Commit ad118607 authored by haemmer's avatar haemmer

It is now checked whether the Service Provider exists in metadata

parent f3c67c01
...@@ -90,14 +90,26 @@ if(isValidDSRequest()){ ...@@ -90,14 +90,26 @@ if(isValidDSRequest()){
exit; exit;
} }
// Check return URL in DS request if checks are enabled if (isset($enableDSReturnParamCheck) && $enableDSReturnParamCheck){
$returnURLOK = verifyReturnURL($_GET['entityID'], $returnURL); // Check SP
if(!$returnURLOK){ if(!isset($SProviders[$_GET['entityID']])){
// Show error // Show error
$message = sprintf(getLocalString('unverified_return_url'), htmlentities($returnURL), htmlentities($_GET['entityID'])); $message = sprintf(getLocalString('unknown_sp'), htmlentities($_GET['entityID']));
printError($message); printError($message);
exit; exit;
}
// Check return URL in DS request if checks are enabled
$returnURLOK = verifyReturnURL($_GET['entityID'], $returnURL);
if(!$returnURLOK){
// Show error
$message = sprintf(getLocalString('unverified_return_url'), htmlentities($returnURL), htmlentities($_GET['entityID']));
printError($message);
exit;
}
} }
} }
/*------------------------------------------------*/ /*------------------------------------------------*/
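Review bot: The new unknown-SP check at `if(!isset($SProviders[$_GET['entityID']])){` only runs inside `if (isset($enableDSReturnParamCheck) && $enableDSReturnParamCheck){`, so when the return-URL check is disabled a request naming an entityID that is absent from metadata passes through untouched. If the intent of the commit is that unknown Service Providers are always rejected, the isset test should be hoisted above that gate so it runs unconditionally. As written it reproduces the old behaviour of verifyReturnURL (which returned true when the check was disabled), so it may be deliberate, in which case a comment such as `// SP existence is only enforced together with the return-URL check` would make that explicit for the next reader. The enclosing `if(isValidDSRequest())` block starts before the hunk.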
......
...@@ -395,23 +395,11 @@ function getIPAdressHint() { ...@@ -395,23 +395,11 @@ function getIPAdressHint() {
} }
return '-'; return '-';
} }
/******************************************************************************/ /******************************************************************************/
// Returns true if URL could be verified or if no check is necessary, false otherwise // Returns true if URL could be verified or if no check is necessary, false otherwise
function verifyReturnURL($entityID, $returnURL) { function verifyReturnURL($entityID, $returnURL) {
global $SProviders, $enableDSReturnParamCheck, $useACURLsForReturnParamCheck; global $SProviders, $useACURLsForReturnParamCheck;
// Skip check if is is deactivated
if (
!isset($enableDSReturnParamCheck)
|| !$enableDSReturnParamCheck
){
return true;
}
// SP is unknown, therefore return false
if (!isset($SProviders[$entityID])){
return false;
}
// If SP has a <idpdisc:DiscoveryResponse>, check return param // If SP has a <idpdisc:DiscoveryResponse>, check return param
if (isset($SProviders[$entityID]['DSURL'])){ if (isset($SProviders[$entityID]['DSURL'])){
...@@ -419,7 +407,14 @@ function verifyReturnURL($entityID, $returnURL) { ...@@ -419,7 +407,14 @@ function verifyReturnURL($entityID, $returnURL) {
} }
// If fall back check is enabled, check return param // If fall back check is enabled, check return param
if ($useACURLsForReturnParamCheck){ if (isset($useACURLsForReturnParamCheck) && $useACURLsForReturnParamCheck){
// Return true if no assertion consumer URL is defined to check against
// Should never happend
if (!isset($SProviders[$entityID]['ACURL'])){
return false;
}
$returnURLHostName = getHostNameFromURI($returnURL); $returnURLHostName = getHostNameFromURI($returnURL);
foreach($SProviders[$entityID]['ACURL'] as $ACURL){ foreach($SProviders[$entityID]['ACURL'] as $ACURL){
if (getHostNameFromURI($ACURL) == $returnURLHostName){ if (getHostNameFromURI($ACURL) == $returnURLHostName){
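Review bot: The comment on the added guard says `// Return true if no assertion consumer URL is defined to check against` while the code directly below it does `return false;`, so comment and behaviour disagree; failing closed is the safer outcome for a return-URL check, so keep the `return false` and change the comment to `// Fail closed: no assertion consumer URL to check against (should never happen)`. Note also that the previous hunk removed the early `return true` for a disabled check from verifyReturnURL, so every caller now has to gate on `$enableDSReturnParamCheck` itself; any other call site not visible here would silently become strict. Since the hunk touches this loop, `getHostNameFromURI($ACURL) === $returnURLHostName` would be the strict comparison, though that line is unchanged context. verifyReturnURL's body continues outside the hunk.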
......
...@@ -45,6 +45,7 @@ $langStrings['en'] = array ( ...@@ -45,6 +45,7 @@ $langStrings['en'] = array (
'most_used' => 'Most often used Home Organisations', 'most_used' => 'Most often used Home Organisations',
'invalid_return_url' => 'The return URL <tt>\'%s\'</tt> is not a valid URL.', 'invalid_return_url' => 'The return URL <tt>\'%s\'</tt> is not a valid URL.',
'unverified_return_url' => 'The return URL <tt>\'%s\'</tt> could not be verified for Service Provider <tt>\'%s\'</tt>.', 'unverified_return_url' => 'The return URL <tt>\'%s\'</tt> could not be verified for Service Provider <tt>\'%s\'</tt>.',
'unknown_sp' => 'The Service Provider <tt>\'%s\'</tt> could not be found in metadata and is therefore unknown.',
); );
...@@ -88,6 +89,7 @@ $langStrings['de'] = array ( ...@@ -88,6 +89,7 @@ $langStrings['de'] = array (
'most_used' => 'Meist genutzte Home Organisationen', 'most_used' => 'Meist genutzte Home Organisationen',
'invalid_return_url' => 'Die return URL <tt>\'%s\'</tt> ist keine g&uuml;tige URL.', 'invalid_return_url' => 'Die return URL <tt>\'%s\'</tt> ist keine g&uuml;tige URL.',
'unverified_return_url' => 'Die return URL <tt>\'%s\'</tt> ist nicht g&uuml;tige f&uuml;r den Service Provider <tt>\'%s\'</tt>.', 'unverified_return_url' => 'Die return URL <tt>\'%s\'</tt> ist nicht g&uuml;tige f&uuml;r den Service Provider <tt>\'%s\'</tt>.',
'unknown_sp' => 'Der Service Provider <tt>\'%s\'</tt> konnte nicht in den Metadaten gefunden werden und ist deshalb unbekannt.',
); );
......