Fix redirect protection. Absolute URLs failed and only relatives were accepted

pitbulk · pitbulk · commit 12b4e0bab794 · 2020-11-28T04:17:49.000+01:00
diff --git a/onelogin-saml-sso/php/functions.php b/onelogin-saml-sso/php/functions.php
@@ -41,7 +41,7 @@ function may_disable_saml() {
 	return false;
 }
 
-function get_domain() {
+function get_without() {
 	$protocols = array( 'http://', 'https://', 'http://www.', 'https://www.', 'www.' );
 	return str_replace($protocols, '', site_url());
 }
@@ -50,22 +50,24 @@ function redirect_to_relaystate_if_trusted($url) {
 	$trusted = false;
 	$trustedDomainsOpt = get_option('onelogin_saml_trusted_url_domains', "");
 	$trustedDomains = explode(",", trim($trustedDomainsOpt));
-	$trustedDomains[] = get_domain();
+	$trusted = !empty($trustedDomains) && checkIsExternalURLAllowed($url, $trustedDomains);
 
-	$trusted = checkURLAllowed($url, $trustedDomains);
+	if (!$trusted) {
+		$url = wp_validate_redirect($url, home_url());
+	}
 
 	if ($trusted) {
 		wp_redirect($url);
 	} else {
-		wp_redirect(home_url());
+		wp_redirect($url);
 	}
 }
 
-function checkURLAllowed($url, $trustedSites = [])
+function checkIsExternalURLAllowed($url, $trustedSites = [])
 {
-	// Allow Relative URL
+	// If seems Relative URL, convert into absolute and validate it
 	if ($url[0] === '/') {
-		return true;
+		$url = WP_Http::make_absolute_url($url, home_url());
 	}
 
 	if (!wp_http_validate_url($url)) {
@@ -94,10 +96,14 @@ function checkURLAllowed($url, $trustedSites = [])
 	) {
 		if (in_array($hostname.':'.$components['port'], $trustedSites, true)) {
 			return true;
+		} else {
+
 		}
 	}
 
-	return in_array($hostname, $trustedSites, true);
+	if (in_array($hostname, $trustedSites, true)) {
+		return true;
+	}
 }
 
 function saml_custom_login_footer() {

Original file line number	Diff line number	Diff line change
`@@ -41,7 +41,7 @@ function may_disable_saml() {`
`41`	`41`	`return false;`
`42`	`42`	`}`
`43`	`43`
`44`		`-function get_domain() {`
	`44`	`+function get_without() {`
`45`	`45`	`$protocols = array( 'http://', 'https://', 'http://www.', 'https://www.', 'www.' );`
`46`	`46`	`return str_replace($protocols, '', site_url());`
`47`	`47`	`}`
`@@ -50,22 +50,24 @@ function redirect_to_relaystate_if_trusted($url) {`
`50`	`50`	`$trusted = false;`
`51`	`51`	`$trustedDomainsOpt = get_option('onelogin_saml_trusted_url_domains', "");`
`52`	`52`	`$trustedDomains = explode(",", trim($trustedDomainsOpt));`
`53`		`- $trustedDomains[] = get_domain();`
	`53`	`+ $trusted = !empty($trustedDomains) && checkIsExternalURLAllowed($url, $trustedDomains);`
`54`	`54`
`55`		`- $trusted = checkURLAllowed($url, $trustedDomains);`
	`55`	`+ if (!$trusted) {`
	`56`	`+ $url = wp_validate_redirect($url, home_url());`
	`57`	`+ }`
`56`	`58`
`57`	`59`	`if ($trusted) {`
`58`	`60`	`wp_redirect($url);`
`59`	`61`	`} else {`
`60`		`- wp_redirect(home_url());`
	`62`	`+ wp_redirect($url);`
`61`	`63`	`}`
`62`	`64`	`}`
`63`	`65`
`64`		`-function checkURLAllowed($url, $trustedSites = [])`
	`66`	`+function checkIsExternalURLAllowed($url, $trustedSites = [])`
`65`	`67`	`{`
`66`		`- // Allow Relative URL`
	`68`	`+ // If seems Relative URL, convert into absolute and validate it`
`67`	`69`	`if ($url[0] === '/') {`
`68`		`- return true;`
	`70`	`+ $url = WP_Http::make_absolute_url($url, home_url());`
`69`	`71`	`}`
`70`	`72`
`71`	`73`	`if (!wp_http_validate_url($url)) {`
`@@ -94,10 +96,14 @@ function checkURLAllowed($url, $trustedSites = [])`
`94`	`96`	`) {`
`95`	`97`	`if (in_array($hostname.':'.$components['port'], $trustedSites, true)) {`
`96`	`98`	`return true;`
	`99`	`+ } else {`
	`100`	`+`
`97`	`101`	`}`
`98`	`102`	`}`
`99`	`103`
`100`		`- return in_array($hostname, $trustedSites, true);`
	`104`	`+ if (in_array($hostname, $trustedSites, true)) {`
	`105`	`+ return true;`
	`106`	`+ }`
`101`	`107`	`}`
`102`	`108`
`103`	`109`	`function saml_custom_login_footer() {`