Bump php-saml to 3.1.1

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2024-05-04 01:53:42 +02:00 · 2019-05-27 09:31:39 +02:00 · 2019-05-27 09:31:39 +02:00 · d5f816634b
parent 751a83ca78
commit d5f816634b
10 changed files with 48 additions and 21 deletions
--- a/3rdparty/vendor/composer/installed.json
+++ b/3rdparty/vendor/composer/installed.json
@ -46,22 +46,22 @@
    },
    {
        "name": "onelogin/php-saml",
-        "version": "v3.0.0",
-        "version_normalized": "3.0.0.0",
+        "version": "3.1.1",
+        "version_normalized": "3.1.1.0",
        "source": {
            "type": "git",
            "url": "https://github.com/onelogin/php-saml.git",
-            "reference": "920c2240e48c9a74aad4129720f48fbf3d5fee47"
+            "reference": "c9026b26395a65184550055d9a01bdf9dbd30861"
        },
        "dist": {
            "type": "zip",
-            "url": "https://api.github.com/repos/onelogin/php-saml/zipball/920c2240e48c9a74aad4129720f48fbf3d5fee47",
-            "reference": "920c2240e48c9a74aad4129720f48fbf3d5fee47",
+            "url": "https://api.github.com/repos/onelogin/php-saml/zipball/c9026b26395a65184550055d9a01bdf9dbd30861",
+            "reference": "c9026b26395a65184550055d9a01bdf9dbd30861",
            "shasum": ""
        },
        "require": {
            "php": ">=5.4",
-            "robrichards/xmlseclibs": "^3.0"
+            "robrichards/xmlseclibs": ">=3.0.3"
        },
        "require-dev": {
            "pdepend/pdepend": "^2.5.0",
@ -76,7 +76,7 @@
            "ext-gettext": "Install gettext and php5-gettext libs to handle translations",
            "ext-openssl": "Install openssl lib in order to handle with x509 certs (require to support sign and encryption)"
        },
-        "time": "2018-10-02T16:02:37+00:00",
+        "time": "2019-03-11T09:41:32+00:00",
        "type": "library",
        "installation-source": "dist",
        "autoload": {
--- a/3rdparty/vendor/onelogin/php-saml/CHANGELOG
+++ b/3rdparty/vendor/onelogin/php-saml/CHANGELOG
@ -1,7 +1,10 @@
 CHANGELOG
 =========
+v.3.1.0
+* Security improvement suggested by Nils Engelbertz to prevent DDOS by expansion of internally defined entities (XEE)
+* Fix setting_example.php servicename parameter 

-v.3.0.0 (pending)
+v.3.0.0
 * Remove mcrypt dependency. Compatible with PHP 7.2
 * xmlseclibs now is not part of the toolkit and need to be installed from original source

--- a/3rdparty/vendor/onelogin/php-saml/README.md
+++ b/3rdparty/vendor/onelogin/php-saml/README.md
@ -10,6 +10,8 @@ and supported by OneLogin Inc.
 Warning
 -------

+Update php-saml to 3.1.0, this version includes a security patch related to XEE attacks.
+
 This version is compatible with PHP 7.X and does not include xmlseclibs (you will need to install it via composer, dependency described in composer.json)

 Security Guidelines
@ -247,7 +249,7 @@ $settings = array(
    // or unencrypted messages if it expects them to be signed or encrypted.
    // Also it will reject the messages if the SAML standard is not strictly
    // followed: Destination, NameId, Conditions ... are validated too.
-    'strict' => false,
+    'strict' => true,

    // Enable debug mode (to print errors).
    'debug' => false,
--- a/3rdparty/vendor/onelogin/php-saml/composer.json
+++ b/3rdparty/vendor/onelogin/php-saml/composer.json
@ -16,7 +16,7 @@
    },
    "require": {
        "php": ">=5.4",
-        "robrichards/xmlseclibs": "^3.0"
+        "robrichards/xmlseclibs": ">=3.0.3"
    },
    "require-dev": {
        "phpunit/phpunit": "^4.8.35 || ^5.7 || ^6.5 || ^7.1",
--- a/3rdparty/vendor/onelogin/php-saml/settings_example.php
+++ b/3rdparty/vendor/onelogin/php-saml/settings_example.php
@ -5,7 +5,7 @@ $settings = array(
    // or unencrypted messages if it expects them signed or encrypted
    // Also will reject the messages if not strictly follow the SAML
    // standard: Destination, NameId, Conditions ... are validated too.
-    'strict' => false,
+    'strict' => true,

    // Enable debug mode (to print errors)
    'debug' => false,
@ -34,7 +34,7 @@ $settings = array(
        // attributeConsumingService. nameFormat, attributeValue and
        // friendlyName can be omitted. Otherwise remove this section.
        "attributeConsumingService"=> array(
-                "ServiceName" => "SP test",
+                "serviceName" => "SP test",
                "serviceDescription" => "Test Service",
                "requestedAttributes" => array(
                    array(
--- a/3rdparty/vendor/onelogin/php-saml/src/Saml2/Auth.php
+++ b/3rdparty/vendor/onelogin/php-saml/src/Saml2/Auth.php
@ -527,7 +527,7 @@ class Auth
     */
    public function login($returnTo = null, array $parameters = array(), $forceAuthn = false, $isPassive = false, $stay = false, $setNameIdPolicy = true)
    {
-        $authnRequest = new AuthnRequest($this->_settings, $forceAuthn, $isPassive, $setNameIdPolicy);
+        $authnRequest = $this->buildAuthnRequest($this->_settings, $forceAuthn, $isPassive, $setNameIdPolicy);

        $this->_lastRequest = $authnRequest->getXML();
        $this->_lastRequestID = $authnRequest->getId();
@ -642,6 +642,21 @@ class Auth
        return $this->_lastRequestID;
    }

+    /**
+     * Creates an AuthnRequest
+     *
+     * @param Settings $settings        Setting data
+     * @param bool     $forceAuthn      When true the AuthNRequest will set the ForceAuthn='true'
+     * @param bool     $isPassive       When true the AuthNRequest will set the Ispassive='true'
+     * @param bool     $setNameIdPolicy When true the AuthNRequest will set a nameIdPolicy element
+     *
+     * @return AuthnRequest The AuthnRequest object
+     */
+    public function buildAuthnRequest($settings, $forceAuthn, $isPassive, $setNameIdPolicy)
+    {
+        return new AuthnRequest($settings, $forceAuthn, $isPassive, $setNameIdPolicy);
+    }
+
    /**
     * Generates the Signature for a SAML Request
     *
--- a/3rdparty/vendor/onelogin/php-saml/src/Saml2/LogoutRequest.php
+++ b/3rdparty/vendor/onelogin/php-saml/src/Saml2/LogoutRequest.php
@ -184,7 +184,7 @@ LOGOUTREQUEST;
     *
     * @return string ID
     *
-     * @throws OneLogin_Saml2_Error
+     * @throws Error
     */
    public static function getID($request)
    {
--- a/3rdparty/vendor/onelogin/php-saml/src/Saml2/Response.php
+++ b/3rdparty/vendor/onelogin/php-saml/src/Saml2/Response.php
@ -144,7 +144,7 @@ class Response
                );
            }

-            $status = $this->checkStatus();
+            $this->checkStatus();

            $singleAssertion = $this->validateNumAssertions();
            if (!$singleAssertion) {
--- a/3rdparty/vendor/onelogin/php-saml/src/Saml2/Utils.php
+++ b/3rdparty/vendor/onelogin/php-saml/src/Saml2/Utils.php
@ -82,14 +82,20 @@ class Utils
        assert($dom instanceof DOMDocument);
        assert(is_string($xml));

-        if (strpos($xml, '<!ENTITY') !== false) {
-            throw new Exception('Detected use of ENTITY in XML, disabled to prevent XXE/XEE attacks');
-        }
-
        $oldEntityLoader = libxml_disable_entity_loader(true);
+
        $res = $dom->loadXML($xml);
+
        libxml_disable_entity_loader($oldEntityLoader);

+        foreach ($dom->childNodes as $child) {
+            if ($child->nodeType === XML_DOCUMENT_TYPE_NODE) {
+                throw new Exception(
+                    'Detected use of DOCTYPE/ENTITY in XML, disabled to prevent XXE/XEE attacks'
+                );
+            }
+        }
+
        if (!$res) {
            return false;
        } else {
--- a/3rdparty/vendor/onelogin/php-saml/src/Saml2/version.json
+++ b/3rdparty/vendor/onelogin/php-saml/src/Saml2/version.json
@ -1,6 +1,7 @@
 {
    "php-saml": {
-        "version": "3.0.0",
-        "released": "02/11/2018"
+        "version": "3.1.1",
+        "released": "20/02/2019"
    }
 }
+