Update php-saml to 3.1.0. Make the code compatible

LICENSE

@@ -1,4 +1,4 @@
-Copyright (c) 2010-2016 OneLogin, LLC
+Copyright (c) 2010-2019 OneLogin, LLC
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

README.md

@@ -11,6 +11,11 @@ This kind of WP hosting used to cache plugins and protect the wp-login.php view.
 You will need to contact them in order to disable the cache for this SAML plugin and also allow external HTTP POST to
 wp-login.php
 
+### Security Improvements on 3.0.0 ###
+
+Version 3.0.0 includes a security patch that will prevent DDOS by expansion of internally defined entities (XEE)
+That version also includes the use of php-saml 3.X so will be compatible with PHP 5.X and 7.X
+
 ### Security Improvements on 2.4.3 ###
 
 Version 2.4.3 includes a security patch that contains extra validations that will prevent some kind of elaborated signature wrapping attacks and other security improvements. Previous versions are vulnerable so we highly recommended to upgrade to >= 2.4.3.

onelogin-saml-sso/php/_toolkit_loader.php

@@ -27,16 +27,23 @@
 SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  ********************************************************************************/
 
-$libDir = dirname(__FILE__) . '/lib/Saml2/';
-$extlibDir = dirname(__FILE__) . '/extlib/';
+// Load xmlseclibs
+if (!class_exists("\RobRichards\XMLSecLibs\XMLSecurityKey")) {
+	$xmlseclibsSrcDir = dirname(__FILE__).'/extlib/xmlseclibs/src';
 
-// Load first external libs
-require_once($extlibDir . 'xmlseclibs/xmlseclibs.php');
+	include_once $xmlseclibsSrcDir.'/XMLSecEnc.php';
+	include_once $xmlseclibsSrcDir.'/XMLSecurityDSig.php';
+	include_once $xmlseclibsSrcDir.'/XMLSecurityKey.php';
+	include_once $xmlseclibsSrcDir.'/Utils/XPath.php';
+}
+
+// Load php-saml
+$libDir = dirname(__FILE__).'/lib/Saml2/';
 
 $folderInfo = scandir($libDir);
 
 foreach ($folderInfo as $element) {
     if (is_file($libDir.$element) && (substr($element, -4) === '.php')) {
-        require_once($libDir.$element);
+        include_once $libDir.$element;
     }
 }

onelogin-saml-sso/php/configuration.php

@@ -5,10 +5,8 @@
 	exit;
 }
 
+require_once "_toolkit_loader.php";
 require_once "compatibility.php";
-require_once (dirname(__FILE__) . "/lib/Saml2/Constants.php");
-require_once (dirname(__FILE__) . "/extlib/xmlseclibs/xmlseclibs.php");
-
 
 	function onelogin_saml_configuration_render() {
 		$title = __("SSO/SAML Settings", 'onelogin-saml-sso');

onelogin-saml-sso/php/extlib/xmlseclibs/CHANGELOG.txt

@@ -1,9 +1,79 @@
 xmlseclibs.php
-??, ??? ????, 2.0.0
+|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
+15, Nov 2018, 3.0.3
+Bug Fixes:
+- Fix casing of class name. (Willem Stuursma-Ruwen)
+- Fix Xpath casing. (Tim van Dijen)
+
+Improvements:
+- Make PCRE2 compliant. (Stefan Winter)
+- Add PHP 7.3 support. (Stefan Winter)
+
+27, Sep 2018, 3.0.2
+Security Improvements:
+- OpenSSL is now a requirement rather than suggestion. (Slaven Bacelic)
+- Filter input to avoid XPath injection. (Jaime Pérez)
+
+Bug Fixes:
+- Fix missing parentheses (Tim van Dijen)
+
+Improvements:
+- Use strict comparison operator to compare digest values. (Jaime Pérez)
+- Remove call to file_get_contents that doesn't even work. (Jaime Pérez)
+- Document potentially dangerous return value behaviour. (Thijs Kinkhorst)
+
+31, Aug 2017, 3.0.1
+Bug Fixes:
+- Fixed missing () in function call. (Dennis Væversted)
+
+Improvements:
+- Add OneLogin to supported software.
+- Add .gitattributes to remove unneeded files. (Filippo Tessarotto)
+- Fix bug in example code. (Dan Church)
+- Travis: add PHP 7.1, move hhvm to allowed failures. (Thijs Kinkhorst)
+- Drop failing extract-win-cert test (Thijs Kinkhorst). (Thijs Kinkhorst)
+- Add comments to warn about return values of verify(). (Thijs Kinkhorst)
+- Fix tests to properly check return code of verify(). (Thijs Kinkhorst)
+- Restore support for PHP >= 5.4. (Jaime Pérez)
+
+25, May 2017, 3.0.0
+Improvements:
+- Remove use of mcrypt (skymeyer)
+
+08, Sep 2016, 2.0.1
+Bug Fixes:
+- Strip whitespace characters when parsing X509Certificate. fixes #84
+  (klemen.bratec)
+- Certificate 'subject' values can be arrays. fixes #80 (Andreas Stangl)
+- HHVM signing node with ID attribute w/out namespace regenerates ID value.
+  fixes #88 (Milos Tomic)
+
+Improvements:
+- Fix typos and add some PHPDoc Blocks. (gfaust-qb)
+- Update lightSAML link. (Milos Tomic)
+- Update copyright dates.
+
+31, Jul 2015, 2.0.0
+Features:
+- Namespace support. Classes now in the RobRichards\XMLSecLibs\ namespace.
+
+Improvements:
+- Dropped support for PHP 5.2
+
+31, Jul 2015, 1.4.1
+Bug Fixes:
+- Allow for large digest values that may have line breaks. fixes #62
+
 Features:
 - Support for locating specific signature when multiple exist in 
   document. (griga3k)
 
+Improvements:
+- Add optional argument to XMLSecurityDSig to define the prefix to be used, 
+  also allowing for null to use no prefix, for the dsig namespace. fixes #13
+- Code cleanup
+- Depreciated XMLSecurityDSig::generate_GUID for XMLSecurityDSig::generateGUID
+
 23, Jun 2015, 1.4.0
 Features:
 - Support for PSR-0 standard.

onelogin-saml-sso/php/extlib/xmlseclibs/LICENSE

@@ -1,4 +1,4 @@
-Copyright (c) 2007-2013, Robert Richards <[email protected]>.
+Copyright (c) 2007-2018, Robert Richards <[email protected]>.
 All rights reserved.
 
 Redistribution and use in source and binary forms, with or without
@@ -28,4 +28,4 @@ LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
 ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-POSSIBILITY OF SUCH DAMAGE.
+POSSIBILITY OF SUCH DAMAGE.

onelogin-saml-sso/php/extlib/xmlseclibs/README.md

@@ -0,0 +1,84 @@
+#xmlseclibs 
+
+xmlseclibs is a library written in PHP for working with XML Encryption and Signatures.
+
+The author of xmlseclibs is Rob Richards.
+
+# Branches
+Both the master and the 2.0 branches are actively maintained.
+* master: Removes mcrypt usage requiring 5.4+ (5.6.24+ recommended for security reasons)
+* 2.0: Contains namespace support requiring 5.3+
+* 1.4: Contains auto-loader support while also maintaining backwards compatiblity with the older 1.3 version using the xmlseclibs.php file. Supports PHP 5.2+
+
+# Requirements
+
+xmlseclibs requires PHP version 5.4 or greater. **5.6.24+ recommended for security reasons**
+
+
+## How to Install
+
+Install with [`composer.phar`](http://getcomposer.org).
+
+```sh
+php composer.phar require "robrichards/xmlseclibs"
+```
+
+
+## Use cases
+
+xmlseclibs is being used in many different software.
+
+* [SimpleSAMLPHP](https://github.com/simplesamlphp/simplesamlphp)
+* [LightSAML](https://github.com/lightsaml/lightsaml)
+* [OneLogin](https://github.com/onelogin/php-saml)
+
+## Basic usage
+
+The example below shows basic usage of xmlseclibs, with a SHA-256 signature.
+
+```php
+use RobRichards\XMLSecLibs\XMLSecurityDSig;
+use RobRichards\XMLSecLibs\XMLSecurityKey;
+
+// Load the XML to be signed
+$doc = new DOMDocument();
+$doc->load('./path/to/file/tobesigned.xml');
+
+// Create a new Security object 
+$objDSig = new XMLSecurityDSig();
+// Use the c14n exclusive canonicalization
+$objDSig->setCanonicalMethod(XMLSecurityDSig::EXC_C14N);
+// Sign using SHA-256
+$objDSig->addReference(
+    $doc, 
+    XMLSecurityDSig::SHA256, 
+    array('http://www.w3.org/2000/09/xmldsig#enveloped-signature')
+);
+
+// Create a new (private) Security key
+$objKey = new XMLSecurityKey(XMLSecurityKey::RSA_SHA256, array('type'=>'private'));
+/*
+If key has a passphrase, set it using
+$objKey->passphrase = '<passphrase>';
+*/
+// Load the private key
+$objKey->loadKey('./path/to/privatekey.pem', TRUE);
+
+// Sign the XML file
+$objDSig->sign($objKey);
+
+// Add the associated public key to the signature
+$objDSig->add509Cert(file_get_contents('./path/to/file/mycert.pem'));
+
+// Append the signature to the XML
+$objDSig->appendSignature($doc->documentElement);
+// Save the signed XML
+$doc->save('./path/to/signed.xml');
+```
+
+## How to Contribute
+
+* [Open Issues](https://github.com/robrichards/xmlseclibs/issues)
+* [Open Pull Requests](https://github.com/robrichards/xmlseclibs/pulls)
+
+Mailing List: https://groups.google.com/forum/#!forum/xmlseclibs

onelogin-saml-sso/php/extlib/xmlseclibs/src/Utils/XPath.php

@@ -0,0 +1,44 @@
+<?php
+
+namespace RobRichards\XMLSecLibs\Utils;
+
+class XPath
+{
+    const ALPHANUMERIC = '\w\d';
+    const NUMERIC = '\d';
+    const LETTERS = '\w';
+    const EXTENDED_ALPHANUMERIC = '\w\d\s\-_:\.';
+
+    const SINGLE_QUOTE = '\'';
+    const DOUBLE_QUOTE = '"';
+    const ALL_QUOTES = '[\'"]';
+
+
+    /**
+     * Filter an attribute value for save inclusion in an XPath query.
+     *
+     * @param string $value The value to filter.
+     * @param string $quotes The quotes used to delimit the value in the XPath query.
+     *
+     * @return string The filtered attribute value.
+     */
+    public static function filterAttrValue($value, $quotes = self::ALL_QUOTES)
+    {
+        return preg_replace('#'.$quotes.'#', '', $value);
+    }
+
+
+    /**
+     * Filter an attribute name for save inclusion in an XPath query.
+     *
+     * @param string $name The attribute name to filter.
+     * @param mixed $allow The set of characters to allow. Can be one of the constants provided by this class, or a
+     * custom regex excluding the '#' character (used as delimiter).
+     *
+     * @return string The filtered attribute name.
+     */
+    public static function filterAttrName($name, $allow = self::EXTENDED_ALPHANUMERIC)
+    {
+        return preg_replace('#[^'.$allow.']#', '', $name);
+    }
+}