Commit c9fcee0f authored by haemmer's avatar haemmer

Added return URL check

parent 20f5a362
......@@ -4,7 +4,7 @@
******************************************************************************
SWITCH PHP WAYF,
Copyright 2009 SWITCH - Serving Swiss Universities
Version: 1.14
Version: 1.14b2
Contact: aai@switch.ch
Web site: http://www.switch.ch/aai/wayf
******************************************************************************
......@@ -14,7 +14,7 @@ Web site: http://www.switch.ch/aai/wayf
// Load general configuration and template file
/*------------------------------------------------*/
require_once('config.test.php');
require_once('config.php');
require_once('templates.php');
require_once('functions.php');
require_once('languages.php');
......@@ -76,6 +76,29 @@ if (isset($_GET['getArguments']) && isset($_GET['origin']) && isset($_GET['redir
exit;
}
/*------------------------------------------------*/
// Input validation
/*------------------------------------------------*/
if(isValidDSRequest()){
// Check that return URL in DS request is a valid URL
$returnURL = verifyAndStripReturnURL($_GET['return']);
if(!$returnURL){
// Show error
$message = sprintf(getLocalString('invalid_return_url'), htmlentities($_GET['return']));
printError($message);
exit;
}
// Check that return URL in DS request is verified
if(!isVerifiedReturnURL($_GET['entityID'], $returnURL)){
// Show error
$message = sprintf(getLocalString('unverified_return_url'), htmlentities($returnURL), htmlentities($_GET['entityID']));
printError($message);
exit;
}
}
/*------------------------------------------------*/
// Set and delete cookies
/*------------------------------------------------*/
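Review bot: The two `htmlentities()` calls on the error-message lines (`htmlentities($_GET['return'])`, `htmlentities($returnURL)`, `htmlentities($_GET['entityID'])`) rely on the defaults, which do not encode single quotes and, on older PHP releases, assume ISO-8859-1 rather than UTF-8; since these values come straight from the query string, pass the flags explicitly, e.g. `htmlentities($_GET['return'], ENT_QUOTES, 'UTF-8')`, and likewise for the other two. The new check only runs when `isValidDSRequest()` is true, so `$returnURL` is undefined on every other path; if later code (outside this hunk) redirects using `$_GET['return']` or the legacy `redirect` parameter seen in the preceding context, that path remains unvalidated — worth confirming. It would also help to state in a comment that code after this block must use the verified `$returnURL` rather than the raw `$_GET['return']`, e.g. `// From here on only $returnURL (verified) may be used as a redirect target`. The script continues past the end of this hunk.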