Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions inc/sso/class-sso.php
Original file line number Diff line number Diff line change
Expand Up @@ -648,7 +648,7 @@ private function get_sso_return_url(string $fallback = ''): string {
parse_str($parsed, $query_params);

if ( ! empty($query_params['return_url']) ) {
$return_url = $query_params['return_url'];
$return_url = esc_url_raw($query_params['return_url']);
}
}
}
Expand Down Expand Up @@ -807,7 +807,7 @@ public function handle_already_logged_in_on_login_page(): void {
}

// Check if this is an SSO flow (sso param or return_url param present)
$sso_action = $this->input('sso', '');
$sso_action = $this->input($this->get_url_path(), '');
$return_url = $this->get_sso_return_url();

// Check for SSO flow - either sso param or return_url pointing to different domain
Expand Down
39 changes: 39 additions & 0 deletions tests/WP_Ultimo/SSO/SSO_Test.php
Original file line number Diff line number Diff line change
Expand Up @@ -44,6 +44,8 @@ protected function tearDown(): void {
unset($_REQUEST['return_type']);
unset($_REQUEST['broker']);
unset($_REQUEST['sso_verify']);
unset($_REQUEST['return_url']);
unset($_REQUEST['redirect_to']);
unset($_COOKIE['wu_sso_denied']);

parent::tearDown();
Expand Down Expand Up @@ -128,6 +130,43 @@ function () {
$this->assertSame('mysso-grant', $sso->get_url_path('grant'));
}

/**
* Test nested return_url values are extracted from redirect_to.
*/
public function test_get_sso_return_url_extracts_nested_return_url_from_redirect_to(): void {
$sso = SSO::get_instance();
$return_url = 'https://customer.example.com/wp/wp-admin/';

$_REQUEST['redirect_to'] = add_query_arg(
'return_url',
$return_url,
home_url('/wp-login.php')
);

$method = new \ReflectionMethod($sso, 'get_sso_return_url');
$method->setAccessible(true);

$this->assertSame($return_url, $method->invoke($sso));
}

/**
* Test nested return_url values are sanitized when extracted from redirect_to.
*/
public function test_get_sso_return_url_sanitizes_nested_return_url_from_redirect_to(): void {
$sso = SSO::get_instance();

$_REQUEST['redirect_to'] = add_query_arg(
'return_url',
'javascript:alert(1)',
home_url('/wp-login.php')
);

$method = new \ReflectionMethod($sso, 'get_sso_return_url');
$method->setAccessible(true);

$this->assertSame('', $method->invoke($sso));
}

// ------------------------------------------------------------------
// encode / decode
// ------------------------------------------------------------------
Expand Down
Loading