Merge pull request from GHSA-8q72-6qq8-xv64

* Add ServerName classes and required service_name constructor argument This includes a refactoring of moving Client->_getClientUrl() method to a new class. Unit tests are also added and updated for the new constructor argument. * Add service_name argument to the static helper class and examples * Update docs for 1.6.0 release * Update versions for the 1.6.0 release * Rename ServerName class to ServiceBaseUrl and add protocol in allowedlist check * Update docs for the ServiceBaseUrl class and argument change * Minor typo fixes
apereo · Oct 31, 2022 · b759361 · b759361 · jichangfeng · Nov 4, 2022
1 parent 49160be
commit b759361
Show file tree

Hide file tree

Showing 40 changed files with 789 additions and 91 deletions.
diff --git a/docs/ChangeLog b/docs/ChangeLog
@@ -1,11 +1,18 @@
+Changes in version 1.6.0
+
+Bug Fixes:
+ * Introduce required service_name constructor argument to fix
+   service hostname discovery exploitation vulnerability (Henry Pan)
+ * Set user agent [#421] (Fydon)
+
 Changes in version 1.5.0
 
 Bug Fixes:
  * Fix undefined variables [#417] (Dawid Polak)
  * Fix client when getting ticket and it's null [#415] (Quentin Belot)
  * Allow autoloader to detect trait_exists() [#394] (Jean-Luc Herren)
  * Use curl_setopt_array instead of loop in CurlRequest [#391] (François Freitag)
- 
+
 Improvement:
  * Disable printf when verbosity flag is not set to true [#396] (Michał Kleszczyński)
  * Disabling error printing based on verbosity flag [#393] (Michał Kleszczyński)
@@ -21,18 +28,18 @@ Bug Fixes:
    * Fix use of deprecated setDebug() in examples [#360] (Joachim Fritschi)
    * Fix session_set_save_handler error [#365] (Joachim Fritschi)
    * Fix wrong server_port documentation [#369] (Joachim Fritschi)
-      
+
 Improvement:
    * support samesite cookies attribute (#370) (Mickael)
    * Remove PHP5 support [#366] (Joachim Fritschi)
- 
- 
+
+
 Changes in version 1.3.9
 
 Bug Fixes:
    * Fix regression of #248: Support of longer session tickets (#349) (Alan Nelson)
    * Fix private call generating php warning and no logout handling (#352) (Julien Gribonvald)
-   
+
 Improvement:
    * Add support for logging via a PSR-3 logger [#329] (Jon Dufresne)
    * Improve attribute handling [#317] (Tobias Schiebeck)
@@ -46,7 +53,7 @@ Changes in version 1.3.8
 
 Bug Fixes:
    * Fix pear package [#297] (Phil Fenstermacher)
-   
+
 Improvement:
    * Adding support for PROXY CALLBACK using POST parameters instead of GET [#312]
 
@@ -57,8 +64,8 @@ Bug Fixes:
 
 Improvement:
    * add method to get list of supported protocols (#293) Julien Boulen
-   
-  
+
+
 Changes in version 1.3.6
 
 Security Fixes:
@@ -68,7 +75,7 @@ Bug Fixes:
    * Fix bad condition [#252] (Brice Vercoustre)
    * Hash ticket strings to generate valid-length session-ids [#224, #244, #248] (Adam Franco)
    * Fix "phpCAS" class capitalization in code [#273, #277] (phy25)
-   
+
 Improvement:
    * Remove fallback for __autoload [#247] (marinaglancy)
    * More robust check for Windows OS in File.php [#275] (xamount)
@@ -125,8 +132,8 @@ Improvement:
    * Add time to trace [#158] (cwsterling)
    * Add php5.6 tests, move to faster docker env [#169] (Florian Holzhauer)
    * Introduce a setVerbose() toggle to prevent debug info leaking in production [#152 #147] (Joachim Fritschi)
- 
- 
+
+
 Changes in version 1.3.3
 Security Fixes:
    * CVE-2014-4172 Urlencode all tickets [#125] (Marvin Addison)
@@ -140,7 +147,7 @@ Bug Fixes:
    * Fix missing Server_Admin variable for nginex [#121](arianf)
    * Fix error in TypeMismatchException [#123 ](Develle)
    * Fix bug in https test [#126] (Florent Baldino)
-   
+
 
 Improvement:
    * Fix grammar of documentation [#61] (frett)

diff --git a/docs/Upgrading b/docs/Upgrading
@@ -1,3 +1,37 @@
+################################
+### Upgrading 1.5.0 -> 1.6.0 ###
+################################
+
+phpCAS now requires an additional service base URL argument when constructing
+the client class, similar to other CAS client's serverName config. It accepts
+any argument of:
+
+1. A service base URL string. The service URL discovery will always use this
+   server name (protocol, hostname and port number) without using any external
+   host names.
+2. An array of service base URL strings. The service URL discovery will check
+   against this list before using the auto discovered base URL. If there is no
+   match, the first base URL in the array will be used as the default. This
+   option is helpful if your PHP website is accessible through multiple domains
+   without a canonical name, or through both HTTP and HTTPS.
+3. A class that implements CAS_ServiceBaseUrl_Interface. If you need to
+   customize the base URL discovery behavior, you can pass in a class that
+   implements the interface.
+
+For option 1 and 2, protocol, hostname and port should all appear without a
+trailing slash, e.g. http://example.org:8080. You can omit the default port for
+the protocol, which means use https://example.org instead of
+https://example.org:443 (if you use HTTPS).
+
+For security reasons, we no longer allow service base URL discovery without an
+allowed list check by default. For more information, refer to the security
+advisory.
+
+This version also changed the CURL User Agent string that phpCAS uses when
+sending validation requests to the CAS server. It will appear as phpCAS/1.6.0
+with the version number reflecting the library version.
+
+
 ################################
 ### Upgrading 1.3.3 -> 1.3.4 ###
 ################################

diff --git a/docs/examples/config.example.php b/docs/examples/config.example.php
@@ -43,6 +43,9 @@
 // Assumes the cas server is load balanced across multiple hosts
 $cas_real_hosts = array('cas-real-1.example.com', 'cas-real-2.example.com');
 
+// Client config for the required domain name, should be protocol, hostname and port
+$client_service_name = 'http://127.0.0.1';
+
 // Client config for cookie hardening
 $client_domain = '127.0.0.1';
 $client_path = 'phpcas';

diff --git a/docs/examples/create_pgt_storage_db_table.php b/docs/examples/create_pgt_storage_db_table.php
@@ -28,7 +28,7 @@
 
 // Dummy client because we need a 'client' object
 $client = new CAS_Client(
-    CAS_VERSION_2_0, true, $cas_host, $cas_port, $cas_context, false
+    CAS_VERSION_2_0, true, $cas_host, $cas_port, $cas_context, $client_service_name, false
 );
 
 // Set the torage object

diff --git a/docs/examples/example_advanced_saml11.php b/docs/examples/example_advanced_saml11.php
@@ -25,7 +25,7 @@
 phpCAS::setVerbose(true);
 
 // Initialize phpCAS
-phpCAS::client(SAML_VERSION_1_1, $cas_host, $cas_port, $cas_context);
+phpCAS::client(SAML_VERSION_1_1, $cas_host, $cas_port, $cas_context, $client_service_name);
 
 // For production use set the CA certificate that is the issuer of the cert
 // on the CAS server and uncomment the line below

diff --git a/docs/examples/example_custom_urls.php b/docs/examples/example_custom_urls.php
@@ -25,7 +25,7 @@
 phpCAS::setVerbose(true);
 
 // Initialize phpCAS
-phpCAS::client(CAS_VERSION_2_0, $cas_host, $cas_port, $cas_context);
+phpCAS::client(CAS_VERSION_2_0, $cas_host, $cas_port, $cas_context, $client_service_name);
 
 // For production use set the CA certificate that is the issuer of the cert
 // on the CAS server and uncomment the line below

diff --git a/docs/examples/example_gateway.php b/docs/examples/example_gateway.php
@@ -25,7 +25,7 @@
 phpCAS::setVerbose(true);
 
 // Initialize phpCAS
-phpCAS::client(CAS_VERSION_2_0, $cas_host, $cas_port, $cas_context);
+phpCAS::client(CAS_VERSION_2_0, $cas_host, $cas_port, $cas_context, $client_service_name);
 
 // For production use set the CA certificate that is the issuer of the cert
 // on the CAS server and uncomment the line below

diff --git a/docs/examples/example_hardening.php b/docs/examples/example_hardening.php
@@ -28,7 +28,7 @@
 session_set_cookie_params($client_lifetime, $client_path, $client_domain, $client_secure, $client_httpOnly);
 
 // Initialize phpCAS
-phpCAS::client(SAML_VERSION_1_1, $cas_host, $cas_port, $cas_context);
+phpCAS::client(SAML_VERSION_1_1, $cas_host, $cas_port, $cas_context, $client_service_name);
 
 // For production use set the CA certificate that is the issuer of the cert
 // on the CAS server and uncomment the line below

diff --git a/docs/examples/example_html.php b/docs/examples/example_html.php
@@ -25,7 +25,7 @@
 phpCAS::setVerbose(true);
 
 // Initialize phpCAS
-phpCAS::client(CAS_VERSION_2_0, $cas_host, $cas_port, $cas_context);
+phpCAS::client(CAS_VERSION_2_0, $cas_host, $cas_port, $cas_context, $client_service_name);
 
 // For production use set the CA certificate that is the issuer of the cert
 // on the CAS server and uncomment the line below

diff --git a/docs/examples/example_lang.php b/docs/examples/example_lang.php
@@ -25,7 +25,7 @@
 phpCAS::setVerbose(true);
 
 // Initialize phpCAS
-phpCAS::client(CAS_VERSION_2_0, $cas_host, $cas_port, $cas_context);
+phpCAS::client(CAS_VERSION_2_0, $cas_host, $cas_port, $cas_context, $client_service_name);
 
 // For production use set the CA certificate that is the issuer of the cert
 // on the CAS server and uncomment the line below

diff --git a/docs/examples/example_logout.php b/docs/examples/example_logout.php
@@ -25,7 +25,7 @@
 phpCAS::setVerbose(true);
 
 // Initialize phpCAS
-phpCAS::client(CAS_VERSION_2_0, $cas_host, $cas_port, $cas_context);
+phpCAS::client(CAS_VERSION_2_0, $cas_host, $cas_port, $cas_context, $client_service_name);
 
 // For production use set the CA certificate that is the issuer of the cert
 // on the CAS server and uncomment the line below

diff --git a/docs/examples/example_no_ssl_cn_validation.php b/docs/examples/example_no_ssl_cn_validation.php
@@ -25,7 +25,7 @@
 phpCAS::setVerbose(true);
 
 // Initialize phpCAS
-phpCAS::client(CAS_VERSION_2_0, $cas_host, $cas_port, $cas_context);
+phpCAS::client(CAS_VERSION_2_0, $cas_host, $cas_port, $cas_context, $client_service_name);
 
 // For production use set the CA certificate that is the issuer of the cert
 // on the CAS server and uncomment the line below

diff --git a/docs/examples/example_pgt_storage_db.php b/docs/examples/example_pgt_storage_db.php
@@ -25,7 +25,7 @@
 phpCAS::setVerbose(true);
 
 // Initialize phpCAS
-phpCAS::proxy(CAS_VERSION_2_0, $cas_host, $cas_port, $cas_context);
+phpCAS::proxy(CAS_VERSION_2_0, $cas_host, $cas_port, $cas_context, $client_service_name);
 
 // For production use set the CA certificate that is the issuer of the cert
 // on the CAS server and uncomment the line below

diff --git a/docs/examples/example_pgt_storage_file.php b/docs/examples/example_pgt_storage_file.php
@@ -25,7 +25,7 @@
 phpCAS::setVerbose(true);
 
 // Initialize phpCAS
-phpCAS::proxy(CAS_VERSION_2_0, $cas_host, $cas_port, $cas_context);
+phpCAS::proxy(CAS_VERSION_2_0, $cas_host, $cas_port, $cas_context, $client_service_name);
 
 // For production use set the CA certificate that is the issuer of the cert
 // on the CAS server and uncomment the line below

diff --git a/docs/examples/example_proxy_GET.php b/docs/examples/example_proxy_GET.php
@@ -25,7 +25,7 @@
 phpCAS::setVerbose(true);
 
 // Initialize phpCAS
-phpCAS::proxy(CAS_VERSION_2_0, $cas_host, $cas_port, $cas_context);
+phpCAS::proxy(CAS_VERSION_2_0, $cas_host, $cas_port, $cas_context, $client_service_name);
 
 // For production use set the CA certificate that is the issuer of the cert
 // on the CAS server and uncomment the line below

diff --git a/docs/examples/example_proxy_POST.php b/docs/examples/example_proxy_POST.php
@@ -25,7 +25,7 @@
 phpCAS::setVerbose(true);
 
 // Initialize phpCAS
-phpCAS::proxy(CAS_VERSION_2_0, $cas_host, $cas_port, $cas_context);
+phpCAS::proxy(CAS_VERSION_2_0, $cas_host, $cas_port, $cas_context, $client_service_name);
 
 // For production use set the CA certificate that is the issuer of the cert
 // on the CAS server and uncomment the line below

diff --git a/docs/examples/example_proxy_rebroadcast.php b/docs/examples/example_proxy_rebroadcast.php
@@ -26,7 +26,7 @@
 phpCAS::setVerbose(true);
 
 // Initialize phpCAS
-phpCAS::proxy(CAS_VERSION_2_0, $cas_host, $cas_port, $cas_context);
+phpCAS::proxy(CAS_VERSION_2_0, $cas_host, $cas_port, $cas_context, $client_service_name);
 
 // For production use set the CA certificate that is the issuer of the cert
 // on the CAS server and uncomment the line below

diff --git a/docs/examples/example_proxy_serviceWeb.php b/docs/examples/example_proxy_serviceWeb.php
@@ -25,7 +25,7 @@
 phpCAS::setVerbose(true);
 
 // Initialize phpCAS
-phpCAS::proxy(CAS_VERSION_2_0, $cas_host, $cas_port, $cas_context);
+phpCAS::proxy(CAS_VERSION_2_0, $cas_host, $cas_port, $cas_context, $client_service_name);
 
 // For production use set the CA certificate that is the issuer of the cert
 // on the CAS server and uncomment the line below

diff --git a/docs/examples/example_proxy_serviceWeb_chaining.php b/docs/examples/example_proxy_serviceWeb_chaining.php
@@ -25,7 +25,7 @@
 phpCAS::setVerbose(true);
 
 // Initialize phpCAS
-phpCAS::proxy(CAS_VERSION_2_0, $cas_host, $cas_port, $cas_context);
+phpCAS::proxy(CAS_VERSION_2_0, $cas_host, $cas_port, $cas_context, $client_service_name);
 
 // For production use set the CA certificate that is the issuer of the cert
 // on the CAS server and uncomment the line below

diff --git a/docs/examples/example_renew.php b/docs/examples/example_renew.php
@@ -25,7 +25,7 @@
 phpCAS::setVerbose(true);
 
 // Initialize phpCAS
-phpCAS::client(CAS_VERSION_2_0, $cas_host, $cas_port, $cas_context);
+phpCAS::client(CAS_VERSION_2_0, $cas_host, $cas_port, $cas_context, $client_service_name);
 
 // For production use set the CA certificate that is the issuer of the cert
 // on the CAS server and uncomment the line below

diff --git a/docs/examples/example_service.php b/docs/examples/example_service.php
@@ -25,7 +25,7 @@
 phpCAS::setVerbose(true);
 
 // Initialize phpCAS
-phpCAS::client(CAS_VERSION_2_0, $cas_host, $cas_port, $cas_context);
+phpCAS::client(CAS_VERSION_2_0, $cas_host, $cas_port, $cas_context, $client_service_name);
 
 // For production use set the CA certificate that is the issuer of the cert
 // on the CAS server and uncomment the line below

diff --git a/docs/examples/example_service_POST.php b/docs/examples/example_service_POST.php
@@ -25,7 +25,7 @@
 phpCAS::setVerbose(true);
 
 // Initialize phpCAS
-phpCAS::client(CAS_VERSION_2_0, $cas_host, $cas_port, $cas_context);
+phpCAS::client(CAS_VERSION_2_0, $cas_host, $cas_port, $cas_context, $client_service_name);
 
 // For production use set the CA certificate that is the issuer of the cert
 // on the CAS server and uncomment the line below

diff --git a/docs/examples/example_service_that_proxies.php b/docs/examples/example_service_that_proxies.php
@@ -25,7 +25,7 @@
 phpCAS::setVerbose(true);
 
 // Initialize phpCAS
-phpCAS::proxy(CAS_VERSION_2_0, $cas_host, $cas_port, $cas_context);
+phpCAS::proxy(CAS_VERSION_2_0, $cas_host, $cas_port, $cas_context, $client_service_name);
 
 // For production use set the CA certificate that is the issuer of the cert
 // on the CAS server and uncomment the line below

diff --git a/docs/examples/example_simple.php b/docs/examples/example_simple.php
@@ -25,7 +25,7 @@
 phpCAS::setVerbose(true);
 
 // Initialize phpCAS
-phpCAS::client(CAS_VERSION_2_0, $cas_host, $cas_port, $cas_context);
+phpCAS::client(CAS_VERSION_2_0, $cas_host, $cas_port, $cas_context, $client_service_name);
 
 // For production use set the CA certificate that is the issuer of the cert
 // on the CAS server and uncomment the line below

diff --git a/source/CAS.php b/source/CAS.php
@@ -327,6 +327,14 @@ class phpCAS
      * @param string                   $server_hostname the hostname of the CAS server
      * @param int                      $server_port     the port the CAS server is running on
      * @param string                   $server_uri      the URI the CAS server is responding on
+     * @param string|string[]|CAS_ServiceBaseUrl_Interface
+     *                                 $service_base_url the base URL (protocol, host and the
+     *                                                  optional port) of the CAS client; pass
+     *                                                  in an array to use auto discovery with
+     *                                                  an allowlist; pass in
+     *                                                  CAS_ServiceBaseUrl_Interface for custom
+     *                                                  behavior. Added in 1.6.0. Similar to
+     *                                                  serverName config in other CAS clients.
      * @param bool                     $changeSessionID Allow phpCAS to change the session_id
      *                                                  (Single Sign Out/handleLogoutRequests
      *                                                  is based on that change)
@@ -338,7 +346,8 @@ class phpCAS
      * and phpCAS::setDebug()).
      */
     public static function client($server_version, $server_hostname,
-        $server_port, $server_uri, $changeSessionID = true, \SessionHandlerInterface $sessionHandler = null
+        $server_port, $server_uri, $service_base_url,
+        $changeSessionID = true, \SessionHandlerInterface $sessionHandler = null
     ) {
         phpCAS :: traceBegin();
         if (is_object(self::$_PHPCAS_CLIENT)) {
@@ -357,7 +366,7 @@ public static function client($server_version, $server_hostname,
         // initialize the object $_PHPCAS_CLIENT
         try {
             self::$_PHPCAS_CLIENT = new CAS_Client(
-                $server_version, false, $server_hostname, $server_port, $server_uri,
+                $server_version, false, $server_hostname, $server_port, $server_uri, $service_base_url,
                 $changeSessionID, $sessionHandler
             );
         } catch (Exception $e) {
@@ -373,6 +382,14 @@ public static function client($server_version, $server_hostname,
      * @param string                   $server_hostname the hostname of the CAS server
      * @param string                   $server_port     the port the CAS server is running on
      * @param string                   $server_uri      the URI the CAS server is responding on
+     * @param string|string[]|CAS_ServiceBaseUrl_Interface
+     *                                 $service_base_url the base URL (protocol, host and the
+     *                                                  optional port) of the CAS client; pass
+     *                                                  in an array to use auto discovery with
+     *                                                  an allowlist; pass in
+     *                                                  CAS_ServiceBaseUrl_Interface for custom
+     *                                                  behavior. Added in 1.6.0. Similar to
+     *                                                  serverName config in other CAS clients.
      * @param bool                     $changeSessionID Allow phpCAS to change the session_id
      *                                                  (Single Sign Out/handleLogoutRequests
      *                                                  is based on that change)
@@ -384,7 +401,8 @@ public static function client($server_version, $server_hostname,
      * and phpCAS::setDebug()).
      */
     public static function proxy($server_version, $server_hostname,
-        $server_port, $server_uri, $changeSessionID = true, \SessionHandlerInterface $sessionHandler = null
+        $server_port, $server_uri, $service_base_url,
+        $changeSessionID = true, \SessionHandlerInterface $sessionHandler = null
     ) {
         phpCAS :: traceBegin();
         if (is_object(self::$_PHPCAS_CLIENT)) {
@@ -403,7 +421,7 @@ public static function proxy($server_version, $server_hostname,
         // initialize the object $_PHPCAS_CLIENT
         try {
             self::$_PHPCAS_CLIENT = new CAS_Client(
-                $server_version, true, $server_hostname, $server_port, $server_uri,
+                $server_version, true, $server_hostname, $server_port, $server_uri, $service_base_url,
                 $changeSessionID, $sessionHandler
             );
         } catch (Exception $e) {