- Oct 16, 2017
  - Jaime Pérez Crespo authored
    This reverts commit 1218f38a.
  - Jaime Pérez Crespo authored
    When we are invoked from an outside application, SimpleSAMLphp cannot use 'baseurlpath' and in that case it tries to guess the current URL. The port was always added, even if the default port was used, leading to possible issues when comparing URLs that should actually be equivalent. This resolves #696.
- Oct 10, 2017
  - Jaime Pérez Crespo authored
    In order to fix this, we first sanitize any URL given to SimpleSAML\Utils\HTTP::checkURLAllowed() so that we make sure we have a true URL without spurious characters. Secondly, we stop using an "onload" event in the body of the redirect page to trigger the redirect automatically. Instead, we use a "meta refresh" redirection. This double remediation is because there were two issues here: one, we were printing user input inside a chunk of JavaScript code. The other exploits the fact that the header() function silently breaks when a null character is part of the URL given to a "Location" header. In that case, the HTTP 302 redirection doesn't happen, and then the browser loads the HTML and goes through it, running the injected JavaScript. This fixes #699.
- Sep 07, 2017
  - Jaime Pérez Crespo authored
    This method allows us to parse a URL and "rebase" it based on the $config['application']['baseURL'] configuration option. Thanks to this, applications will be able to configure a canonical base URL for the application, effectively translating any URL that might be built incorrectly (e.g. not using HTTPS because that is offloaded to a reverse proxy).
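An added example of the rebasing the commit above describes; it is not SimpleSAMLphp's own implementation. The scheme, host, port and base path of a URL that was guessed from the backend environment are replaced by those of a configured canonical base URL. The function name `rebaseUrl()` and the `$appPath` parameter (the path under which the backend actually serves the application) are assumptions made for this example.

```php
<?php
declare(strict_types=1);

/**
 * Rebase $url onto $baseURL: take scheme, host, port and base path from the
 * configured canonical base URL, and keep only the part of $url's path that
 * lies below the application's own backend path ($appPath), plus query and
 * fragment. Hypothetical helper; not SimpleSAMLphp's code.
 *
 * @param string $url     URL as guessed from the environment (e.g. behind a proxy)
 * @param string $baseURL canonical base URL, e.g. https://sso.example.org/simplesaml/
 * @param string $appPath backend path of the application, e.g. /simplesaml/
 */
function rebaseUrl(string $url, string $baseURL, string $appPath): string
{
    $u = parse_url($url);
    $b = parse_url(rtrim($baseURL, '/') . '/');   // base path always ends in '/'
    if ($u === false || $b === false || !isset($u['path'], $b['scheme'], $b['host'])) {
        throw new InvalidArgumentException('Cannot parse URL or base URL');
    }

    // Normalize the application path to "/x/y/" (or "/" for the web root).
    $appPath = '/' . trim($appPath, '/');
    $appPath = $appPath === '/' ? '/' : $appPath . '/';

    // Refuse URLs outside the application path instead of producing a URL
    // under the canonical base that we do not actually serve.
    if (strncmp($u['path'], $appPath, strlen($appPath)) !== 0
        && $u['path'] !== rtrim($appPath, '/')) {
        throw new InvalidArgumentException('URL is not below the application path');
    }
    $relative = ltrim(substr($u['path'], strlen(rtrim($appPath, '/'))), '/');

    $port   = isset($b['port']) ? ':' . $b['port'] : '';
    $result = $b['scheme'] . '://' . $b['host'] . $port . $b['path'] . $relative;
    if (isset($u['query'])) {
        $result .= '?' . $u['query'];
    }
    if (isset($u['fragment'])) {
        $result .= '#' . $u['fragment'];
    }
    return $result;
}

// Constructed input: the backend sees plain HTTP on port 8080 because TLS is
// offloaded to a reverse proxy, but users must always get the public HTTPS URL.
echo rebaseUrl(
    'http://backend.internal:8080/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp?x=1',
    'https://sso.example.org/simplesaml/',
    '/simplesaml/'
), PHP_EOL;
```

The call above yields `https://sso.example.org/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp?x=1`. Rejecting URLs outside `$appPath` matters: silently prefixing an arbitrary path with the canonical base would turn a guessed URL into a confidently wrong one, which is worse than an exception when the misconfiguration is being set up.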
- Sep 01, 2017
  - Jaime Pérez Crespo authored
- Mar 30, 2017
  - Jaime Pérez Crespo authored
- Jan 19, 2017
  - dev authored
- Jan 16, 2017
  - Jaime Pérez Crespo authored
    If a standard port is specified, then ignore it. Otherwise, include the port in the check so that non-standard ports must be whitelisted explicitly.
- Aug 22, 2016
  - Jaime Pérez authored
    It is possible that the current script ($_SERVER['SCRIPT_FILENAME']) is inside SimpleSAMLphp's 'www' directory. However, even if that's the case, we should not enforce our base URL (as set in the 'baseurlpath' configuration option) if the request URI ($_SERVER['REQUEST_URI']) does not contain the relative path to the script. This is the case of AuthMemCookie, for example, where accessing a random URL protected by Apache leads to the execution of a SimpleSAMLphp script, where SimpleSAML\Utils\HTTP::getSelfURL() must not try to be smart when guessing the current URL.
- Jul 15, 2016
  - Jaime Pérez authored
    Recent fixes for URL guessing and building addressed bugs in the code that were preventing the 'baseurlpath' from being used properly. However, they introduced a new issue, as the code was assuming the current URL would always point to a SimpleSAMLphp script. This is not always true, of course, as any script can invoke our API and end up trying to get its own URL (for example, when calling requireAuth()). In order to fix this, we monitor mismatches between SimpleSAMLphp's installation path and the absolute, real path to the current script. When there's a mismatch, it means we are running a third-party script outside SimpleSAMLphp, and therefore we should NOT enforce 'baseurlpath'. This introduces an additional issue, as applications behind a reverse proxy may cause trouble to guess the right URL (we will use the URL as seen by SimpleSAMLphp in the server, which is not necessarily the same as the user sees with a reverse proxy in between). For the moment, we'll leave the responsibility to sort that issue out to implementors. It might be a good idea to add a page to the wiki explaining how to do this. This resolves #418.
- Jul 05, 2016
  - Jaime Pérez authored
    Due to recent changes to fix the way we were building URLs (mixing the 'baseurlpath' configuration option and the current URL, see #396), we introduced another bug by assuming file paths will always use slashes ('/'), which obviously is not true in Windows machines. This commit fixes SimpleSAML_Configuration::getBaseDir() and SimpleSAML\Utils\HTTP::getSelfURL() to take that into account. This closes #414.
- Jul 04, 2016
  - Jaime Pérez authored
    Currently, if headers have already been sent, a redirection will fail and generate errors in the error log. The user will be presented with a page containing a link that he or she will need to click on. Checking if headers have already been sent we can avoid errors, and adding a simple JavaScript to the "onload" event in the body of the page, we can still redirect automatically. That way, only when headers have already been sent and the users have JavaScript disabled, they will get to see the page.
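An added example, written for this page and not taken from SimpleSAMLphp, covering both this commit (fall back to an HTML page when headers are already sent) and the #699 fix further up (sanitize the URL, drop the "onload" script, redirect with a meta refresh). `redirectVulnerable()` shows the shape of the bug: a raw URL inside a JavaScript string, relying on a 302 that never happens when the URL carries a NUL byte. `sanitizeRedirectUrl()` and `redirectHardened()` are hypothetical replacements; the allow list `$allowedHosts` stands in for whatever configuration supplies it.

```php
<?php
declare(strict_types=1);

// The vulnerable "before" shape of the #699 bug, kept for comparison only.
// A NUL byte in $url makes header() refuse the Location header (a warning
// before PHP 8, a ValueError from PHP 8 on), so no 302 is sent and the
// HTML below, with $url inside a JavaScript string, is what the browser runs.
function redirectVulnerable(string $url): string
{
    if (!headers_sent()) {
        @header('Location: ' . $url);   // skipped on NUL: no redirect happens
    }
    return '<html><body onload="window.location=\'' . $url . '\'">'
         . '<a href="' . $url . '">Continue</a></body></html>';
}

// Hardened: sanitize, validate against an allow list, and keep the URL out
// of any JavaScript context.
function sanitizeRedirectUrl(string $url, array $allowedHosts): string
{
    // 1. Keep printable ASCII only: drops NUL, CR/LF (header injection) and
    //    other control bytes. Non-ASCII must already be percent-encoded.
    $clean = preg_replace('/[^\x21-\x7E]/', '', $url);
    if ($clean === null || $clean === '') {
        throw new InvalidArgumentException('Empty or unusable URL');
    }
    // 2. A path-only URL stays on this host. "//host" and "/\host" are
    //    scheme-relative in browsers, so only a lone leading "/" qualifies.
    if ($clean[0] === '/' && ($clean === '/' || ($clean[1] !== '/' && $clean[1] !== '\\'))) {
        return $clean;
    }
    // 3. Anything else must be absolute http(s) to an allowed host[:port];
    //    a default port is dropped so "host:443" over https equals "host".
    $p = parse_url($clean);
    if ($p === false || !isset($p['scheme'], $p['host'])
        || !in_array(strtolower($p['scheme']), ['http', 'https'], true)) {
        throw new InvalidArgumentException('Only absolute http(s) URLs are allowed');
    }
    $default  = strtolower($p['scheme']) === 'https' ? 443 : 80;
    $hostPort = strtolower($p['host'])
              . (isset($p['port']) && $p['port'] !== $default ? ':' . $p['port'] : '');
    if (!in_array($hostPort, array_map('strtolower', $allowedHosts), true)) {
        throw new InvalidArgumentException('Redirect target not in the allow list');
    }
    return $clean;
}

// Sends the 302 while headers can still be sent; always returns the fallback
// page, which redirects through <meta refresh> instead of an onload script.
function redirectHardened(string $url, array $allowedHosts): string
{
    $safe = sanitizeRedirectUrl($url, $allowedHosts);
    if (!headers_sent()) {
        header('Location: ' . $safe, true, 302);
    }
    $esc = htmlspecialchars($safe, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<!DOCTYPE html><html><head>'
         . '<meta http-equiv="refresh" content="0;url=' . $esc . '">'
         . '</head><body><a href="' . $esc . '">Continue</a></body></html>';
}

$allowed = ['sso.example.org', 'app.example.org:8443'];
// Constructed attack input: a NUL byte, then a payload that would break out
// of the single-quoted JavaScript string in redirectVulnerable().
$evil = "https://sso.example.org/\0'; alert(document.cookie); '";
echo redirectHardened($evil, $allowed), PHP_EOL;
```

With the constructed input the control bytes and spaces are stripped, the host passes the allow list, and the remaining quotes and parentheses reach the page only HTML-escaped inside an attribute, where they are inert. Two design points: the meta refresh `content` deliberately does not quote the URL, because the refresh parser stops at a matching quote and a quote inside the URL would truncate it; and the allow-list comparison is done on the parsed host, so `https://sso.example.org@evil.example/` is rejected because its host is `evil.example`.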
  - Jaime Pérez authored
    Both SimpleSAML_SessionHandlerPHP::setCookie() and SimpleSAML\Utils\HTTP::setCookie() throw the SimpleSAML\Error\CannotSetCookie exception. Depending on why the error was generated, set the error code in the exception accordingly.
- Jul 02, 2016
  - Jaime Pérez authored
    Make the SimpleSAML\Utils\HTTP::setCookie() method throw the new SimpleSAML\Error\CannotSetCookie exception.
  - Jaime Pérez authored
- Jun 27, 2016
  - Jaime Pérez authored
    Recent commits have introduced a new way to obtain the self URL, honouring whatever is specified in 'baseurlpath'. However, this new code breaks when accessing SimpleSAMLphp through a path containing symbolic links in the file system, since the base directory refers always to the real path while the $_SERVER contents reflect what the web server sees (symlinks included). We use realpath() to convert a path with symlinks to a canonical path that we can compare.
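An added example, not SimpleSAMLphp's code, of the decision described in this commit and in the Aug 22, Jul 15 and Jul 05 entries below: canonicalize the installation directory and the running script with realpath() (symlinks) and a single separator (Windows), check whether the script lives under `www`, and then check that the request URI actually contains the script's relative path (the AuthMemCookie case). The function name `shouldEnforceBaseUrl()` is hypothetical; the demonstration builds a throwaway directory tree under the system temp directory and reaches it through a symlink.

```php
<?php
declare(strict_types=1);

/**
 * True when the running script is one of our own (under $baseDir/www) and is
 * requested under its own path; only then may the configured base URL be
 * enforced when building the current URL. Hypothetical helper.
 *
 * @param string $baseDir        installation directory, may contain symlinks
 * @param string $scriptFilename $_SERVER['SCRIPT_FILENAME']
 * @param string $requestUri     $_SERVER['REQUEST_URI']
 */
function shouldEnforceBaseUrl(string $baseDir, string $scriptFilename, string $requestUri): bool
{
    // Canonicalize both sides first: resolve symlinks (realpath) and use '/'
    // as separator even on Windows, so a plain string comparison is valid.
    $www    = realpath(rtrim($baseDir, '/\\') . DIRECTORY_SEPARATOR . 'www');
    $script = realpath($scriptFilename);
    if ($www === false || $script === false) {
        return false;
    }
    $www    = str_replace('\\', '/', $www) . '/';
    $script = str_replace('\\', '/', $script);

    // A third-party script calling our API (e.g. requireAuth()): its URL is
    // whatever it is, never rewrite it.
    if (strncmp($script, $www, strlen($www)) !== 0) {
        return false;
    }

    // Our script, but reached through a URL that does not contain its
    // relative path (AuthMemCookie: Apache runs our script for any protected
    // URL). A guess would be wrong, so do not enforce the base URL either.
    $relative = '/' . substr($script, strlen($www));
    $path = parse_url($requestUri, PHP_URL_PATH);
    return is_string($path) && strpos($path, $relative) !== false;
}

// Demonstration on a constructed tree whose install directory is a symlink,
// the situation that broke the first version of this check.
$real = sys_get_temp_dir() . '/ssp-real-' . getmypid();
$link = sys_get_temp_dir() . '/ssp-link-' . getmypid();
mkdir($real . '/www', 0700, true);
touch($real . '/www/module.php');
symlink($real, $link);

$script = $link . '/www/module.php';   // path as a web server would report it
var_dump(shouldEnforceBaseUrl($link, $script, '/simplesaml/module.php/core/loginuserpass.php'));
var_dump(shouldEnforceBaseUrl($link, $script, '/protected/area/page.html'));
var_dump(shouldEnforceBaseUrl($link, __FILE__, '/app/index.php'));

unlink($link);
unlink($real . '/www/module.php');
rmdir($real . '/www');
rmdir($real);
```

The three calls answer true (our script under its own path), false (our script run for an unrelated protected URL) and false (a script outside the installation). Comparing `$script` against `$www` only after realpath() on both is the whole point: comparing the symlinked path reported by the web server with the resolved base directory never matches, which is the failure this commit fixes.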
- Jun 08, 2016
  - Jaime Perez Crespo authored
  - Jaime Perez Crespo authored
    Fix build. There was a bug in SimpleSAML\Utils\HTTP::parseQueryString() that was producing an empty parameter with an empty value when the query string was empty.
  - Jaime Perez Crespo authored
    Change the implementation of SimpleSAML\Utils\HTTP::getSelfURL() and getSelfURLNoQuery() to honor the 'baseurlpath' configuration option instead of simply using the environment. They were actually broken since they were using it to build the scheme, host and port, but completely ignoring the path, rendering wrong URLs in between what was configured in 'baseurlpath' and the real information in the environment. This resolves #396, but also affects #5. The changes to getSelfURLNoQuery() in #391 are unnecessary now, since we are now basically getting the full URL and removing the query afterwards.
- Jun 07, 2016
  - Jaime Perez Crespo authored
  - Jaime Perez Crespo authored
    Be graceful with the 'baseurlpath' configuration option. We should not fail when the trailing slash is missing, just add it.
- Jun 03, 2016
  - Jaime Perez Crespo authored
    Fix an issue with some PHP environments (mostly related to FastCGI or php-fpm, common with nginx) where $_SERVER['SCRIPT_NAME'] is already populated with $_SERVER['PATH_INFO'] appended to it. In those cases, we should not blindly append PATH_INFO to SCRIPT_NAME, but check the latter first. This hopefully resolves #5 and closes #391.
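An added example, not SimpleSAMLphp's implementation, of the path side of self-URL building discussed in this commit and in the Jun 07 and Jun 08 entries above: PATH_INFO is appended to SCRIPT_NAME only when SCRIPT_NAME does not already end with it (the php-fpm case), a 'baseurlpath' without its trailing slash is tolerated, and the prefix under which the web server exposes the `www` directory is swapped for the configured base path. `requestPathFromServer()`, `normalizeBaseUrlPath()`, `selfPathHonoringBase()` and the `$wwwPrefix` parameter are hypothetical; scheme and host handling is left out.

```php
<?php
declare(strict_types=1);

/**
 * Path plus query of the current request as the web server reports it.
 * Under FastCGI/php-fpm some setups already deliver SCRIPT_NAME with
 * PATH_INFO appended, so PATH_INFO is only added when it is not there yet.
 */
function requestPathFromServer(array $server): string
{
    $scriptName = $server['SCRIPT_NAME'] ?? '';
    $pathInfo   = $server['PATH_INFO'] ?? '';
    if ($pathInfo !== '' && substr($scriptName, -strlen($pathInfo)) !== $pathInfo) {
        $scriptName .= $pathInfo;
    }
    $query = $server['QUERY_STRING'] ?? '';
    return $query === '' ? $scriptName : $scriptName . '?' . $query;
}

/** Be graceful with a missing leading or trailing slash in 'baseurlpath'. */
function normalizeBaseUrlPath(string $baseurlpath): string
{
    if ($baseurlpath === '') {
        return '/';
    }
    if (preg_match('#^[a-z][a-z0-9+.-]*://#i', $baseurlpath)) {
        return rtrim($baseurlpath, '/') . '/';   // full URL: keep scheme and host
    }
    return '/' . trim($baseurlpath, '/') . '/';
}

/**
 * Replace the prefix under which the web server exposes our 'www' directory
 * ($wwwPrefix, e.g. '/simplesaml/') by the configured base path, keeping
 * everything below it (script, PATH_INFO, query).
 */
function selfPathHonoringBase(string $baseurlpath, string $wwwPrefix, array $server): string
{
    $base      = normalizeBaseUrlPath($baseurlpath);
    $wwwPrefix = '/' . trim($wwwPrefix, '/') . '/';
    $path      = requestPathFromServer($server);
    if (strncmp($path, $wwwPrefix, strlen($wwwPrefix)) !== 0) {
        throw new RuntimeException('Request path is not below the www prefix');
    }
    return $base . substr($path, strlen($wwwPrefix));
}

// Constructed php-fpm style environment: SCRIPT_NAME already carries PATH_INFO.
$fpm = [
    'SCRIPT_NAME'  => '/simplesaml/module.php/core/loginuserpass.php',
    'PATH_INFO'    => '/core/loginuserpass.php',
    'QUERY_STRING' => 'AuthState=abc',
];
// Constructed mod_php style environment for the same request.
$apache = [
    'SCRIPT_NAME'  => '/simplesaml/module.php',
    'PATH_INFO'    => '/core/loginuserpass.php',
    'QUERY_STRING' => 'AuthState=abc',
];
foreach ([$fpm, $apache] as $env) {
    // 'sso/idp' deliberately lacks both slashes; it is normalized to '/sso/idp/'.
    echo selfPathHonoringBase('sso/idp', '/simplesaml/', $env), PHP_EOL;
}
```

Both environments produce `/sso/idp/module.php/core/loginuserpass.php?AuthState=abc`; without the suffix check, the php-fpm environment would yield the doubled path `/simplesaml/module.php/core/loginuserpass.php/core/loginuserpass.php`.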
- Jun 02, 2016
  - Jon Dufresne authored
    Fixes #379
- Apr 20, 2016
  - Jaime Perez Crespo authored
    Start using the new configuration exceptions, handling error situations that before led to blank pages or even worse.
- Apr 19, 2016
  - Jaime Perez Crespo authored
    If $_SERVER does not contain the variables we need (i.e. when running tests) it makes no sense at all to try to guess the root URI, since there's no such thing, probably.
- Apr 18, 2016
  - Jaime Perez Crespo authored
- Mar 03, 2016
  - Jaime Perez Crespo authored
    Fix a couple of formatting issues in SimpleSAML\Utils\HTTP. Start using SimpleSAML\Module and SimpleSAML\Logger in there.
  - Jaime Perez Crespo authored
    Fix build for older PHP versions that don't allow passing return values as a reference to a function.
  - Jaime Perez Crespo authored
    Bugfix: there's a couple of places in SimpleSAML\Utils\HTTP where we should use the host AND port if the latter is not the default one, but we are only using the host. This is the case for evaluating the 'trusted.url.domains' configuration option (we should allow the host and port we are reachable in, but not other ports in the same host) and the method that returns the host with path, which should include the port if that's not standard (the documentation of the method already says so).
  - Jaime Perez Crespo authored
    Rename Utils\HTTP::getSelfHostWithoutPort() to Utils\HTTP::getSelfHostWithNonStandardPort(), change the logic, and reimplement Utils\HTTP::getSelfHost() to depend on the former. Complete the tests to include the case of port 443 while using HTTPS.
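An added example, not SimpleSAMLphp's code, of the port handling that the two commits above, the Jan 16, 2017 entry and the Oct 16, 2017 entry all revolve around: the request host is reported with its port only when that port is not the scheme's default, trusted-domain entries are normalized the same way, and a redirect target is accepted for "ourselves" only on the port we are actually reachable on. `selfHostWithNonStandardPort()`, `normalizeHostPort()` and `isTrustedRedirectHost()` are hypothetical names, and the `$server` arrays are constructed stand-ins for `$_SERVER`.

```php
<?php
declare(strict_types=1);

/**
 * Host the request was addressed to, with the port appended only when it is
 * not the default for the scheme (80 for http, 443 for https). Two URLs that
 * differ only by an explicit default port then compare equal.
 */
function selfHostWithNonStandardPort(array $server): string
{
    $https = isset($server['HTTPS']) && $server['HTTPS'] !== '' && $server['HTTPS'] !== 'off';
    $host  = $server['HTTP_HOST'] ?? ($server['SERVER_NAME'] ?? 'localhost');
    $port  = null;

    // HTTP_HOST may carry a port ("example.org:8443"). IPv6 literals are
    // bracketed ("[::1]:8443"), so only split when the left side is not a
    // bare IPv6 address.
    if (preg_match('/^(.*):(\d+)$/', $host, $m)
        && (strpos($m[1], ':') === false || substr($m[1], -1) === ']')) {
        $host = $m[1];
        $port = (int) $m[2];
    } elseif (isset($server['SERVER_PORT'])) {
        $port = (int) $server['SERVER_PORT'];   // behind a proxy this may be wrong
    }
    $default = $https ? 443 : 80;
    $host    = strtolower($host);
    return ($port === null || $port === $default) ? $host : $host . ':' . $port;
}

/**
 * Normalize a trusted-domain entry the same way, so "example.org:443" on
 * HTTPS means "example.org" while a non-standard port stays explicit.
 */
function normalizeHostPort(string $entry, bool $https): string
{
    $default = $https ? 443 : 80;
    if (preg_match('/^(.*):(\d+)$/', $entry, $m)
        && (strpos($m[1], ':') === false || substr($m[1], -1) === ']')) {
        return strtolower($m[1]) . ((int) $m[2] === $default ? '' : ':' . $m[2]);
    }
    return strtolower($entry);
}

/** Is $url allowed as a redirect target: ourselves (same host and port) or listed? */
function isTrustedRedirectHost(string $url, array $trustedDomains, array $server): bool
{
    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host'])) {
        return false;
    }
    $https  = strtolower($p['scheme']) === 'https';
    $target = strtolower($p['host']);
    if (isset($p['port']) && $p['port'] !== ($https ? 443 : 80)) {
        $target .= ':' . $p['port'];
    }
    $trusted = array_map(function (string $e) use ($https): string {
        return normalizeHostPort($e, $https);
    }, $trustedDomains);
    return $target === selfHostWithNonStandardPort($server) || in_array($target, $trusted, true);
}

// Constructed environments: the same host reachable on 443 and on 8443.
$std = ['HTTPS' => 'on', 'HTTP_HOST' => 'sso.example.org:443',  'SERVER_PORT' => '443'];
$odd = ['HTTPS' => 'on', 'HTTP_HOST' => 'sso.example.org:8443', 'SERVER_PORT' => '8443'];
$trusted = ['app.example.org', 'app.example.org:8443'];

var_dump(selfHostWithNonStandardPort($std));
var_dump(selfHostWithNonStandardPort($odd));
var_dump(isTrustedRedirectHost('https://sso.example.org:443/x',  $trusted, $std));
var_dump(isTrustedRedirectHost('https://sso.example.org:8443/x', $trusted, $std));
var_dump(isTrustedRedirectHost('https://app.example.org:8443/x', $trusted, $std));
var_dump(isTrustedRedirectHost('https://app.example.org:9443/x', $trusted, $std));
```

The calls give `sso.example.org`, `sso.example.org:8443`, true (ourselves, explicit default port collapses), false (ourselves but on a port we are not serving on), true (listed with its non-standard port) and false (same host, unlisted port). The fallback to SERVER_PORT is the reverse-proxy caveat raised in the Jul 15, 2016 entry: the backend may see a port the user never uses, which is why a configured canonical base URL is preferable to guessing.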
- Mar 02, 2016
  - Andrés Blanco authored
- Jan 19, 2016
  - Tim van Dijen authored
    Don't gather the proxy.auth setting if we don't use it
- Jan 15, 2016
  - restena-sw authored
  - restena-sw authored
- Nov 06, 2015
  - Jaime Perez Crespo authored
  - Jaime Perez Crespo authored
    (being respectful with occurrences that might change the behaviour, i.e. default database prefixes)
- Oct 21, 2015
  - Jaime Perez Crespo authored
- Jun 03, 2015
  - Enrico Cavalli authored
    Raise InvalidArgumentException if $retryURL is not a string AND is not null
- Apr 23, 2015
  - Jaime Perez Crespo authored
    Use InvalidArgumentException instead of SimpleSAML_Error_Exception when dealing with wrong input parameters.
  - Jaime Perez Crespo authored
    Move SimpleSAML_Utilities::checkCookie() to SimpleSAML\Utils\HTTP::checkSessionCookie() and deprecate the former.