Hi, I worked on this issue for days before I finally figured out what was causing it.
Note also that I'm reporting this for version 7.x-3.x-dev but the same can occur on the other branch 7.x-2.x-dev.

As synthesized in the title, the check performed by the function valid_url() for $_SERVER['HTTP_REFERER'] in simplesamlphp_auth_loginpage() causes a severe crash of the server (Apache for Windows in my case) when the validation is performed on complex URLs (e.g. https://idp-server.example.com/idp/?SAMLRequest=fZJBTwIxEIX%2Fyqb33e4uC0...).
This can be easily tested/reproduced with the "Execute PHP Code" functionality of Devel, by trying to print the result of valid_url() for the URL I gave in the example above.

My current solution was to remove only this check in the if clause, but probably this is not the best solution.


Comments

StarCruiser created an issue. See original summary.

vincent.verbruggen

Hi StarCruiser,
I had the same problem when using an Identity Provider first flow or when the user already authenticated via another Service Provider.
You should validate the referer though, but not using Drupal's valid_url() since it might crash.
You could use filter_var() instead.
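
The filter_var() approach suggested in the comment above, as an added example that is not code from this thread or from the simplesamlphp_auth module. The function name, the host allowlist and the length cap are assumptions made for illustration; the sample URLs are constructed.

```php
<?php
/**
 * Added example: check a Referer header without calling Drupal's valid_url().
 * example_referer_is_acceptable() and $allowed_hosts are hypothetical names.
 */
function example_referer_is_acceptable($referer, array $allowed_hosts) {
  // The header is client-controlled: reject non-strings, empty values and
  // oversized input (8192 bytes is an assumed cap, not a module setting).
  if (!is_string($referer) || $referer === '' || strlen($referer) > 8192) {
    return FALSE;
  }
  // Syntax check with PHP's built-in filter instead of valid_url().
  if (filter_var($referer, FILTER_VALIDATE_URL) === FALSE) {
    return FALSE;
  }
  // FILTER_VALIDATE_URL accepts any scheme (ftp://, ssh://, ...), so the
  // scheme has to be restricted to http/https separately.
  $parts = parse_url($referer);
  if ($parts === FALSE || empty($parts['scheme']) || empty($parts['host'])) {
    return FALSE;
  }
  if (!in_array(strtolower($parts['scheme']), array('http', 'https'), TRUE)) {
    return FALSE;
  }
  // Accept only referers whose host is on the configured list.
  $hosts = array_map('strtolower', $allowed_hosts);
  return in_array(strtolower($parts['host']), $hosts, TRUE);
}

// Constructed samples. The first mimics a long SAMLRequest redirect URL of
// the kind described in the issue summary.
$allowed = array('idp-server.example.com');
$samples = array(
  'https://idp-server.example.com/idp/?SAMLRequest=' . str_repeat('fZJBTwIxEIX%2F', 200),
  'ftp://idp-server.example.com/idp/',
  'https://other.example.net/idp/',
  'not a url',
);
foreach ($samples as $url) {
  $label = strlen($url) > 60 ? substr($url, 0, 60) . '...' : $url;
  print $label . ' => ' . var_export(example_referer_is_acceptable($url, $allowed), TRUE) . "\n";
}
```

Only the first sample passes; the others fail on scheme, host or syntax respectively.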