public static checkURLAllowed ( string $url, array $trustedSites = null ) : string | ||
$url | string | The URL to check. |
$trustedSites | array | An optional white list of domains. If none specified, the 'trusted.url.domains' configuration directive will be used. |
Résultat | string | The normalized URL itself if it is allowed. An empty string if the $url parameter is empty as defined by the empty() function. |
public static function checkURLAllowed($url, array $trustedSites = null)
{
if (empty($url)) {
return '';
}
$url = self::normalizeURL($url);
// get the white list of domains
if ($trustedSites === null) {
$trustedSites = \SimpleSAML_Configuration::getInstance()->getValue('trusted.url.domains', array());
}
// validates the URL's host is among those allowed
if (is_array($trustedSites)) {
assert(is_array($trustedSites));
preg_match('@^https?://([^/]+)@i', $url, $matches);
$hostname = $matches[1];
$self_host = self::getSelfHostWithNonStandardPort();
$trustedRegex = \SimpleSAML_Configuration::getInstance()->getValue('trusted.url.regex', false);
$trusted = false;
if ($trustedRegex) {
// add self host to the white list
$trustedSites[] = preg_quote($self_host);
foreach ($trustedSites as $regex) {
// Add start and end delimiters.
$regex = "@^{$regex}\$@";
if (preg_match($regex, $hostname)) {
$trusted = true;
break;
}
}
} else {
// add self host to the white list
$trustedSites[] = $self_host;
$trusted = in_array($hostname, $trustedSites);
}
// throw exception due to redirection to untrusted site
if (!$trusted) {
throw new \SimpleSAML_Error_Exception('URL not allowed: ' . $url);
}
}
return $url;
}
<?php /** * This SAML 2.0 endpoint can receive incoming LogoutRequests. It will also send LogoutResponses, * and LogoutRequests and also receive LogoutResponses. It is implemeting SLO at the SAML 2.0 IdP. * * @author Andreas Åkre Solberg, UNINETT AS. <*****@*****.**> * @package SimpleSAMLphp */ require_once '../../_include.php'; SimpleSAML\Logger::info('SAML2.0 - IdP.SingleLogoutService: Accessing SAML 2.0 IdP endpoint SingleLogoutService'); $metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler(); $idpEntityId = $metadata->getMetaDataCurrentEntityID('saml20-idp-hosted'); $idp = SimpleSAML_IdP::getById('saml2:' . $idpEntityId); if (isset($_REQUEST['ReturnTo'])) { $idp->doLogoutRedirect(\SimpleSAML\Utils\HTTP::checkURLAllowed((string) $_REQUEST['ReturnTo'])); } else { try { sspmod_saml_IdP_SAML2::receiveLogoutMessage($idp); } catch (Exception $e) { // TODO: look for a specific exception /* * This is dirty. Instead of checking the message of the exception, \SAML2\Binding::getCurrentBinding() should * throw an specific exception when the binding is unknown, and we should capture that here */ if ($e->getMessage() === 'Unable to find the current binding.') { throw new SimpleSAML_Error_Error('SLOSERVICEPARAMS', $e, 400); } else { throw $e; // do not ignore other exceptions! }