  1. Oct 16, 2017
  2. Oct 10, 2017
    • bugfix: Make sure no JS code can be injected into redirected URLs · 5f074e97
      Jaime Pérez Crespo authored
      In order to fix this, we first sanitize any URL given to SimpleSAML\Utils\HTTP::checkURLAllowed() so that we make sure we have a true URL without spurious characters. Secondly, we stop using an "onload" event in the body of the redirect page to trigger the redirect automatically. Instead, we use a "meta refresh" redirection.
      
      This double remediation is because there were two issues here: one, we were printing user input inside a chunk of javascript code. The other exploits the fact that the header() function silently breaks when a null character is part of the URL given to a "Location" header. In that case, the HTTP 302 Redirection doesn't happen, and then the browser loads the HTML and goes through it, running the injected javascript.
      
      This fixes #699.
  3. Sep 07, 2017
    • Add a new method SimpleSAML\Auth\getProcessedURL(). · 918a1fb4
      Jaime Pérez Crespo authored
      This method allows us to parse a URL and "rebase" it based on the $config['application']['baseURL'] configuration option. Thanks to this, applications will be able to configure a canonical base URL for the application, effectively translating any URL that might be built incorrectly (e.g. not using HTTPS because that is offloaded to a reverse proxy).
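      The rebasing idea described in this commit, as an added example written for this page; it is not SimpleSAMLphp's getProcessedURL() and the function name, parameters and sample URLs are this example's own. It assumes the caller knows the base URL as the server sees it (scheme and port deliberately ignored, because a wrong scheme is what needs repairing) and rewrites only URLs under that base onto the canonical one:

```php
<?php
// Added example, not SimpleSAMLphp code: rewrite a URL built from the server's
// own view of the request (wrong scheme or an internal host behind a
// TLS-offloading reverse proxy) onto a canonical base URL such as the one
// configured in $config['application']['baseURL'].

/**
 * @param string $url           URL as the application built it
 * @param string $selfBase      base URL as the server sees it (scheme/port ignored)
 * @param string $canonicalBase base URL the outside world should use
 */
function rebaseURL(string $url, string $selfBase, string $canonicalBase): string
{
    $u = parse_url($url);
    $s = parse_url($selfBase);
    if ($u === false || $s === false || !isset($u['host'], $u['path'], $s['host'], $s['path'])) {
        return $url;
    }

    // Only URLs under our own base are rewritten. Host comparison is
    // case-insensitive; a remote SP's or IdP's endpoint is returned untouched.
    $basePath = rtrim($s['path'], '/') . '/';
    if (strcasecmp($u['host'], $s['host']) !== 0
        || strncmp($u['path'], $basePath, strlen($basePath)) !== 0
    ) {
        return $url;
    }

    // Keep everything below the base: path remainder, query and fragment.
    $rest = substr($u['path'], strlen($basePath));
    if (isset($u['query'])) {
        $rest .= '?' . $u['query'];
    }
    if (isset($u['fragment'])) {
        $rest .= '#' . $u['fragment'];
    }
    return rtrim($canonicalBase, '/') . '/' . $rest;
}

// Constructed inputs: the service runs as http://ssp-backend:8080/simplesaml/
// behind a proxy that terminates TLS for https://sso.example.org/.
$selfBase  = 'http://ssp-backend:8080/simplesaml/';
$canonical = 'https://sso.example.org/simplesaml/';
$built     = 'http://ssp-backend:8080/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp?foo=1#x';

echo rebaseURL($built, $selfBase, $canonical), "\n";                        // rebased onto the canonical base
echo rebaseURL('https://idp.example.net/saml2/SSO', $selfBase, $canonical), "\n"; // not ours: unchanged
```

      Note that a URL equal to the base but without the trailing slash does not match $basePath and is left unchanged; callers that build such URLs should normalise them first.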
  4. Sep 01, 2017
  5. Mar 30, 2017
  6. Jan 19, 2017
  7. Jan 16, 2017
  8. Aug 22, 2016
    • bugfix: Do not try to apply SSP's base URL if REQUEST_URI does not match. · 2155d1ec
      Jaime Pérez authored
      It is possible that the current script ($_SERVER['SCRIPT_FILENAME']) is inside SimpleSAMLphp's 'www' directory. However, even if that's the case, we should not enforce our base URL (as set in the 'baseurlpath' configuration option) if the request URI ($_SERVER['REQUEST_URI']) does not contain the relative path to the script. This is the case with AuthMemCookie, for example, where accessing a random URL protected by Apache leads to the execution of a SimpleSAMLphp script, where SimpleSAML\Utils\HTTP::getSelfURL() must not try to be smart when guessing the current URL.
  9. Jul 15, 2016
    • bugfix: Restore the capability to get our self URL when invoked from a third-party script. · e8ee8c83
      Jaime Pérez authored
      Recent fixes for URL guessing and building addressed bugs in the code that were preventing the 'baseurlpath' from being used properly. However, they introduced a new issue, as the code was assuming the current URL would always point to a SimpleSAMLphp script. This is not always true, of course, as any script can invoke our API and end up trying to get its own URL (for example, when calling requireAuth()).
      
      In order to fix this, we monitor mismatches between SimpleSAMLphp's installation path and the absolute, real path to the current script. When there's a mismatch, it means we are running a third-party script outside SimpleSAMLphp, and therefore we should NOT enforce 'baseurlpath'. This introduces an additional issue, as applications behind a reverse proxy may make it hard to guess the right URL (we will use the URL as seen by SimpleSAMLphp in the server, which is not necessarily the same as the user sees with a reverse proxy in between). For the moment, we'll leave the responsibility to sort that issue out to implementors. It might be a good idea to add a page to the wiki explaining how to do this.
      
      This resolves #418.
  10. Jul 05, 2016
    • bugfix: Restore support for windows machines. · 93793d93
      Jaime Pérez authored
      Due to recent changes to fix the way we were building URLs (mixing the 'baseurlpath' configuration option with the current URL, see #396), we introduced another bug by assuming file paths will always use slashes ('/'), which obviously is not true in Windows machines. This commit fixes SimpleSAML_Configuration::getBaseDir() and SimpleSAML\Utils\HTTP::getSelfURL() to take that into account.
      
      This closes #414.
  11. Jul 04, 2016
    • Enhance redirections and make them more resilient. · 3f2621e3
      Jaime Pérez authored
      Currently, if headers have already been sent, a redirection will fail and generate errors in the error log. The user will be presented with a page containing a link that he or she will need to click on. By checking if headers have already been sent we can avoid errors, and by adding a simple JavaScript snippet to the "onload" event in the body of the page we can still redirect automatically. That way, users will only get to see the page when headers have already been sent and they have JavaScript disabled.
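      The two commits on redirection above (3f2621e3, which added the fallback page for when headers have already been sent, and 5f074e97, which sanitised the URL and replaced the "onload" JavaScript with a meta refresh) together describe one redirect routine. The following is an added example written for this page, not SimpleSAMLphp's own code: it refuses any URL containing a control character (a NUL byte is what made header() fail silently, so the browser would then render the page), and the fallback page puts the target only in escaped HTML attributes, never inside script. The function names, the injectable $headersSent flag and the sample URLs are this example's own assumptions.

```php
<?php
// Added example; not SimpleSAMLphp's redirect code.

/**
 * Return $url unchanged if it is a clean absolute http(s) URL, otherwise throw.
 * Control characters (NUL, CR, LF, ...) are rejected outright rather than
 * stripped, so a crafted value cannot be "repaired" into something that still
 * reaches the browser, and schemes such as javascript: are never accepted.
 */
function assertCleanURL(string $url): string
{
    if (preg_match('/[\x00-\x1F\x7F]/', $url) === 1) {
        throw new InvalidArgumentException('URL contains a control character');
    }
    $parts = parse_url($url);
    if ($parts === false
        || !isset($parts['scheme'], $parts['host'])
        || !in_array(strtolower($parts['scheme']), ['http', 'https'], true)
    ) {
        throw new InvalidArgumentException('URL is not an absolute http(s) URL');
    }
    return $url;
}

/**
 * Fallback page used when a 302 can no longer be sent: a meta refresh plus a
 * plain link. The target is HTML-escaped and appears only in attribute values,
 * never inside <script> or an onload handler, so there is no JavaScript
 * context for user input to break out of.
 */
function redirectPageHTML(string $url): string
{
    $escaped = htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<!DOCTYPE html>\n<html><head><meta charset=\"utf-8\">\n"
        . "<meta http-equiv=\"refresh\" content=\"0;url={$escaped}\">\n"
        . "<title>Redirecting</title></head>\n"
        . "<body><p>Continue to <a href=\"{$escaped}\">{$escaped}</a></p></body></html>\n";
}

/**
 * Send a 302 while headers can still be sent; otherwise return the fallback
 * page for the caller to echo. $headersSent can be forced so the function is
 * exercisable from the CLI (an assumption of this demo, not a real API).
 */
function redirect(string $url, ?bool $headersSent = null): string
{
    $url = assertCleanURL($url);
    if ($headersSent ?? headers_sent()) {
        return redirectPageHTML($url);
    }
    header('Location: ' . $url, true, 302);
    return '';
}

// Constructed inputs for a CLI run. The first one carries a NUL byte followed
// by a script fragment; it must be rejected before any output is produced.
$attack = "https://sp.example.org/acs\0'); alert(document.cookie); //";
try {
    redirect($attack, true);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
echo redirect('https://sp.example.org/acs?RelayState=%2Fapp&x=<b>', true);
```

      The refresh URL is written unquoted on purpose: with a quoted form, a target containing a quote character would be cut short by the browser's meta-refresh parser, whereas the unquoted form takes the rest of the attribute value as the URL.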
    • Start using the error codes in SimpleSAML\Error\CannotSetCookie. · f50f0297
      Jaime Pérez authored
      Both SimpleSAML_SessionHandlerPHP::setCookie() and SimpleSAML\Utils\HTTP::setCookie() throw the SimpleSAML\Error\CannotSetCookie exception. Depending on why the error was generated, set the error code in the exception accordingly.
  12. Jul 02, 2016
  13. Jun 27, 2016
    • bugfix: Resolve issue with incorrect self URL when using symlinks. · c72b6203
      Jaime Pérez authored
      Recent commits have introduced a new way to obtain the self URL, honouring whatever is specified in 'baseurlpath'. However, this new code breaks when accessing SimpleSAMLphp through a path containing symbolic links in the file system, since the base directory refers always to the real path while the $_SERVER contents reflect what the web server sees (symlinks included). We use realpath() to convert a path with symlinks to a canonical path that we can compare.
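      The self-URL guessing rules spread over the commits above (2155d1ec: do not enforce 'baseurlpath' when REQUEST_URI lacks the script's relative path; e8ee8c83: do not enforce it for a script outside the installation; 93793d93: Windows path separators; c72b6203: realpath() for symlinked installs) fit in one decision function. The following is an added example written for this page, not SimpleSAMLphp's HTTP::getSelfURL(); the function names, the $_SERVER samples and the assumption that the caller passes the www directory and the 'baseurlpath' value explicitly are this example's own.

```php
<?php
// Added example, not SimpleSAMLphp code: decide whether 'baseurlpath' may be
// enforced on the current request, and build the self URL accordingly.

/**
 * Canonical path for comparisons. realpath() resolves symlinks but returns
 * false for paths that do not exist (as in this offline demo), in which case
 * the raw string is used; backslashes become slashes either way so that
 * Windows paths compare like POSIX ones.
 */
function canonicalPath(string $path): string
{
    $real = realpath($path);
    return str_replace('\\', '/', $real === false ? $path : $real);
}

/**
 * @param array  $server      SCRIPT_FILENAME, REQUEST_URI, HTTP_HOST, HTTPS
 * @param string $wwwDir      the installation's www directory on disk
 * @param string $baseURLPath the 'baseurlpath' option (absolute URL or a path)
 */
function guessSelfURL(array $server, string $wwwDir, string $baseURLPath): string
{
    $scheme = (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off') ? 'https' : 'http';
    $asSeen = $scheme . '://' . $server['HTTP_HOST'] . $server['REQUEST_URI'];

    $script = canonicalPath($server['SCRIPT_FILENAME']);
    $www    = rtrim(canonicalPath($wwwDir), '/') . '/';

    // Script outside our www directory: a third-party script called our API,
    // so 'baseurlpath' must not be enforced; report the URL as the server saw it.
    if (strncmp($script, $www, strlen($www)) !== 0) {
        return $asSeen;
    }

    // Script is ours, but the request URI does not contain its relative path
    // (e.g. AuthMemCookie protecting an arbitrary URL): do not guess either.
    $relative = substr($script, strlen($www));               // e.g. "module.php"
    $pattern  = '#/' . preg_quote($relative, '#') . '(?=[/?]|$)#';
    if (preg_match($pattern, $server['REQUEST_URI'], $m, PREG_OFFSET_CAPTURE) !== 1) {
        return $asSeen;
    }

    // Everything up to the script's relative path is replaced by 'baseurlpath'.
    $base = rtrim($baseURLPath, '/') . '/';
    if (strpos($base, '://') === false) {                    // relative option: keep the host
        $base = $scheme . '://' . $server['HTTP_HOST'] . '/' . ltrim($base, '/');
    }
    return $base . substr($server['REQUEST_URI'], $m[0][1] + 1);
}

// Constructed requests; none of these paths need to exist for the demo.
$wwwDir = '/var/www/simplesamlphp/www';
$base   = 'https://sso.example.org/simplesaml/';

$normal = ['HTTPS' => 'on', 'HTTP_HOST' => 'sso.example.org',
    'SCRIPT_FILENAME' => '/var/www/simplesamlphp/www/module.php',
    'REQUEST_URI' => '/idp/module.php/core/frontpage_welcome.php?x=1'];
$memcookie = ['HTTPS' => 'on', 'HTTP_HOST' => 'app.example.org',
    'SCRIPT_FILENAME' => '/var/www/simplesamlphp/www/authmemcookie.php',
    'REQUEST_URI' => '/protected/report.php'];
$thirdParty = ['HTTPS' => '', 'HTTP_HOST' => 'app.example.org',
    'SCRIPT_FILENAME' => '/var/www/app/index.php',
    'REQUEST_URI' => '/index.php?page=1'];
$windows = ['HTTPS' => 'on', 'HTTP_HOST' => 'sso.example.org',
    'SCRIPT_FILENAME' => 'C:\\inetpub\\simplesamlphp\\www\\module.php',
    'REQUEST_URI' => '/simplesaml/module.php/core/loginuserpass.php'];

echo guessSelfURL($normal, $wwwDir, $base), "\n";      // rebased onto 'baseurlpath'
echo guessSelfURL($memcookie, $wwwDir, $base), "\n";   // left as the server saw it
echo guessSelfURL($thirdParty, $wwwDir, $base), "\n";  // left as the server saw it
echo guessSelfURL($windows, 'C:\\inetpub\\simplesamlphp\\www', $base), "\n";
```

      In a real request SCRIPT_FILENAME exists on disk, so realpath() resolves any symlink in the served path before the comparison with the www directory; that is the case the commit about symlinks describes and it cannot be reproduced with the constructed paths above. The third-party and AuthMemCookie branches return the URL as the server saw it, which behind a reverse proxy may differ from what the user sees, exactly the caveat stated in e8ee8c83.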
  14. Jun 08, 2016
  15. Jun 07, 2016
  16. Jun 03, 2016
  17. Jun 02, 2016
  18. Apr 20, 2016
  19. Apr 19, 2016
  20. Apr 18, 2016
  21. Mar 03, 2016
  22. Mar 02, 2016
  23. Jan 19, 2016
  24. Jan 15, 2016
  25. Nov 06, 2015
  26. Oct 21, 2015
  27. Jun 03, 2015
  28. Apr 23, 2015