  1. Aug 02, 2016
  2. Jul 29, 2016
  3. Jul 28, 2016
    • Use AttributeValue serializable objects instead of dumping manually the XML contents. · 6d215c0b
      Jaime Pérez authored
      This way, we avoid completely any possible XXE attack, and simplify the code as we don't need to deal directly with the DOM. The entire AttributeValue will be saved to the backend as XML, and then recovered back when unserializing.
    • Remove debugging leftovers. · f261dfc1
      Jaime Pérez authored
    • bugfix: Allow attributes to contain raw XML as their values. · 977b8e86
      Jaime Pérez authored
      A recent change in simplesamlphp/saml2#60 made the library return a DOMNodeList object when the contents of the AttributeValue element are not text. This led to a bug, since the returned value is not serializable, and when storing it in the session it will go away as soon as we serialize the session to store it in the backend (whatever that is). This is always, as the SP will always redirect to the URL originating authentication. The result was an empty DOMNodeList object where there should be some value.
      
      This commit makes SimpleSAML_Session implement the Serializable interface. When obtaining the attributes during login (doLogin() method), the code will now look for DOMNodeList objects, and dump them as a string with the XML representation of their contents in the 'RawAttributes' array inside $this->authData[$authority]. This allows us to parse the XML back when unserializing, and restore the original DOMNodeList object as the value of the attribute.
      
      The issue was reported originally in the mailing list by Enrico Cavalli, affecting eduPersonTargetedID. This resolves #424.
  4. Jul 26, 2016
    • Update the SAML2 library. · c23722a4
      Jaime Pérez authored
      Now that the SAML2 library has been updated to use the new SimpleSAML\Logger, we can update the dependency here. Since both libraries are interdependent, we are pointing to a specific commit in master, aliasing it to 2.2. That way we can keep business as usual for any other package which may depend on 2.2, while getting the changes into SimpleSAMLphp.
    • Stop using SimpleSAML_Configuration::getBaseURL(). · a5ca1aa3
      Jaime Pérez authored
      Use the recently added SimpleSAML_Configuration::getBasePath() instead. It guarantees the path is prepended with a slash, so there is no need to do that every time when calling the method. As a side effect, we get rid of buggy invocations (calling getBaseUrl() instead of getBaseURL()), and also of the old-style convention for the 'baseurlpath' configuration option, allowing a star at the beginning.
    • Bump the version of the SAML2 library. · b02c5432
      Jaime Pérez authored
      Now we are finally using the 2.x branch of the SAML2 library, which was also migrated to use namespaces. Even though the library provides an autoloader that allows loading the classes with the old names using class aliasing, we need to do the migration in one commit (at least for the most part). This is due to the way SimpleSAMLphp checks data types, using inheritance to check objects against abstract or more general classes. Even though class aliasing works, there's no way to replicate those relationships, and type checks that use the old class names will fail because the aliases are virtually new classes that don't inherit from others.
    • Prepare to bump the version of XMLSecLibs that we are using. · 09b30417
      Jaime Pérez authored
      The 2.x branch of XMLSecLibs uses namespaces, so we need to make sure we can still load the XMLSec* classes after updating the dependency. We can do that in the autoloader, looking for the classes with namespaces, and creating class aliases.
  5. Jul 25, 2016
  6. Jul 22, 2016
  7. Jul 20, 2016
  8. Jul 19, 2016
    • Do not enforce reading the configuration from files. · 8eaf60b1
      Jaime Pérez authored
      The www/_include.php script, included by all scripts in www/, checks unconditionally for the existence of the config.php file. However, this prevents us from testing the scripts automatically. Instead of checking for the file, we just try to load the configuration, and live with it if it works. That way we can pre-load the configuration using SimpleSAML_Configuration::loadFromArray(), as we are doing in some tests.
  9. Jul 15, 2016
    • bugfix: Restore the capability to get our self URL when invoked from a third-party script. · e8ee8c83
      Jaime Pérez authored
      Recent fixes for URL guessing and building addressed bugs in the code that were preventing the 'baseurlpath' from being used properly. However, they introduced a new issue, as the code was assuming the current URL would always point to a SimpleSAMLphp script. This is not always true, of course, as any script can invoke our API and end up trying to get its own URL (for example, when calling requireAuth()).
      
      In order to fix this, we monitor mismatches between SimpleSAMLphp's installation path and the absolute, real path to the current script. When there's a mismatch, it means we are running a third-party script outside SimpleSAMLphp, and therefore we should NOT enforce 'baseurlpath'. This introduces an additional issue, as applications behind a reverse proxy may cause trouble to guess the right URL (we will use the URL as seen by SimpleSAMLphp in the server, which is not necessarily the same as the user sees with a reverse proxy in between). For the moment, we'll leave the responsibility to sort that issue out to implementors. It might be a good idea to add a page to the wiki explaining how to do this.
      
      This resolves #418.
    • NL translation of warnings_outdated · e6fffdcb
      Thijs Kinkhorst authored
  10. Jul 14, 2016
  11. Jul 13, 2016
  12. Jul 07, 2016
  13. Jul 06, 2016