simplesamlphp
diff --git a/‎src/SAML2/HTTPRedirect.php‎
Lines changed: 94 additions & 11 deletions b/‎src/SAML2/HTTPRedirect.php‎
Lines changed: 94 additions & 11 deletions
@@ -120,14 +120,37 @@ public function send(AbstractMessage $message): ResponseInterface
      */
     public function receive(ServerRequestInterface $request): AbstractMessage
     {
-        $query = $request->getQueryParams();
-
-        if (array_key_exists('SAMLRequest', $query)) {
-            $message = $query['SAMLRequest'];
-            $signedQuery = 'SAMLRequest=' . urlencode($query['SAMLRequest']);
-        } elseif (array_key_exists('SAMLResponse', $query)) {
-            $message = $query['SAMLResponse'];
-            $signedQuery = 'SAMLResponse=' . urlencode($query['SAMLResponse']);
+        $query = $this->parseQuery();
+        $signedQuery = $query['SignedQuery'];
+
+        /**
+         * Get the SAMLRequest/SAMLResponse from the exact same signed data that will be verified later in
+         * validateSignature into $res using the actual SignedQuery
+         */
+        $res = [];
+        foreach (explode('&', $signedQuery) as $e) {
+            $tmp = explode('=', $e, 2);
+            $name = $tmp[0];
+            if (count($tmp) === 2) {
+                $value = $tmp[1];
+            } else {
+                /* No value for this parameter. */
+                $value = '';
+            }
+            $name = urldecode($name);
+            $res[$name] = urldecode($value);
+        }
+
+        /**
+         * Put the SAMLRequest/SAMLResponse from the actual query string into $message,
+         * and assert that the result from parseQuery() in $query and the parsing of the SignedQuery in $res agree
+         */
+        if (array_key_exists('SAMLRequest', $res)) {
+            Assert::same($res['SAMLRequest'], $query['SAMLRequest'], 'Parse failure.');
+            $message = $res['SAMLRequest'];
+        } elseif (array_key_exists('SAMLResponse', $res)) {
+            Assert::same($res['SAMLResponse'], $query['SAMLResponse'], 'Parse failure.');
+            $message = $res['SAMLResponse'];
         } else {
             throw new Exception('Missing SAMLRequest or SAMLResponse parameter.');
         }
@@ -151,7 +174,6 @@ public function receive(ServerRequestInterface $request): AbstractMessage
         $message = MessageFactory::fromXML($document->documentElement);
 
         if (array_key_exists('RelayState', $query)) {
-            $signedQuery .= '&RelayState=' . urlencode($query['RelayState']);
             $this->setRelayState($query['RelayState']);
         }
 
@@ -170,8 +192,6 @@ public function receive(ServerRequestInterface $request): AbstractMessage
 
         if (!array_key_exists('SigAlg', $query)) {
             throw new Exception('Missing signature algorithm.');
-        } else {
-            $signedQuery .= '&SigAlg=' . urlencode($query['SigAlg']);
         }
 
         $container = ContainerSingleton::getInstance();
@@ -188,4 +208,67 @@ public function receive(ServerRequestInterface $request): AbstractMessage
 
         return $message;
     }
+
+
+    /**
+     * Helper function to parse query data.
+     *
+     * This function returns the query string split into key=>value pairs.
+     * It also adds a new parameter, SignedQuery, which contains the data that is
+     * signed.
+     *
+     * @return array The query data that is signed.
+     * @throws \Exception
+     */
+    private static function parseQuery() : array
+    {
+        /*
+         * Parse the query string. We need to do this ourself, so that we get access
+         * to the raw (urlencoded) values. This is required because different software
+         * can urlencode to different values.
+         */
+        $data = [];
+        $relayState = '';
+        $sigAlg = '';
+        $sigQuery = '';
+
+        foreach (explode('&', $_SERVER['QUERY_STRING']) as $e) {
+            $tmp = explode('=', $e, 2);
+            $name = $tmp[0];
+            if (count($tmp) === 2) {
+                $value = $tmp[1];
+            } else {
+                /* No value for this parameter. */
+                $value = '';
+            }
+
+            $name = urldecode($name);
+            // Prevent keys from being set more than once
+            if (array_key_exists($name, $data)) {
+                throw new Exception('Duplicate parameter.');
+            }
+            $data[$name] = urldecode($value);
+
+            switch ($name) {
+                case 'SAMLRequest':
+                case 'SAMLResponse':
+                    $sigQuery = $name . '=' . $value;
+                    break;
+                case 'RelayState':
+                    $relayState = '&RelayState=' . $value;
+                    break;
+                case 'SigAlg':
+                    $sigAlg = '&SigAlg=' . $value;
+                    break;
+            }
+        }
+
+        if (array_key_exists('SAMLRequest', $data) && array_key_exists('SAMLResponse', $data)) {
+                throw new Exception('Both SAMLRequest and SAMLResponse provided.');
+        }
+
+        $data['SignedQuery'] = $sigQuery . $relayState . $sigAlg;
+
+        return $data;
+    }
 }