11 +301,9 @@ class SimpleSAML_Auth_ProcessingChain {
/**
* Retrieve a state which has finished processing.
*
- * @param string $id The state identifier. This can be found in the
- * SimpleSAML_Auth_ProcessingChain::AUTHPARAM request parameter. Please
- * make sure to sanitize it properly by calling the
- * SimpleSAML_Utilities::checkURLAllowed() function with the embedded
- * restart URL, if any. See also SimpleSAML_Utilities::parseStateID().
+ * @param string $id The state identifier.
+ * @see SimpleSAML_Utilities::parseStateID()
+ * @return Array The state referenced by the $id parameter.
*/
public static function fetchProcessedState($id) {
assert('is_string($id)');
diff --git a/lib/SimpleSAML/Auth/State.php b/lib/SimpleSAML/Auth/State.php
index 1fe4ebf60..4684f5d8f 100644
--- a/lib/SimpleSAML/Auth/State.php
+++ b/lib/SimpleSAML/Auth/State.php
@@ -225,7 +225,7 @@ class SimpleSAML_Auth_State {
throw new SimpleSAML_Error_NoState();
}
- SimpleSAML_Utilities::redirectTrustedURL($sid['url']);
+ SimpleSAML_Utilities::redirectUntrustedURL($sid['url']);
}
$state = unserialize($state);
@@ -249,7 +249,7 @@ class SimpleSAML_Auth_State {
throw new Exception($msg);
}
- SimpleSAML_Utilities::redirectTrustedURL($sid['url']);
+ SimpleSAML_Utilities::redirectUntrustedURL($sid['url']);
}
return $state;
diff --git a/lib/SimpleSAML/IdP/LogoutTraditional.php b/lib/SimpleSAML/IdP/LogoutTraditional.php
index 1a43252a1..4cd16dd86 100644
--- a/lib/SimpleSAML/IdP/LogoutTraditional.php
+++ b/lib/SimpleSAML/IdP/LogoutTraditional.php
@@ -75,12 +75,6 @@ class SimpleSAML_IdP_LogoutTraditional extends SimpleSAML_IdP_LogoutHandler {
throw new SimpleSAML_Error_Exception('RelayState lost during logout.');
}
- // sanitize the input
- $sid = SimpleSAML_Utilities::parseStateID($relayState);
- if (!is_null($sid['url'])) {
- SimpleSAML_Utilities::checkURLAllowed($sid['url']);
- }
-
$state = SimpleSAML_Auth_State::loadState($relayState, 'core:LogoutTraditional');
if ($error === NULL) {
diff --git a/modules/aselect/www/credentials.php b/modules/aselect/www/credentials.php
index 09b4b0657..a1bb00434 100644
--- a/modules/aselect/www/credentials.php
+++ b/modules/aselect/www/credentials.php
@@ -9,15 +9,7 @@
if (!array_key_exists('ssp_state', $_REQUEST)) {
throw new SimpleSAML_Error_Exception("Missing ssp_state parameter");
}
-$id = $_REQUEST['ssp_state'];
-
-// sanitize the input
-$sid = SimpleSAML_Utilities::parseStateID($id);
-if (!is_null($sid['url'])) {
- SimpleSAML_Utilities::checkURLAllowed($sid['url']);
-}
-
-$state = SimpleSAML_Auth_State::loadState($id, 'aselect:login');
+$state = SimpleSAML_Auth_State::loadState($_REQUEST['ssp_state'], 'aselect:login');
if (!array_key_exists('a-select-server', $_REQUEST)) {
SimpleSAML_Auth_State::throwException($state, new SimpleSAML_Error_Exception("Missing a-select-server parameter"));
diff --git a/modules/authYubiKey/lib/Auth/Source/YubiKey.php b/modules/authYubiKey/lib/Auth/Source/YubiKey.php
index a6227c060..48c3047ac 100644
--- a/modules/authYubiKey/lib/Auth/Source/YubiKey.php
+++ b/modules/authYubiKey/lib/Auth/Source/YubiKey.php
@@ -123,12 +123,6 @@ class sspmod_authYubiKey_Auth_Source_YubiKey extends SimpleSAML_Auth_Source {
assert('is_string($authStateId)');
assert('is_string($otp)');
- // sanitize the input
- $sid = SimpleSAML_Utilities::parseStateID($authStateId);
- if (!is_null($sid['url'])) {
- SimpleSAML_Utilities::checkURLAllowed($sid['url']);
- }
-
/* Retrieve the authentication state. */
$state = SimpleSAML_Auth_State::loadState($authStateId, self::STAGEID);
diff --git a/modules/authfacebook/www/linkback.php b/modules/authfacebook/www/linkback.php
index 0ab3656c2..aed4404c7 100644
--- a/modules/authfacebook/www/linkback.php
+++ b/modules/authfacebook/www/linkback.php
@@ -7,16 +7,7 @@
if (!array_key_exists('AuthState', $_REQUEST) || empty($_REQUEST['AuthState'])) {
throw new SimpleSAML_Error_BadRequest('Missing state parameter on facebook linkback endpoint.');
}
-
-$stateID = $_REQUEST['AuthState'];
-
-// sanitize the input
-$sid = SimpleSAML_Utilities::parseStateID($stateID);
-if (!is_null($sid['url'])) {
- SimpleSAML_Utilities::checkURLAllowed($sid['url']);
-}
-
-$state = SimpleSAML_Auth_State::loadState($stateID, sspmod_authfacebook_Auth_Source_Facebook::STAGE_INIT);
+$state = SimpleSAML_Auth_State::loadState($_REQUEST['AuthState'], sspmod_authfacebook_Auth_Source_Facebook::STAGE_INIT);
/* Find authentication source. */
if (!array_key_exists(sspmod_authfacebook_Auth_Source_Facebook::AUTHID, $state)) {
diff --git a/modules/authlinkedin/www/linkback.php b/modules/authlinkedin/www/linkback.php
index e65a8aab6..8a6c6f4fd 100644
--- a/modules/authlinkedin/www/linkback.php
+++ b/modules/authlinkedin/www/linkback.php
@@ -4,19 +4,10 @@
* Handle linkback() response from LinkedIn.
*/
-if (array_key_exists('stateid', $_REQUEST)) {
- $stateId = $_REQUEST['stateid'];
-} else {
- throw new Exception('Lost OAuth Client State');
-}
-
-// sanitize the input
-$sid = SimpleSAML_Utilities::parseStateID($stateId);
-if (!is_null($sid['url'])) {
- SimpleSAML_Utilities::checkURLAllowed($sid['url']);
+if (!array_key_exists('stateid', $_REQUEST)) {
+ throw new Exception('Lost OAuth Client State');
}
-
-$state = SimpleSAML_Auth_State::loadState($stateId, sspmod_authlinkedin_Auth_Source_LinkedIn::STAGE_INIT);
+$state = SimpleSAML_Auth_State::loadState($_REQUEST['stateid'], sspmod_authlinkedin_Auth_Source_LinkedIn::STAGE_INIT);
// http://developer.linkedin.com/docs/DOC-1008#2_Redirect_the_User_to_our_Authorization_Server
if (array_key_exists('oauth_verifier', $_REQUEST)) {
diff --git a/modules/authmyspace/www/linkback.php b/modules/authmyspace/www/linkback.php
index 4dbaf79ff..da78d125b 100644
--- a/modules/authmyspace/www/linkback.php
+++ b/modules/authmyspace/www/linkback.php
@@ -4,19 +4,10 @@
* Handle linkback() response from MySpace.
*/
-if (array_key_exists('stateid', $_REQUEST)) {
- $stateId = $_REQUEST['stateid'];
-} else {
+if (!array_key_exists('stateid', $_REQUEST)) {
throw new Exception('State Lost - not returned by MySpace Auth');
}
-
-// sanitize the input
-$sid = SimpleSAML_Utilities::parseStateID($stateId);
-if (!is_null($sid['url'])) {
- SimpleSAML_Utilities::checkURLAllowed($sid['url']);
-}
-
-$state = SimpleSAML_Auth_State::loadState($stateId, sspmod_authmyspace_Auth_Source_MySpace::STAGE_INIT);
+$state = SimpleSAML_Auth_State::loadState($_REQUEST['stateid'], sspmod_authmyspace_Auth_Source_MySpace::STAGE_INIT);
if (array_key_exists('oauth_problem', $_REQUEST)) {
// oauth_problem of 'user_refused' means user chose not to login with MySpace
diff --git a/modules/authorize/www/authorize_403.php b/modules/authorize/www/authorize_403.php
index 4342e0a6a..0f57ade22 100644
--- a/modules/authorize/www/authorize_403.php
+++ b/modules/authorize/www/authorize_403.php
@@ -8,16 +8,7 @@
if (!array_key_exists('StateId', $_REQUEST)) {
throw new SimpleSAML_Error_BadRequest('Missing required StateId query parameter.');
}
-
-$id = $_REQUEST['StateId'];
-
-// sanitize the input
-$sid = SimpleSAML_Utilities::parseStateID($id);
-if (!is_null($sid['url'])) {
- SimpleSAML_Utilities::checkURLAllowed($sid['url']);
-}
-
-$state = SimpleSAML_Auth_State::loadState($id, 'authorize:Authorize');
+$state = SimpleSAML_Auth_State::loadState($_REQUEST['StateId'], 'authorize:Authorize');
$globalConfig = SimpleSAML_Configuration::getInstance();
$t = new SimpleSAML_XHTML_Template($globalConfig, 'authorize:authorize_403.php');
diff --git a/modules/authtwitter/www/linkback.php b/modules/authtwitter/www/linkback.php
index 9a397eda6..5afca477d 100644
--- a/modules/authtwitter/www/linkback.php
+++ b/modules/authtwitter/www/linkback.php
@@ -7,15 +7,7 @@
if (!array_key_exists('AuthState', $_REQUEST) || empty($_REQUEST['AuthState'])) {
throw new SimpleSAML_Error_BadRequest('Missing state parameter on twitter linkback endpoint.');
}
-$stateID = $_REQUEST['AuthState'];
-
-// sanitize the input
-$sid = SimpleSAML_Utilities::parseStateID($stateID);
-if (!is_null($sid['url'])) {
- SimpleSAML_Utilities::checkURLAllowed($sid['url']);
-}
-
-$state = SimpleSAML_Auth_State::loadState($stateID, sspmod_authtwitter_Auth_Source_Twitter::STAGE_INIT);
+$state = SimpleSAML_Auth_State::loadState($_REQUEST['AuthState'], sspmod_authtwitter_Auth_Source_Twitter::STAGE_INIT);
/* Find authentication source. */
if (!array_key_exists(sspmod_authtwitter_Auth_Source_Twitter::AUTHID, $state)) {
diff --git a/modules/authwindowslive/www/linkback.php b/modules/authwindowslive/www/linkback.php
index 29b8b0d60..d2d1d077a 100644
--- a/modules/authwindowslive/www/linkback.php
+++ b/modules/authwindowslive/www/linkback.php
@@ -4,19 +4,10 @@
* Handle linkback() response from Windows Live ID.
*/
-if (array_key_exists('wrap_client_state', $_REQUEST)) {
- $stateId = $_REQUEST['wrap_client_state'];
-
- // sanitize the input
- $sid = SimpleSAML_Utilities::parseStateID($stateId);
- if (!is_null($sid['url'])) {
- SimpleSAML_Utilities::checkURLAllowed($sid['url']);
- }
-
- $state = SimpleSAML_Auth_State::loadState($stateId, sspmod_authwindowslive_Auth_Source_LiveID::STAGE_INIT);
-} else {
+if (!array_key_exists('wrap_client_state', $_REQUEST)) {
throw new Exception('Lost OAuth-WRAP Client State');
}
+$state = SimpleSAML_Auth_State::loadState($_REQUEST['wrap_client_state'], sspmod_authwindowslive_Auth_Source_LiveID::STAGE_INIT);
// http://msdn.microsoft.com/en-us/library/ff749771.aspx
if (array_key_exists('wrap_verification_code', $_REQUEST)) {
diff --git a/modules/cas/www/linkback.php b/modules/cas/www/linkback.php
index 473c44b48..3f87b7b6f 100644
--- a/modules/cas/www/linkback.php
+++ b/modules/cas/www/linkback.php
@@ -7,19 +7,11 @@
if (!isset($_GET['stateID'])) {
throw new SimpleSAML_Error_BadRequest('Missing stateID parameter.');
}
-$stateId = (string)$_GET['stateID'];
+$state = SimpleSAML_Auth_State::loadState($_GET['stateID'], sspmod_cas_Auth_Source_CAS::STAGE_INIT);
if (!isset($_GET['ticket'])) {
throw new SimpleSAML_Error_BadRequest('Missing ticket parameter.');
}
-
-// sanitize the input
-$sid = SimpleSAML_Utilities::parseStateID($stateId);
-if (!is_null($sid['url'])) {
- SimpleSAML_Utilities::checkURLAllowed($sid['url']);
-}
-
-$state = SimpleSAML_Auth_State::loadState($stateId, sspmod_cas_Auth_Source_CAS::STAGE_INIT);
$state['cas:ticket'] = (string)$_GET['ticket'];
/* Find authentication source. */
diff --git a/modules/cdc/www/resume.php b/modules/cdc/www/resume.php
index 8d7258dc9..a7f821998 100644
--- a/modules/cdc/www/resume.php
+++ b/modules/cdc/www/resume.php
@@ -16,13 +16,6 @@ if ($response === NULL) {
if (!isset($response['id'])) {
throw new SimpleSAML_Error_BadRequest('CDCResponse without id.');
}
-
-// sanitize the input
-$sid = SimpleSAML_Utilities::parseStateID($response['id']);
-if (!is_null($sid['url'])) {
- SimpleSAML_Utilities::checkURLAllowed($sid['url']);
-}
-
$state = SimpleSAML_Auth_State::loadState($response['id'], 'cdc:resume');
SimpleSAML_Auth_ProcessingChain::resumeProcessing($state);
diff --git a/modules/consent/www/getconsent.php b/modules/consent/www/getconsent.php
index ef6603168..66c16c03f 100644
--- a/modules/consent/www/getconsent.php
+++ b/modules/consent/www/getconsent.php
@@ -30,13 +30,6 @@ if (!array_key_exists('StateId', $_REQUEST)) {
}
$id = $_REQUEST['StateId'];
-
-// sanitize the input
-$sid = SimpleSAML_Utilities::parseStateID($id);
-if (!is_null($sid['url'])) {
- SimpleSAML_Utilities::checkURLAllowed($sid['url']);
-}
-
$state = SimpleSAML_Auth_State::loadState($id, 'consent:request');
if (array_key_exists('core:SP', $state)) {
diff --git a/modules/consent/www/logout.php b/modules/consent/www/logout.php
index 4bd09380b..58de97c36 100644
--- a/modules/consent/www/logout.php
+++ b/modules/consent/www/logout.php
@@ -8,15 +8,7 @@
if (!array_key_exists('StateId', $_GET)) {
throw new SimpleSAML_Error_BadRequest('Missing required StateId query parameter.');
}
-$id = (string)$_GET['StateId'];
-
-// sanitize the input
-$sid = SimpleSAML_Utilities::parseStateID($id);
-if (!is_null($sid['url'])) {
- SimpleSAML_Utilities::checkURLAllowed($sid['url']);
-}
-
-$state = SimpleSAML_Auth_State::loadState($id, 'consent:request');
+$state = SimpleSAML_Auth_State::loadState($_GET['StateId'], 'consent:request');
$state['Responder'] = array('sspmod_consent_Logout', 'postLogout');
diff --git a/modules/consent/www/noconsent.php b/modules/consent/www/noconsent.php
index 4e847ce20..c9715b661 100644
--- a/modules/consent/www/noconsent.php
+++ b/modules/consent/www/noconsent.php
@@ -11,13 +11,6 @@ if (!array_key_exists('StateId', $_REQUEST)) {
}
$id = $_REQUEST['StateId'];
-
-// sanitize the input
-$sid = SimpleSAML_Utilities::parseStateID($id);
-if (!is_null($sid['url'])) {
- SimpleSAML_Utilities::checkURLAllowed($sid['url']);
-}
-
$state = SimpleSAML_Auth_State::loadState($id, 'consent:request');
$resumeFrom = SimpleSAML_Module::getModuleURL(
diff --git a/modules/core/lib/Auth/UserPassBase.php b/modules/core/lib/Auth/UserPassBase.php
index de79c1f19..a97fba73a 100644
--- a/modules/core/lib/Auth/UserPassBase.php
+++ b/modules/core/lib/Auth/UserPassBase.php
@@ -233,12 +233,6 @@ abstract class sspmod_core_Auth_UserPassBase extends SimpleSAML_Auth_Source {
assert('is_string($username)');
assert('is_string($password)');
- // sanitize the input
- $sid = SimpleSAML_Utilities::parseStateID($authStateId);
- if (!is_null($sid['url'])) {
- SimpleSAML_Utilities::checkURLAllowed($sid['url']);
- }
-
/* Here we retrieve the state array we saved in the authenticate-function. */
$state = SimpleSAML_Auth_State::loadState($authStateId, self::STAGEID);
diff --git a/modules/core/lib/Auth/UserPassOrgBase.php b/modules/core/lib/Auth/UserPassOrgBase.php
index 1ffdb53ba..7bbddf24f 100644
--- a/modules/core/lib/Auth/UserPassOrgBase.php
+++ b/modules/core/lib/Auth/UserPassOrgBase.php
@@ -208,12 +208,6 @@ abstract class sspmod_core_Auth_UserPassOrgBase extends SimpleSAML_Auth_Source {
assert('is_string($password)');
assert('is_string($organization)');
- // sanitize the input
- $sid = SimpleSAML_Utilities::parseStateID($authStateId);
- if (!is_null($sid['url'])) {
- SimpleSAML_Utilities::checkURLAllowed($sid['url']);
- }
-
/* Retrieve the authentication state. */
$state = SimpleSAML_Auth_State::loadState($authStateId, self::STAGEID);
@@ -262,12 +256,6 @@ abstract class sspmod_core_Auth_UserPassOrgBase extends SimpleSAML_Auth_Source {
public static function listOrganizations($authStateId) {
assert('is_string($authStateId)');
- // sanitize the input
- $sid = SimpleSAML_Utilities::parseStateID($authStateId);
- if (!is_null($sid['url'])) {
- SimpleSAML_Utilities::checkURLAllowed($sid['url']);
- }
-
/* Retrieve the authentication state. */
$state = SimpleSAML_Auth_State::loadState($authStateId, self::STAGEID);
diff --git a/modules/core/www/idp/logout-iframe-done.php b/modules/core/www/idp/logout-iframe-done.php
index fe69f4007..eeb4f2b0a 100644
--- a/modules/core/www/idp/logout-iframe-done.php
+++ b/modules/core/www/idp/logout-iframe-done.php
@@ -3,15 +3,7 @@
if (!isset($_REQUEST['id'])) {
throw new SimpleSAML_Error_BadRequest('Missing required parameter: id');
}
-$id = (string)$_REQUEST['id'];
-
-// sanitize the input
-$sid = SimpleSAML_Utilities::parseStateID($id);
-if (!is_null($sid['url'])) {
- SimpleSAML_Utilities::checkURLAllowed($sid['url']);
-}
-
-$state = SimpleSAML_Auth_State::loadState($id, 'core:Logout-IFrame');
+$state = SimpleSAML_Auth_State::loadState($_REQUEST['id'], 'core:Logout-IFrame');
$idp = SimpleSAML_IdP::getByState($state);
$associations = $idp->getAssociations();
diff --git a/modules/core/www/idp/logout-iframe.php b/modules/core/www/idp/logout-iframe.php
index e2a136e4c..670d33052 100644
--- a/modules/core/www/idp/logout-iframe.php
+++ b/modules/core/www/idp/logout-iframe.php
@@ -3,7 +3,6 @@
if (!isset($_REQUEST['id'])) {
throw new SimpleSAML_Error_BadRequest('Missing required parameter: id');
}
-$id = (string)$_REQUEST['id'];
if (isset($_REQUEST['type'])) {
$type = (string)$_REQUEST['type'];
@@ -19,13 +18,7 @@ if ($type !== 'embed' && $type !== 'async') {
SimpleSAML_Stats::log('core:idp:logout-iframe:page', array('type' => $type));
}
-// sanitize the input
-$sid = SimpleSAML_Utilities::parseStateID($id);
-if (!is_null($sid['url'])) {
- SimpleSAML_Utilities::checkURLAllowed($sid['url']);
-}
-
-$state = SimpleSAML_Auth_State::loadState($id, 'core:Logout-IFrame');
+$state = SimpleSAML_Auth_State::loadState($_REQUEST['id'], 'core:Logout-IFrame');
$idp = SimpleSAML_IdP::getByState($state);
if ($type !== 'init') {
diff --git a/modules/core/www/idp/resumelogout.php b/modules/core/www/idp/resumelogout.php
index 0077909f5..7a524f61b 100644
--- a/modules/core/www/idp/resumelogout.php
+++ b/modules/core/www/idp/resumelogout.php
@@ -3,15 +3,7 @@
if (!isset($_REQUEST['id'])) {
throw new SimpleSAML_Error_BadRequest('Missing id-parameter.');
}
-$id = (string)$_REQUEST['id'];
-
-// sanitize the input
-$sid = SimpleSAML_Utilities::parseStateID($id);
-if (!is_null($sid['url'])) {
- SimpleSAML_Utilities::checkURLAllowed($sid['url']);
-}
-
-$state = SimpleSAML_Auth_State::loadState($id, 'core:Logout:afterbridge');
+$state = SimpleSAML_Auth_State::loadState($_REQUEST['id'], 'core:Logout:afterbridge');
$idp = SimpleSAML_IdP::getByState($state);
$assocId = $state['core:TerminatedAssocId'];
diff --git a/modules/core/www/loginuserpass.php b/modules/core/www/loginuserpass.php
index 35994ed6d..4ce0f93e6 100644
--- a/modules/core/www/loginuserpass.php
+++ b/modules/core/www/loginuserpass.php
@@ -9,21 +9,13 @@
* @package simpleSAMLphp
*/
+/* Retrieve the authentication state. */
if (!array_key_exists('AuthState', $_REQUEST)) {
throw new SimpleSAML_Error_BadRequest('Missing AuthState parameter.');
}
$authStateId = $_REQUEST['AuthState'];
-
-// sanitize the input
-$sid = SimpleSAML_Utilities::parseStateID($authStateId);
-if (!is_null($sid['url'])) {
- SimpleSAML_Utilities::checkURLAllowed($sid['url']);
-}
-
-/* Retrieve the authentication state. */
$state = SimpleSAML_Auth_State::loadState($authStateId, sspmod_core_Auth_UserPassBase::STAGEID);
-
$source = SimpleSAML_Auth_Source::getById($state[sspmod_core_Auth_UserPassBase::AUTHID]);
if ($source === NULL) {
throw new Exception('Could not find authentication source with id ' . $state[sspmod_core_Auth_UserPassBase::AUTHID]);
diff --git a/modules/core/www/loginuserpassorg.php b/modules/core/www/loginuserpassorg.php
index fa6a47280..ad4ba44b0 100644
--- a/modules/core/www/loginuserpassorg.php
+++ b/modules/core/www/loginuserpassorg.php
@@ -9,18 +9,11 @@
* @package simpleSAMLphp
*/
+/* Retrieve the authentication state. */
if (!array_key_exists('AuthState', $_REQUEST)) {
throw new SimpleSAML_Error_BadRequest('Missing AuthState parameter.');
}
$authStateId = $_REQUEST['AuthState'];
-
-// sanitize the input
-$sid = SimpleSAML_Utilities::parseStateID($authStateId);
-if (!is_null($sid['url'])) {
- SimpleSAML_Utilities::checkURLAllowed($sid['url']);
-}
-
-/* Retrieve the authentication state. */
$state = SimpleSAML_Auth_State::loadState($authStateId, sspmod_core_Auth_UserPassOrgBase::STAGEID);
$source = SimpleSAML_Auth_Source::getById($state[sspmod_core_Auth_UserPassOrgBase::AUTHID]);
diff --git a/modules/core/www/short_sso_interval.php b/modules/core/www/short_sso_interval.php
index 6536631ab..5e225bfbf 100644
--- a/modules/core/www/short_sso_interval.php
+++ b/modules/core/www/short_sso_interval.php
@@ -9,15 +9,7 @@
if (!array_key_exists('StateId', $_REQUEST)) {
throw new SimpleSAML_Error_BadRequest('Missing required StateId query parameter.');
}
-
$id = $_REQUEST['StateId'];
-
-// sanitize the input
-$sid = SimpleSAML_Utilities::parseStateID($id);
-if (!is_null($sid['url'])) {
- SimpleSAML_Utilities::checkURLAllowed($sid['url']);
-}
-
$state = SimpleSAML_Auth_State::loadState($id, 'core:short_sso_interval');
$session = SimpleSAML_Session::getSessionFromRequest();
diff --git a/modules/exampleauth/lib/Auth/Source/External.php b/modules/exampleauth/lib/Auth/Source/External.php
index c141a4a2a..37038527b 100644
--- a/modules/exampleauth/lib/Auth/Source/External.php
+++ b/modules/exampleauth/lib/Auth/Source/External.php
@@ -183,19 +183,12 @@ class sspmod_exampleauth_Auth_Source_External extends SimpleSAML_Auth_Source {
if (!isset($_REQUEST['State'])) {
throw new SimpleSAML_Error_BadRequest('Missing "State" parameter.');
}
- $stateId = (string)$_REQUEST['State'];
-
- // sanitize the input
- $sid = SimpleSAML_Utilities::parseStateID($stateId);
- if (!is_null($sid['url'])) {
- SimpleSAML_Utilities::checkURLAllowed($sid['url']);
- }
/*
* Once again, note the second parameter to the loadState function. This must
* match the string we used in the saveState-call above.
*/
- $state = SimpleSAML_Auth_State::loadState($stateId, 'exampleauth:External');
+ $state = SimpleSAML_Auth_State::loadState($_REQUEST['State'], 'exampleauth:External');
/*
* Now we have the $state-array, and can use it to locate the authentication
diff --git a/modules/exampleauth/www/authpage.php b/modules/exampleauth/www/authpage.php
index 819cc2c28..7b3dca267 100644
--- a/modules/exampleauth/www/authpage.php
+++ b/modules/exampleauth/www/authpage.php
@@ -29,15 +29,7 @@ $returnTo = SimpleSAML_Utilities::checkURLAllowed($_REQUEST['ReturnTo']);
if (!preg_match('@State=(.*)@', $returnTo, $matches)) {
die('Invalid ReturnTo URL for this example.');
}
-$stateId = urldecode($matches[1]);
-
-// sanitize the input
-$sid = SimpleSAML_Utilities::parseStateID($stateId);
-if (!is_null($sid['url'])) {
- SimpleSAML_Utilities::checkURLAllowed($sid['url']);
-}
-
-SimpleSAML_Auth_State::loadState($stateId, 'exampleauth:External');
+SimpleSAML_Auth_State::loadState(urldecode($matches[1]), 'exampleauth:External');
/*
* The loadState-function will not return if the second parameter does not
diff --git a/modules/exampleauth/www/redirecttest.php b/modules/exampleauth/www/redirecttest.php
index 03ed359e3..147051cd1 100644
--- a/modules/exampleauth/www/redirecttest.php
+++ b/modules/exampleauth/www/redirecttest.php
@@ -10,16 +10,7 @@
if (!array_key_exists('StateId', $_REQUEST)) {
throw new SimpleSAML_Error_BadRequest('Missing required StateId query parameter.');
}
-
-$id = $_REQUEST['StateId'];
-
-// sanitize the input
-$sid = SimpleSAML_Utilities::parseStateID($id);
-if (!is_null($sid['url'])) {
- SimpleSAML_Utilities::checkURLAllowed($sid['url']);
-}
-
-$state = SimpleSAML_Auth_State::loadState($id, 'exampleauth:redirectfilter-test');
+$state = SimpleSAML_Auth_State::loadState($_REQUEST['StateId'], 'exampleauth:redirectfilter-test');
$state['Attributes']['RedirectTest2'] = array('OK');
diff --git a/modules/expirycheck/www/about2expire.php b/modules/expirycheck/www/about2expire.php
index 551a18c56..9531fcbda 100644
--- a/modules/expirycheck/www/about2expire.php
+++ b/modules/expirycheck/www/about2expire.php
@@ -11,18 +11,9 @@ SimpleSAML_Logger::info('expirycheck - User has been warned that NetID is near t
if (!array_key_exists('StateId', $_REQUEST)) {
throw new SimpleSAML_Error_BadRequest('Missing required StateId query parameter.');
}
-
$id = $_REQUEST['StateId'];
-
-// sanitize the input
-$sid = SimpleSAML_Utilities::parseStateID($id);
-if (!is_null($sid['url'])) {
- SimpleSAML_Utilities::checkURLAllowed($sid['url']);
-}
-
$state = SimpleSAML_Auth_State::loadState($id, 'expirywarning:about2expire');
-
if (array_key_exists('yes', $_REQUEST)) {
/* The user has pressed the yes-button. */
SimpleSAML_Auth_ProcessingChain::resumeProcessing($state);
diff --git a/modules/expirycheck/www/expired.php b/modules/expirycheck/www/expired.php
index 69fb16dc8..5be027e09 100644
--- a/modules/expirycheck/www/expired.php
+++ b/modules/expirycheck/www/expired.php
@@ -11,16 +11,7 @@ SimpleSAML_Logger::info('expirycheck - User has been warned that NetID is near t
if (!array_key_exists('StateId', $_REQUEST)) {
throw new SimpleSAML_Error_BadRequest('Missing required StateId query parameter.');
}
-
-$id = $_REQUEST['StateId'];
-
-// sanitize the input
-$sid = SimpleSAML_Utilities::parseStateID($id);
-if (!is_null($sid['url'])) {
- SimpleSAML_Utilities::checkURLAllowed($sid['url']);
-}
-
-$state = SimpleSAML_Auth_State::loadState($id, 'expirywarning:expired');
+$state = SimpleSAML_Auth_State::loadState($_REQUEST['StateId'], 'expirywarning:expired');
$globalConfig = SimpleSAML_Configuration::getInstance();
diff --git a/modules/multiauth/www/selectsource.php b/modules/multiauth/www/selectsource.php
index ecd762115..8881d86ec 100644
--- a/modules/multiauth/www/selectsource.php
+++ b/modules/multiauth/www/selectsource.php
@@ -10,18 +10,11 @@
* @package simpleSAMLphp
*/
+/* Retrieve the authentication state. */
if (!array_key_exists('AuthState', $_REQUEST)) {
throw new SimpleSAML_Error_BadRequest('Missing AuthState parameter.');
}
$authStateId = $_REQUEST['AuthState'];
-
-// sanitize the input
-$sid = SimpleSAML_Utilities::parseStateID($authStateId);
-if (!is_null($sid['url'])) {
- SimpleSAML_Utilities::checkURLAllowed($sid['url']);
-}
-
-/* Retrieve the authentication state. */
$state = SimpleSAML_Auth_State::loadState($authStateId, sspmod_multiauth_Auth_Source_MultiAuth::STAGEID);
if (array_key_exists("SimpleSAML_Auth_Default.id", $state)) {
diff --git a/modules/negotiate/www/backend.php b/modules/negotiate/www/backend.php
index 0292d247a..7348fd98f 100644
--- a/modules/negotiate/www/backend.php
+++ b/modules/negotiate/www/backend.php
@@ -8,15 +8,7 @@
* @package simpleSAMLphp
*/
-$authStateId = $_REQUEST['AuthState'];
-
-// sanitize the input
-$sid = SimpleSAML_Utilities::parseStateID($authStateId);
-if (!is_null($sid['url'])) {
- SimpleSAML_Utilities::checkURLAllowed($sid['url']);
-}
-
-$state = SimpleSAML_Auth_State::loadState($authStateId, sspmod_negotiate_Auth_Source_Negotiate::STAGEID);
+$state = SimpleSAML_Auth_State::loadState($_REQUEST['AuthState'], sspmod_negotiate_Auth_Source_Negotiate::STAGEID);
SimpleSAML_Logger::debug('backend - fallback: '.$state['LogoutState']['negotiate:backend']);
sspmod_negotiate_Auth_Source_Negotiate::fallBack($state);
diff --git a/modules/negotiate/www/retry.php b/modules/negotiate/www/retry.php
index a659c61fc..23d51c2df 100644
--- a/modules/negotiate/www/retry.php
+++ b/modules/negotiate/www/retry.php
@@ -8,15 +8,7 @@
* @package simpleSAMLphp
*/
-$authStateId = $_REQUEST['AuthState'];
-
-// sanitize the input
-$sid = SimpleSAML_Utilities::parseStateID($authStateId);
-if (!is_null($sid['url'])) {
- SimpleSAML_Utilities::checkURLAllowed($sid['url']);
-}
-
-$state = SimpleSAML_Auth_State::loadState($authStateId, sspmod_negotiate_Auth_Source_Negotiate::STAGEID);
+$state = SimpleSAML_Auth_State::loadState($_REQUEST['AuthState'], sspmod_negotiate_Auth_Source_Negotiate::STAGEID);
$metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
$idpid = $metadata->getMetaDataCurrentEntityID('saml20-idp-hosted', 'metaindex');
diff --git a/modules/preprodwarning/www/showwarning.php b/modules/preprodwarning/www/showwarning.php
index 43a07cff0..7be7493c3 100644
--- a/modules/preprodwarning/www/showwarning.php
+++ b/modules/preprodwarning/www/showwarning.php
@@ -12,15 +12,7 @@ SimpleSAML_Logger::info('PreProdWarning - Showing warning to user');
if (!array_key_exists('StateId', $_REQUEST)) {
throw new SimpleSAML_Error_BadRequest('Missing required StateId query parameter.');
}
-
$id = $_REQUEST['StateId'];
-
-// sanitize the input
-$sid = SimpleSAML_Utilities::parseStateID($id);
-if (!is_null($sid['url'])) {
- SimpleSAML_Utilities::checkURLAllowed($sid['url']);
-}
-
$state = SimpleSAML_Auth_State::loadState($id, 'warning:request');
diff --git a/modules/saml/www/sp/discoresp.php b/modules/saml/www/sp/discoresp.php
index 5d6d55bb7..a10c5ecd1 100644
--- a/modules/saml/www/sp/discoresp.php
+++ b/modules/saml/www/sp/discoresp.php
@@ -11,16 +11,7 @@ if (!array_key_exists('AuthID', $_REQUEST)) {
if (!array_key_exists('idpentityid', $_REQUEST)) {
throw new SimpleSAML_Error_BadRequest('Missing idpentityid to discovery service response handler');
}
-
-$stateID = $_REQUEST['AuthID'];
-
-// sanitize the input
-$sid = SimpleSAML_Utilities::parseStateID($stateID);
-if (!is_null($sid['url'])) {
- SimpleSAML_Utilities::checkURLAllowed($sid['url']);
-}
-
-$state = SimpleSAML_Auth_State::loadState($stateID, 'saml:sp:sso');
+$state = SimpleSAML_Auth_State::loadState($_REQUEST['AuthID'], 'saml:sp:sso');
/* Find authentication source. */
assert('array_key_exists("saml:sp:AuthId", $state)');
diff --git a/modules/saml/www/sp/saml1-acs.php b/modules/saml/www/sp/saml1-acs.php
index de98e3491..a8d1dc724 100644
--- a/modules/saml/www/sp/saml1-acs.php
+++ b/modules/saml/www/sp/saml1-acs.php
@@ -33,15 +33,7 @@ if (preg_match('@^https?://@i', $target)) {
'saml:sp:RelayState' => SimpleSAML_Utilities::checkURLAllowed($target),
);
} else {
- $stateID = $_REQUEST['TARGET'];
-
- // sanitize the input
- $sid = SimpleSAML_Utilities::parseStateID($stateID);
- if (!is_null($sid['url'])) {
- SimpleSAML_Utilities::checkURLAllowed($sid['url']);
- }
-
- $state = SimpleSAML_Auth_State::loadState($stateID, 'saml:sp:sso');
+ $state = SimpleSAML_Auth_State::loadState($_REQUEST['TARGET'], 'saml:sp:sso');
/* Check that the authentication source is correct. */
assert('array_key_exists("saml:sp:AuthId", $state)');
diff --git a/modules/saml/www/sp/saml2-acs.php b/modules/saml/www/sp/saml2-acs.php
index b9fb760b1..d22286278 100644
--- a/modules/saml/www/sp/saml2-acs.php
+++ b/modules/saml/www/sp/saml2-acs.php
@@ -56,13 +56,6 @@ $idpMetadata = array();
$stateId = $response->getInResponseTo();
if (!empty($stateId)) {
-
- // sanitize the input
- $sid = SimpleSAML_Utilities::parseStateID($stateId);
- if (!is_null($sid['url'])) {
- SimpleSAML_Utilities::checkURLAllowed($sid['url']);
- }
-
/* This is a response to a request we sent earlier. */
$state = SimpleSAML_Auth_State::loadState($stateId, 'saml:sp:sso');
diff --git a/modules/saml/www/sp/saml2-logout.php b/modules/saml/www/sp/saml2-logout.php
index b39f3bff0..d3898e779 100644
--- a/modules/saml/www/sp/saml2-logout.php
+++ b/modules/saml/www/sp/saml2-logout.php
@@ -54,12 +54,6 @@ if ($message instanceof SAML2_LogoutResponse) {
SimpleSAML_Logger::warning('Unsuccessful logout. Status was: ' . sspmod_saml_Message::getResponseError($message));
}
- // sanitize the input
- $sid = SimpleSAML_Utilities::parseStateID($relayState);
- if (!is_null($sid['url'])) {
- SimpleSAML_Utilities::checkURLAllowed($sid['url']);
- }
-
$state = SimpleSAML_Auth_State::loadState($relayState, 'saml:slosent');
$state['saml:sp:LogoutStatus'] = $message->getStatus();
SimpleSAML_Auth_Source::completeLogout($state);
--
GitLab