* Update Psalm

* Ignore DocblockTypeContradiction and RedundantConditionGivenDocblockType

* Fix Psalm-errors

* Raise minimum PHP-version to 5.6

* Update lock-file accordingly

* Fix phpunit

* Suppress Psalm-issue

forward-port of my recent fix in branch 1.15

Also fixes edge-case situation where $_SERVER['SERVER_PORT'] is not set for an HTTPS connection, this function would return an explicit port 80 i.e. ":80" rather than an empty string.

This reverts commit 9ad60fe1.

Psalm is starting to get annoying. Both openssl_decrypt() and realpath() can return a string or false on error. Psalm seems to ignore the latter all of a sudden, so it assumes the returned variable will always be a string and then it fails when you check on errors. This fix explicitly declares the problematic variables with types string or false, so that psalm stops complaining.

This reverts commit 4f58b0ec.

Added 'no-store' to the cache-control header to prevent Google Chrome from serving the 302 redirect from disk cache

Don't bail out if the MDQ cache is broken or the query fails, because
later other metadata sources might provide the metadata for the entity.

This reverts commit 1218f38a.

When we are invoked from an outside application, SimpleSAMLphp cannot use 'baseurlpath' and in that case it tries to guess the current URL. The port was always added, even if the default port was used, leading to possible issues when comparing URLs that should actually be equivalent.

This resolves #696.

In order to fix this, we first sanitize any URL given to SimpleSAML\Utils\HTTP::checkURLAllowed() so that we make sure we have a true URL without spurious characters. Secondly, we stop using an "onload" event in the body of the redirect page to trigger the redirect automatically. Instead, we use a "meta refresh" redirection.

This double remediation is because there were two issues here: one, we were printing user input inside a chunk of javascript code. The other exploits the fact that the header() function silently breaks when a null character is part of the URL given to a "Location" header. In that case, the HTTP 302 Redirection doesn't happen, and then the browser loads the HTML and goes through it, running the injected javascript.

This fixes #699.

This method allows us to parse a URL and "rebase" it based on the $config['application']['baseURL'] configuration option. Thanks to this, applications will be able to configure a canonical base URL for the application, effectively translating any URL that might be built incorrectly (e.g. not using HTTPS because that is offloaded to a reverse proxy).