From 7be5684e41effce46df3cf48dbfdefb3b876d749 Mon Sep 17 00:00:00 2001
From: Jaime Perez Crespo <jaime.perez@uninett.no>
Date: Wed, 21 Oct 2015 12:07:40 +0200
Subject: [PATCH] Make SimpleSAMLphp resilient to open redirections by default.

---
 lib/SimpleSAML/Utils/HTTP.php | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)

diff --git a/lib/SimpleSAML/Utils/HTTP.php b/lib/SimpleSAML/Utils/HTTP.php
index 8b0caf307..fd6437eb5 100644
--- a/lib/SimpleSAML/Utils/HTTP.php
+++ b/lib/SimpleSAML/Utils/HTTP.php
@@ -313,15 +313,11 @@ class HTTP
 
         // get the white list of domains
         if ($trustedSites === null) {
-            $trustedSites = \SimpleSAML_Configuration::getInstance()->getArray('trusted.url.domains', null);
-            // TODO: remove this before 2.0
-            if ($trustedSites === null) {
-                $trustedSites = \SimpleSAML_Configuration::getInstance()->getArray('redirect.trustedsites', null);
-            }
+            $trustedSites = \SimpleSAML_Configuration::getInstance()->getValue('trusted.url.domains', array());
         }
 
         // validates the URL's host is among those allowed
-        if ($trustedSites !== null) {
+        if (is_array($trustedSites)) {
             assert(is_array($trustedSites));
             preg_match('@^https?://([^/]+)@i', $url, $matches);
             $hostname = $matches[1];
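Review bot: The new `if (is_array($trustedSites))` guard skips host validation for every non-array value, so a `trusted.url.domains` entry mistakenly written as a single string or other scalar would apparently disable the open-redirect check without any error, because the switch from `getArray()` to `getValue()` seems to drop the type check on the configured value. If `null` is meant to be the deliberate opt-out, restrict the bypass to that value and fail loudly on anything else before the guard, e.g. `if ($trustedSites !== null && !is_array($trustedSites)) { throw new \InvalidArgumentException('trusted.url.domains must be an array or null'); }`. The `assert(is_array($trustedSites));` on the next line is now redundant with the guard and can be removed. The enclosing method starts and ends outside this hunk, so what happens when the block is skipped should be confirmed there.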
-- 
GitLab