Update php-saml to 4.3.1

Author: pitbulk

onelogin-saml-sso/php/lib/Saml2/Auth.php

@@ -165,13 +165,13 @@ class Auth
     /**
      * Initializes the SP SAML instance.
      *
-     * @param array|null $settings         Setting data
-     * @param bool       $spValidationOnly Validate or not the IdP data
+     * @param array|null $settings Setting data
+     * @param bool $spValidationOnly if true, The library will only validate the SAML SP settings,
      *
      * @throws Exception
      * @throws Error
      */
-    public function __construct(array $settings = null, $spValidationOnly = false)
+    public function __construct(?array $settings = null, bool $spValidationOnly = false)
     {
         $this->_settings = new Settings($settings, $spValidationOnly);
     }

onelogin-saml-sso/php/lib/Saml2/Response.php

@@ -272,7 +272,10 @@ public function isValid($requestId = null)
 
                 // Check destination
                 if ($this->document->documentElement->hasAttribute('Destination')) {
-                    $destination = trim($this->document->documentElement->getAttribute('Destination'));
+                    $destination = $this->document->documentElement->getAttribute('Destination');
+                    if (isset($destination)) {
+                        $destination = trim($destination);
+                    }
                     if (empty($destination)) {
                         if (!$security['relaxDestinationValidation']) {
                             throw new ValidationError(
@@ -298,25 +301,24 @@ public function isValid($requestId = null)
                 // Check audience
                 $validAudiences = $this->getAudiences();
                 if (!empty($validAudiences) && !in_array($spEntityId, $validAudiences, true)) {
+                    $validAudiencesStr = implode(',', $validAudiences);
                     throw new ValidationError(
-                        sprintf(
-                            "Invalid audience for this Response (expected '%s', got '%s')",
-                            $spEntityId,
-                            implode(',', $validAudiences)
-                        ),
+                        "Invalid audience for this Response (expected '".$spEntityId."', got '".$validAudiencesStr."')",
                         ValidationError::WRONG_AUDIENCE
                     );
                 }
 
                 // Check the issuers
                 $issuers = $this->getIssuers();
                 foreach ($issuers as $issuer) {
-                    $trimmedIssuer = trim($issuer);
-                    if (empty($trimmedIssuer) || $trimmedIssuer !== $idPEntityId) {
-                        throw new ValidationError(
-                            "Invalid issuer in the Assertion/Response (expected '$idPEntityId', got '$trimmedIssuer')",
-                            ValidationError::WRONG_ISSUER
-                        );
+                    if (isset($issuer)) {
+                        $trimmedIssuer = trim($issuer);
+                        if (empty($trimmedIssuer) || $trimmedIssuer !== $idPEntityId) {
+                            throw new ValidationError(
+                                "Invalid issuer in the Assertion/Response (expected '".$idPEntityId."', got '".$trimmedIssuer."')",
+                                ValidationError::WRONG_ISSUER
+                            );
+                        }
                     }
                 }
 
@@ -546,7 +548,10 @@ public function getAudiences()
 
         $entries = $this->_queryAssertion('/saml:Conditions/saml:AudienceRestriction/saml:Audience');
         foreach ($entries as $entry) {
-            $value = trim($entry->textContent);
+            $value = $entry->textContent;
+            if (isset($value)) {
+                $value = trim($value);
+            }
             if (!empty($value)) {
                 $audiences[] = $value;
             }
@@ -651,7 +656,7 @@ public function getNameIdData()
                         $spEntityId = $spData['entityId'];
                         if ($spEntityId != $nameId->getAttribute($attr)) {
                             throw new ValidationError(
-                                "The SPNameQualifier value mistmatch the SP entityID value.",
+                                "The SPNameQualifier value mismatch the SP entityID value.",
                                 ValidationError::SP_NAME_QUALIFIER_NAME_MISMATCH
                             );
                         }
@@ -1261,13 +1266,19 @@ public function getErrorException()
     /**
      * After execute a validation process, if fails this method returns the cause
      *
+     * @param bool $escape Apply or not htmlentities to the message.
+     *
      * @return null|string Error reason
      */
-    public function getError()
+    public function getError($escape = true)
     {
         $errorMsg = null;
         if (isset($this->_error)) {
-            $errorMsg = htmlentities($this->_error->getMessage());
+            if ($escape) {
+                $errorMsg = htmlentities($this->_error->getMessage());
+            } else {
+                $errorMsg = $this->_error->getMessage();
+            }
         }
         return $errorMsg;
     }

onelogin-saml-sso/php/lib/Saml2/Settings.php

@@ -120,7 +120,7 @@ class Settings
      * @throws Error If any settings parameter is invalid
      * @throws Exception If Settings is incorrectly supplied
      */
-    public function __construct(array $settings = null, $spValidationOnly = false)
+    public function __construct(?array $settings = null,bool $spValidationOnly = false)
     {
         $this->_spValidationOnly = $spValidationOnly;
         $this->_loadPaths();

onelogin-saml-sso/php/lib/Saml2/Utils.php

@@ -763,7 +763,7 @@ public static function extractOriginalQueryParam($name)
      */
     public static function generateUniqueID()
     {
-        return 'ONELOGIN_' . sha1(uniqid((string)mt_rand(), true));
+        return 'ONELOGIN_' . sha1(random_bytes(20));
     }
 
     /**
@@ -961,7 +961,7 @@ public static function getExpireTime($cacheDuration = null, $validUntil = null)
      *
      * @return DOMNodeList The queried nodes
      */
-    public static function query(DOMDocument $dom, $query, DOMElement $context = null)
+    public static function query(DOMDocument $dom, $query, ?DOMElement $context = null)
     {
         $xpath = new DOMXPath($dom);
         $xpath->registerNamespace('samlp', Constants::NS_SAMLP);

onelogin-saml-sso/php/lib/Saml2/ValidationError.php

@@ -90,8 +90,12 @@ public function __construct($msg, $code = 0, $args = array())
         if (!isset($args)) {
             $args = array();
         }
-        $params = array_merge(array($msg), $args);
-        $message = call_user_func_array('sprintf', $params);
+        if (!empty($args)) {
+            $params = array_merge(array($msg), $args);
+            $message = call_user_func_array('sprintf', $params);
+        } else {
+            $message = $msg;
+        }
 
         parent::__construct($message, $code);
     }

onelogin-saml-sso/php/lib/Saml2/version.json

@@ -1,6 +1,6 @@
 {
     "php-saml": {
-        "version": "3.8.1",
+        "version": "4.3.1",
         "released": "09/12/2025"
     }
 }