authorRoeland Jago Douma <roeland@famdouma.nl>2019-05-27 10:31:39 +0300
committerRoeland Jago Douma <roeland@famdouma.nl>2019-05-27 10:31:39 +0300
commitd5f816634b2abd68918a313d3bc4a9cd2a7c9ad6 (patch)
treee2700ae760a33c00cfdc11ee7319d65559e61bad /3rdparty
parent751a83ca7820178862ac9ce2e16adce3a6f2333d (diff)
Bump php-saml to 3.1.1
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
Diffstat (limited to '3rdparty')
-rw-r--r--3rdparty/vendor/composer/installed.json14
-rw-r--r--3rdparty/vendor/onelogin/php-saml/CHANGELOG5
-rw-r--r--3rdparty/vendor/onelogin/php-saml/README.md4
-rw-r--r--3rdparty/vendor/onelogin/php-saml/composer.json2
-rw-r--r--3rdparty/vendor/onelogin/php-saml/settings_example.php4
-rw-r--r--3rdparty/vendor/onelogin/php-saml/src/Saml2/Auth.php17
-rw-r--r--3rdparty/vendor/onelogin/php-saml/src/Saml2/LogoutRequest.php2
-rw-r--r--3rdparty/vendor/onelogin/php-saml/src/Saml2/Response.php2
-rw-r--r--3rdparty/vendor/onelogin/php-saml/src/Saml2/Utils.php14
-rw-r--r--3rdparty/vendor/onelogin/php-saml/src/Saml2/version.json5
10 files changed, 48 insertions, 21 deletions
diff --git a/3rdparty/vendor/composer/installed.json b/3rdparty/vendor/composer/installed.json
index db0275ab..5a8d6c52 100644
--- a/3rdparty/vendor/composer/installed.json
+++ b/3rdparty/vendor/composer/installed.json
@@ -46,22 +46,22 @@
},
{
"name": "onelogin/php-saml",
- "version": "v3.0.0",
- "version_normalized": "3.0.0.0",
+ "version": "3.1.1",
+ "version_normalized": "3.1.1.0",
"source": {
"type": "git",
"url": "https://github.com/onelogin/php-saml.git",
- "reference": "920c2240e48c9a74aad4129720f48fbf3d5fee47"
+ "reference": "c9026b26395a65184550055d9a01bdf9dbd30861"
},
"dist": {
"type": "zip",
- "url": "https://api.github.com/repos/onelogin/php-saml/zipball/920c2240e48c9a74aad4129720f48fbf3d5fee47",
- "reference": "920c2240e48c9a74aad4129720f48fbf3d5fee47",
+ "url": "https://api.github.com/repos/onelogin/php-saml/zipball/c9026b26395a65184550055d9a01bdf9dbd30861",
+ "reference": "c9026b26395a65184550055d9a01bdf9dbd30861",
"shasum": ""
},
"require": {
"php": ">=5.4",
- "robrichards/xmlseclibs": "^3.0"
+ "robrichards/xmlseclibs": ">=3.0.3"
},
"require-dev": {
"pdepend/pdepend": "^2.5.0",
@@ -76,7 +76,7 @@
"ext-gettext": "Install gettext and php5-gettext libs to handle translations",
"ext-openssl": "Install openssl lib in order to handle with x509 certs (require to support sign and encryption)"
},
- "time": "2018-10-02T16:02:37+00:00",
+ "time": "2019-03-11T09:41:32+00:00",
"type": "library",
"installation-source": "dist",
"autoload": {
diff --git a/3rdparty/vendor/onelogin/php-saml/CHANGELOG b/3rdparty/vendor/onelogin/php-saml/CHANGELOG
index 31fe880f..384a1c90 100644
--- a/3rdparty/vendor/onelogin/php-saml/CHANGELOG
+++ b/3rdparty/vendor/onelogin/php-saml/CHANGELOG
@@ -1,7 +1,10 @@
CHANGELOG
=========
+v.3.1.0
+* Security improvement suggested by Nils Engelbertz to prevent DDOS by expansion of internally defined entities (XEE)
+* Fix setting_example.php servicename parameter
-v.3.0.0 (pending)
+v.3.0.0
* Remove mcrypt dependency. Compatible with PHP 7.2
* xmlseclibs now is not part of the toolkit and need to be installed from original source
diff --git a/3rdparty/vendor/onelogin/php-saml/README.md b/3rdparty/vendor/onelogin/php-saml/README.md
index 15402b6c..8c0582ad 100644
--- a/3rdparty/vendor/onelogin/php-saml/README.md
+++ b/3rdparty/vendor/onelogin/php-saml/README.md
@@ -10,6 +10,8 @@ and supported by OneLogin Inc.
Warning
-------
+Update php-saml to 3.1.0, this version includes a security patch related to XEE attacks.
+
This version is compatible with PHP 7.X and does not include xmlseclibs (you will need to install it via composer, dependency described in composer.json)
Security Guidelines
@@ -247,7 +249,7 @@ $settings = array(
// or unencrypted messages if it expects them to be signed or encrypted.
// Also it will reject the messages if the SAML standard is not strictly
// followed: Destination, NameId, Conditions ... are validated too.
- 'strict' => false,
+ 'strict' => true,
// Enable debug mode (to print errors).
'debug' => false,
diff --git a/3rdparty/vendor/onelogin/php-saml/composer.json b/3rdparty/vendor/onelogin/php-saml/composer.json
index bab318e9..118f2cfb 100644
--- a/3rdparty/vendor/onelogin/php-saml/composer.json
+++ b/3rdparty/vendor/onelogin/php-saml/composer.json
@@ -16,7 +16,7 @@
},
"require": {
"php": ">=5.4",
- "robrichards/xmlseclibs": "^3.0"
+ "robrichards/xmlseclibs": ">=3.0.3"
},
"require-dev": {
"phpunit/phpunit": "^4.8.35 || ^5.7 || ^6.5 || ^7.1",
diff --git a/3rdparty/vendor/onelogin/php-saml/settings_example.php b/3rdparty/vendor/onelogin/php-saml/settings_example.php
index c9f41088..b29195de 100644
--- a/3rdparty/vendor/onelogin/php-saml/settings_example.php
+++ b/3rdparty/vendor/onelogin/php-saml/settings_example.php
@@ -5,7 +5,7 @@ $settings = array(
// or unencrypted messages if it expects them signed or encrypted
// Also will reject the messages if not strictly follow the SAML
// standard: Destination, NameId, Conditions ... are validated too.
- 'strict' => false,
+ 'strict' => true,
// Enable debug mode (to print errors)
'debug' => false,
@@ -34,7 +34,7 @@ $settings = array(
// attributeConsumingService. nameFormat, attributeValue and
// friendlyName can be omitted. Otherwise remove this section.
"attributeConsumingService"=> array(
- "ServiceName" => "SP test",
+ "serviceName" => "SP test",
"serviceDescription" => "Test Service",
"requestedAttributes" => array(
array(
diff --git a/3rdparty/vendor/onelogin/php-saml/src/Saml2/Auth.php b/3rdparty/vendor/onelogin/php-saml/src/Saml2/Auth.php
index 636c0342..3ba03d48 100644
--- a/3rdparty/vendor/onelogin/php-saml/src/Saml2/Auth.php
+++ b/3rdparty/vendor/onelogin/php-saml/src/Saml2/Auth.php
@@ -527,7 +527,7 @@ class Auth
*/
public function login($returnTo = null, array $parameters = array(), $forceAuthn = false, $isPassive = false, $stay = false, $setNameIdPolicy = true)
{
- $authnRequest = new AuthnRequest($this->_settings, $forceAuthn, $isPassive, $setNameIdPolicy);
+ $authnRequest = $this->buildAuthnRequest($this->_settings, $forceAuthn, $isPassive, $setNameIdPolicy);
$this->_lastRequest = $authnRequest->getXML();
$this->_lastRequestID = $authnRequest->getId();
@@ -643,6 +643,21 @@ class Auth
}
/**
+ * Creates an AuthnRequest
+ *
+ * @param Settings $settings Setting data
+ * @param bool $forceAuthn When true the AuthNRequest will set the ForceAuthn='true'
+ * @param bool $isPassive When true the AuthNRequest will set the Ispassive='true'
+ * @param bool $setNameIdPolicy When true the AuthNRequest will set a nameIdPolicy element
+ *
+ * @return AuthnRequest The AuthnRequest object
+ */
+ public function buildAuthnRequest($settings, $forceAuthn, $isPassive, $setNameIdPolicy)
+ {
+ return new AuthnRequest($settings, $forceAuthn, $isPassive, $setNameIdPolicy);
+ }
+
+ /**
* Generates the Signature for a SAML Request
*
* @param string $samlRequest The SAML Request
diff --git a/3rdparty/vendor/onelogin/php-saml/src/Saml2/LogoutRequest.php b/3rdparty/vendor/onelogin/php-saml/src/Saml2/LogoutRequest.php
index 2e9258c8..4cd7efb0 100644
--- a/3rdparty/vendor/onelogin/php-saml/src/Saml2/LogoutRequest.php
+++ b/3rdparty/vendor/onelogin/php-saml/src/Saml2/LogoutRequest.php
@@ -184,7 +184,7 @@ LOGOUTREQUEST;
*
* @return string ID
*
- * @throws OneLogin_Saml2_Error
+ * @throws Error
*/
public static function getID($request)
{
diff --git a/3rdparty/vendor/onelogin/php-saml/src/Saml2/Response.php b/3rdparty/vendor/onelogin/php-saml/src/Saml2/Response.php
index 7ad31b0f..90c3d5cc 100644
--- a/3rdparty/vendor/onelogin/php-saml/src/Saml2/Response.php
+++ b/3rdparty/vendor/onelogin/php-saml/src/Saml2/Response.php
@@ -144,7 +144,7 @@ class Response
);
}
- $status = $this->checkStatus();
+ $this->checkStatus();
$singleAssertion = $this->validateNumAssertions();
if (!$singleAssertion) {
diff --git a/3rdparty/vendor/onelogin/php-saml/src/Saml2/Utils.php b/3rdparty/vendor/onelogin/php-saml/src/Saml2/Utils.php
index f88298af..73d16959 100644
--- a/3rdparty/vendor/onelogin/php-saml/src/Saml2/Utils.php
+++ b/3rdparty/vendor/onelogin/php-saml/src/Saml2/Utils.php
@@ -82,14 +82,20 @@ class Utils
assert($dom instanceof DOMDocument);
assert(is_string($xml));
- if (strpos($xml, '<!ENTITY') !== false) {
- throw new Exception('Detected use of ENTITY in XML, disabled to prevent XXE/XEE attacks');
- }
-
$oldEntityLoader = libxml_disable_entity_loader(true);
+
$res = $dom->loadXML($xml);
+
libxml_disable_entity_loader($oldEntityLoader);
+ foreach ($dom->childNodes as $child) {
+ if ($child->nodeType === XML_DOCUMENT_TYPE_NODE) {
+ throw new Exception(
+ 'Detected use of DOCTYPE/ENTITY in XML, disabled to prevent XXE/XEE attacks'
+ );
+ }
+ }
+
if (!$res) {
return false;
} else {
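Review bot: The DOCTYPE check added in the `foreach ($dom->childNodes as $child)` loop runs only after `$dom->loadXML($xml)` has already parsed the document, so whatever work libxml does while reading a DTD and its internal entity declarations is done before the exception is thrown, whereas the removed `strpos($xml, '<!ENTITY')` test rejected such input before parsing started. How much that matters depends on libxml's own entity-expansion limits, which this hunk does not configure (no `LIBXML_*` options are passed to `loadXML`), so it is worth confirming rather than assuming. A cheap way to keep the new, more precise DOM check and still fail early is a pre-parse guard ahead of `libxml_disable_entity_loader(true)`: `if (strpos($xml, '<!DOCTYPE') !== false) { throw new Exception('Detected use of DOCTYPE/ENTITY in XML, disabled to prevent XXE/XEE attacks'); }`. The enclosing function's signature is above this hunk.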
diff --git a/3rdparty/vendor/onelogin/php-saml/src/Saml2/version.json b/3rdparty/vendor/onelogin/php-saml/src/Saml2/version.json
index ebdf4ece..a0e37fac 100644
--- a/3rdparty/vendor/onelogin/php-saml/src/Saml2/version.json
+++ b/3rdparty/vendor/onelogin/php-saml/src/Saml2/version.json
@@ -1,6 +1,7 @@
{
"php-saml": {
- "version": "3.0.0",
- "released": "02/11/2018"
+ "version": "3.1.1",
+ "released": "20/02/2019"
}
}
+