Update changelog. Apply strict destination matching also on logout request and logout response

pitbulk · pitbulk · commit 96dd9ef647b7 · 2019-11-13T17:08:44.000+01:00
diff --git a/CHANGELOG b/CHANGELOG
@@ -2,6 +2,7 @@ CHANGELOG
 =========
 v.2.18.0
 * Support rejecting unsolicited SAMLResponses.
+* Support stric destination matching.
 * Reject SAMLResponse if requestID was provided to the validotr but the InResponseTo attributeof the SAMLResponse is missing
 * Check destination against the getSelfURLNoQuery as well on LogoutRequest and LogoutResponse as we do on Response
 * Improve getSelfRoutedURLNoQuery method
diff --git a/lib/Saml2/LogoutRequest.php b/lib/Saml2/LogoutRequest.php
@@ -365,15 +365,26 @@ public function isValid($retrieveParametersFromServer = false)
                 // Check destination
                 if ($dom->documentElement->hasAttribute('Destination')) {
                     $destination = $dom->documentElement->getAttribute('Destination');
-                    if (!empty($destination) && strpos($destination, $currentURL) !== 0) {
-                        $currentURLNoRouted = OneLogin_Saml2_Utils::getSelfURLNoQuery();
-
-                        if (strpos($destination, $currentURLNoRouted) !== 0) {
+                    if (empty($destination)) {
+                        if (!$security['relaxDestinationValidation']) {
                             throw new OneLogin_Saml2_ValidationError(
-                                "The LogoutRequest was received at $currentURL instead of $destination",
-                                OneLogin_Saml2_ValidationError::WRONG_DESTINATION
+                                "The LogoutRequest has an empty Destination value",
+                                OneLogin_Saml2_ValidationError::EMPTY_DESTINATION
                             );
                         }
+                    } else {
+                        $urlComparisonLength = $security['destinationStrictlyMatches'] ? strlen($destination) : strlen($currentURL);
+                        if (strncmp($destination, $currentURL, $urlComparisonLength) !== 0) {
+                            $currentURLNoRouted = OneLogin_Saml2_Utils::getSelfURLNoQuery();
+                            $urlComparisonLength = $security['destinationStrictlyMatches'] ? strlen($destination) : strlen($currentURLNoRouted);
+
+                            if (strncmp($destination, $currentURLNoRouted, $urlComparisonLength) !== 0) {
+                                throw new OneLogin_Saml2_ValidationError(
+                                    "The LogoutRequest was received at $currentURL instead of $destination",
+                                    OneLogin_Saml2_ValidationError::WRONG_DESTINATION
+                                );
+                            }
+                        }
                     }
                 }
 
diff --git a/lib/Saml2/LogoutResponse.php b/lib/Saml2/LogoutResponse.php
@@ -161,15 +161,26 @@ public function isValid($requestId = null, $retrieveParametersFromServer = false
                 // Check destination
                 if ($this->document->documentElement->hasAttribute('Destination')) {
                     $destination = $this->document->documentElement->getAttribute('Destination');
-                    if (!empty($destination) && strpos($destination, $currentURL) !== 0) {
-                        $currentURLNoRouted = OneLogin_Saml2_Utils::getSelfURLNoQuery();
-
-                        if (strpos($destination, $currentURLNoRouted) !== 0) {
+                    if (empty($destination)) {
+                        if (!$security['relaxDestinationValidation']) {
                             throw new OneLogin_Saml2_ValidationError(
-                                "The LogoutResponse was received at $currentURL instead of $destination",
-                                OneLogin_Saml2_ValidationError::WRONG_DESTINATION
+                                "The LogoutResponse has an empty Destination value",
+                                OneLogin_Saml2_ValidationError::EMPTY_DESTINATION
                             );
                         }
+                    } else {
+                        $urlComparisonLength = $security['destinationStrictlyMatches'] ? strlen($destination) : strlen($currentURL);
+                        if (strncmp($destination, $currentURL, $urlComparisonLength) !== 0) {
+                            $currentURLNoRouted = OneLogin_Saml2_Utils::getSelfURLNoQuery();
+                            $urlComparisonLength = $security['destinationStrictlyMatches'] ? strlen($destination) : strlen($currentURLNoRouted);
+
+                            if (strncmp($destination, $currentURLNoRouted, $urlComparisonLength) !== 0) {
+                                throw new OneLogin_Saml2_ValidationError(
+                                    "The LogoutResponse was received at $currentURL instead of $destination",
+                                    OneLogin_Saml2_ValidationError::WRONG_DESTINATION
+                                );
+                            }
+                        }
                     }
                 }
 
