PHP HTTP::checkURLAllowed方法代码示例

<?php

/**
 * This SAML 2.0 endpoint can receive incoming LogoutRequests. It will also send LogoutResponses,
 * and LogoutRequests and also receive LogoutResponses. It is implemeting SLO at the SAML 2.0 IdP.
 *
 * @author Andreas Åkre Solberg, UNINETT AS. <andreas.solberg@uninett.no>
 * @package SimpleSAMLphp
 */
require_once '../../_include.php';
SimpleSAML\Logger::info('SAML2.0 - IdP.SingleLogoutService: Accessing SAML 2.0 IdP endpoint SingleLogoutService');
$metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
$idpEntityId = $metadata->getMetaDataCurrentEntityID('saml20-idp-hosted');
$idp = SimpleSAML_IdP::getById('saml2:' . $idpEntityId);
if (isset($_REQUEST['ReturnTo'])) {
    $idp->doLogoutRedirect(\SimpleSAML\Utils\HTTP::checkURLAllowed((string) $_REQUEST['ReturnTo']));
} else {
    try {
        sspmod_saml_IdP_SAML2::receiveLogoutMessage($idp);
    } catch (Exception $e) {
        // TODO: look for a specific exception
        /*
         * This is dirty. Instead of checking the message of the exception, \SAML2\Binding::getCurrentBinding() should
         * throw an specific exception when the binding is unknown, and we should capture that here
         */
        if ($e->getMessage() === 'Unable to find the current binding.') {
            throw new SimpleSAML_Error_Error('SLOSERVICEPARAMS', $e, 400);
        } else {
            throw $e;
            // do not ignore other exceptions!
        }

 /**
  * Test SimpleSAML\Utils\HTTP::checkURLAllowed(), with the regex as a
  * subdomain of an evil domain.
  */
 public function testCheckURLAllowedWithRegexWithoutDelimiters()
 {
     $original = $_SERVER;
     \SimpleSAML_Configuration::loadFromArray(array('trusted.url.domains' => array('app\\.example\\.com'), 'trusted.url.regex' => true), '[ARRAY]', 'simplesaml');
     $_SERVER['REQUEST_URI'] = '/module.php';
     $this->setExpectedException('SimpleSAML_Error_Exception');
     HTTP::checkURLAllowed('https://app.example.com.evil.com');
     $_SERVER = $original;
 }

 /**
  * Initializes this discovery service.
  *
  * The constructor does the parsing of the request. If this is an invalid request, it will throw an exception.
  *
  * @param array  $metadataSets Array with metadata sets we find remote entities in.
  * @param string $instance The name of this instance of the discovery service.
  *
  * @throws Exception If the request is invalid.
  */
 public function __construct(array $metadataSets, $instance)
 {
     assert('is_string($instance)');
     // initialize standard classes
     $this->config = SimpleSAML_Configuration::getInstance();
     $this->metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
     $this->session = SimpleSAML_Session::getSessionFromRequest();
     $this->instance = $instance;
     $this->metadataSets = $metadataSets;
     $this->log('Accessing discovery service.');
     // standard discovery service parameters
     if (!array_key_exists('entityID', $_GET)) {
         throw new Exception('Missing parameter: entityID');
     } else {
         $this->spEntityId = $_GET['entityID'];
     }
     if (!array_key_exists('returnIDParam', $_GET)) {
         $this->returnIdParam = 'entityID';
     } else {
         $this->returnIdParam = $_GET['returnIDParam'];
     }
     $this->log('returnIdParam initially set to [' . $this->returnIdParam . ']');
     if (!array_key_exists('return', $_GET)) {
         throw new Exception('Missing parameter: return');
     } else {
         $this->returnURL = \SimpleSAML\Utils\HTTP::checkURLAllowed($_GET['return']);
     }
     $this->isPassive = false;
     if (array_key_exists('isPassive', $_GET)) {
         if ($_GET['isPassive'] === 'true') {
             $this->isPassive = true;
         }
     }
     $this->log('isPassive initially set to [' . ($this->isPassive ? 'TRUE' : 'FALSE') . ']');
     if (array_key_exists('IdPentityID', $_GET)) {
         $this->setIdPentityID = $_GET['IdPentityID'];
     }
     if (array_key_exists('IDPList', $_REQUEST)) {
         $this->scopedIDPList = $_REQUEST['IDPList'];
     }
 }

<?php

/**
 * This page serves as a dummy login page.
 *
 * Note that we don't actually validate the user in this example. This page
 * just serves to make the example work out of the box.
 *
 * @package SimpleSAMLphp
 */
if (!isset($_REQUEST['ReturnTo'])) {
    die('Missing ReturnTo parameter.');
}
$returnTo = \SimpleSAML\Utils\HTTP::checkURLAllowed($_REQUEST['ReturnTo']);
/*
 * The following piece of code would never be found in a real authentication page. Its
 * purpose in this example is to make this example safer in the case where the
 * administrator of * the IdP leaves the exampleauth-module enabled in a production
 * environment.
 *
 * What we do here is to extract the $state-array identifier, and check that it belongs to
 * the exampleauth:External process.
 */
if (!preg_match('@State=(.*)@', $returnTo, $matches)) {
    die('Invalid ReturnTo URL for this example.');
}
SimpleSAML_Auth_State::loadState(urldecode($matches[1]), 'exampleauth:External');
/*
 * The loadState-function will not return if the second parameter does not
 * match the parameter passed to saveState, so by now we know that we arrived here
 * through the exampleauth:External authentication page.

<?php

/**
 * Endpoint for logging in with an authentication source.
 *
 * @package simpleSAMLphp
 */
if (!is_string($_REQUEST['ReturnTo'])) {
    throw new SimpleSAML_Error_BadRequest('Missing ReturnTo parameter.');
}
if (!is_string($_REQUEST['AuthId'])) {
    throw new SimpleSAML_Error_BadRequest('Missing AuthId parameter.');
}
/*
 * Setting up the options for the requireAuth() call later..
 */
$options = array('ReturnTo' => \SimpleSAML\Utils\HTTP::checkURLAllowed($_REQUEST['ReturnTo']));
/*
 * Allows a saml:idp query string parameter specify the IdP entity ID to be used
 * as used by the DiscoJuice embedded client.
 */
if (!empty($_REQUEST['saml:idp'])) {
    $options['saml:idp'] = $_REQUEST['saml:idp'];
}
$as = new SimpleSAML_Auth_Simple($_REQUEST['AuthId']);
$as->requireAuth($options);
\SimpleSAML\Utils\HTTP::redirectTrustedURL($options['ReturnTo']);

 /**
  * @deprecated This method will be removed in SSP 2.0. Please use \SimpleSAML\Utils\HTTP::checkURLAllowed() instead.
  */
 public static function checkURLAllowed($url, array $trustedSites = NULL)
 {
     return \SimpleSAML\Utils\HTTP::checkURLAllowed($url, $trustedSites);
 }

<?php

require_once '../../_include.php';
$metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
$idpEntityId = $metadata->getMetaDataCurrentEntityID('saml20-idp-hosted');
$idp = SimpleSAML_IdP::getById('saml2:' . $idpEntityId);
SimpleSAML_Logger::info('SAML2.0 - IdP.initSLO: Accessing SAML 2.0 IdP endpoint init Single Logout');
if (!isset($_GET['RelayState'])) {
    throw new SimpleSAML_Error_Error('NORELAYSTATE');
}
$idp->doLogoutRedirect(\SimpleSAML\Utils\HTTP::checkURLAllowed((string) $_GET['RelayState']));
assert('FALSE');

 public static function receiveLogoutMessage(SimpleSAML_IdP $idp)
 {
     // if a redirect is to occur based on wreply, we will redirect to url as
     // this implies an override to normal sp notification.
     if (isset($_GET['wreply']) && !empty($_GET['wreply'])) {
         $idp->doLogoutRedirect(\SimpleSAML\Utils\HTTP::checkURLAllowed($_GET['wreply']));
         assert(FALSE);
     }
     $state = array('Responder' => array('sspmod_adfs_IdP_ADFS', 'sendLogoutResponse'));
     $assocId = NULL;
     // TODO: verify that this is really no problem for:
     //       a) SSP, because there's no caller SP...
     //       b) ADFS SP because caller will be called back...
     $idp->handleLogoutRequest($state, $assocId);
 }

<?php

/**
 * Endpoint for logging out in with an authentication source.
 *
 * @package simpleSAMLphp
 */
if (!isset($_REQUEST['ReturnTo']) || !is_string($_REQUEST['ReturnTo'])) {
    throw new SimpleSAML_Error_BadRequest('Missing ReturnTo parameter.');
}
if (!isset($_REQUEST['AuthId']) || !is_string($_REQUEST['AuthId'])) {
    throw new SimpleSAML_Error_BadRequest('Missing AuthId parameter.');
}
$as = new SimpleSAML_Auth_Simple($_REQUEST['AuthId']);
$as->logout(\SimpleSAML\Utils\HTTP::checkURLAllowed($_REQUEST['ReturnTo']));

    assert('array_key_exists("saml:sp:AuthId", $state)');
    if ($state['saml:sp:AuthId'] !== $sourceId) {
        throw new SimpleSAML_Error_Exception('The authentication source id in the URL does not match the authentication source which sent the request.');
    }
    // check that the issuer is the one we are expecting
    assert('array_key_exists("ExpectedIssuer", $state)');
    if ($state['ExpectedIssuer'] !== $idp) {
        $idpMetadata = $source->getIdPMetadata($idp);
        $idplist = $idpMetadata->getArrayize('IDPList', array());
        if (!in_array($state['ExpectedIssuer'], $idplist)) {
            throw new SimpleSAML_Error_Exception('The issuer of the response does not match to the identity provider we sent the request to.');
        }
    }
} else {
    // this is an unsolicited response
    $state = array('saml:sp:isUnsolicited' => true, 'saml:sp:AuthId' => $sourceId, 'saml:sp:RelayState' => \SimpleSAML\Utils\HTTP::checkURLAllowed($spMetadata->getString('RelayState', $response->getRelayState())));
}
SimpleSAML_Logger::debug('Received SAML2 Response from ' . var_export($idp, true) . '.');
if (empty($idpMetadata)) {
    $idpMetadata = $source->getIdPmetadata($idp);
}
try {
    $assertions = sspmod_saml_Message::processResponse($spMetadata, $idpMetadata, $response);
} catch (sspmod_saml_Error $e) {
    // the status of the response wasn't "success"
    $e = $e->toException();
    SimpleSAML_Auth_State::throwException($state, $e);
}
$authenticatingAuthority = null;
$nameId = null;
$sessionIndex = null;

<?php

require_once '_include.php';
$config = SimpleSAML_Configuration::getInstance();
if (array_key_exists('link_href', $_REQUEST)) {
    $link = \SimpleSAML\Utils\HTTP::checkURLAllowed($_REQUEST['link_href']);
} else {
    $link = 'index.php';
}
if (array_key_exists('link_text', $_REQUEST)) {
    $text = $_REQUEST['link_text'];
} else {
    $text = '{logout:default_link_text}';
}
$t = new SimpleSAML_XHTML_Template($config, 'logout.php');
$t->data['link'] = $link;
$t->data['text'] = $text;
$t->show();
exit;

}
if (!array_key_exists('PATH_INFO', $_SERVER)) {
    throw new SimpleSAML_Error_BadRequest('Missing authentication source ID in assertion consumer service URL');
}
$sourceId = $_SERVER['PATH_INFO'];
$end = strpos($sourceId, '/', 1);
if ($end === FALSE) {
    $end = strlen($sourceId);
}
$sourceId = substr($sourceId, 1, $end - 1);
$source = SimpleSAML_Auth_Source::getById($sourceId, 'sspmod_saml_Auth_Source_SP');
SimpleSAML_Logger::debug('Received SAML1 response');
$target = (string) $_REQUEST['TARGET'];
if (preg_match('@^https?://@i', $target)) {
    // Unsolicited response
    $state = array('saml:sp:isUnsolicited' => TRUE, 'saml:sp:AuthId' => $sourceId, 'saml:sp:RelayState' => \SimpleSAML\Utils\HTTP::checkURLAllowed($target));
} else {
    $state = SimpleSAML_Auth_State::loadState($_REQUEST['TARGET'], 'saml:sp:sso');
    // Check that the authentication source is correct.
    assert('array_key_exists("saml:sp:AuthId", $state)');
    if ($state['saml:sp:AuthId'] !== $sourceId) {
        throw new SimpleSAML_Error_Exception('The authentication source id in the URL does not match the authentication source which sent the request.');
    }
    assert('isset($state["saml:idp"])');
}
$spMetadata = $source->getMetadata();
if (array_key_exists('SAMLart', $_REQUEST)) {
    if (!isset($state['saml:idp'])) {
        /* Unsolicited response. */
        throw new SimpleSAML_Error_Exception('IdP initiated authentication not supported with the SAML 1.1 SAMLart protocol.');
    }

<?php

if (isset($_REQUEST['retryURL'])) {
    $retryURL = (string) $_REQUEST['retryURL'];
    $retryURL = \SimpleSAML\Utils\HTTP::checkURLAllowed($retryURL);
} else {
    $retryURL = null;
}
$globalConfig = SimpleSAML_Configuration::getInstance();
$t = new SimpleSAML_XHTML_Template($globalConfig, 'core:no_cookie.tpl.php');
$t->data['retryURL'] = $retryURL;
$t->show();