From b6b6bfcd7b05ff83d7ea2a0522bea8dca3c1eea0 Mon Sep 17 00:00:00 2001
From: Jaime Perez <jaime.perez@uninett.no>
Date: Wed, 8 Oct 2014 15:39:41 +0200
Subject: [PATCH] Remove extra URL validation as normalizeURL() will have done
 that already. Return an empty string if the input URL is empty (disregarding
 its type). This should make the checkURLAllowed() function transparent and
 avoid it returning the current URL (normalized) when input is empty. Fixes
 #99.

---
 lib/SimpleSAML/Utilities.php | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/lib/SimpleSAML/Utilities.php b/lib/SimpleSAML/Utilities.php
index abbf9d866..e4a9f98e3 100644
--- a/lib/SimpleSAML/Utilities.php
+++ b/lib/SimpleSAML/Utilities.php
@@ -309,12 +309,10 @@ class SimpleSAML_Utilities {
 	 * allowed by configuration.
 	 */
 	public static function checkURLAllowed($url, array $trustedSites = NULL) {
-		$url = self::normalizeURL($url);
-
-		// verify that the URL points to an http or https site
-		if (!preg_match('@^https?://@i', $url)) {
-			throw new SimpleSAML_Error_Exception('Invalid URL: '.$url);
+		if (empty($url)) {
+			return '';
 		}
+		$url = self::normalizeURL($url);
 
 		// get the white list of domains
 		if ($trustedSites === NULL) {
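Review bot: The new early return at `if (empty($url))` hands back `''` before the trusted-site check runs, and the docblock above it (only its tail is visible in this hunk) does not appear to say so, so callers that treat the return value as a validated redirect target need to be told that `''` means "no URL was given". I would add `@return string The normalized URL if it is allowed, or an empty string if $url was empty.` to the docblock, and note there that `empty()` also matches `'0'`, `0`, `FALSE` and `array()`, which the commit message suggests is intended. With the `preg_match('@^https?://@i', $url)` guard removed, the http/https restriction now depends entirely on `normalizeURL()`, which is not shown here. A comment at the call such as `// normalizeURL() is expected to reject anything that is not http(s)`, plus a regression test passing a non-http scheme, would keep that assumption checked if normalizeURL() is changed later. The body of checkURLAllowed() continues past the end of the hunk.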
-- 
GitLab