(As suggested, I'm moving the discussion to debian-lts@lists.debian.org, CC'ing the security team) > On 19/06/2023 18:17, Tobias Frost wrote: > > Hey, > > > > As I am currently preparing a fix for php-cas to tackle CVE-2022-39369 [1], and > > as the changes required are breaking changes, I'd like to discuss whether the > > vulnerability justifies a breaking change, or if the issue should be ignored instead. > > (Maybe feedback from interested customers can be collected, so that they can assess > > the impact on their side already.) > > > > I've packaged my backport of the patch and uploaded it to [3] as an (untested) preview. > > > > The breaking change: users of php-cas needs to perform additional steps when > > using the php module, as described in docs/updating of the upstream pull > > request fixing the issue: [2] > > > > phpCAS now requires an additional service base URL argument when > > constructing the client class, similar to other CAS client's serverName config. > > > > Upstream asses the situation as [4] > > > > This vulnerability may allow an attacker to gain access to a victim's account > > on a vulnerable CASified service without victim's knowledge, when the victim > > visits attacker's website while being logged in to the same CAS server. > > The patch applied to the package is this commit: https://salsa.debian.org/lts-team/packages/php-cas/-/commit/2c2b5f73da55f5c6d9f69e1ac11b3a1ee565d435 (also debdiff attached.) -- Cheers, tobi
diff -Nru php-cas-1.3.6/debian/changelog php-cas-1.3.6/debian/changelog --- php-cas-1.3.6/debian/changelog 2019-02-10 09:29:07.000000000 +0100 +++ php-cas-1.3.6/debian/changelog 2023-06-19 17:12:56.000000000 +0200 @@ -1,3 +1,10 @@ +php-cas (1.3.6-1+deb10u1) buster-security-UNRELEASED; urgency=medium + + * Non-maintainer upload by the LTS Security Team. + * Backport patch for CVE-2022-39369. + + -- Tobias Frost <tobi@debian.org> Mon, 19 Jun 2023 17:12:56 +0200 + php-cas (1.3.6-1) unstable; urgency=medium * Update debian/watch diff -Nru php-cas-1.3.6/debian/patches/CVE-2022-39369.patch php-cas-1.3.6/debian/patches/CVE-2022-39369.patch --- php-cas-1.3.6/debian/patches/CVE-2022-39369.patch 1970-01-01 01:00:00.000000000 +0100 +++ php-cas-1.3.6/debian/patches/CVE-2022-39369.patch 2023-06-19 17:12:56.000000000 +0200 @@ -0,0 +1,954 @@ +From b759361d904a2cb2a3bcee9411fc348cfde5d163 Mon Sep 17 00:00:00 2001 +From: Phy <git@phy25.com> +Date: Mon, 31 Oct 2022 16:34:25 -0400 +Subject: [PATCH] Merge pull request from GHSA-8q72-6qq8-xv64 + +* Add ServerName classes and required service_name constructor argument + +This includes a refactoring of moving Client->_getClientUrl() method to a new class. + +Unit tests are also added and updated for the new constructor argument. + +* Add service_name argument to the static helper class and examples + +* Update docs for 1.6.0 release + +* Update versions for the 1.6.0 release + +* Rename ServerName class to ServiceBaseUrl and add protocol in allowedlist check + +* Update docs for the ServiceBaseUrl class and argument change + +* Minor typo fixes +--- + docs/ChangeLog | 31 ++- + docs/Upgrading | 34 +++ + docs/examples/config.example.php | 3 + + docs/examples/create_pgt_storage_db_table.php | 2 +- + docs/examples/example_advanced_saml11.php | 2 +- + docs/examples/example_custom_urls.php | 2 +- + docs/examples/example_gateway.php | 2 +- + docs/examples/example_hardening.php | 2 +- + docs/examples/example_html.php | 2 +- + docs/examples/example_lang.php | 2 +- + docs/examples/example_logout.php | 2 +- + .../examples/example_no_ssl_cn_validation.php | 2 +- + docs/examples/example_pgt_storage_db.php | 2 +- + docs/examples/example_pgt_storage_file.php | 2 +- + docs/examples/example_proxy_GET.php | 2 +- + docs/examples/example_proxy_POST.php | 2 +- + docs/examples/example_proxy_rebroadcast.php | 2 +- + docs/examples/example_proxy_serviceWeb.php | 2 +- + .../example_proxy_serviceWeb_chaining.php | 2 +- + docs/examples/example_renew.php | 2 +- + docs/examples/example_service.php | 2 +- + docs/examples/example_service_POST.php | 2 +- + .../examples/example_service_that_proxies.php | 2 +- + docs/examples/example_simple.php | 2 +- + source/CAS.php | 26 +- + source/CAS/Client.php | 109 ++++---- + .../ServiceBaseUrl/AllowedListDiscovery.php | 152 +++++++++++ + source/CAS/ServiceBaseUrl/Base.php | 98 +++++++ + source/CAS/ServiceBaseUrl/Interface.php | 61 +++++ + source/CAS/ServiceBaseUrl/Static.php | 69 +++++ + test/CAS/Tests/AuthenticationTest.php | 1 + + test/CAS/Tests/CallbackTest.php | 1 + + test/CAS/Tests/Cas20AttributesTest.php | 1 + + test/CAS/Tests/LogTest.php | 2 + + test/CAS/Tests/ProxyTicketValidationTest.php | 1 + + test/CAS/Tests/ServiceBaseUrlTest.php | 244 ++++++++++++++++++ + test/CAS/Tests/ServiceMailTest.php | 1 + + .../CAS/Tests/ServiceTicketValidationTest.php | 1 + + test/CAS/Tests/ServiceWebTest.php | 1 + + utils/version.properties | 2 +- + 40 files changed, 789 insertions(+), 91 deletions(-) + create mode 100644 source/CAS/ServiceBaseUrl/AllowedListDiscovery.php + create mode 100644 source/CAS/ServiceBaseUrl/Base.php + create mode 100644 source/CAS/ServiceBaseUrl/Interface.php + create mode 100644 source/CAS/ServiceBaseUrl/Static.php + create mode 100644 test/CAS/Tests/ServiceBaseUrlTest.php + +--- a/source/CAS/Client.php ++++ b/source/CAS/Client.php +@@ -896,6 +896,14 @@ + * @param bool $changeSessionID Allow phpCAS to change the session_id + * (Single Sign Out/handleLogoutRequests + * is based on that change) ++ * @param string|string[]|CAS_ServiceBaseUrl_Interface ++ * $service_base_url the base URL (protocol, host and the ++ * optional port) of the CAS client; pass ++ * in an array to use auto discovery with ++ * an allowlist; pass in ++ * CAS_ServiceBaseUrl_Interface for custom ++ * behavior. Added in 1.6.0. Similar to ++ * serverName config in other CAS clients. + * + * @return a newly created CAS_Client object + */ +@@ -905,6 +913,7 @@ + $server_hostname, + $server_port, + $server_uri, ++ $service_base_url, + $changeSessionID = true + ) { + // Argument validation +@@ -921,6 +930,8 @@ + if (gettype($changeSessionID) != 'boolean') + throw new CAS_TypeMismatchException($changeSessionID, '$changeSessionID', 'boolean'); + ++ $this->_setServiceBaseUrl($service_base_url); ++ + phpCAS::traceBegin(); + // true : allow to change the session_id(), false session_id won't be + // change and logout won't be handle because of that +@@ -1007,7 +1018,7 @@ + + if ( $this->_isCallbackMode() ) { + //callback mode: check that phpCAS is secured +- if ( !$this->_isHttps() ) { ++ if ( !$this->getServiceBaseUrl()->isHttps() ) { + phpCAS::error( + 'CAS proxies must be secured to use phpCAS; PGT\'s will not be received from the CAS server' + ); +@@ -2363,8 +2374,7 @@ + if ( empty($this->_callback_url) ) { + $final_uri = ''; + // remove the ticket if present in the URL +- $final_uri = 'https://'; +- $final_uri .= $this->_getClientUrl(); ++ $final_uri = $this->getServiceBaseUrl()->get(); + $request_uri = $_SERVER['REQUEST_URI']; + $request_uri = preg_replace('/\?.*$/', '', $request_uri); + $final_uri .= $request_uri; +@@ -3528,10 +3538,7 @@ + if ( empty($this->_url) ) { + $final_uri = ''; + // remove the ticket if present in the URL +- $final_uri = ($this->_isHttps()) ? 'https' : 'http'; +- $final_uri .= '://'; +- +- $final_uri .= $this->_getClientUrl(); ++ $final_uri = $this->getServiceBaseUrl()->get(); + $request_uri = explode('?', $_SERVER['REQUEST_URI'], 2); + $final_uri .= $request_uri[0]; + +@@ -3568,66 +3575,62 @@ + return $this->_server['base_url'] = $url; + } + +- + /** +- * Try to figure out the phpCas client URL with possible Proxys / Ports etc. ++ * The ServiceBaseUrl object that provides base URL during service URL ++ * discovery process. ++ * ++ * @var CAS_ServiceBaseUrl_Interface ++ * ++ * @hideinitializer ++ */ ++ private $_serviceBaseUrl = null; ++ ++ ++ /** ++ * Answer the CAS_ServiceBaseUrl_Interface object for this client. + * +- * @return string Server URL with domain:port ++ * @return CAS_ServiceBaseUrl_Interface + */ +- private function _getClientUrl() ++ public function getServiceBaseUrl() + { +- $server_url = ''; +- if (!empty($_SERVER['HTTP_X_FORWARDED_HOST'])) { +- // explode the host list separated by comma and use the first host +- $hosts = explode(',', $_SERVER['HTTP_X_FORWARDED_HOST']); +- // see rfc7239#5.3 and rfc7230#2.7.1: port is in HTTP_X_FORWARDED_HOST if non default +- return $hosts[0]; +- } else if (!empty($_SERVER['HTTP_X_FORWARDED_SERVER'])) { +- $server_url = $_SERVER['HTTP_X_FORWARDED_SERVER']; +- } else { +- if (empty($_SERVER['SERVER_NAME'])) { +- $server_url = $_SERVER['HTTP_HOST']; +- } else { +- $server_url = $_SERVER['SERVER_NAME']; +- } ++ if (empty($this->_serviceBaseUrl)) { ++ phpCAS::error("ServiceBaseUrl object is not initialized"); + } +- if (!strpos($server_url, ':')) { +- if (empty($_SERVER['HTTP_X_FORWARDED_PORT'])) { +- $server_port = $_SERVER['SERVER_PORT']; +- } else { +- $ports = explode(',', $_SERVER['HTTP_X_FORWARDED_PORT']); +- $server_port = $ports[0]; +- } +- +- if ( ($this->_isHttps() && $server_port!=443) +- || (!$this->_isHttps() && $server_port!=80) +- ) { +- $server_url .= ':'; +- $server_url .= $server_port; +- } +- } +- return $server_url; ++ return $this->_serviceBaseUrl; + } + + /** +- * This method checks to see if the request is secured via HTTPS ++ * This method sets the service base URL used during service URL discovery process. ++ * ++ * This is required since phpCAS 1.6.0 to protect the integrity of the authentication. ++ * ++ * @since phpCAS 1.6.0 ++ * ++ * @param $name can be any of the following: ++ * - A base URL string. The service URL discovery will always use this (protocol, ++ * hostname and optional port number) without using any external host names. ++ * - An array of base URL strings. The service URL discovery will check against ++ * this list before using the auto discovered base URL. If there is no match, ++ * the first base URL in the array will be used as the default. This option is ++ * helpful if your PHP website is accessible through multiple domains without a ++ * canonical name, or through both HTTP and HTTPS. ++ * - A class that implements CAS_ServiceBaseUrl_Interface. If you need to customize ++ * the base URL discovery behavior, you can pass in a class that implements the ++ * interface. + * +- * @return bool true if https, false otherwise ++ * @return void + */ +- private function _isHttps() ++ private function _setServiceBaseUrl($name) + { +- if (!empty($_SERVER['HTTP_X_FORWARDED_PROTO'])) { +- return ($_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https'); +- } elseif (!empty($_SERVER['HTTP_X_FORWARDED_PROTOCOL'])) { +- return ($_SERVER['HTTP_X_FORWARDED_PROTOCOL'] === 'https'); +- } elseif ( isset($_SERVER['HTTPS']) +- && !empty($_SERVER['HTTPS']) +- && strcasecmp($_SERVER['HTTPS'], 'off') !== 0 +- ) { +- return true; ++ if (is_array($name)) { ++ $this->_serviceBaseUrl = new CAS_ServiceBaseUrl_AllowedListDiscovery($name); ++ } else if (is_string($name)) { ++ $this->_serviceBaseUrl = new CAS_ServiceBaseUrl_Static($name); ++ } else if ($name instanceof CAS_ServiceBaseUrl_Interface) { ++ $this->_serviceBaseUrl = $name; ++ } else { ++ throw new CAS_TypeMismatchException($name, '$name', 'array, string, or CAS_ServiceBaseUrl_Interface object'); + } +- return false; +- + } + + /** +--- /dev/null ++++ b/source/CAS/ServiceBaseUrl/AllowedListDiscovery.php +@@ -0,0 +1,152 @@ ++<?php ++ ++/** ++ * Licensed to Jasig under one or more contributor license ++ * agreements. See the NOTICE file distributed with this work for ++ * additional information regarding copyright ownership. ++ * ++ * Jasig licenses this file to you under the Apache License, ++ * Version 2.0 (the "License"); you may not use this file except in ++ * compliance with the License. You may obtain a copy of the License at: ++ * ++ * http://www.apache.org/licenses/LICENSE-2.0 ++ * ++ * Unless required by applicable law or agreed to in writing, software ++ * distributed under the License is distributed on an "AS IS" BASIS, ++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. ++ * See the License for the specific language governing permissions and ++ * limitations under the License. ++ * ++ * PHP Version 7 ++ * ++ * @file CAS/ServiceBaseUrl/AllowedListDiscovery.php ++ * @category Authentication ++ * @package PhpCAS ++ * @author Henry Pan <git@phy25.com> ++ * @license http://www.apache.org/licenses/LICENSE-2.0 Apache License 2.0 ++ * @link https://wiki.jasig.org/display/CASC/phpCAS ++ */ ++ ++ ++/** ++ * Class that gets the service base URL of the PHP server by HTTP header ++ * discovery and allowlist check. This is used to generate service URL ++ * and PGT callback URL. ++ * ++ * @class CAS_ServiceBaseUrl_AllowedListDiscovery ++ * @category Authentication ++ * @package PhpCAS ++ * @author Henry Pan <git@phy25.com> ++ * @license http://www.apache.org/licenses/LICENSE-2.0 Apache License 2.0 ++ * @link https://wiki.jasig.org/display/CASC/phpCAS ++ */ ++ ++class CAS_ServiceBaseUrl_AllowedListDiscovery ++extends CAS_ServiceBaseUrl_Base ++{ ++ private $_list = array(); ++ ++ public function __construct($list) { ++ if (is_array($list)) { ++ if (count($list) === 0) { ++ throw new CAS_InvalidArgumentException('$list should not be empty'); ++ } ++ foreach ($list as $value) { ++ $this->allow($value); ++ } ++ } else { ++ throw new CAS_TypeMismatchException($list, '$list', 'array'); ++ } ++ } ++ ++ /** ++ * Add a base URL to the allowed list. ++ * ++ * @param $url protocol, host name and port to add to the allowed list ++ * ++ * @return void ++ */ ++ public function allow($url) ++ { ++ $this->_list[] = $this->removeStandardPort($url); ++ } ++ ++ /** ++ * Check if the server name is allowed by configuration. ++ * ++ * @param $name server name to check ++ * ++ * @return bool whether the allowed list contains the server name ++ */ ++ protected function isAllowed($name) ++ { ++ return in_array($name, $this->_list); ++ } ++ ++ /** ++ * Discover the server name through HTTP headers. ++ * ++ * We read: ++ * - HTTP header X-Forwarded-Host ++ * - HTTP header X-Forwarded-Server and X-Forwarded-Port ++ * - HTTP header Host and SERVER_PORT ++ * - PHP SERVER_NAME (which can change based on the HTTP server used) ++ * ++ * The standard port will be omitted (80 for HTTP, 443 for HTTPS). ++ * ++ * @return string the discovered, unsanitized server protocol, hostname and port ++ */ ++ protected function discover() ++ { ++ $isHttps = $this->isHttps(); ++ $protocol = $isHttps ? 'https' : 'http'; ++ $protocol .= '://'; ++ if (!empty($_SERVER['HTTP_X_FORWARDED_HOST'])) { ++ // explode the host list separated by comma and use the first host ++ $hosts = explode(',', $_SERVER['HTTP_X_FORWARDED_HOST']); ++ // see rfc7239#5.3 and rfc7230#2.7.1: port is in HTTP_X_FORWARDED_HOST if non default ++ return $protocol . $hosts[0]; ++ } else if (!empty($_SERVER['HTTP_X_FORWARDED_SERVER'])) { ++ $server_url = $_SERVER['HTTP_X_FORWARDED_SERVER']; ++ } else { ++ if (empty($_SERVER['SERVER_NAME'])) { ++ $server_url = $_SERVER['HTTP_HOST']; ++ } else { ++ $server_url = $_SERVER['SERVER_NAME']; ++ } ++ } ++ if (!strpos($server_url, ':')) { ++ if (empty($_SERVER['HTTP_X_FORWARDED_PORT'])) { ++ $server_port = $_SERVER['SERVER_PORT']; ++ } else { ++ $ports = explode(',', $_SERVER['HTTP_X_FORWARDED_PORT']); ++ $server_port = $ports[0]; ++ } ++ ++ $server_url .= ':'; ++ $server_url .= $server_port; ++ } ++ return $protocol . $server_url; ++ } ++ ++ /** ++ * Get PHP server base URL. ++ * ++ * @return string the server protocol, hostname and port ++ */ ++ public function get() ++ { ++ phpCAS::traceBegin(); ++ $result = $this->removeStandardPort($this->discover()); ++ phpCAS::trace("Discovered server base URL: " . $result); ++ if ($this->isAllowed($result)) { ++ phpCAS::trace("Server base URL is allowed"); ++ phpCAS::traceEnd(true); ++ } else { ++ $result = $this->_list[0]; ++ phpCAS::trace("Server base URL is not allowed, using default: " . $result); ++ phpCAS::traceEnd(false); ++ } ++ return $result; ++ } ++} +--- /dev/null ++++ b/source/CAS/ServiceBaseUrl/Base.php +@@ -0,0 +1,98 @@ ++<?php ++ ++/** ++ * Licensed to Jasig under one or more contributor license ++ * agreements. See the NOTICE file distributed with this work for ++ * additional information regarding copyright ownership. ++ * ++ * Jasig licenses this file to you under the Apache License, ++ * Version 2.0 (the "License"); you may not use this file except in ++ * compliance with the License. You may obtain a copy of the License at: ++ * ++ * http://www.apache.org/licenses/LICENSE-2.0 ++ * ++ * Unless required by applicable law or agreed to in writing, software ++ * distributed under the License is distributed on an "AS IS" BASIS, ++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. ++ * See the License for the specific language governing permissions and ++ * limitations under the License. ++ * ++ * PHP Version 7 ++ * ++ * @file CAS/ServiceBaseUrl/Base.php ++ * @category Authentication ++ * @package PhpCAS ++ * @author Henry Pan <git@phy25.com> ++ * @license http://www.apache.org/licenses/LICENSE-2.0 Apache License 2.0 ++ * @link https://wiki.jasig.org/display/CASC/phpCAS ++ */ ++ ++/** ++ * Base class of CAS/ServiceBaseUrl that implements isHTTPS method. ++ * ++ * @class CAS_ServiceBaseUrl_Base ++ * @category Authentication ++ * @package PhpCAS ++ * @author Henry Pan <git@phy25.com> ++ * @license http://www.apache.org/licenses/LICENSE-2.0 Apache License 2.0 ++ * @link https://wiki.jasig.org/display/CASC/phpCAS ++ */ ++abstract class CAS_ServiceBaseUrl_Base ++implements CAS_ServiceBaseUrl_Interface ++{ ++ ++ /** ++ * Get PHP server name. ++ * ++ * @return string the server hostname and port of the server ++ */ ++ abstract public function get(); ++ ++ /** ++ * Check whether HTTPS is used. ++ * ++ * This is used to construct the protocol in the URL. ++ * ++ * @return bool true if HTTPS is used ++ */ ++ public function isHttps() { ++ if (!empty($_SERVER['HTTP_X_FORWARDED_PROTO'])) { ++ return ($_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https'); ++ } elseif (!empty($_SERVER['HTTP_X_FORWARDED_PROTOCOL'])) { ++ return ($_SERVER['HTTP_X_FORWARDED_PROTOCOL'] === 'https'); ++ } elseif ( isset($_SERVER['HTTPS']) ++ && !empty($_SERVER['HTTPS']) ++ && strcasecmp($_SERVER['HTTPS'], 'off') !== 0 ++ ) { ++ return true; ++ } ++ return false; ++ } ++ ++ /** ++ * Remove standard HTTP and HTTPS port for discovery and allowlist input. ++ * ++ * @param $url URL as https://domain:port without trailing slash ++ * @return standardized URL, or the original URL ++ * @throws CAS_InvalidArgumentException if the URL does not include the protocol ++ */ ++ protected function removeStandardPort($url) { ++ if (strpos($url, "://") === false) { ++ throw new CAS_InvalidArgumentException( ++ "Configured base URL should include the protocol string: " . $url); ++ } ++ ++ $url = rtrim($url, '/'); ++ ++ if (strpos($url, "https://") === 0 && substr_compare($url, ':443', -4) === 0) { ++ return substr($url, 0, -4); ++ } ++ ++ if (strpos($url, "http://") === 0 && substr_compare($url, ':80', -3) === 0) { ++ return substr($url, 0, -3); ++ } ++ ++ return $url; ++ } ++ ++} +--- /dev/null ++++ b/source/CAS/ServiceBaseUrl/Interface.php +@@ -0,0 +1,61 @@ ++<?php ++ ++/** ++ * Licensed to Jasig under one or more contributor license ++ * agreements. See the NOTICE file distributed with this work for ++ * additional information regarding copyright ownership. ++ * ++ * Jasig licenses this file to you under the Apache License, ++ * Version 2.0 (the "License"); you may not use this file except in ++ * compliance with the License. You may obtain a copy of the License at: ++ * ++ * http://www.apache.org/licenses/LICENSE-2.0 ++ * ++ * Unless required by applicable law or agreed to in writing, software ++ * distributed under the License is distributed on an "AS IS" BASIS, ++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. ++ * See the License for the specific language governing permissions and ++ * limitations under the License. ++ * ++ * PHP Version 7 ++ * ++ * @file CAS/ServerHostname/Interface.php ++ * @category Authentication ++ * @package PhpCAS ++ * @author Henry Pan <git@phy25.com> ++ * @license http://www.apache.org/licenses/LICENSE-2.0 Apache License 2.0 ++ * @link https://wiki.jasig.org/display/CASC/phpCAS ++ */ ++ ++/** ++ * An interface for classes that gets the server name of the PHP server. ++ * This is used to generate service URL and PGT callback URL. ++ * ++ * @class CAS_ServiceBaseUrl_Interface ++ * @category Authentication ++ * @package PhpCAS ++ * @author Henry Pan <git@phy25.com> ++ * @license http://www.apache.org/licenses/LICENSE-2.0 Apache License 2.0 ++ * @link https://wiki.jasig.org/display/CASC/phpCAS ++ */ ++interface CAS_ServiceBaseUrl_Interface ++{ ++ ++ /** ++ * Get PHP HTTP protocol and server name. ++ * ++ * @return string protocol, server hostname, and optionally port, ++ * without trailing slash (https://localhost:8443) ++ */ ++ public function get(); ++ ++ /** ++ * Check whether HTTPS is used. ++ * ++ * This is used to construct the protocol in the URL. ++ * ++ * @return bool true if HTTPS is used ++ */ ++ public function isHttps(); ++ ++} +--- /dev/null ++++ b/source/CAS/ServiceBaseUrl/Static.php +@@ -0,0 +1,69 @@ ++<?php ++ ++/** ++ * Licensed to Jasig under one or more contributor license ++ * agreements. See the NOTICE file distributed with this work for ++ * additional information regarding copyright ownership. ++ * ++ * Jasig licenses this file to you under the Apache License, ++ * Version 2.0 (the "License"); you may not use this file except in ++ * compliance with the License. You may obtain a copy of the License at: ++ * ++ * http://www.apache.org/licenses/LICENSE-2.0 ++ * ++ * Unless required by applicable law or agreed to in writing, software ++ * distributed under the License is distributed on an "AS IS" BASIS, ++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. ++ * See the License for the specific language governing permissions and ++ * limitations under the License. ++ * ++ * PHP Version 7 ++ * ++ * @file CAS/ServiceBaseUrl/Static.php ++ * @category Authentication ++ * @package PhpCAS ++ * @author Henry Pan <git@phy25.com> ++ * @license http://www.apache.org/licenses/LICENSE-2.0 Apache License 2.0 ++ * @link https://wiki.jasig.org/display/CASC/phpCAS ++ */ ++ ++ ++/** ++ * Class that gets the server name of the PHP server by statically set ++ * hostname and port. This is used to generate service URL and PGT ++ * callback URL. ++ * ++ * @class CAS_ServiceBaseUrl_Static ++ * @category Authentication ++ * @package PhpCAS ++ * @author Henry Pan <git@phy25.com> ++ * @license http://www.apache.org/licenses/LICENSE-2.0 Apache License 2.0 ++ * @link https://wiki.jasig.org/display/CASC/phpCAS ++ */ ++ ++class CAS_ServiceBaseUrl_Static ++extends CAS_ServiceBaseUrl_Base ++{ ++ private $_name = null; ++ ++ public function __construct($name) { ++ if (is_string($name)) { ++ $this->_name = $this->removeStandardPort($name); ++ } else { ++ throw new CAS_TypeMismatchException($name, '$name', 'string'); ++ } ++ } ++ ++ /** ++ * Get the server name through static config. ++ * ++ * @return string the server hostname and port of the server configured ++ */ ++ public function get() ++ { ++ phpCAS::traceBegin(); ++ phpCAS::trace("Returning static server name: " . $this->_name); ++ phpCAS::traceEnd(true); ++ return $this->_name; ++ } ++} +\ No newline at end of file +--- /dev/null ++++ b/test/CAS/Tests/ServiceBaseUrlTest.php +@@ -0,0 +1,244 @@ ++<?php ++ ++/** ++ * Licensed to Jasig under one or more contributor license ++ * agreements. See the NOTICE file distributed with this work for ++ * additional information regarding copyright ownership. ++ * ++ * Jasig licenses this file to you under the Apache License, ++ * Version 2.0 (the "License"); you may not use this file except in ++ * compliance with the License. You may obtain a copy of the License at: ++ * ++ * http://www.apache.org/licenses/LICENSE-2.0 ++ * ++ * Unless required by applicable law or agreed to in writing, software ++ * distributed under the License is distributed on an "AS IS" BASIS, ++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. ++ * See the License for the specific language governing permissions and ++ * limitations under the License. ++ * ++ * PHP Version 7 ++ * ++ * @file CAS/Tests/ServiceBaseUrlTest.php ++ * @category Authentication ++ * @package PhpCAS ++ * @author Henry Pan <git@phy25.com> ++ * @license http://www.apache.org/licenses/LICENSE-2.0 Apache License 2.0 ++ * @link https://wiki.jasig.org/display/CASC/phpCAS ++ */ ++ ++namespace PhpCas\Tests; ++ ++use PHPUnit\Framework\TestCase; ++ ++/** ++ * Test class for verifying the operation of the ServiceBaseUrl classes. ++ * ++ * @class ServiceBaseUrlTest ++ * @category Authentication ++ * @package PhpCAS ++ * @author Henry Pan <git@phy25.com> ++ * @license http://www.apache.org/licenses/LICENSE-2.0 Apache License 2.0 ++ * @link https://wiki.jasig.org/display/CASC/phpCAS ++ */ ++class ServiceBaseUrlTest extends TestCase ++{ ++ /** ++ * @var CAS_Client ++ */ ++ protected $object; ++ ++ const DEFAULT_NAME = 'https://default.domain'; ++ ++ const DOMAIN_1 = 'http://domain1'; ++ ++ /** ++ * Sets up the fixture, for example, opens a network connection. ++ * This method is called before a test is executed. ++ */ ++ protected function setUp(): void ++ { ++ $this->object = new \CAS_ServiceBaseUrl_AllowedListDiscovery(array(self::DEFAULT_NAME, self::DOMAIN_1)); ++ } ++ ++ /** ++ * Tears down the fixture, for example, closes a network connection. ++ * This method is called after a test is executed. ++ */ ++ protected function tearDown(): void ++ { ++ ++ } ++ ++ /********************************************************* ++ * Tests of public (interface) methods ++ *********************************************************/ ++ ++ /** ++ * Verify that non allowlisted SERVER_NAME will return default name. ++ * ++ * @return void ++ */ ++ public function testNonAllowlistedServerName() ++ { ++ $_SERVER['SERVER_NAME'] = 'domain1:8080'; ++ ++ $this->assertSame(self::DEFAULT_NAME, $this->object->get()); ++ } ++ ++ /** ++ * Verify that non allowlisted HTTP_HOST will return default name. ++ * ++ * @return void ++ */ ++ public function testNonAllowlistedHttpHost() ++ { ++ $_SERVER['HTTP_HOST'] = 'domain1:8080'; ++ $_SERVER['SERVER_NAME'] = ''; ++ ++ $this->assertSame(self::DEFAULT_NAME, $this->object->get()); ++ } ++ ++ /** ++ * Verify that non allowlisted HTTP_X_FORWARDED_SERVER will return default name. ++ * ++ * @return void ++ */ ++ public function testNonAllowlistedXForwardedServer() ++ { ++ $_SERVER['HTTP_X_FORWARDED_SERVER'] = 'domain1'; ++ $_SERVER['HTTP_X_FORWARDED_PORT'] = '8080'; ++ ++ $this->assertSame(self::DEFAULT_NAME, $this->object->get()); ++ } ++ ++ /** ++ * Verify that non allowlisted HTTP_X_FORWARDED_SERVER will return. ++ * ++ * @return void ++ */ ++ public function testNonAllowlistedXForwardedHost() ++ { ++ $_SERVER['HTTP_X_FORWARDED_HOST'] = 'domain1:8080'; ++ ++ $this->assertSame(self::DEFAULT_NAME, $this->object->get()); ++ } ++ ++ /** ++ * Verify that allowlisted SERVER_NAME will return in standarized form. ++ * ++ * @return void ++ */ ++ public function testAllowlistedServerName() ++ { ++ $_SERVER['SERVER_NAME'] = 'domain1'; ++ $_SERVER['HTTP_X_FORWARDED_PORT'] = '80'; ++ ++ $this->assertSame(self::DOMAIN_1, $this->object->get()); ++ } ++ ++ /** ++ * Verify that allowlisted HTTP_HOST will return. ++ * ++ * @return void ++ */ ++ public function testAllowlistedHttpHost() ++ { ++ $_SERVER['HTTP_HOST'] = 'domain1'; ++ $_SERVER['SERVER_NAME'] = ''; ++ $_SERVER['HTTP_X_FORWARDED_PORT'] = '80'; ++ ++ $this->assertSame(self::DOMAIN_1, $this->object->get()); ++ } ++ ++ /** ++ * Verify that allowlisted HTTP_X_FORWARDED_SERVER will return. ++ * ++ * @return void ++ */ ++ public function testAllowlistedXForwardedServer() ++ { ++ $_SERVER['HTTP_X_FORWARDED_SERVER'] = 'domain1'; ++ $_SERVER['HTTP_X_FORWARDED_PORT'] = '80'; ++ ++ $this->assertSame(self::DOMAIN_1, $this->object->get()); ++ } ++ ++ /** ++ * Verify that allowlisted HTTP_X_FORWARDED_HOST will return. ++ * ++ * @return void ++ */ ++ public function testAllowlistedXForwardedHost() ++ { ++ $_SERVER['HTTP_X_FORWARDED_HOST'] = 'domain1'; ++ ++ $this->assertSame(self::DOMAIN_1, $this->object->get()); ++ } ++ ++ /** ++ * Verify that allowlisted HTTP_X_FORWARDED_HOST will return with a HTTP allowlist ++ * that needs to be standardized. ++ * ++ * @return void ++ */ ++ public function testAllowlistedXForwardedHostHttpStandardized() ++ { ++ $_SERVER['HTTP_X_FORWARDED_HOST'] = 'domain1'; ++ ++ $this->object = new \CAS_ServiceBaseUrl_AllowedListDiscovery(array(self::DEFAULT_NAME, "http://domain1:80/")); ++ $this->assertSame(self::DOMAIN_1, $this->object->get()); ++ } ++ ++ /** ++ * Verify that allowlisted HTTP_X_FORWARDED_HOST will return with a HTTP allowlist ++ * that needs to be standardized. ++ * ++ * @return void ++ */ ++ public function testAllowlistedXForwardedHostWithSslHttpsStandardized() ++ { ++ $_SERVER['HTTPS'] = 'on'; ++ $_SERVER['HTTP_X_FORWARDED_HOST'] = 'default.domain:443'; ++ ++ $this->object = new \CAS_ServiceBaseUrl_AllowedListDiscovery(array("https://default.domain:443/", self::DOMAIN_1)); ++ $this->assertSame(self::DEFAULT_NAME, $this->object->get()); ++ } ++ ++ /** ++ * Verify that allowlisted HTTP_X_FORWARDED_HOST will return with a HTTP allowlist ++ * that needs to be standardized. ++ * ++ * @return void ++ */ ++ public function testAllowlistedXForwardedHostHttpsStandardized() ++ { ++ $_SERVER['HTTP_X_FORWARDED_HOST'] = 'default.domain:443'; ++ ++ $this->object = new \CAS_ServiceBaseUrl_AllowedListDiscovery(array("https://default.domain:443/", "http://default.domain:443/")); ++ $this->assertSame("http://default.domain:443", $this->object->get()); ++ } ++ ++ /** ++ * Verify that static configuration always return the standardized base URL. ++ * ++ * @return void ++ */ ++ public function testStaticHappyPath() ++ { ++ $this->object = new \CAS_ServiceBaseUrl_Static("https://default.domain:443/"); ++ $this->assertSame(self::DEFAULT_NAME, $this->object->get()); ++ } ++ ++ /** ++ * Verify that static configuration always return the standardized base URL. ++ * ++ * @return void ++ */ ++ public function testStaticNoProtocol() ++ { ++ $this->expectException(\CAS_InvalidArgumentException::class); ++ $this->object = new \CAS_ServiceBaseUrl_Static("default.domain/"); ++ } ++ ++} +--- a/source/CAS.php ++++ b/source/CAS.php +@@ -327,6 +327,14 @@ + * @param string $server_hostname the hostname of the CAS server + * @param string $server_port the port the CAS server is running on + * @param string $server_uri the URI the CAS server is responding on ++ * @param string|string[]|CAS_ServiceBaseUrl_Interface ++ * $service_base_url the base URL (protocol, host and the ++ * optional port) of the CAS client; pass ++ * in an array to use auto discovery with ++ * an allowlist; pass in ++ * CAS_ServiceBaseUrl_Interface for custom ++ * behavior. Added in 1.6.0. Similar to ++ * serverName config in other CAS clients. + * @param bool $changeSessionID Allow phpCAS to change the session_id (Single + * Sign Out/handleLogoutRequests is based on that change) + * +@@ -336,7 +344,7 @@ + * and phpCAS::setDebug()). + */ + public static function client($server_version, $server_hostname, +- $server_port, $server_uri, $changeSessionID = true ++ $server_port, $server_uri, $service_base_url, $changeSessionID = true + ) { + phpCAS :: traceBegin(); + if (is_object(self::$_PHPCAS_CLIENT)) { +@@ -355,7 +363,7 @@ + // initialize the object $_PHPCAS_CLIENT + try { + self::$_PHPCAS_CLIENT = new CAS_Client( +- $server_version, false, $server_hostname, $server_port, $server_uri, ++ $server_version, false, $server_hostname, $server_port, $server_uri, $service_base_url, + $changeSessionID + ); + } catch (Exception $e) { +@@ -371,6 +379,14 @@ + * @param string $server_hostname the hostname of the CAS server + * @param string $server_port the port the CAS server is running on + * @param string $server_uri the URI the CAS server is responding on ++ * @param string|string[]|CAS_ServiceBaseUrl_Interface ++ * $service_base_url the base URL (protocol, host and the ++ * optional port) of the CAS client; pass ++ * in an array to use auto discovery with ++ * an allowlist; pass in ++ * CAS_ServiceBaseUrl_Interface for custom ++ * behavior. Added in 1.6.0. Similar to ++ * serverName config in other CAS clients. + * @param bool $changeSessionID Allow phpCAS to change the session_id (Single + * Sign Out/handleLogoutRequests is based on that change) + * +@@ -380,7 +396,7 @@ + * and phpCAS::setDebug()). + */ + public static function proxy($server_version, $server_hostname, +- $server_port, $server_uri, $changeSessionID = true ++ $server_port, $server_uri, $service_base_url, $changeSessionID = true + ) { + phpCAS :: traceBegin(); + if (is_object(self::$_PHPCAS_CLIENT)) { +@@ -399,7 +415,7 @@ + // initialize the object $_PHPCAS_CLIENT + try { + self::$_PHPCAS_CLIENT = new CAS_Client( +- $server_version, true, $server_hostname, $server_port, $server_uri, ++ $server_version, true, $server_hostname, $server_port, $server_uri, $service_base_url, + $changeSessionID + ); + } catch (Exception $e) { diff -Nru php-cas-1.3.6/debian/patches/series php-cas-1.3.6/debian/patches/series --- php-cas-1.3.6/debian/patches/series 1970-01-01 01:00:00.000000000 +0100 +++ php-cas-1.3.6/debian/patches/series 2023-06-19 17:12:56.000000000 +0200 @@ -0,0 +1 @@ +CVE-2022-39369.patch
Attachment:
signature.asc
Description: PGP signature