diff --git a/Classes/Controller/FesamlController.php b/Classes/Controller/FesamlController.php
index 9cbc08d..34a03ab 100644
--- a/Classes/Controller/FesamlController.php
+++ b/Classes/Controller/FesamlController.php
@@ -128,15 +128,17 @@ public function controlAction()
 $sp_object = json_decode(Utilities::fetchFromTable(Constants::COLUMN_OBJECT_SP,Constants::TABLE_SAML),true);
 $this->idp_name = $idp_object[Constants::COLUMN_IDP_NAME];
- $this->acs_url = $idp_object[Constants::COLUMN_IDP_NAME];
+ $this->idp_entity_id =$idp_object[Constants::COLUMN_IDP_ENTITY_ID];
 $this->saml_login_url = $idp_object[Constants::COLUMN_IDP_LOGIN_URL];
 $this->x509_certificate = $idp_object[Constants::COLUMN_IDP_CERTIFICATE];
- $this->idp_entity_id =$idp_object[Constants::COLUMN_IDP_ENTITY_ID];
 $this->force_authn = false;
- $this->sp_entity_id = $sp_object[Constants::COLUMN_SP_ENTITY_ID];
+
+ $this->acs_url = $sp_object[Constants::COLUMN_SP_ACS_URL];
+ $this->sp_entity_id = $sp_object[Constants::COLUMN_SP_ENTITY_ID];
 $this->signedAssertion = true;
 $this->signedResponse = true;
+ $this->destination = $this->saml_login_url;
 }
diff --git a/Helper/Actions/HttpAction.php b/Helper/Actions/HttpAction.php
index ece2e8d..cb8a60c 100644
--- a/Helper/Actions/HttpAction.php
+++ b/Helper/Actions/HttpAction.php
@@ -75,8 +75,14 @@ public function sendHTTPPostRequest($samlRequest,$sendRelayState,$sloUrl)
 $base64EncodedXML = base64_encode($signedXML);
 //post request
 ob_clean();
- printf(" + printf(" + + + Please wait...
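Review bot: The new assignments read `$sp_object[Constants::COLUMN_SP_ACS_URL]` and the `$idp_object` keys without checking that the decoded configuration contains them, so an SP record that lacks the ACS URL key (for instance one saved by an earlier version, or a `fetchFromTable` result that json_decode turns into null) silently yields an empty `acs_url`, and on the last added line an empty `destination`, instead of an error. Guard the lookups before assigning, `if (!isset($sp_object[Constants::COLUMN_SP_ACS_URL])) {` / `    throw new \RuntimeException('SP ACS URL is not configured');` / `}`, and do the same for the IdP login URL and entity id since `destination` is derived from `saml_login_url`. `force_authn` remains hard-coded to `false` on a context line; if it is meant to be configurable it belongs with the SP settings read here. controlAction's body starts before this hunk.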
@@ -110,7 +116,7 @@ public function sendHTTPPostResponse($samlResponse,$sendRelayState,$ssoUrl)
 $base64EncodedXML = base64_encode($signedXML);
 //post request
 ob_clean();
- printf(" Please wait...
@@ -121,4 +127,4 @@ public function sendHTTPPostResponse($samlResponse,$sendRelayState,$ssoUrl)
 ",$ssoUrl,$base64EncodedXML,htmlentities($sendRelayState));
 }
-}
\ No newline at end of file
+}
diff --git a/Helper/Actions/TestResultActions.php b/Helper/Actions/TestResultActions.php
index 14259ea..d628d6e 100644
--- a/Helper/Actions/TestResultActions.php
+++ b/Helper/Actions/TestResultActions.php
@@ -150,7 +150,7 @@ private function processCertErrors()
 */
 private function processTemplateContent()
 {
- $this->commonBody = str_replace("{{email}}",implode("/",$this->nameId),$this->commonBody);
+ $this->commonBody = str_replace("{{email}}",strip_tags(implode("/",$this->nameId)),$this->commonBody);
 $tableContent = !array_filter($this->attrs) ? "No Attributes Received." : $this->getTableContent();
 $this->commonBody = str_replace("{{tablecontent}}",$tableContent,$this->commonBody);
 $this->template = str_replace("{{commonbody}}",$this->commonBody,$this->template);
@@ -168,7 +168,7 @@ private function getTableContent()
 {
 if(!in_array(null, $value))
 $tableContent .= str_replace("{{key}}",$key,str_replace("{{value}}",
- implode("
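Review bot: In sendHTTPPostResponse the printf() argument list visible in the -121 hunk passes `$ssoUrl` and `$base64EncodedXML` through unescaped while only `$sendRelayState` goes through htmlentities(); the printf template markup did not survive this page, but if `$ssoUrl` is substituted into the form's action attribute it should be escaped for that context as well, `htmlspecialchars($ssoUrl, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`, so a misconfigured IdP URL cannot break out of the attribute. The same pattern presumably applies to `$sloUrl` in sendHTTPPostRequest (the -75 hunk). The relay state is request-supplied, so it is the more important one: htmlentities() without flags leaves single quotes unescaped on PHP before 8.1, and `htmlspecialchars($sendRelayState, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` is the safer call. Both functions continue outside their hunks.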
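Review bot: strip_tags() is used on the added line as an HTML sanitiser for the NameID substituted into `{{email}}`, and again for the attribute values in getTableContent (the -168 hunk), but it only removes tag-shaped text: quotes, ampersands and entity sequences pass through unchanged, and legitimate values containing `<` are silently truncated. These values come from the IdP's assertion and are rendered into an HTML template, so escape them for the HTML context instead, `htmlspecialchars(implode("/", $this->nameId), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`, and apply the same change in getTableContent.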
",$value),$this->tableContent));
+ strip_tags(implode("
",$value)),$this->tableContent));
 }
 return $tableContent;
 }
@@ -181,4 +181,4 @@ private function processTemplateFooter()
 {
 $this->template = str_replace("{{footer}}",$this->footer,$this->template);
 }
-}
\ No newline at end of file
+}
diff --git a/Helper/Assertion.php b/Helper/Assertion.php
index 46fbb66..782127a 100644
--- a/Helper/Assertion.php
+++ b/Helper/Assertion.php
@@ -289,11 +289,11 @@ private function parseAuthnContext(\DOMElement $authnStatementEl)
 }
 // Constraint from XSD: MUST have one of the three
- if (empty($this->authnContextClassRef) && empty($this->authnContextDecl) && empty($this->authnContextDeclRef)) {
- throw new Exception(
- 'Missing either or or '
- );
- }
+// if (empty($this->authnContextClassRef) && empty($this->authnContextDecl) && empty($this->authnContextDeclRef)) {
+// throw new Exception(
+// 'Missing either or or '
+// );
+// }
 $this->AuthenticatingAuthority = SAMLUtilities::extractStrings(
 $authnContextEl,
diff --git a/Helper/Utilities.php b/Helper/Utilities.php
index f5a160c..0ae6807 100644
--- a/Helper/Utilities.php
+++ b/Helper/Utilities.php
@@ -233,54 +233,21 @@ public static function fetchUserFromUsername($username)
 }
- /**
- * Exception Page HTML Content
- * @param $message
- */
- public static function showErrorMessage($message)
- {
- echo ' - - - - - We\'ve got some trouble | 500 - Webservice currently unavailable - - - -
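Review bot: `$key` on the context line above the change is still substituted into `{{key}}` raw, so an attribute name taken from the assertion reaches the HTML template with no escaping at all while only the value side was changed; escape it the same way as the values. The separator passed to implode() did not survive this page, but if it is an HTML tag such as a line break, calling strip_tags() on the joined string strips that separator too — escape each element first with array_map() and htmlspecialchars(..., ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') and then implode() with the separator unchanged. getTableContent's body starts before this hunk.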
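Review bot: The XSD constraint on AuthnContext is disabled by commenting the block out rather than removing it, which leaves dead code and no record of why assertions with none of AuthnContextClassRef, AuthnContextDecl or AuthnContextDeclRef are now accepted; presumably this tolerates an IdP that omits them, in which case replace the five commented lines with a comment saying so, e.g. `// Relaxed from the SAML XSD: some IdPs send an AuthnContext with none of ClassRef/Decl/DeclRef; the fields stay empty rather than rejecting the assertion.` Anything downstream that reads `$this->authnContextClassRef` for a policy decision must now tolerate an empty value. This hunk does not touch signature or Conditions validation, so the relaxation is acceptable only as long as those remain enforced. parseAuthnContext continues outside the hunk.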
-

Oops!! Something went wrong.

-

An unexpected condition was encountered.

-

- '.$message.' -

-
- - ';
- exit;
- }
-
- public static function showErrorFlashMessage($message, $header="ERROR"){
- $message = GeneralUtility::makeInstance(FlashMessage::class,$message,$header,FlashMessage::ERROR);
- $flashMessageService = GeneralUtility::makeInstance(FlashMessageService::class);
- $out = GeneralUtility::makeInstance(ListRenderer ::class)->render([$message]);
- echo $out;
- }
-
- public static function showSuccessFlashMessage($message, $header="OK"){
- $message = GeneralUtility::makeInstance(FlashMessage::class, $message, $header, FlashMessage::OK);
- $out = GeneralUtility::makeInstance(ListRenderer ::class)->render([$message]);
- echo $out;
- }
-
- public static function clearFlashMessages(){
- $flashMessageService = GeneralUtility::makeInstance(FlashMessageService::class);
- $messageQueue = $flashMessageService->getMessageQueueByIdentifier();
- $messageQueue->clear();
- }
-
- public static function log_php_error($msg="",$obj){
- error_log($msg.": ".print_r($obj,true));
- }
+ public static function showErrorFlashMessage($message, $header="ERROR"){
+ $message = GeneralUtility::makeInstance(FlashMessage::class,$message,$header,FlashMessage::ERROR);
+ $flashMessageService = GeneralUtility::makeInstance(FlashMessageService::class);
+ $out = GeneralUtility::makeInstance(ListRenderer ::class)->render([$message]);
+ echo $out;
+ }
+
+ public static function showSuccessFlashMessage($message, $header="OK"){
+ $message = GeneralUtility::makeInstance(FlashMessage::class, $message, $header, FlashMessage::OK);
+ $out = GeneralUtility::makeInstance(ListRenderer ::class)->render([$message]);
+ echo $out;
+ }
+
+ public static function log_php_error($msg="",$obj){
+ error_log($msg.": ".print_r($obj,true));
+ }
 }
diff --git a/Helper/lib/XMLSecLibs/Utils/XPath.php b/Helper/lib/XMLSecLibs/Utils/XPath.php
new file mode 100644
index 0000000..700fbb0
--- /dev/null
+++ b/Helper/lib/XMLSecLibs/Utils/XPath.php
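Review bot: showErrorFlashMessage, re-indented on the new side of this hunk, still assigns `$flashMessageService` and never uses it; drop that line, as showSuccessFlashMessage already does. log_php_error declares the optional `$msg=""` before the required `$obj`, which PHP 8.0+ reports as deprecated and which makes the default unusable anyway; `public static function log_php_error($msg="",$obj=null){` keeps existing callers working. print_r() of an arbitrary value into error_log will also write whatever callers hand it to the server log, so callers should pass only what is needed for diagnosis rather than raw responses or key material. Removing showErrorMessage, which echoed `$message` into the page unescaped, is the right direction.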
@@ -0,0 +1,44 @@ +. * Copyright (c) 2007-2019, Robert Richards . * All rights reserved. * * Redistribution and use in source and binary forms, with or without
@@ -42,7 +43,7 @@
 * POSSIBILITY OF SUCH DAMAGE.
 *
 * @author Robert Richards
- * @copyright 2007-2017 Robert Richards
+ * @copyright 2007-2019 Robert Richards
 * @license http://www.opensource.org/licenses/bsd-license.php BSD License
 */
@@ -470,7 +471,7 @@ public static function staticLocateKeyInfo($objBaseKey=null, $node=null)
 }
 $id = substr($uri, 1);
- $query = "//xmlsecenc:EncryptedKey[@Id='$id']";
+ $query = '//xmlsecenc:EncryptedKey[@Id="'.XPath::filterAttrValue($id, XPath::DOUBLE_QUOTE).'"]';
 $keyElement = $xpath->query($query)->item(0);
 if (!$keyElement) {
 throw new Exception("Unable to locate EncryptedKey with @Id='$id'.");
diff --git a/Helper/lib/XMLSecLibs/XMLSecurityDSig.php b/Helper/lib/XMLSecLibs/XMLSecurityDSig.php
index d56b7b6..86c9b40 100644
--- a/Helper/lib/XMLSecLibs/XMLSecurityDSig.php
+++ b/Helper/lib/XMLSecLibs/XMLSecurityDSig.php
@@ -6,11 +6,12 @@
 use DOMNode;
 use DOMXPath;
 use Exception;
+use Miniorange\Helper\lib\XMLSecLibs\Utils\XPath as XPath;
 /**
 * xmlseclibs.php
 *
- * Copyright (c) 2007-2017, Robert Richards .
+ * Copyright (c) 2007-2019, Robert Richards .
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
@@ -43,7 +44,7 @@
 * POSSIBILITY OF SUCH DAMAGE.
 *
 * @author Robert Richards
- * @copyright 2007-2017 Robert Richards
+ * @copyright 2007-2019 Robert Richards
 * @license http://www.opensource.org/licenses/bsd-license.php BSD License
 */
@@ -193,6 +194,11 @@ public function locateSignature($objDoc, $pos=0)
 $query = ".//secdsig:Signature";
 $nodeset = $xpath->query($query, $objDoc);
 $this->sigNode = $nodeset->item($pos);
+ $query = "./secdsig:SignedInfo";
+ $nodeset = $xpath->query($query, $this->sigNode);
+ if ($nodeset->length > 1) {
+ throw new Exception("Invalid structure - Too many SignedInfo elements found");
+ }
 return $this->sigNode;
 }
 return null;
@@ -302,6 +308,9 @@ public function canonicalizeSignedInfo()
 $xpath = $this->getXPathObj();
 $query = "./secdsig:SignedInfo";
 $nodeset = $xpath->query($query, $this->sigNode);
+ if ($nodeset->length > 1) {
+ throw new Exception("Invalid structure - Too many SignedInfo elements found");
+ }
 if ($signInfoNode = $nodeset->item(0)) {
 $query = "./secdsig:CanonicalizationMethod";
 $nodeset = $xpath->query($query, $signInfoNode);
@@ -366,7 +375,7 @@ public function validateDigest($refNode, $data)
 $digValue = $this->calculateDigest($digestAlgorithm, $data, false);
 $query = 'string(./secdsig:DigestValue)';
 $digestValue = $xpath->evaluate($query, $refNode);
- return ($digValue == base64_decode($digestValue));
+ return ($digValue === base64_decode($digestValue));
 }
 /**
@@ -439,7 +448,7 @@ public function processTransforms($refNode, $objData, $includeCommentNodes = tru
 if ($node->localName == 'XPath') {
 $arXPath = array();
 $arXPath['query'] = '(.//. | .//@* | .//namespace::*)['.$node->nodeValue.']';
- $arXpath['namespaces'] = array();
+ $arXPath['namespaces'] = array();
 $nslist = $xpath->query('./namespace::*', $node);
 foreach ($nslist AS $nsnode) {
 if ($nsnode->localName != "xml") {
@@ -485,14 +494,15 @@ public function processRefNode($refNode)
 $xPath = new DOMXPath($refNode->ownerDocument);
 if ($this->idNS && is_array($this->idNS)) {
- foreach ($this->idNS AS $nspf => $ns) {
+ foreach ($this->idNS as $nspf => $ns) {
 $xPath->registerNamespace($nspf, $ns);
 }
 }
- $iDlist = '@Id="'.$identifier.'"';
+ $iDlist = '@Id="'.XPath::filterAttrValue($identifier, XPath::DOUBLE_QUOTE).'"';
 if (is_array($this->idKeys)) {
- foreach ($this->idKeys AS $idKey) {
- $iDlist .= " or @$idKey='$identifier'";
+ foreach ($this->idKeys as $idKey) {
+ $iDlist .= " or @".XPath::filterAttrName($idKey).'="'.
+ XPath::filterAttrValue($identifier, XPath::DOUBLE_QUOTE).'"';
 }
 }
 $query = '//*['.$iDlist.']';
@@ -500,8 +510,6 @@ public function processRefNode($refNode)
 } else {
 $dataObject = $refNode->ownerDocument;
 }
- } else {
- $dataObject = file_get_contents($arUrl);
 }
 } else {
 /* This reference identifies the root node with an empty URI. This should
@@ -554,7 +562,7 @@ public function getRefIDs()
 $refids = array();
 $xpath = $this->getXPathObj();
- $query = "./secdsig:SignedInfo/secdsig:Reference";
+ $query = "./secdsig:SignedInfo[1]/secdsig:Reference";
 $nodeset = $xpath->query($query, $this->sigNode);
 if ($nodeset->length == 0) {
 throw new Exception("Reference nodes not found");
@@ -578,7 +586,7 @@ public function validateReference()
 }
 }
 $xpath = $this->getXPathObj();
- $query = "./secdsig:SignedInfo/secdsig:Reference";
+ $query = "./secdsig:SignedInfo[1]/secdsig:Reference";
 $nodeset = $xpath->query($query, $this->sigNode);
 if ($nodeset->length == 0) {
 throw new Exception("Reference nodes not found");
diff --git a/Helper/lib/XMLSecLibs/XMLSecurityKey.php b/Helper/lib/XMLSecLibs/XMLSecurityKey.php
index c3e0e3e..63b38de 100644
--- a/Helper/lib/XMLSecLibs/XMLSecurityKey.php
+++ b/Helper/lib/XMLSecLibs/XMLSecurityKey.php
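Review bot: With the `file_get_contents($arUrl)` branch removed in the -500 hunk, a Reference whose URI is neither empty nor a fragment now leaves `$dataObject` unassigned in processRefNode; unless the code after the hunk already rejects that case, the function should fail closed at that point, e.g. `} else { return false; }` where the removed branch was, so such a reference is reported as unverified instead of falling through with a null document. Dropping remote reference resolution itself is the right call, since a document-supplied URI previously made the verifier fetch arbitrary URLs. processRefNode starts and ends outside this hunk.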
@@ -7,7 +7,7 @@
 /**
 * xmlseclibs.php
 *
- * Copyright (c) 2007-2017, Robert Richards .
+ * Copyright (c) 2007-2019, Robert Richards .
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
@@ -40,7 +40,7 @@
 * POSSIBILITY OF SUCH DAMAGE.
 *
 * @author Robert Richards
- * @copyright 2007-2017 Robert Richards
+ * @copyright 2007-2019 Robert Richards
 * @license http://www.opensource.org/licenses/bsd-license.php BSD License
 */
@@ -575,17 +575,26 @@ public function decryptData($data)
 */
 public function signData($data)
 {
-
 switch ($this->cryptParams['library']) {
 case 'openssl':
 return $this->signOpenSSL($data);
 case (self::HMAC_SHA1):
-
 return hash_hmac("sha1", $data, $this->key, true);
 }
 }
+
 /**
 * Verifies the data (string) against the given signature using the extension assigned to the type in the constructor.
+ *
+ * Returns in case of openSSL:
+ * 1 on succesful signature verification,
+ * 0 when signature verification failed,
+ * -1 if an error occurred during processing.
+ *
+ * NOTE: be very careful when checking the return value, because in PHP,
+ * -1 will be cast to True when in boolean context. So always check the
+ * return value in a strictly typed way, e.g. "$obj->verify(...) === 1".
+ *
 * @param string $data
 * @param string $signature
 * @return bool|int
diff --git a/ext_emconf.php b/ext_emconf.php
index 7da4661..3d4f878 100644
--- a/ext_emconf.php
+++ b/ext_emconf.php
@@ -14,7 +14,7 @@
 'uploadfolder' => 0,
 'createDirs' => '',
 'clearCacheOnLoad' => 0,
- 'version' => '1.4.2',
+ 'version' => '1.4.3',
 'constraints' => [
 'depends' => [
 'typo3' => '8.7.0-10.6.0',