SAML-Toolkits
diff --git a/‎CHANGELOG‎
Lines changed: 12 additions & 1 deletion b/‎CHANGELOG‎
Lines changed: 12 additions & 1 deletion
diff --git a/‎README.md‎
Lines changed: 7 additions & 1 deletion b/‎README.md‎
Lines changed: 7 additions & 1 deletion
diff --git a/‎advanced_settings_example.php‎
Lines changed: 6 additions & 0 deletions b/‎advanced_settings_example.php‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎src/Saml2/LogoutRequest.php‎
Lines changed: 21 additions & 11 deletions b/‎src/Saml2/LogoutRequest.php‎
Lines changed: 21 additions & 11 deletions
diff --git a/‎src/Saml2/LogoutResponse.php‎
Lines changed: 19 additions & 10 deletions b/‎src/Saml2/LogoutResponse.php‎
Lines changed: 19 additions & 10 deletions
diff --git a/‎src/Saml2/Response.php‎
Lines changed: 5 additions & 4 deletions b/‎src/Saml2/Response.php‎
Lines changed: 5 additions & 4 deletions
diff --git a/‎src/Saml2/Settings.php‎
Lines changed: 5 additions & 0 deletions b/‎src/Saml2/Settings.php‎
Lines changed: 5 additions & 0 deletions
@@ -1,7 +1,8 @@
 CHANGELOG
 =========
 v.3.4.0
-* Support rejecting unsolicited SAMLResponses. 
+* Support rejecting unsolicited SAMLResponses.
+* Support stric destination matching.
 * Reject SAMLResponse if requestID was provided to the validotr but the InResponseTo attributeof the SAMLResponse is missing
 * Check destination against the getSelfURLNoQuery as well on LogoutRequest and LogoutResponse as we do on Response
 * Improve getSelfRoutedURLNoQuery method
@@ -41,6 +42,16 @@ v.3.0.0
 * Remove mcrypt dependency. Compatible with PHP 7.2
 * xmlseclibs now is not part of the toolkit and need to be installed from original source
 
+v.2.18.0
+* Support rejecting unsolicited SAMLResponses.
+* Support stric destination matching.
+* Reject SAMLResponse if requestID was provided to the validotr but the InResponseTo attributeof the SAMLResponse is missing
+* Check destination against the getSelfURLNoQuery as well on LogoutRequest and LogoutResponse as we do on Response
+* Improve getSelfRoutedURLNoQuery method
+* Only add responseUrl to the settings if ResponseLocation present in the IdPMetadataParser
+* Remove use of $_GET on static method validateBinarySign
+* Fix error message when Assertion and NameId are both encrypted (not supported)
+
 v.2.17.1
 * Update xmlseclibs to 3.0.4
 * Remove Comparison atribute from RequestedAuthnContext when setting has empty value
 
@@ -10,7 +10,7 @@ and supported by OneLogin Inc.
 Warning
 -------
 
-Version 3.4.0 introduces the 'rejectUnsolicitedResponsesWithInResponseTo' setting parameter, by default disabled, that will allow invalidate unsolicited SAMLResponse. This version as well will reject SAMLResponse if requestId was provided to the validator but the SAMLResponse does not contain a InResponseTo attribute.
+Version 3.4.0 introduces the 'rejectUnsolicitedResponsesWithInResponseTo' setting parameter, by default disabled, that will allow invalidate unsolicited SAMLResponse. This version as well will reject SAMLResponse if requestId was provided to the validator but the SAMLResponse does not contain a InResponseTo attribute. And an additional setting parameter 'destinationStrictlyMatches', by default disabled, that will force that the Destination URL should strictly match to the address that process the SAMLResponse.
 
 Version 3.3.1 updates xmlseclibs to 3.0.4 (CVE-2019-3465), but php-saml was not directly affected since it implements additional checks that prevent to exploit that vulnerability.
 
@@ -482,6 +482,12 @@ $advancedSettings = array(
         // attribute will not be rejected for this fact.
         'relaxDestinationValidation' => false,
 
+        // If true, Destination URL should strictly match to the address to
+        // which the response has been sent.
+        // Notice that if 'relaxDestinationValidation' is true an empty Destintation
+        // will be accepted.
+        'destinationStrictlyMatches' => false,
+
         // If true, SAMLResponses with an InResponseTo value will be rejectd if not
         // AuthNRequest ID provided to the validation method.
         'rejectUnsolicitedResponsesWithInResponseTo' => false,
 
@@ -85,6 +85,12 @@
         // attribute will not be rejected for this fact.
         'relaxDestinationValidation' => false,
 
+        // If true, Destination URL should strictly match to the address to
+        // which the response has been sent.
+        // Notice that if 'relaxDestinationValidation' is true an empty Destintation
+        // will be accepted.
+        'destinationStrictlyMatches' => false,
+
         // If true, SAMLResponses with an InResponseTo value will be rejectd if not
         // AuthNRequest ID provided to the validation method.
         'rejectUnsolicitedResponsesWithInResponseTo' => false,
 
@@ -104,7 +104,7 @@ public function __construct(\OneLogin\Saml2\Settings $settings, $request = null,
                 $nameIdFormat = Constants::NAMEID_ENTITY;
             }
 
-            /* From saml-core-2.0-os 8.3.6, when the entity Format is used: 
+            /* From saml-core-2.0-os 8.3.6, when the entity Format is used:
                "The NameQualifier, SPNameQualifier, and SPProvidedID attributes MUST be omitted.
             */
             if (!empty($nameIdFormat) && $nameIdFormat == Constants::NAMEID_ENTITY) {
@@ -278,7 +278,7 @@ public static function getNameIdData($request, $key = null)
      * @param string|null        $key     The SP key
      *
      * @return string Name ID Value
-     * 
+     *
      * @throws Error
      * @throws Exception
      * @throws ValidationError
@@ -295,7 +295,7 @@ public static function getNameId($request, $key = null)
      * @param string|DOMDocument $request Logout Request Message
      *
      * @return string|null $issuer The Issuer
-     * 
+     *
      * @throws Exception
      */
     public static function getIssuer($request)
@@ -324,7 +324,7 @@ public static function getIssuer($request)
      * @param string|DOMDocument $request Logout Request Message
      *
      * @return array The SessionIndex value
-     * 
+     *
      * @throws Exception
      */
     public static function getSessionIndexes($request)
@@ -350,7 +350,7 @@ public static function getSessionIndexes($request)
      * @param bool $retrieveParametersFromServer True if we want to use parameters from $_SERVER to validate the signature
      *
      * @return bool If the Logout Request is or not valid
-     * 
+     *
      * @throws Exception
      * @throws ValidationError
      */
@@ -393,15 +393,25 @@ public function isValid($retrieveParametersFromServer = false)
                 // Check destination
                 if ($dom->documentElement->hasAttribute('Destination')) {
                     $destination = $dom->documentElement->getAttribute('Destination');
-                    if (!empty($destination) && strpos($destination, $currentURL) !== 0) {
-                        $currentURLNoRouted = Utils::getSelfURLNoQuery();
-
-                        if (strpos($destination, $currentURLNoRouted) !== 0) {
+                    if (empty($destination)) {
+                        if (!$security['relaxDestinationValidation']) {
                             throw new ValidationError(
-                                "The LogoutRequest was received at $currentURL instead of $destination",
-                                ValidationError::WRONG_DESTINATION
+                                "The LogoutRequest has an empty Destination value",
+                                ValidationError::EMPTY_DESTINATION
                             );
                         }
+                    } else {
+                        $urlComparisonLength = $security['destinationStrictlyMatches'] ? strlen($destination) : strlen($currentURL);
+                        if (strncmp($destination, $currentURL, $urlComparisonLength) !== 0) {
+                            $currentURLNoRouted = Utils::getSelfURLNoQuery();
+                            $urlComparisonLength = $security['destinationStrictlyMatches'] ? strlen($destination) : strlen($currentURLNoRouted);
+                            if (strncmp($destination, $currentURLNoRouted, $urlComparisonLength) !== 0) {
+                                throw new ValidationError(
+                                    "The LogoutRequest was received at $currentURL instead of $destination",
+                                    ValidationError::WRONG_DESTINATION
+                                );
+                            }
+                        }
                     }
                 }
 
 
@@ -65,10 +65,10 @@ class LogoutResponse
      *
      * @param Settings $settings Settings.
      * @param string|null             $response An UUEncoded SAML Logout response from the IdP.
-     * 
+     *
      * @throws Error
      * @throws Exception
-     * 
+     *
      */
     public function __construct(\OneLogin\Saml2\Settings $settings, $response = null)
     {
@@ -140,7 +140,7 @@ public function getStatus()
      * @param bool        $retrieveParametersFromServer True if we want to use parameters from $_SERVER to validate the signature
      *
      * @return bool Returns if the SAML LogoutResponse is or not valid
-     * 
+     *
      * @throws ValidationError
      */
     public function isValid($requestId = null, $retrieveParametersFromServer = false)
@@ -185,18 +185,27 @@ public function isValid($requestId = null, $retrieveParametersFromServer = false
 
                 $currentURL = Utils::getSelfRoutedURLNoQuery();
 
-                // Check destination
                 if ($this->document->documentElement->hasAttribute('Destination')) {
                     $destination = $this->document->documentElement->getAttribute('Destination');
-                    if (!empty($destination) && strpos($destination, $currentURL) !== 0) {
-                        $currentURLNoRouted = Utils::getSelfURLNoQuery();
-
-                        if (strpos($destination, $currentURLNoRouted) !== 0) {
+                    if (empty($destination)) {
+                        if (!$security['relaxDestinationValidation']) {
                             throw new ValidationError(
-                                "The LogoutResponse was received at $currentURL instead of $destination",
-                                ValidationError::WRONG_DESTINATION
+                                "The LogoutResponse has an empty Destination value",
+                                ValidationError::EMPTY_DESTINATION
                             );
                         }
+                    } else {
+                        $urlComparisonLength = $security['destinationStrictlyMatches'] ? strlen($destination) : strlen($currentURL);
+                        if (strncmp($destination, $currentURL, $urlComparisonLength) !== 0) {
+                            $currentURLNoRouted = Utils::getSelfURLNoQuery();
+                            $urlComparisonLength = $security['destinationStrictlyMatches'] ? strlen($destination) : strlen($currentURLNoRouted);
+                            if (strncmp($destination, $currentURLNoRouted, $urlComparisonLength) !== 0) {
+                                throw new ValidationError(
+                                    "The LogoutResponse was received at $currentURL instead of $destination",
+                                    ValidationError::WRONG_DESTINATION
+                                );
+                            }
+                        }
                     }
                 }
 
 
@@ -278,10 +278,11 @@ public function isValid($requestId = null)
                             );
                         }
                     } else {
-                        if (strpos($destination, $currentURL) !== 0) {
+                        $urlComparisonLength = $security['destinationStrictlyMatches'] ? strlen($destination) : strlen($currentURL);
+                        if (strncmp($destination, $currentURL, $urlComparisonLength) !== 0) {
                             $currentURLNoRouted = Utils::getSelfURLNoQuery();
-
-                            if (strpos($destination, $currentURLNoRouted) !== 0) {
+                            $urlComparisonLength = $security['destinationStrictlyMatches'] ? strlen($destination) : strlen($currentURLNoRouted);
+                            if (strncmp($destination, $currentURLNoRouted, $urlComparisonLength) !== 0) {
                                 throw new ValidationError(
                                     "The response was received at $currentURL instead of $destination",
                                     ValidationError::WRONG_DESTINATION
@@ -463,7 +464,7 @@ public function getId()
 
     /**
      * @return string|null the ID of the assertion in the Response
-     * 
+     *
      * @throws ValidationError
      */
     public function getAssertionId()
 
@@ -378,6 +378,11 @@ private function _addDefaultValues()
             $this->_security['relaxDestinationValidation'] = false;
         }
 
+        // Strict Destination match validation
+        if (!isset($this->_security['destinationStrictlyMatches'])) {
+            $this->_security['destinationStrictlyMatches'] = false;
+        }
+
         // InResponseTo
         if (!isset($this->_security['rejectUnsolicitedResponsesWithInResponseTo'])) {
             $this->_security['rejectUnsolicitedResponsesWithInResponseTo'] = false;