regex in ensureSafeRelayState() fails for drupal sites in subpaths

Created on 30 August 2023, 10 months ago

Updated 16 September 2023, 10 months ago

in ensureSafeRelayState() / SamlController.php
this regex

            // The SAML toolkit set a default RelayState to itself
            // (saml/log(in|out)) when starting the process, which will just cause
            // an unnecessary intermediary redirect before AccessDeniedSubscriber
            // routes us to the same place. Or, if the Drupal site has multiple
            // domains and the user still isn't logged in on the domain in the
            // RelayState, we'll have a redirect loop between us and the IdP.
            if ($safe && !preg_match('|//[^/]+/saml/log|', $relay_state)) {
                $safe_url = $relay_state;
            }

fails when drupal is running on a sub path, for example:
https://example.com/drupal-site/

the regex does not match (but should):
https://example.com/drupal-site/saml/logout

🐛 Bug report

Status

Fixed

Version

3.9

Component

Code

Created by

michael.roosz

Live updates comments and jobs are added and updated live.

Comments & Activities

Issue created by @michael.roosz
Comment 10 months ago →
System Message

roderik → committed af648d83 on 8.x-3.x
Issue #3384262 by michael.roosz, roderik: fix regex in...
Status changed to Fixed 10 months ago6:10pm 16 September 2023
Comment 10 months ago →
🇳🇱Netherlands roderik Amsterdam,NL / Budapest,HU
Urgh. Thanks for reporting. Pushed fix without testing, because it really "should work" (famous last words).

The mention of ensureSafeRelayState() made me think this mistake was introduced recently but it actually is this way since 2021; I introduced it right before releasing 8.x-3.0-rc1 (no specific issue number).
Comment 9 months ago →
System Message
Automatically closed - issue fixed for 2 weeks with no activity.

contrib.social Blog FAQ Discussions

Production build 0.69.0 2024