From 3f2621e32d43f2f5e41c53c1f29c3e127a2248ba Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jaime=20Pe=CC=81rez?= <jaime.perez@uninett.no>
Date: Mon, 4 Jul 2016 15:27:57 +0200
Subject: [PATCH] Enhance redirections and make them more resilient.

Currently, if headers have already been sent, a redirection will fail and generate errors in the error log. The user will be presented with a page containing a link that he or she will need to click on. By checking whether headers have already been sent we can avoid the errors, and by adding a simple JavaScript snippet to the "onload" event in the body of the page, we can still redirect automatically. That way, users only get to see the page when headers have already been sent and they have JavaScript disabled.
---
 lib/SimpleSAML/Utils/HTTP.php | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/lib/SimpleSAML/Utils/HTTP.php b/lib/SimpleSAML/Utils/HTTP.php
index a586ef8a4..612bf5c42 100644
--- a/lib/SimpleSAML/Utils/HTTP.php
+++ b/lib/SimpleSAML/Utils/HTTP.php
@@ -162,12 +162,14 @@ class HTTP
             Logger::warning('Redirecting to a URL longer than 2048 bytes.');
         }
 
-        // set the location header
-        header('Location: '.$url, true, $code);
+        if (!headers_sent()) {
+            // set the location header
+            header('Location: '.$url, true, $code);
 
-        // disable caching of this response
-        header('Pragma: no-cache');
-        header('Cache-Control: no-cache, must-revalidate');
+            // disable caching of this response
+            header('Pragma: no-cache');
+            header('Cache-Control: no-cache, must-revalidate');
+        }
 
         // show a minimal web page with a clickable link to the URL
         echo '<?xml version="1.0" encoding="UTF-8"?>'."\n";
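Review bot: The new `if (!headers_sent())` guard has no else branch, so when output has already started the Location, status code and no-cache headers are skipped silently. The fallback page is then served without `Cache-Control: no-cache`, and it embeds the target URL, which may carry request parameters (not visible in this hunk). Recording the event would let the premature output be found and fixed, for example `if (headers_sent($file, $line)) { Logger::warning('Headers already sent in '.$file.':'.$line.', falling back to an HTML redirect.'); }` ahead of the guard. The enclosing function starts and ends outside the hunk.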
@@ -178,7 +180,7 @@ class HTTP
         echo '    <meta http-equiv="content-type" content="text/html; charset=utf-8">'."\n";
         echo "    <title>Redirect</title>\n";
         echo "  </head>\n";
-        echo "  <body>\n";
+        echo "  <body onload=\"window.location.replace('".htmlspecialchars($url)."');\">\n";
         echo "    <h1>Redirect</h1>\n";
         echo '      <p>You were redirected to: <a id="redirlink" href="'.htmlspecialchars($url).'">';
         echo htmlspecialchars($url)."</a>\n";
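Review bot: In the added `<body onload=...>` line, `htmlspecialchars($url)` is the wrong encoding for a value that ends up inside a JavaScript string literal. The browser decodes HTML entities in the attribute before the script runs, so a single quote in `$url` ends the string whether it arrives raw (the default flags before PHP 8.1 leave `'` untouched) or as `&#039;`. Encode for JavaScript first and for the attribute second: `echo '  <body onload="window.location.replace('.htmlspecialchars(json_encode($url, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT), ENT_QUOTES).');">'."\n";`. Whether `$url` is limited to http/https before this point cannot be seen from the hunk; that check matters more now, because `window.location.replace` also acts on a `javascript:` URL. The function body continues outside the hunk.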
-- 
GitLab