Allow standard ports when evaluating trusted URLs.

If a standard port is specified, then ignore it. Otherwise, include the port in the check so that non-standard ports must be whitelisted explicitly.
simplesamlphp · Jan 16, 2017 · abb3a2b · abb3a2b
1 parent ef5677f
commit abb3a2b
Showing 1 changed file with 9 additions and 2 deletions.
diff --git a/lib/SimpleSAML/Utils/HTTP.php b/lib/SimpleSAML/Utils/HTTP.php
@@ -323,8 +323,15 @@ public static function checkURLAllowed($url, array $trustedSites = null)
         // validates the URL's host is among those allowed
         if (is_array($trustedSites)) {
             assert(is_array($trustedSites));
-            preg_match('@^https?://([^/]+)@i', $url, $matches);
-            $hostname = $matches[1];
+            preg_match('@^http(s?)://([^/:]+)((?::\d+)?)@i', $url, $matches);
+            $hostname = $matches[2];
+
+            // allow URLs with standard ports specified (non-standard ports must then be allowed explicitly)
+            if (!empty($matches[3]) &&
+                (($matches[1] === '' && $matches[3] !== ':80') || ($matches[1]) === 's' && $matches[3] !== ':443')
+            ) {
+                $hostname = $hostname.$matches[3];
+            }
 
             $self_host = self::getSelfHostWithNonStandardPort();