This reverts commit 1218f38a.

When we are invoked from an outside application, SimpleSAMLphp cannot use 'baseurlpath' and in that case it tries to guess the current URL. The port was always added, even if the default port was used, leading to possible issues when comparing URLs that should actually be equivalent.

This resolves #696.

In order to fix this, we first sanitize any URL given to SimpleSAML\Utils\HTTP::checkURLAllowed() so that we make sure we have a true URL without spurious characters. Secondly, we stop using an "onload" event in the body of the redirect page to trigger the redirect automatically. Instead, we use a "meta refresh" redirection.

This double remediation is because there were two issues here: one, we were printing user input inside a chunk of javascript code. The other exploits the fact that the header() function silently breaks when a null character is part of the URL given to a "Location" header. In that case, the HTTP 302 Redirection doesn't happen, and then the browser loads the HTML and goes through it, running the injected javascript.

This fixes #699.

Fix build as a side effect. When vimeo/psalm tries to resolve dependencies, it now fails with this.

This method allows us to parse a URL and "rebase" it based on the $config['application']['baseURL'] configuration option. Thanks to this, applications will be able to configure a canonical base URL for the application, effectively translating any URL that might be built incorrectly (e.g. not using HTTPS because that is offloaded to a reverse proxy).

Also make the default namespace parameter mandatory, so that the function is not ADFS-specific.

When opcache.validate_timestamps is disabled, then the new metadata will not be read after a metarefresh.
This can be solved by adding the metadata file to an opcache blacklist, but calling opcache_invalidate()
after writing a file is a nice out-of-the-box solution.

Hopefully, this will enable everybody that is using simplesamlphp to disable opcache.validate_timestamps
without running into problems.

A PHPUnit listener unsets SSP environmental variables and attempts
to restore globals.

This also required adding an additional argument to
SimpleSAML\Utils\Crypto::loadPrivateKey to ease in testing. Without
this additional argument, SimpleSAML_Configuration::getBaseDir eventually
gets called to determine the private key location.  This doesn't work
well with vfsstream. This argument shouldn't cause too much trouble, and
seems cohesive enough with the function's purpose.

The reason was the lack of conversion to integer for each character of the strings before applying the XOR operator to them. The operator returns always an empty string when applied to two characters, and applying a binary-wise OR between 0 and an empty string, yields 0. Therefore, $diff is always 0, and the function returns true for every two strings with same length, regardless of their contents.

This reverts commit b1b0d0ef.

This reverts commit c441f9c9.

It looks like mb_substr() doesn’t cope well with NULL as the third parameter in PHP 5.3.

IVs must be random and one-time (never reused). Additionally, by deriving it from the key, the key length was effectively reduced to 128 bits.

It actually needs a DOMNode, so it has been renamed to isDOMNodeOfType().

Additionally, some superfluous asserts() have been removed, and SimpleSAML\Utils\XML::getDOMChildren() has also changed its signature, as it should also receive a DOMNode, not a DOMElement.

Use it when constant-time comparisons are needed to avoid side-channel attacks.

To put it differently, to avoid OSX machines being identified as windows boxes, “darwin” should be evaluated *before* “win”.

If a standard port is specified, then ignore it. Otherwise, include the port in the check so that non-standard ports must be whitelisted explicitly.

This resolves #476.

Cannot provide array_filter() output directly to empty() in conditional in PHP <= 5.4.

It is possible that the current script ($_SERVER['SCRIPT_FILENAME']) is inside SimpleSAMLphp's 'www' directory. However, even if that's the case, we should not enforce our base URL (as set in the 'baseurlpath' configuration option) if the request URI ($_SERVER['REQUEST_URI']) does not contain the relative path to the script. This is the case of AuthMemCookie, for example, where accessing a random URL protected by Apache, leads to the execution of a SimpleSAMLphp script, where SimpleSAML\Utils\HTTP::getSelfURL() must not try to be smart when guessing the current URL.

Some things, like logging of SAML messages or backtraces, are controlled with the 'debug' configuration option. However, it might be possible that we don't want one while we want the other, but that's impossible with just one option.

This commit allows us to configure debugging options independently, but groupping all of them together. This is particularly useful if we want to log backtraces to debug errors, for example, but we don't want to log SAML messages to keep the privacy of the users. This also allows us to get rid of the 'debug.validatexml' configuration option, and group it with other debug options.

This changes are backwards-compatible. Old and new configurations will work at the same time.

Issue a notice when the option is used nonetheless.

Closes: #432

Now we are finally using the 2.x branch of the SAML2 library, which was also migrated to use namespaces. Even though the library provides an autoloader that allows loading the classes with the old names using class aliasing, we need to do the migration in one commit (at least for most part of it). This is due to the way SimpleSAMLphp checks data types, using inheritance to check objects agains abstract or more general classes. Even though class aliasing works, there's no way to replicate those relationships, and type checks that use the old class names will fail because the aliases are virtually new classes that don't inherit from others.