Assert that signed messages on the Redirect- and POST-bindings have a…

… destination set
simplesamlphp · May 27, 2023 · 566f034 · 566f034
1 parent fb314a6
commit 566f034
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 0 deletions.
diff --git a/src/SAML2/HTTPPost.php b/src/SAML2/HTTPPost.php
@@ -97,6 +97,17 @@ public function receive(ServerRequestInterface $request): AbstractMessage
 
         $msg = MessageFactory::fromXML($document->documentElement);
 
+        /**
+         * 3.5.5.2 - SAML Bindings
+         *
+         * If the message is signed, the Destination XML attribute in the root SAML element of the protocol
+         * message MUST contain the URL to which the sender has instructed the user agent to deliver the
+         * message.
+         */
+        if ($msg->isSigned()) {
+            Assert::notNull($msg->getDestination()); // Validation of the value must be done upstream
+        }
+
         if (array_key_exists('RelayState', $query)) {
             $msg->setRelayState($query['RelayState']);
         }

diff --git a/src/SAML2/HTTPRedirect.php b/src/SAML2/HTTPRedirect.php
@@ -162,6 +162,15 @@ public function receive(ServerRequestInterface $request): AbstractMessage
             return $message;
         }
 
+        /**
+         * 3.4.5.2 - SAML Bindings
+         *
+         * If the message is signed, the Destination XML attribute in the root SAML element of the protocol
+         * message MUST contain the URL to which the sender has instructed the user agent to deliver the
+         * message.
+         */
+        Assert::notNull($message->getDestination()); // Validation of the value must be done upstream
+
         if (!array_key_exists('SigAlg', $query)) {
             throw new Exception('Missing signature algorithm.');
         } else {