
Commit ad118607 authored by haemmer

It is now checked whether the Service Provider exists in metadata

parent f3c67c01
......@@ -90,14 +90,26 @@ if(isValidDSRequest()){
exit;
}
// Check return URL in DS request if checks are enabled
$returnURLOK = verifyReturnURL($_GET['entityID'], $returnURL);
if(!$returnURLOK){
// Show error
$message = sprintf(getLocalString('unverified_return_url'), htmlentities($returnURL), htmlentities($_GET['entityID']));
printError($message);
exit;
if (isset($enableDSReturnParamCheck) && $enableDSReturnParamCheck){
// Check SP
if(!isset($SProviders[$_GET['entityID']])){
// Show error
$message = sprintf(getLocalString('unknown_sp'), htmlentities($_GET['entityID']));
printError($message);
exit;
}
// Check return URL in DS request if checks are enabled
$returnURLOK = verifyReturnURL($_GET['entityID'], $returnURL);
if(!$returnURLOK){
// Show error
$message = sprintf(getLocalString('unverified_return_url'), htmlentities($returnURL), htmlentities($_GET['entityID']));
printError($message);
exit;
}
}
}
/*------------------------------------------------*/
......
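Review bot: The new unknown-SP rejection in the `// Check SP` block only runs inside the `isset($enableDSReturnParamCheck) && $enableDSReturnParamCheck` guard, so with that option unset or false an entityID that is absent from `$SProviders` is still accepted and the user is redirected to whatever return URL was supplied; that matches what the old verifyReturnURL did, but not the commit title's unconditional claim. If rejecting unknown SPs is meant to be independent of the return-URL check, the `if(!isset($SProviders[$_GET['entityID']])){ … }` block belongs before the flag guard with only the verifyReturnURL call left inside it; otherwise a comment such as `// Both the unknown-SP and the return-URL check are skipped when $enableDSReturnParamCheck is off` would make that dependency explicit. `$_GET['entityID']` is read four times in the new block; a single `$entityID = $_GET['entityID'];` before the guard would read more clearly. The enclosing `if(isValidDSRequest()){` starts before the hunk, so whether entityID is guaranteed to be present at this point cannot be confirmed from here.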
......@@ -395,23 +395,11 @@ function getIPAdressHint() {
}
return '-';
}
/******************************************************************************/
// Returns true if URL could be verified or if no check is necessary, false otherwise
function verifyReturnURL($entityID, $returnURL) {
global $SProviders, $enableDSReturnParamCheck, $useACURLsForReturnParamCheck;
// Skip check if is is deactivated
if (
!isset($enableDSReturnParamCheck)
|| !$enableDSReturnParamCheck
){
return true;
}
// SP is unknown, therefore return false
if (!isset($SProviders[$entityID])){
return false;
}
global $SProviders, $useACURLsForReturnParamCheck;
// If SP has a <idpdisc:DiscoveryResponse>, check return param
if (isset($SProviders[$entityID]['DSURL'])){
......@@ -419,7 +407,14 @@ function verifyReturnURL($entityID, $returnURL) {
}
// If fall back check is enabled, check return param
if ($useACURLsForReturnParamCheck){
if (isset($useACURLsForReturnParamCheck) && $useACURLsForReturnParamCheck){
// Return true if no assertion consumer URL is defined to check against
// Should never happend
if (!isset($SProviders[$entityID]['ACURL'])){
return false;
}
$returnURLHostName = getHostNameFromURI($returnURL);
foreach($SProviders[$entityID]['ACURL'] as $ACURL){
if (getHostNameFromURI($ACURL) == $returnURLHostName){
......
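Review bot: The comment added above the new ACURL guard says `// Return true if no assertion consumer URL is defined to check against`, but the guard returns false, which is the correct fail-closed behaviour for a return-URL check; the comment should describe that, e.g. `// Fail closed: without an AssertionConsumerService URL there is nothing to verify the return URL against`, and "happend" should be "happen". In the first hunk the early return on `$enableDSReturnParamCheck` and the unknown-SP check were removed from verifyReturnURL, so the function now verifies unconditionally and relies on its caller to gate on the option and to reject unknown SPs; the header comment `// Returns true if URL could be verified or if no check is necessary, false otherwise` is therefore stale and should read `// Returns true if the return URL could be verified against the SP's metadata, false otherwise; the caller decides whether the check is enabled`. Whether verifyReturnURL has other callers that relied on the old early return cannot be seen on this page. The function body continues past both hunks.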
......@@ -45,6 +45,7 @@ $langStrings['en'] = array (
'most_used' => 'Most often used Home Organisations',
'invalid_return_url' => 'The return URL <tt>\'%s\'</tt> is not a valid URL.',
'unverified_return_url' => 'The return URL <tt>\'%s\'</tt> could not be verified for Service Provider <tt>\'%s\'</tt>.',
'unknown_sp' => 'The Service Provider <tt>\'%s\'</tt> could not be found in metadata and is therefore unknown.',
);
......@@ -88,6 +89,7 @@ $langStrings['de'] = array (
'most_used' => 'Meist genutzte Home Organisationen',
'invalid_return_url' => 'Die return URL <tt>\'%s\'</tt> ist keine g&uuml;tige URL.',
'unverified_return_url' => 'Die return URL <tt>\'%s\'</tt> ist nicht g&uuml;tige f&uuml;r den Service Provider <tt>\'%s\'</tt>.',
'unknown_sp' => 'Der Service Provider <tt>\'%s\'</tt> konnte nicht in den Metadaten gefunden werden und ist deshalb unbekannt.',
);
......