Merge pull request SAML-Toolkits#621 from SAML-Toolkits/improve_validate_binary_sign_master

Improve validate binary sign [master]

Author: pitbulk

lib/Saml2/Error.php

@@ -25,6 +25,7 @@ class OneLogin_Saml2_Error extends Exception
     const SAML_SINGLE_LOGOUT_NOT_SUPPORTED = 12;
     const PRIVATE_KEY_NOT_FOUND = 13;
     const UNSUPPORTED_SETTINGS_OBJECT = 14;
+    const INVALID_PARAMETER = 15;
 
     /**
      * Constructor

lib/Saml2/Utils.php

@@ -730,6 +730,10 @@ protected static function buildWithBaseURLPath($info)
      */
     public static function extractOriginalQueryParam($name)
     {
+        if (!isset($_SERVER['QUERY_STRING']) || empty($_SERVER['QUERY_STRING'])) {
+            return '';
+        }
+
         $index = strpos($_SERVER['QUERY_STRING'], $name.'=');
         $substring = substr($_SERVER['QUERY_STRING'], $index + strlen($name) + 1);
         $end = strpos($substring, '&');
@@ -1511,12 +1515,41 @@ public static function validateBinarySign($messageType, $getData, $idpData, $ret
         }
 
         if ($retrieveParametersFromServer) {
+            if (!isset($_SERVER['QUERY_STRING']) || empty($_SERVER['QUERY_STRING'])) {
+                throw new OneLogin_Saml2_Error(
+                    "No query string provided",
+                    OneLogin_Saml2_Error::INVALID_PARAMETER
+                );
+            }
+            $keys = array("SAMLRequest", "SAMLResponse", "RelayState", "SigAlg", "Signature");
+            foreach ($keys as $key) {
+                if (substr_count($_SERVER['QUERY_STRING'], $key) > 1) {
+                    throw new OneLogin_Saml2_Error(
+                        "Duplicate parameter in query string",
+                        OneLogin_Saml2_Error::INVALID_PARAMETER
+                    );
+                }
+            }
+            if (substr_count($_SERVER['QUERY_STRING'], "SAMLRequest") > 0 && substr_count($_SERVER['QUERY_STRING'], "SAMLResponse") > 0) {
+                throw new OneLogin_Saml2_Error(
+                    "Both SAMLRequest and SAMLResponse provided",
+                    OneLogin_Saml2_Error::INVALID_PARAMETER
+                );
+            }
+
             $signedQuery = $messageType.'='.OneLogin_Saml2_Utils::extractOriginalQueryParam($messageType);
             if (isset($getData['RelayState'])) {
                 $signedQuery .= '&RelayState='.OneLogin_Saml2_Utils::extractOriginalQueryParam('RelayState');
             }
             $signedQuery .= '&SigAlg='.OneLogin_Saml2_Utils::extractOriginalQueryParam('SigAlg');
         } else {
+            if (isset($getData['SAMLRequest']) && isset($getData['SAMLResponse'])) {
+                throw new OneLogin_Saml2_Error(
+                    "Both SAMLRequest and SAMLResponse provided",
+                    OneLogin_Saml2_Error::INVALID_PARAMETER
+                );
+            }
+
             $signedQuery = $messageType.'='.urlencode($getData[$messageType]);
             if (isset($getData['RelayState'])) {
                 $signedQuery .= '&RelayState='.urlencode($getData['RelayState']);