Check destination against the getSelfURLNoQuery as well on LogoutRequest and LogoutResponse as we do on Response

pitbulk · pitbulk · commit 25d942f2944c · 2019-11-08T18:41:53.000+01:00
diff --git a/src/Saml2/LogoutRequest.php b/src/Saml2/LogoutRequest.php
@@ -393,11 +393,15 @@ public function isValid($retrieveParametersFromServer = false)
                 // Check destination
                 if ($dom->documentElement->hasAttribute('Destination')) {
                     $destination = $dom->documentElement->getAttribute('Destination');
-                    if (!empty($destination) && strpos($destination, $currentURL) === false) {
-                        throw new ValidationError(
-                            "The LogoutRequest was received at $currentURL instead of $destination",
-                            ValidationError::WRONG_DESTINATION
-                        );
+                    if (!empty($destination) && strpos($destination, $currentURL) !== 0) {
+                        $currentURLNoRouted = Utils::getSelfURLNoQuery();
+
+                        if (strpos($destination, $currentURLNoRouted) !== 0) {
+                            throw new ValidationError(
+                                "The LogoutRequest was received at $currentURL instead of $destination",
+                                ValidationError::WRONG_DESTINATION
+                            );
+                        }
                     }
                 }
 
diff --git a/src/Saml2/LogoutResponse.php b/src/Saml2/LogoutResponse.php
@@ -188,11 +188,15 @@ public function isValid($requestId = null, $retrieveParametersFromServer = false
                 // Check destination
                 if ($this->document->documentElement->hasAttribute('Destination')) {
                     $destination = $this->document->documentElement->getAttribute('Destination');
-                    if (!empty($destination) && strpos($destination, $currentURL) === false) {
-                        throw new ValidationError(
-                            "The LogoutResponse was received at $currentURL instead of $destination",
-                            ValidationError::WRONG_DESTINATION
-                        );
+                    if (!empty($destination) && strpos($destination, $currentURL) !== 0) {
+                        $currentURLNoRouted = Utils::getSelfURLNoQuery();
+
+                        if (strpos($destination, $currentURLNoRouted) !== 0) {
+                            throw new ValidationError(
+                                "The LogoutResponse was received at $currentURL instead of $destination",
+                                ValidationError::WRONG_DESTINATION
+                            );
+                        }
                     }
                 }
 
