diff --git a/open_xdmod/modules/xdmod/assets/simplesamlphp-CVE-2020-5225.patch b/open_xdmod/modules/xdmod/assets/simplesamlphp-CVE-2020-5225.patch
index b517e6b85b..2f70683f6c 100644
--- a/open_xdmod/modules/xdmod/assets/simplesamlphp-CVE-2020-5225.patch
+++ b/open_xdmod/modules/xdmod/assets/simplesamlphp-CVE-2020-5225.patch
@@ -2,10 +2,10 @@ diff --git a/www/errorreport.php b/www/errorreport.php
 index a95631083..81c10a238 100644
 --- a/www/errorreport.php
 +++ b/www/errorreport.php
-@@ -17,2 +17,2 @@ $reportId = (string) $_REQUEST['reportId'];
+@@ -17,6 +17,10 @@ $reportId = (string) $_REQUEST['reportId'];
  $email = (string) $_REQUEST['email'];
  $text = htmlspecialchars((string) $_REQUEST['text']);
- 
+ 
 +if (!preg_match('/^[0-9a-f]{8}$/', $reportId)) {
 +    throw new SimpleSAML_Error_Exception('Invalid reportID');
 +}
diff --git a/open_xdmod/modules/xdmod/assets/simplesamlphp-SSPSA_201907-01_HTTP.patch b/open_xdmod/modules/xdmod/assets/simplesamlphp-SSPSA_201907-01_HTTP.patch
index fafd5e5049..10feeeef52 100644
--- a/open_xdmod/modules/xdmod/assets/simplesamlphp-SSPSA_201907-01_HTTP.patch
+++ b/open_xdmod/modules/xdmod/assets/simplesamlphp-SSPSA_201907-01_HTTP.patch
@@ -1,7 +1,7 @@
 120a121,141
 > }
->
->
+>
+>
 > /**
 > * Verify that a given URL is valid.
 > *
@@ -25,7 +25,7 @@
 > if (!self::isValidURL($url)) {
 > throw new \SimpleSAML_Error_Exception('Invalid destination URL.');
 151a176
->
+>
 328c353
 < if (filter_var($url, FILTER_VALIDATE_URL) === false) {
 ---
diff --git a/open_xdmod/modules/xdmod/assets/simplesamlphp-SSPSA_201907-01_postredirect.patch b/open_xdmod/modules/xdmod/assets/simplesamlphp-SSPSA_201907-01_postredirect.patch
index 9ca4a5bc9d..590357475b 100644
--- a/open_xdmod/modules/xdmod/assets/simplesamlphp-SSPSA_201907-01_postredirect.patch
+++ b/open_xdmod/modules/xdmod/assets/simplesamlphp-SSPSA_201907-01_postredirect.patch
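Review bot: The corrected nested hunk header `@@ -17,6 +17,10 @@` is only right if exactly three unchanged lines follow `+}` in simplesamlphp-CVE-2020-5225.patch; those trailing context lines lie outside this hunk, so they cannot be checked here and the vendored patch should be verified with `git apply --check` or `patch --dry-run` against the SimpleSAMLphp tree it targets. The blank context line rewritten in the same hunk (`- ` → `+ `) is whitespace-sensitive, as are the `>` lines touched in the SSPSA_201907-01_HTTP and SSPSA_201907-01_postredirect patch files, so the exact trailing whitespace matters to `patch` and is easily lost by editors that trim it; marking `*.patch` with `-whitespace` in .gitattributes (or an editorconfig exception for patch files) would keep this from regressing. The reportId check the patch carries, `if (!preg_match('/^[0-9a-f]{8}$/', $reportId))`, only protects errorreport.php if the patch actually applies, so a build-time apply check is the real regression guard for CVE-2020-5225.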
@@ -2,4 +2,4 @@
 > if (!\SimpleSAML\Utils\HTTP::isValidURL($postData['url'])) {
 > throw new \SimpleSAML\Error\Exception('Invalid destination URL.');
 > }
->
+>