regex in ensureSafeRelayState() fails for drupal sites in subpaths

// The SAML toolkit set a default RelayState to itself // (saml/log(in|out)) when starting the process, which will just cause // an unnecessary intermediary redirect before AccessDeniedSubscriber // routes us to the same place. Or, if the Drupal site has multiple // domains and the user still isn't logged in on the domain in the // RelayState, we'll have a redirect loop between us and the IdP. if ($safe && !preg_match('|//[^/]+/saml/log|', $relay_state)) { $safe_url = $relay_state; }

Comments & Activities

Issue created by @michael.roosz
Comment about 1 year ago →
System Message

roderik → committed af648d83 on 8.x-3.x
Issue #3384262 by michael.roosz, roderik: fix regex in...
Status changed to Fixed about 1 year ago6:10pm 16 September 2023
Comment about 1 year ago →
🇳🇱Netherlands roderik Amsterdam,NL / Budapest,HU
Urgh. Thanks for reporting. Pushed fix without testing, because it really "should work" (famous last words).

The mention of ensureSafeRelayState() made me think this mistake was introduced recently but it actually is this way since 2021; I introduced it right before releasing 8.x-3.0-rc1 (no specific issue number).
Comment about 1 year ago →
System Message
Automatically closed - issue fixed for 2 weeks with no activity.