From b4daf21db8dba7dd6c3591286794ce5c9ccc7dc1 Mon Sep 17 00:00:00 2001 From: Tim van Dijen Date: Sat, 27 May 2023 12:39:15 +0200 Subject: [PATCH] Assert that signed messages on the Redirect- and POST-bindings have a destination set --- src/SAML2/HTTPPost.php | 11 +++++++++++ src/SAML2/HTTPRedirect.php | 9 +++++++++ 2 files changed, 20 insertions(+) diff --git a/src/SAML2/HTTPPost.php b/src/SAML2/HTTPPost.php index f775aa8e8..b12cc4e22 100644 --- a/src/SAML2/HTTPPost.php +++ b/src/SAML2/HTTPPost.php @@ -87,6 +87,17 @@ public function receive(): Message $msg = Message::fromXML($document->firstChild); + /** + * 3.5.5.2 - SAML Bindings + * + * If the message is signed, the Destination XML attribute in the root SAML element of the protocol + * message MUST contain the URL to which the sender has instructed the user agent to deliver the + * message. + */ + if ($msg->isMessageConstructedWithSignature()) { + Assert::notNull($msg->getDestination()); // Validation of the value must be done upstream + } + if (array_key_exists('RelayState', $_POST)) { $msg->setRelayState($_POST['RelayState']); } diff --git a/src/SAML2/HTTPRedirect.php b/src/SAML2/HTTPRedirect.php index adff7293f..8a387bc42 100644 --- a/src/SAML2/HTTPRedirect.php +++ b/src/SAML2/HTTPRedirect.php @@ -141,6 +141,15 @@ public function receive(): Message return $message; } + /** + * 3.4.5.2 - SAML Bindings + * + * If the message is signed, the Destination XML attribute in the root SAML element of the protocol + * message MUST contain the URL to which the sender has instructed the user agent to deliver the + * message. + */ + Assert::notNull($message->getDestination()); // Validation of the value must be done upstream + if (!array_key_exists('SigAlg', $data)) { throw new \Exception('Missing signature algorithm.'); }