|
26 | 26 | declare(strict_types=1); |
27 | 27 |
|
28 | 28 | /* Load simpleSAMLphp, configuration and metadata */ |
| 29 | + |
| 30 | +use SimpleSAML\Module\casserver\Cas\ServiceValidator; |
| 31 | +use SimpleSAML\Module\casserver\Cas\TicketValidator; |
| 32 | + |
29 | 33 | $casconfig = \SimpleSAML\Configuration::getConfig('module_casserver.php'); |
30 | 34 |
|
31 | 35 | if (!$casconfig->getOptionalValue('enable_logout', false)) { |
|
36 | 40 | throw new \Exception($message); |
37 | 41 | } |
38 | 42 |
|
39 | | -$skipLogoutPage = $casconfig->getOptionalValue('skip_logout_page', false); |
40 | | - |
41 | | -if ($skipLogoutPage && !array_key_exists('url', $_GET)) { |
42 | | - $message = 'Required URL query parameter [url] not provided. (CAS Server)'; |
| 43 | +$isCasV3 = array_key_exists('service', $_GET); |
| 44 | +$url = $_GET['service'] ?? $_GET['url'] ?? null; |
| 45 | +// Skip logout is enabled for valid casv3 service logouts, or if enabled for casv2 |
| 46 | +$skipLogoutPage = $isCasV3 || $casconfig->getOptionalBoolean('skip_logout_page', false); |
43 | 47 |
|
| 48 | +if ($skipLogoutPage && !$url) { |
| 49 | + $message = 'Required URL query parameter ["service" or "url"] not provided. (CAS Server)'; |
44 | 50 | \SimpleSAML\Logger::debug('casserver:' . $message); |
45 | | - |
46 | 51 | throw new \Exception($message); |
47 | 52 | } |
48 | | -/* Load simpleSAMLphp metadata */ |
49 | 53 |
|
| 54 | +$serviceValidator = new ServiceValidator($casconfig); |
| 55 | +if (isset($url)) { |
| 56 | + $serviceCasConfig = $serviceValidator->checkServiceURL(TicketValidator::sanitize($url)); |
| 57 | + if (!isset($serviceCasConfig)) { |
| 58 | + // If invalid logout url sent, act like no url sent and show logout page |
| 59 | + \SimpleSAML\Logger::info("Invalid logout url '$url'. Ignoring"); |
| 60 | + $url = null; |
| 61 | + $skipLogoutPage = false; |
| 62 | + } |
| 63 | +} |
50 | 64 | $as = new \SimpleSAML\Auth\Simple($casconfig->getValue('authsource')); |
51 | 65 |
|
52 | 66 | $session = \SimpleSAML\Session::getSession(); |
|
64 | 78 |
|
65 | 79 | if ($as->isAuthenticated()) { |
66 | 80 | \SimpleSAML\Logger::debug('casserver: performing a real logout'); |
67 | | - |
68 | | - if ($casconfig->getOptionalValue('skip_logout_page', false)) { |
69 | | - $as->logout($_GET['url']); |
70 | | - } else { |
71 | | - $as->logout( |
72 | | - $httpUtils->addURLParameters( |
73 | | - \SimpleSAML\Module::getModuleURL('casserver/loggedOut.php'), |
74 | | - array_key_exists('url', $_GET) ? ['url' => $_GET['url']] : [], |
75 | | - ), |
76 | | - ); |
77 | | - } |
| 81 | + // Browser will be returned to this url and we will handle any $url checking |
| 82 | + $as->logout($httpUtils->getSelfURL()); |
78 | 83 | } else { |
79 | 84 | \SimpleSAML\Logger::debug('casserver: no session to log out of, performing redirect'); |
80 | 85 |
|
81 | | - if ($casconfig->getOptionalValue('skip_logout_page', false)) { |
82 | | - $httpUtils->redirectTrustedURL($httpUtils->addURLParameters($_GET['url'], [])); |
| 86 | + if ($skipLogoutPage) { |
| 87 | + $httpUtils->redirectTrustedURL($url); |
83 | 88 | } else { |
84 | | - $httpUtils->redirectTrustedURL( |
85 | | - $httpUtils->addURLParameters( |
86 | | - \SimpleSAML\Module::getModuleURL('casserver/loggedOut.php'), |
87 | | - array_key_exists('url', $_GET) ? ['url' => $_GET['url']] : [], |
88 | | - ), |
89 | | - ); |
| 89 | + session_cache_limiter('nocache'); |
| 90 | + $globalConfig = \SimpleSAML\Configuration::getInstance(); |
| 91 | + $t = new \SimpleSAML\XHTML\Template($globalConfig, 'casserver:loggedOut.twig'); |
| 92 | + if (!empty($url)) { |
| 93 | + $t->data['url'] = $_GET['url']; |
| 94 | + } |
| 95 | + $t->send(); |
90 | 96 | } |
91 | 97 | } |
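Review bot: The value that is validated and the value that is used differ in the last hunk: `checkServiceURL()` on new line 56 is given `TicketValidator::sanitize($url)`, but the redirect on new line 87 receives the raw `$url`, and the template branch on new line 93 reads `$_GET['url']` directly instead of the validated `$url`. If `sanitize()` normalises the URL before the allow-list check (its body is not visible here), the raw string handed to `redirectTrustedURL()` or rendered by the template may not be the string that passed the check. Assigning the sanitized form back before validating, `$url = TicketValidator::sanitize($url);` then `$serviceCasConfig = $serviceValidator->checkServiceURL($url);`, and using `$t->data['url'] = $url;` in the template branch keeps one validated value flowing through both paths. As a smaller point, `!empty($url)` on new line 92 treats the string `'0'` as absent, whereas `$url !== null` would match the `isset($url)` check used on new line 55 of the same file. The `if ($as->isAuthenticated())` block opens at old line 65 inside the hunk, so this observation is self-contained.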