<?php
namespace OneLogin\Saml2;
use DOMDocument;
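/**
 * Class Validator
 *
 * This class provides methods to validate SAML messages.
 */
class Validator
{
    /**
     * Security settings.
     *
     * checkDestination() reads the 'relaxDestinationValidation' and
     * 'destinationStrictlyMatches' keys. The property is typed and has no
     * default, so it must be assigned before any check is run.
     *
     * @var array
     */
    public static array $security;

    /**
     * Checks the Destination attribute of a SAML message.
     *
     * The Destination is read from the root element of the message, i.e. it is
     * sender-controlled input. It is compared first against $currentURL and, if
     * that fails, against Utils::getSelfURLNoQuery().
     *
     * An absent or whitespace-only Destination is accepted only when
     * 'relaxDestinationValidation' is enabled.
     *
     * @param DOMDocument $document   The SAML message as a DOMDocument.
     * @param string      $currentURL The current URL where the message was received.
     * @param string      $method     The method being validated (e.g., "AuthnRequest", "Response").
     *
     * @return void
     *
     * @throws ValidationError If the Destination is empty (and that is not
     *                         allowed) or does not match either URL.
     */
    public static function checkDestination(DOMDocument $document, string $currentURL, string $method)
    {
        $destination = trim($document->documentElement->getAttribute('Destination'));

        // Compare against '' instead of using empty(): empty('0') is true, so a
        // Destination of "0" used to be treated as "no Destination" and skipped
        // the URL comparison whenever relaxDestinationValidation was enabled.
        if ($destination === '') {
            if (!self::$security['relaxDestinationValidation']) {
                throw new ValidationError(
                    "The $method has an empty Destination value",
                    ValidationError::EMPTY_DESTINATION
                );
            }

            return;
        }

        if (self::destinationMatches($destination, $currentURL)) {
            return;
        }

        // Second attempt against the URL reported by Utils::getSelfURLNoQuery();
        // only evaluated when the caller-supplied URL did not match.
        if (self::destinationMatches($destination, (string) Utils::getSelfURLNoQuery())) {
            return;
        }

        throw new ValidationError(
            "The $method was received at $currentURL instead of $destination",
            ValidationError::WRONG_DESTINATION
        );
    }

    /**
     * Tells whether $destination is acceptable for the receiving URL $url.
     *
     * With 'destinationStrictlyMatches' enabled the two strings must be
     * identical. The previous strncmp() over strlen($destination) bytes only
     * proved that the Destination was a leading fragment of the URL, so a
     * truncated Destination was accepted in "strict" mode.
     *
     * Without it, the Destination only has to start with $url.
     *
     * @param string $destination Trimmed, non-empty Destination attribute value.
     * @param string $url         URL the message is considered to be received at.
     *
     * @return bool True when the Destination is acceptable for $url.
     */
    private static function destinationMatches(string $destination, string $url): bool
    {
        // A zero-length strncmp() always reports equality; an empty reference
        // URL must never validate a Destination.
        if ($url === '') {
            return false;
        }

        if (self::$security['destinationStrictlyMatches']) {
            return $destination === $url;
        }

        return strncmp($destination, $url, strlen($url)) === 0;
    }
}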