SimpleSAML\Utils\HTTP::checkURLAllowed PHP Method

checkURLAllowed() public static method

Check if a URL is valid and is in our list of allowed URLs.
Author: Jaime Perez, UNINETT AS ([email protected])
public static checkURLAllowed ( string $url, array $trustedSites = null ) : string
$url string The URL to check.
$trustedSites array An optional white list of domains. If none specified, the 'trusted.url.domains' configuration directive will be used.
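return string The normalized URL itself if it is allowed. An empty string if the $url parameter is empty as defined by the empty() function. If the URL's host is not in the white list, a SimpleSAML_Error_Exception is thrown instead of returning.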
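    /**
     * Check that a URL may be used as a redirect target and return it in normalized form.
     *
     * The URL is normalized with self::normalizeURL() and the authority part of the result is compared
     * against a white list of hosts. The current host, as returned by
     * self::getSelfHostWithNonStandardPort(), is always appended to that list. When the
     * 'trusted.url.regex' option is enabled, every white list entry is treated as a regular expression
     * that must match the whole host; otherwise entries are compared for exact string equality.
     *
     * Security notes:
     * - If the white list is not an array (for instance the configuration option holds some other value),
     *   no host check is performed at all and the normalized URL is returned as is.
     * - A port written in the URL is part of the compared string, so "host:8443" needs its own entry.
     * - The comparison is case-sensitive; a host written in a different case is rejected.
     *
     * @param string     $url          The URL to check.
     * @param array|null $trustedSites An optional white list of domains. If none specified, the
     *                                 'trusted.url.domains' configuration directive will be used.
     *
     * @return string The normalized URL itself if it is allowed. An empty string if the $url parameter is
     *                empty as defined by the empty() function.
     * @throws \SimpleSAML_Error_Exception If the normalized URL is not an http(s) URL with a plain
     *                                     host[:port] authority, or if that host is not in the white list.
     */
    public static function checkURLAllowed($url, array $trustedSites = null)
    {
        if (empty($url)) {
            return '';
        }
        $url = self::normalizeURL($url);

        // get the white list of domains
        if ($trustedSites === null) {
            $trustedSites = \SimpleSAML_Configuration::getInstance()->getValue('trusted.url.domains', array());
        }

        // a white list that is not an array switches the host check off
        if (!is_array($trustedSites)) {
            return $url;
        }

        // Capture the authority only. Stopping at '?' and '#' as well as '/' keeps query and fragment text
        // out of the string that is compared with the white list, and a failed match is rejected
        // explicitly instead of reading an undefined $matches[1].
        // NOTE(review): the message below carries the caller-supplied URL; whatever renders it must escape it.
        if (!preg_match('@^https?://([^/?#]+)@i', $url, $matches)) {
            throw new \SimpleSAML_Error_Exception('URL not allowed: ' . $url);
        }
        $hostname = $matches[1];

        // Userinfo ("user@"), backslashes, whitespace and control characters have no place in a host that is
        // about to be trusted, and clients do not agree on how to interpret them: fail closed.
        if (preg_match('/[@\\\\\x00-\x20\x7f]/', $hostname)) {
            throw new \SimpleSAML_Error_Exception('URL not allowed: ' . $url);
        }

        $self_host = self::getSelfHostWithNonStandardPort();
        $trustedRegex = \SimpleSAML_Configuration::getInstance()->getValue('trusted.url.regex', false);
        $trusted = false;
        if ($trustedRegex) {
            // add self host to the white list, quoted for the '@' delimiter used below
            $trustedSites[] = preg_quote($self_host, '@');
            foreach ($trustedSites as $regex) {
                // Add start and end delimiters. The group makes both anchors apply to every alternative of
                // an entry such as "a|b", and the D modifier stops '$' from matching before a final newline.
                $regex = "@^(?:{$regex})\$@D";
                if (preg_match($regex, $hostname) === 1) {
                    $trusted = true;
                    break;
                }
            }
        } else {
            // add self host to the white list
            $trustedSites[] = $self_host;
            // strict comparison: numeric-looking strings must not be compared as numbers
            $trusted = in_array($hostname, $trustedSites, true);
        }

        // throw exception due to redirection to untrusted site
        if (!$trusted) {
            throw new \SimpleSAML_Error_Exception('URL not allowed: ' . $url);
        }

        return $url;
    }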

Usage Example

<?php

/**
 * This SAML 2.0 endpoint can receive incoming LogoutRequests. It will also send LogoutResponses,
 * and LogoutRequests and also receive LogoutResponses. It is implementing SLO at the SAML 2.0 IdP.
 *
 * @author Andreas Åkre Solberg, UNINETT AS. <*****@*****.**>
 * @package SimpleSAMLphp
 */
require_once '../../_include.php';
SimpleSAML\Logger::info('SAML2.0 - IdP.SingleLogoutService: Accessing SAML 2.0 IdP endpoint SingleLogoutService');
$metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
$idpEntityId = $metadata->getMetaDataCurrentEntityID('saml20-idp-hosted');
$idp = SimpleSAML_IdP::getById('saml2:' . $idpEntityId);
if (isset($_REQUEST['ReturnTo'])) {
    $idp->doLogoutRedirect(\SimpleSAML\Utils\HTTP::checkURLAllowed((string) $_REQUEST['ReturnTo']));
} else {
    try {
        sspmod_saml_IdP_SAML2::receiveLogoutMessage($idp);
    } catch (Exception $e) {
        // TODO: look for a specific exception
        /*
         * This is dirty. Instead of checking the message of the exception, \SAML2\Binding::getCurrentBinding() should
         * throw an specific exception when the binding is unknown, and we should capture that here
         */
        if ($e->getMessage() === 'Unable to find the current binding.') {
            throw new SimpleSAML_Error_Error('SLOSERVICEPARAMS', $e, 400);
        } else {
            throw $e;
            // do not ignore other exceptions!
        }