From abb3a2b0a4ddebc00c6d779d458082799ab41b28 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jaime=20Pe=CC=81rez=20Crespo?= <jaime.perez@uninett.no>
Date: Mon, 16 Jan 2017 13:03:08 +0100
Subject: [PATCH] Allow standard ports when evaluating trusted URLs.

If a standard port is specified, then ignore it. Otherwise, include the port in the check so that non-standard ports must be whitelisted explicitly.
---
 lib/SimpleSAML/Utils/HTTP.php | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/lib/SimpleSAML/Utils/HTTP.php b/lib/SimpleSAML/Utils/HTTP.php
index 9f5a50e40..1acdea672 100644
--- a/lib/SimpleSAML/Utils/HTTP.php
+++ b/lib/SimpleSAML/Utils/HTTP.php
@@ -323,8 +323,15 @@ class HTTP
 // validates the URL's host is among those allowed
 if (is_array($trustedSites)) {
 assert(is_array($trustedSites));
-preg_match('@^https?://([^/]+)@i', $url, $matches);
-$hostname = $matches[1];
+preg_match('@^http(s?)://([^/:]+)((?::\d+)?)@i', $url, $matches);
+$hostname = $matches[2];
+
+// allow URLs with standard ports specified (non-standard ports must then be allowed explicitly)
+if (!empty($matches[3]) &&
+(($matches[1] === '' && $matches[3] !== ':80') || ($matches[1]) === 's' && $matches[3] !== ':443')
+) {
+$hostname = $hostname.$matches[3];
+}
 
 $self_host = self::getSelfHostWithNonStandardPort();
-- 
GitLab
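Review bot: The new regex lets a whitelisted name placed in the userinfo part pass the check: `[^/:]+` stops at the first `:` and the match simply ends after the optional port, so `http://trusted.example:80@evil.com/` yields `$hostname = 'trusted.example'` even though a browser would go to evil.com — the old `[^/]+` pattern captured the whole authority and so did not match the whitelist for that input. Excluding `@` from the host class and anchoring the end of the authority closes this, e.g. `preg_match('@^http(s?)://([^/:@?#]+)((?::\d+)?)(?=[/?#]|$)@i', $url, $matches);`, or better, read `scheme`/`host`/`port` from `parse_url($url)` instead of hand-parsing. Separately, the `i` modifier means `HTTPS://trusted.example:8443/` gives `$matches[1] === 'S'`, so neither branch of the new condition matches and the non-standard port is silently dropped from `$hostname`; compare against `strtolower($matches[1])` (the stray parenthesis in `($matches[1]) === 's'` should also be moved so the `||` grouping reads as intended). As before the patch, a URL the regex does not match at all leaves `$matches[2]` undefined, so testing the `preg_match` return value and rejecting the URL explicitly would be safer than relying on a null `$hostname` failing the lookup. The enclosing method starts and ends outside this hunk.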