From d1ff132d38ba01c765bbd78f76dbe04dd0793327 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jaime=20Pe=CC=81rez=20Crespo?= <jaime.perez@uninett.no>
Date: Mon, 25 Dec 2017 20:27:05 +0100
Subject: [PATCH] Use parse_url() instead of preg_match() to check URLs.

---
 lib/SimpleSAML/Utils/HTTP.php | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/lib/SimpleSAML/Utils/HTTP.php b/lib/SimpleSAML/Utils/HTTP.php
index 750824984..96cfc62ec 100644
--- a/lib/SimpleSAML/Utils/HTTP.php
+++ b/lib/SimpleSAML/Utils/HTTP.php
@@ -338,14 +338,15 @@ class HTTP
         // validates the URL's host is among those allowed
         if (is_array($trustedSites)) {
             assert(is_array($trustedSites));
-            preg_match('@^http(s?)://([^/:]+)((?::\d+)?)@i', $url, $matches);
-            $hostname = $matches[2];
+            $components = parse_url($url);
+            $hostname = $components['host'];
 
             // allow URLs with standard ports specified (non-standard ports must then be allowed explicitly)
-            if (!empty($matches[3]) &&
-                (($matches[1] === '' && $matches[3] !== ':80') || ($matches[1]) === 's' && $matches[3] !== ':443')
+            if (isset($components['port']) &&
+                (($components['scheme'] === 'http' && $components['port'] !== 80) ||
+                 ($components['scheme'] === 'https' && $components['port'] !== 443))
             ) {
-                $hostname = $hostname.$matches[3];
+                $hostname = $hostname.':'.$components['port'];
             }
 
             $self_host = self::getSelfHostWithNonStandardPort();
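Review bot: The result of `parse_url($url)` is used unchecked on the two added lines. It returns `false` for seriously malformed URLs and leaves out the `host` and `scheme` keys for relative or scheme-less input, so unless code outside the hunk already guarantees an absolute URL, `$hostname` can end up null instead of the URL being rejected. The scheme comparison is also case-sensitive and parse_url() does not normalise case, so a URL written as `HTTP://` with a non-standard port matches neither branch and the port is never appended to `$hostname`. That skips the explicit-port requirement stated in the comment above the condition. I would guard first with `if ($components === false || !isset($components['host'], $components['scheme'])) { /* treat as not allowed */ }` and compare against `strtolower($components['scheme'])`. The enclosing method starts and ends outside the hunk, so how a rejected URL is reported there is not visible.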
-- 
GitLab