From 2631ae77840b15a8e7191ae66a1fb8e4eba9216b Mon Sep 17 00:00:00 2001
From: Tim van Dijen
Date: Tue, 9 Apr 2024 00:27:36 +0200
Subject: [PATCH] Harden email-address class against multiple mailto-uri's (seen in the wild in eduGAIN)
---
 src/SAML2/XML/md/EmailAddress.php | 2 +-
 tests/SAML2/XML/md/EmailAddressTest.php | 17 +++++++++++++++--
 2 files changed, 16 insertions(+), 3 deletions(-)
diff --git a/src/SAML2/XML/md/EmailAddress.php b/src/SAML2/XML/md/EmailAddress.php
index dca06b7fd..f5373954c 100644
--- a/src/SAML2/XML/md/EmailAddress.php
+++ b/src/SAML2/XML/md/EmailAddress.php
@@ -56,7 +56,7 @@ protected function validateContent(string $content): void
 */
 protected function sanitizeContent(string $content): string
 {
- return trim(preg_replace('/^mailto:/i', '', $content));
+ return trim(preg_replace('/^(mailto:)+/i', '', $content));
 }
 
 
diff --git a/tests/SAML2/XML/md/EmailAddressTest.php b/tests/SAML2/XML/md/EmailAddressTest.php
index 206c00e13..638eb35c5 100644
--- a/tests/SAML2/XML/md/EmailAddressTest.php
+++ b/tests/SAML2/XML/md/EmailAddressTest.php
@@ -54,11 +54,11 @@ public static function setUpBeforeClass(): void
 */
 public function testMarshalling(): void
 {
- $name = new EmailAddress('john.doe@example.org');
+ $email = new EmailAddress('john.doe@example.org');
 $this->assertEquals(
 self::$xmlRepresentation->saveXML(self::$xmlRepresentation->documentElement),
- strval($name),
+ strval($email),
 );
 }
 
 
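Review bot: The changed line in sanitizeContent() still applies trim() after the prefix strip, so a value with leading whitespace (`' mailto:john.doe@example.org'`) defeats the `^` anchor and keeps its prefix, and the new `(mailto:)+` only collapses repeats that are contiguous, not `mailto: mailto:`. Both gaps close with one line, `return trim(preg_replace('/^\s*(mailto:\s*)+/i', '', $content));`, where the inner `\s*` is only appropriate if whitespace-separated repeats are meant to be tolerated rather than rejected. preg_replace() returns null on a PCRE error and trim() then raises a TypeError under strict_types, so `?? $content` or an explicit null check on the result is worth considering. validateContent(), named in the hunk header, lies outside the hunk, so whether the sanitised value is validated again afterwards cannot be seen here.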
@@ -89,4 +89,17 @@ public function testUnmarshallingWithInvalidEmail(): void
 
 EmailAddress::fromXML($document->documentElement);
 }
+
+
+ /**
+ * Test that creating an EmailAddress from XML succeeds when multiple mailto: prefixes are in place.
+ */
+ public function testUnmarshallingWithMultipleMailtoUri(): void
+ {
+ $document = clone self::$xmlRepresentation;
+ $document->documentElement->textContent = 'mailto:mailto:mailto:john.doe@example.org';
+
+ $email = EmailAddress::fromXML($document->documentElement);
+ $this->assertEquals('mailto:john.doe@example.org', $email->getContent());
+ }
 }
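Review bot: The new test pins a single shape of the malformed input, three contiguous lowercase prefixes, while the sanitizer's `/i` flag and the trim() around it are left unexercised; a `#[DataProvider]` yielding the same expected value for a few inputs would make the hardening cheap to extend, e.g. `yield 'mixed case' => ['MAILTO:Mailto:john.doe@example.org'];`. The expected value keeps one `mailto:` prefix, which suggests getContent() re-prefixes the sanitised content; that is not visible in this hunk, so a sentence in the docblock saying why one prefix survives would stop a reader from taking it for a sanitizer bug. For a plain string result `assertSame` is the stricter assertion than `assertEquals`.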