author | Roeland Jago Douma <roeland@famdouma.nl> | 2019-05-27 10:31:39 +0300 |
---|---|---|
committer | Roeland Jago Douma <roeland@famdouma.nl> | 2019-05-27 10:31:39 +0300 |
commit | d5f816634b2abd68918a313d3bc4a9cd2a7c9ad6 (patch) | |
tree | e2700ae760a33c00cfdc11ee7319d65559e61bad /3rdparty | |
parent | 751a83ca7820178862ac9ce2e16adce3a6f2333d (diff) |
Bump php-saml to 3.1.1
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
Diffstat (limited to '3rdparty')
10 files changed, 48 insertions, 21 deletions
diff --git a/3rdparty/vendor/composer/installed.json b/3rdparty/vendor/composer/installed.json index db0275ab..5a8d6c52 100644 --- a/3rdparty/vendor/composer/installed.json +++ b/3rdparty/vendor/composer/installed.json @@ -46,22 +46,22 @@ }, { "name": "onelogin/php-saml", - "version": "v3.0.0", - "version_normalized": "3.0.0.0", + "version": "3.1.1", + "version_normalized": "3.1.1.0", "source": { "type": "git", "url": "https://github.com/onelogin/php-saml.git", - "reference": "920c2240e48c9a74aad4129720f48fbf3d5fee47" + "reference": "c9026b26395a65184550055d9a01bdf9dbd30861" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/onelogin/php-saml/zipball/920c2240e48c9a74aad4129720f48fbf3d5fee47", - "reference": "920c2240e48c9a74aad4129720f48fbf3d5fee47", + "url": "https://api.github.com/repos/onelogin/php-saml/zipball/c9026b26395a65184550055d9a01bdf9dbd30861", + "reference": "c9026b26395a65184550055d9a01bdf9dbd30861", "shasum": "" }, "require": { "php": ">=5.4", - "robrichards/xmlseclibs": "^3.0" + "robrichards/xmlseclibs": ">=3.0.3" }, "require-dev": { "pdepend/pdepend": "^2.5.0", @@ -76,7 +76,7 @@ "ext-gettext": "Install gettext and php5-gettext libs to handle translations", "ext-openssl": "Install openssl lib in order to handle with x509 certs (require to support sign and encryption)" }, - "time": "2018-10-02T16:02:37+00:00", + "time": "2019-03-11T09:41:32+00:00", "type": "library", "installation-source": "dist", "autoload": { diff --git a/3rdparty/vendor/onelogin/php-saml/CHANGELOG b/3rdparty/vendor/onelogin/php-saml/CHANGELOG index 31fe880f..384a1c90 100644 --- a/3rdparty/vendor/onelogin/php-saml/CHANGELOG +++ b/3rdparty/vendor/onelogin/php-saml/CHANGELOG 
@@ -1,7 +1,10 @@ CHANGELOG ========= +v.3.1.0 +* Security improvement suggested by Nils Engelbertz to prevent DDOS by expansion of internally defined entities (XEE) +* Fix setting_example.php servicename parameter -v.3.0.0 (pending) +v.3.0.0 * Remove mcrypt dependency. Compatible with PHP 7.2 * xmlseclibs now is not part of the toolkit and need to be installed from original source diff --git a/3rdparty/vendor/onelogin/php-saml/README.md b/3rdparty/vendor/onelogin/php-saml/README.md index 15402b6c..8c0582ad 100644 --- a/3rdparty/vendor/onelogin/php-saml/README.md +++ b/3rdparty/vendor/onelogin/php-saml/README.md @@ -10,6 +10,8 @@ and supported by OneLogin Inc. Warning ------- +Update php-saml to 3.1.0, this version includes a security patch related to XEE attacks. + This version is compatible with PHP 7.X and does not include xmlseclibs (you will need to install it via composer, dependency described in composer.json) Security Guidelines @@ -247,7 +249,7 @@ $settings = array( // or unencrypted messages if it expects them to be signed or encrypted. // Also it will reject the messages if the SAML standard is not strictly // followed: Destination, NameId, Conditions ... are validated too. - 'strict' => false, + 'strict' => true, // Enable debug mode (to print errors). 'debug' => false, diff --git a/3rdparty/vendor/onelogin/php-saml/composer.json b/3rdparty/vendor/onelogin/php-saml/composer.json index bab318e9..118f2cfb 100644 --- a/3rdparty/vendor/onelogin/php-saml/composer.json +++ b/3rdparty/vendor/onelogin/php-saml/composer.json @@ -16,7 +16,7 @@ }, "require": { "php": ">=5.4", - "robrichards/xmlseclibs": "^3.0" + "robrichards/xmlseclibs": ">=3.0.3" }, "require-dev": { "phpunit/phpunit": "^4.8.35 || ^5.7 || ^6.5 || ^7.1", diff --git a/3rdparty/vendor/onelogin/php-saml/settings_example.php b/3rdparty/vendor/onelogin/php-saml/settings_example.php index c9f41088..b29195de 100644 --- a/3rdparty/vendor/onelogin/php-saml/settings_example.php 
+++ b/3rdparty/vendor/onelogin/php-saml/settings_example.php @@ -5,7 +5,7 @@ $settings = array( // or unencrypted messages if it expects them signed or encrypted // Also will reject the messages if not strictly follow the SAML // standard: Destination, NameId, Conditions ... are validated too. - 'strict' => false, + 'strict' => true, // Enable debug mode (to print errors) 'debug' => false, @@ -34,7 +34,7 @@ $settings = array( // attributeConsumingService. nameFormat, attributeValue and // friendlyName can be omitted. Otherwise remove this section. "attributeConsumingService"=> array( - "ServiceName" => "SP test", + "serviceName" => "SP test", "serviceDescription" => "Test Service", "requestedAttributes" => array( array( diff --git a/3rdparty/vendor/onelogin/php-saml/src/Saml2/Auth.php b/3rdparty/vendor/onelogin/php-saml/src/Saml2/Auth.php index 636c0342..3ba03d48 100644 --- a/3rdparty/vendor/onelogin/php-saml/src/Saml2/Auth.php +++ b/3rdparty/vendor/onelogin/php-saml/src/Saml2/Auth.php @@ -527,7 +527,7 @@ class Auth */ public function login($returnTo = null, array $parameters = array(), $forceAuthn = false, $isPassive = false, $stay = false, $setNameIdPolicy = true) { - $authnRequest = new AuthnRequest($this->_settings, $forceAuthn, $isPassive, $setNameIdPolicy); + $authnRequest = $this->buildAuthnRequest($this->_settings, $forceAuthn, $isPassive, $setNameIdPolicy); $this->_lastRequest = $authnRequest->getXML(); $this->_lastRequestID = $authnRequest->getId(); 
@@ -643,6 +643,21 @@ class Auth } /** + * Creates an AuthnRequest + * + * @param Settings $settings Setting data + * @param bool $forceAuthn When true the AuthNRequest will set the ForceAuthn='true' + * @param bool $isPassive When true the AuthNRequest will set the Ispassive='true' + * @param bool $setNameIdPolicy When true the AuthNRequest will set a nameIdPolicy element + * + * @return AuthnRequest The AuthnRequest object + */ + public function buildAuthnRequest($settings, $forceAuthn, $isPassive, $setNameIdPolicy) + { + return new AuthnRequest($settings, $forceAuthn, $isPassive, $setNameIdPolicy); + } + + /** * Generates the Signature for a SAML Request * * @param string $samlRequest The SAML Request diff --git a/3rdparty/vendor/onelogin/php-saml/src/Saml2/LogoutRequest.php b/3rdparty/vendor/onelogin/php-saml/src/Saml2/LogoutRequest.php index 2e9258c8..4cd7efb0 100644 --- a/3rdparty/vendor/onelogin/php-saml/src/Saml2/LogoutRequest.php +++ b/3rdparty/vendor/onelogin/php-saml/src/Saml2/LogoutRequest.php @@ -184,7 +184,7 @@ LOGOUTREQUEST; * * @return string ID * - * @throws OneLogin_Saml2_Error + * @throws Error */ public static function getID($request) { diff --git a/3rdparty/vendor/onelogin/php-saml/src/Saml2/Response.php b/3rdparty/vendor/onelogin/php-saml/src/Saml2/Response.php index 7ad31b0f..90c3d5cc 100644 --- a/3rdparty/vendor/onelogin/php-saml/src/Saml2/Response.php +++ b/3rdparty/vendor/onelogin/php-saml/src/Saml2/Response.php @@ -144,7 +144,7 @@ class Response ); } - $status = $this->checkStatus(); + $this->checkStatus(); $singleAssertion = $this->validateNumAssertions(); if (!$singleAssertion) { diff --git a/3rdparty/vendor/onelogin/php-saml/src/Saml2/Utils.php b/3rdparty/vendor/onelogin/php-saml/src/Saml2/Utils.php index f88298af..73d16959 100644 --- a/3rdparty/vendor/onelogin/php-saml/src/Saml2/Utils.php +++ b/3rdparty/vendor/onelogin/php-saml/src/Saml2/Utils.php 
@@ -82,14 +82,20 @@ class Utils assert($dom instanceof DOMDocument); assert(is_string($xml)); - if (strpos($xml, '<!ENTITY') !== false) { - throw new Exception('Detected use of ENTITY in XML, disabled to prevent XXE/XEE attacks'); - } - $oldEntityLoader = libxml_disable_entity_loader(true); + $res = $dom->loadXML($xml); + libxml_disable_entity_loader($oldEntityLoader); + foreach ($dom->childNodes as $child) { + if ($child->nodeType === XML_DOCUMENT_TYPE_NODE) { + throw new Exception( + 'Detected use of DOCTYPE/ENTITY in XML, disabled to prevent XXE/XEE attacks' + ); + } + } + if (!$res) { return false; } else { diff --git a/3rdparty/vendor/onelogin/php-saml/src/Saml2/version.json b/3rdparty/vendor/onelogin/php-saml/src/Saml2/version.json index ebdf4ece..a0e37fac 100644 --- a/3rdparty/vendor/onelogin/php-saml/src/Saml2/version.json +++ b/3rdparty/vendor/onelogin/php-saml/src/Saml2/version.json @@ -1,6 +1,7 @@ { "php-saml": { - "version": "3.0.0", - "released": "02/11/2018" + "version": "3.1.1", + "released": "20/02/2019" } } + |