This reverts commit 1218f38a.

When we are invoked from an outside application, SimpleSAMLphp cannot use 'baseurlpath' and in that case it tries to guess the current URL. The port was always added, even if the default port was used, leading to possible issues when comparing URLs that should actually be equivalent.

This resolves #696.

This resolves #695.

In order to fix this, we first sanitize any URL given to SimpleSAML\Utils\HTTP::checkURLAllowed() so that we make sure we have a true URL without spurious characters. Secondly, we stop using an "onload" event in the body of the redirect page to trigger the redirect automatically. Instead, we use a "meta refresh" redirection.

This double remediation is because there were two issues here: one, we were printing user input inside a chunk of javascript code. The other exploits the fact that the header() function silently breaks when a null character is part of the URL given to a "Location" header. In that case, the HTTP 302 Redirection doesn't happen, and then the browser loads the HTML and goes through it, running the injected javascript.

This fixes #699.

Fix build as a side effect. When vimeo/psalm tries to resolve dependencies, it now fails with this.

This method allows us to parse a URL and "rebase" it based on the $config['application']['baseURL'] configuration option. Thanks to this, applications will be able to configure a canonical base URL for the application, effectively translating any URL that might be built incorrectly (e.g. not using HTTPS because that is offloaded to a reverse proxy).

It can now be used with \SimpleSAML\Auth\Simple, although the old name still works too.

searchformultiple() will loop over all the configured base dn's to
search in. However, it would break on the first search that does
not return `false`. A search that yields 0 hits is not `false`, however
(it is only false when an error occurred). So when using more than one
base, users would not be found if they were part of the second or later
base, which is contrary to the intention.

This is now changed so the loop breaks when the result is not false, and
the number of found results is > 0.

Also make the default namespace parameter mandatory, so that the function is not ADFS-specific.

I have been maintaining the PHP LDAP EXOP patch for a few years,
which include the ldapwhoami() function. This has finally made its
way into PHP distribution and will be available in PHP 7.3, but
with a modified prototype.

This changes adapts to this API change. While there, also update
exception handling on par with recent SimpleSAMLphp code.

Otherwise, a theme would not be able to include/embed/extend its own templates.

When opcache.validate_timestamps is disabled, then the new metadata will not be read after a metarefresh.
This can be solved by adding the metadata file to an opcache blacklist, but calling opcache_invalidate()
after writing a file is a nice out-of-the-box solution.

Hopefully, this will enable everybody that is using simplesamlphp to disable opcache.validate_timestamps
without running into problems.

This new interface allows themes to define a class that can be hooked at certain specific points of template initialization/handling, so that they can do stuff like automatically adding variables for all templates, or adding twig extensions. This classes must implement the new TemplateControllerInterface, and be specified in the "theme.controller" configuration option. This way, we avoid the performance hit if we use traditional hooks, and we also avoid hooks from other modules causing trouble.

For now, the interface offers two entry points: setUpTwig(), which allows managing the twig environment after initialization (e.g. to add an extension or define filters); and display(), which offers all the data passed to the template, and allows adding or modifying it.

This makes sense as those should be static values available to every template.

Additionally, add a "templateId" variable that we can use for templates to identify themselves.

Make sure if we are using a theme, its module is added as a valid domain where we can look for translations.

Therefore, it should be accessed using self, not $this.

To convert existing tests to use the base class use

 perl -p -i -e 's/PHPUnit_Framework_TestCase/SimpleSAML\\Test\\Utils\\ClearStateTestCase/g' `grep -rl PHPUnit_Framework_TestCase tests | grep -v ClearStateTestCase.php`

A PHPUnit listener unsets SSP environmental variables and attempts
to restore globals.

Instead of one cache, we need to use two: one for the list of modules available, and the other for the details for them. Those caches should be filled independently, so that someone calling getModules() does not trigger the code checking of the modules are enabled or finding their hooks.

It has also an impact in performance, and covers an unlikely scenario. Instead, if you plan to use templates from another module, now you need to call the "addTemplatesFromModule()" method right after creating the template. That way you can register manually what templates you are supposed to use, being much more efficient.

An alternative way to inject data in the templates should be used. This has a terrible impact in performance, and could have undesired side effects.

This allows template users to use their own twig extensions if they want, while also allowing us to remove the "twigInit" hook. Hooks come at a price, and it doesn't make much sense to use them in this case, as they would only be useful if a module wants to add a twig extension even if the code instantiating SimpleSAML_XHTML_Template does not belong to that module. This could lead to unexpected behaviour (i.e. a module adding a hook that creates trouble for the templates defined in another module), so given the lack of use cases supporting the hook and the possible negative consequences implied, it's better to remove it.

The issue here is that every time we need to list the modules or check if they are enabled, we just iterate over the modules directory and subdirectories, which is terribly expensive. Instead of doing so, we build a cache of modules specifying if they are enabled or not. In the end, this is also fixing another issue, given that enabling/disabling a module in the middle of a request being processed could lead to inconsistencies and unexpected behaviour (likely exceptions and horrible crashes). Modules should be checked in the beginning of a request and their state (enabled/disabled) frozen until the request is processed to avoid that, and this is the way to achieve so.

Additionally, we take the chance to check if modules are enabled when we search for them. This reduces the processing time to around a third of the original without this fix.

This allows us to get rid of SHA-1.

The offset is prepended in clear to the token itself, so that we can subtract it from the current time and get the original time slot. However, the time slot, salt and verification data are authenticated by means of the hash function, but not the offset. This means we can take an expired token and make it valid by simply increasing the prepended offset as much as needed to hit the time slot it was generated on. This is an important security issue as the tokens are therefore not bound to the current time at all.

In order to fix it, the offset itself is added to the hash computation, so that a change in the offset produces a new hash that won't match.

s/generateToken/generate/ && s/validateToken/validate/