regex in ensureSafeRelayState() fails for drupal sites in subpaths

Created on 30 August 2023, over 1 year ago
Updated 16 September 2023, over 1 year ago

in ensureSafeRelayState() / SamlController.php
this regex

            // The SAML toolkit set a default RelayState to itself
            // (saml/log(in|out)) when starting the process, which will just cause
            // an unnecessary intermediary redirect before AccessDeniedSubscriber
            // routes us to the same place. Or, if the Drupal site has multiple
            // domains and the user still isn't logged in on the domain in the
            // RelayState, we'll have a redirect loop between us and the IdP.
            if ($safe && !preg_match('|//[^/]+/saml/log|', $relay_state)) {
                $safe_url = $relay_state;
            }

fails when drupal is running on a sub path, for example:
https://example.com/drupal-site/

the regex does not match (but should):
https://example.com/drupal-site/saml/logout

🐛 Bug report
Status

Fixed

Version

3.9

Component

Code

Created by

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

Production build 0.71.5 2024