From abb3a2b0a4ddebc00c6d779d458082799ab41b28 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jaime=20Pe=CC=81rez=20Crespo?= <jaime.perez@uninett.no>
Date: Mon, 16 Jan 2017 13:03:08 +0100
Subject: [PATCH] Allow standard ports when evaluating trusted URLs.

If a standard port is specified, then ignore it. Otherwise, include the port in the check so that non-standard ports must be whitelisted explicitly.
---
 lib/SimpleSAML/Utils/HTTP.php | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/lib/SimpleSAML/Utils/HTTP.php b/lib/SimpleSAML/Utils/HTTP.php
index 9f5a50e40..1acdea672 100644
--- a/lib/SimpleSAML/Utils/HTTP.php
+++ b/lib/SimpleSAML/Utils/HTTP.php
@@ -323,8 +323,15 @@ class HTTP
         // validates the URL's host is among those allowed
         if (is_array($trustedSites)) {
             assert(is_array($trustedSites));
-            preg_match('@^https?://([^/]+)@i', $url, $matches);
-            $hostname = $matches[1];
+            preg_match('@^http(s?)://([^/:]+)((?::\d+)?)@i', $url, $matches);
+            $hostname = $matches[2];
+
+            // allow URLs with standard ports specified (non-standard ports must then be allowed explicitly)
+            if (!empty($matches[3]) &&
+                (($matches[1] === '' && $matches[3] !== ':80') || ($matches[1]) === 's' && $matches[3] !== ':443')
+            ) {
+                $hostname = $hostname.$matches[3];
+            }
 
             $self_host = self::getSelfHostWithNonStandardPort();
 
-- 
GitLab