Bugfix: enable strict mode for base64_decode

Author: tvdijen

src/SAML2/HTTPArtifact.php

@@ -124,7 +124,9 @@ public function receive(ServerRequestInterface $request): AbstractMessage
     {
         $query = $request->getQueryParams();
         if (array_key_exists('SAMLart', $query)) {
-            $artifact = base64_decode($query['SAMLart']);
+            Assert::stringPlausibleBase64($query['SAMLart'], 'Error while base64 decoding SAML message.', Exception::class);
+            $artifact = base64_decode($query['SAMLart'], true); // Error handling already dealt with by assertion
+
             $endpointIndex = bin2hex(substr($artifact, 2, 2));
             $sourceId = bin2hex(substr($artifact, 4, 20));
         } else {

src/SAML2/HTTPPost.php

@@ -90,7 +90,8 @@ public function receive(ServerRequestInterface $request): AbstractMessage
             throw new Exception('Missing SAMLRequest or SAMLResponse parameter.');
         }
 
-        $msgStr = base64_decode($msgStr);
+        Assert::stringPlausibleBase64($msgStr, 'Error while base64 decoding SAML message.', Exception::class);
+        $msgStr = base64_decode($msgStr, true); // Error handling already dealt with by assertion
         $msgStr = DOMDocumentFactory::fromString($msgStr)->saveXML();
 
         $document = DOMDocumentFactory::fromString($msgStr);

src/SAML2/HTTPRedirect.php

@@ -139,10 +139,8 @@ public function receive(ServerRequestInterface $request): AbstractMessage
             throw new Exception(sprintf('Unknown SAMLEncoding: %s', $query['SAMLEncoding']));
         }
 
-        $message = base64_decode($message);
-        if ($message === false) {
-            throw new Exception('Error while base64 decoding SAML message.');
-        }
+        Assert::stringPlausibleBase64($message, 'Error while base64 decoding SAML message.', Exception::class);
+        $message = base64_decode($message, true); // Error handling already dealt with by assertion
 
         $message = gzinflate($message);
         if ($message === false) {

tests/SAML2/HTTPRedirectTest.php

@@ -174,7 +174,7 @@ public function testSignedRequestValidation(): void
         $signedQuery = 'SAMLRequest=' . urlencode($q['SAMLRequest']);
         $signedQuery .= '&RelayState=' . urlencode($q['RelayState']);
         $signedQuery .= '&SigAlg=' . urlencode($q['SigAlg']);
-        $this->assertTrue($verifier->verify($signedQuery, base64_decode($q['Signature'])));
+        $this->assertTrue($verifier->verify($signedQuery, base64_decode($q['Signature'], true)));
 
         // validate with another cert, should fail
         $verifier = (new SignatureAlgorithmFactory())->getAlgorithm(
@@ -185,7 +185,7 @@ public function testSignedRequestValidation(): void
         $signedQuery = 'SAMLRequest=' . urlencode($q['SAMLRequest']);
         $signedQuery .= '&RelayState=' . urlencode($q['RelayState']);
         $signedQuery .= '&SigAlg=' . urlencode($q['SigAlg']);
-        $this->assertFalse($verifier->verify($signedQuery, base64_decode($q['Signature'])));
+        $this->assertFalse($verifier->verify($signedQuery, base64_decode($q['Signature'], true)));
     }
 
 
@@ -263,7 +263,7 @@ public function testInvalidRequestData(): void
         $request = $request->withQueryParams($q);
 
         $this->expectException(Exception::class);
-        $this->expectExceptionMessage('Error while inflating');
+        $this->expectExceptionMessage('Error while base64 decoding SAML message.');
         $hr = new HTTPRedirect();
         @$hr->receive($request);
     }