Escape error messages in debug mode

LukasReschke · LukasReschke · commit 21ca26715d53 · 2017-09-28T13:22:22.000+02:00
While one could argue that turning on debug mode is itself something you shouldn't do in production at least for some providers this seems to be the case.

Since the error messages can contain user-influenced input this can lead to XSS in the worst scenario.

Signed-off-by: Lukas Reschke &lt;lukas@statuscode.ch&gt;
diff --git a/lib/Saml2/LogoutRequest.php b/lib/Saml2/LogoutRequest.php
@@ -380,7 +380,7 @@ public function isValid($retrieveParametersFromServer = false)
             $this->_error = $e->getMessage();
             $debug = $this->_settings->isDebugActive();
             if ($debug) {
-                echo $this->_error;
+                echo htmlentities($this->_error);
             }
             return false;
         }
diff --git a/lib/Saml2/LogoutResponse.php b/lib/Saml2/LogoutResponse.php
@@ -188,7 +188,7 @@ public function isValid($requestId = null, $retrieveParametersFromServer = false
             $this->_error = $e->getMessage();
             $debug = $this->_settings->isDebugActive();
             if ($debug) {
-                echo $this->_error;
+                echo htmlentities($this->_error);
             }
             return false;
         }
diff --git a/lib/Saml2/Response.php b/lib/Saml2/Response.php
@@ -402,7 +402,7 @@ public function isValid($requestId = null)
             $this->_error = $e->getMessage();
             $debug = $this->_settings->isDebugActive();
             if ($debug) {
-                echo $this->_error;
+                echo htmlentities($this->_error);
             }
             return false;
         }
diff --git a/lib/Saml2/Utils.php b/lib/Saml2/Utils.php
@@ -134,7 +134,7 @@ public static function validateXML($xml, $schema, $debug = false)
 
             if ($debug) {
                 foreach ($xmlErrors as $error) {
-                    echo $error->message."\n";
+                    echo htmlentities($error->message."\n");
                 }
             }
 

Original file line number	Diff line number	Diff line change
`@@ -380,7 +380,7 @@ public function isValid($retrieveParametersFromServer = false)`
`380`	`380`	`$this->_error = $e->getMessage();`
`381`	`381`	`$debug = $this->_settings->isDebugActive();`
`382`	`382`	`if ($debug) {`
`383`		`- echo $this->_error;`
	`383`	`+ echo htmlentities($this->_error);`
`384`	`384`	`}`
`385`	`385`	`return false;`
`386`	`386`	`}`
Original file line number	Diff line number	Diff line change
`@@ -188,7 +188,7 @@ public function isValid($requestId = null, $retrieveParametersFromServer = false`
`188`	`188`	`$this->_error = $e->getMessage();`
`189`	`189`	`$debug = $this->_settings->isDebugActive();`
`190`	`190`	`if ($debug) {`
`191`		`- echo $this->_error;`
	`191`	`+ echo htmlentities($this->_error);`
`192`	`192`	`}`
`193`	`193`	`return false;`
`194`	`194`	`}`
Original file line number	Diff line number	Diff line change
`@@ -402,7 +402,7 @@ public function isValid($requestId = null)`
`402`	`402`	`$this->_error = $e->getMessage();`
`403`	`403`	`$debug = $this->_settings->isDebugActive();`
`404`	`404`	`if ($debug) {`
`405`		`- echo $this->_error;`
	`405`	`+ echo htmlentities($this->_error);`
`406`	`406`	`}`
`407`	`407`	`return false;`
`408`	`408`	`}`
Original file line number	Diff line number	Diff line change
`@@ -134,7 +134,7 @@ public static function validateXML($xml, $schema, $debug = false)`
`134`	`134`
`135`	`135`	`if ($debug) {`
`136`	`136`	`foreach ($xmlErrors as $error) {`
`137`		`- echo $error->message."\n";`
	`137`	`+ echo htmlentities($error->message."\n");`
`138`	`138`	`}`
`139`	`139`	`}`
`140`	`140`