Commit ad118607 authored by haemmer's avatar haemmer

It is now checked whether the Service Provider exists in metadata

parent f3c67c01
......@@ -90,14 +90,26 @@ if(isValidDSRequest()){
exit;
}
// Check return URL in DS request if checks are enabled
$returnURLOK = verifyReturnURL($_GET['entityID'], $returnURL);
if(!$returnURLOK){
// Show error
$message = sprintf(getLocalString('unverified_return_url'), htmlentities($returnURL), htmlentities($_GET['entityID']));
printError($message);
exit;
if (isset($enableDSReturnParamCheck) && $enableDSReturnParamCheck){
// Check SP
if(!isset($SProviders[$_GET['entityID']])){
// Show error
$message = sprintf(getLocalString('unknown_sp'), htmlentities($_GET['entityID']));
printError($message);
exit;
}
// Check return URL in DS request if checks are enabled
$returnURLOK = verifyReturnURL($_GET['entityID'], $returnURL);
if(!$returnURLOK){
// Show error
$message = sprintf(getLocalString('unverified_return_url'), htmlentities($returnURL), htmlentities($_GET['entityID']));
printError($message);
exit;
}
}
}
/*------------------------------------------------*/
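Review bot: The new `unknown_sp` check and the return-URL verification only run inside `if (isset($enableDSReturnParamCheck) && $enableDSReturnParamCheck)`, so with the check disabled a request whose entityID is absent from `$SProviders` continues unchallenged; if that is the intended fail-open behaviour for deployments without metadata checks, the branch deserves a comment saying so, e.g. `// With return-param checks disabled, unknown SPs are deliberately accepted`. The `htmlentities()` calls in both error messages rely on the default charset, which on older PHP is ISO-8859-1; if the page is served as UTF-8, passing the charset explicitly (`htmlentities($returnURL, ENT_QUOTES, 'UTF-8')`) keeps multibyte entityIDs from being mangled in the error output. The enclosing `if(isValidDSRequest())` block starts outside the hunk.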
......@@ -395,23 +395,11 @@ function getIPAdressHint() {
}
return '-';
}
/******************************************************************************/
// Returns true if URL could be verified or if no check is necessary, false otherwise
function verifyReturnURL($entityID, $returnURL) {
global $SProviders, $enableDSReturnParamCheck, $useACURLsForReturnParamCheck;
// Skip check if is is deactivated
if (
!isset($enableDSReturnParamCheck)
|| !$enableDSReturnParamCheck
){
return true;
}
// SP is unknown, therefore return false
if (!isset($SProviders[$entityID])){
return false;
}
global $SProviders, $useACURLsForReturnParamCheck;
// If SP has a <idpdisc:DiscoveryResponse>, check return param
if (isset($SProviders[$entityID]['DSURL'])){
......@@ -419,7 +407,14 @@ function verifyReturnURL($entityID, $returnURL) {
}
// If fall back check is enabled, check return param
if ($useACURLsForReturnParamCheck){
if (isset($useACURLsForReturnParamCheck) && $useACURLsForReturnParamCheck){
// Return true if no assertion consumer URL is defined to check against
// Should never happend
if (!isset($SProviders[$entityID]['ACURL'])){
return false;
}
$returnURLHostName = getHostNameFromURI($returnURL);
foreach($SProviders[$entityID]['ACURL'] as $ACURL){
if (getHostNameFromURI($ACURL) == $returnURLHostName){
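Review bot: The comment added above the ACURL guard says "Return true if no assertion consumer URL is defined", but the code returns `false`; the code is the safe choice (fail closed when there is nothing to verify against), so the comment should match it, e.g. `// Fail closed: without an AssertionConsumerService URL there is nothing to verify the return URL against`. Since the earlier hunk of this file removes the `!isset($SProviders[$entityID])` guard from `verifyReturnURL`, the function now depends on every caller having done that lookup first; any other caller passing an unknown entityID will hit an undefined-index notice at `$SProviders[$entityID]['DSURL']` before falling through to this branch, so keeping a cheap defensive `if (!isset($SProviders[$entityID])) { return false; }` at the top of the function would preserve the fail-closed contract independently of the caller. The body of `verifyReturnURL` continues past the end of this hunk.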
......@@ -45,6 +45,7 @@ $langStrings['en'] = array (
'most_used' => 'Most often used Home Organisations',
'invalid_return_url' => 'The return URL <tt>\'%s\'</tt> is not a valid URL.',
'unverified_return_url' => 'The return URL <tt>\'%s\'</tt> could not be verified for Service Provider <tt>\'%s\'</tt>.',
'unknown_sp' => 'The Service Provider <tt>\'%s\'</tt> could not be found in metadata and is therefore unknown.',
);
......@@ -88,6 +89,7 @@ $langStrings['de'] = array (
'most_used' => 'Meist genutzte Home Organisationen',
'invalid_return_url' => 'Die return URL <tt>\'%s\'</tt> ist keine g&uuml;tige URL.',
'unverified_return_url' => 'Die return URL <tt>\'%s\'</tt> ist nicht g&uuml;tige f&uuml;r den Service Provider <tt>\'%s\'</tt>.',
'unknown_sp' => 'Der Service Provider <tt>\'%s\'</tt> konnte nicht in den Metadaten gefunden werden und ist deshalb unbekannt.',
);