Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
11 changes: 9 additions & 2 deletions .github/workflows/wp-plugin-ci-full.yml
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,9 @@ on:
# Allow manually triggering the workflow.
workflow_dispatch:

permissions:
contents: read

jobs:
phpcs:
name: Full code check
Expand All @@ -13,7 +16,9 @@ jobs:

steps:
- name: Checkout repository
uses: actions/checkout@v4
uses: actions/checkout@v6
with:
persist-credentials: false

- name: Set up PHP
uses: shivammathur/setup-php@v2
Expand All @@ -30,7 +35,9 @@ jobs:
vendor/bin/phpcs -q -n --report=checkstyle $GITHUB_WORKSPACE | cs2pr

- name: Install latest version of dist-archive-command
run: wp package install wp-cli/dist-archive-command:v3.1.0
run: |
unset GITHUB_TOKEN
wp package install wp-cli/dist-archive-command:v3.1.0

- name: Build plugin
run: |
Expand Down
6 changes: 5 additions & 1 deletion .github/workflows/wp-plugin-ci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,9 @@ on:
# Allow manually triggering the workflow.
workflow_dispatch:

permissions:
contents: read

jobs:
phpcs:
name: PHP CodeSniffer
Expand All @@ -13,10 +16,11 @@ jobs:

steps:
- name: Checkout repository
uses: actions/checkout@v4
uses: actions/checkout@v6
with:
# Fetch all history so we can diff.
fetch-depth: 0
persist-credentials: false

- name: Set up PHP
uses: shivammathur/setup-php@v2
Expand Down
11 changes: 10 additions & 1 deletion options-admin.php
Original file line number Diff line number Diff line change
Expand Up @@ -131,6 +131,10 @@ function shibboleth_options_general() {
update_site_option( 'shibboleth_disable_local_auth', ! empty( $_POST['disable_local_auth'] ) );
}

if ( 'http' === shibboleth_getoption( 'shibboleth_attribute_access_method' ) && empty( shibboleth_getoption( 'shibboleth_spoof_key' ) ) ) {
add_settings_error( 'shibboleth', 'missing-spoof-key', __( 'Spoof Key is required when using the HTTP Headers attribute access method.', 'shibboleth' ), 'error' );
}

shibboleth_options_updated();
}

Expand Down Expand Up @@ -214,7 +218,7 @@ function shibboleth_options_general() {
'By default, attributes passed from your Shibboleth Service Provider will be accessed using standard environment variables.
For most users, leaving these defaults is perfectly fine. If you are running a special server configuration that results in environment variables
being sent with the prefix <code>REDIRECT_</code>, you should select the "Redirected Environment Variables" option. If you are running
your Shibboleth Service Provider on a reverse proxy, you should select the "HTTP Headers" option and, if at all possible, add a spoofkey below.
your Shibboleth Service Provider on a reverse proxy, you should select the "HTTP Headers" option and configure a spoof key below.
If you are running Shibboleth with a custom prefix, you should select the "Custom Prefix" option and complete the "Custom Attribute Access Prefix" field that appears below.',
'shibboleth'
)
Expand Down Expand Up @@ -243,6 +247,11 @@ function shibboleth_options_general() {
<tr id="spoofkey_row" <?php echo ( 'http' === $attribute_access ? '' : 'style="display:none;"' ); ?>>
<th scope="row"><label for="spoofkey"><?php esc_html_e( 'Spoof Key', 'shibboleth' ); ?></label></th>
<td>
<?php if ( 'http' === $attribute_access && empty( $spoofkey ) ) { ?>
<div class="notice notice-warning">
<p><?php esc_html_e( 'Spoof Key is required when using HTTP Headers. Authentication will fail until one is configured.', 'shibboleth' ); ?></p>
</div>
<?php } ?>
<input type="text" id="spoofkey" name="spoofkey" value="<?php echo esc_attr( $spoofkey ); ?>" size="50" <?php defined( 'SHIBBOLETH_SPOOF_KEY' ) && disabled( $spoofkey, SHIBBOLETH_SPOOF_KEY ); ?> /><br />
<p>
<?php
Expand Down
2 changes: 1 addition & 1 deletion phpcs.xml
Original file line number Diff line number Diff line change
Expand Up @@ -11,7 +11,7 @@
<arg name="parallel" value="20"/>

<!-- Check for PHP and WordPress cross-version compatibility. -->
<config name="minimum_supported_wp_version" value="4.0" />
<config name="minimum_supported_wp_version" value="4.3" />
<config name="testVersion" value="5.6-"/>
<rule ref="PHPCompatibilityWP"/>

Expand Down
14 changes: 11 additions & 3 deletions readme.txt
Original file line number Diff line number Diff line change
@@ -1,10 +1,10 @@
=== Shibboleth ===
Contributors: michaelryanmcneill, willnorris, mitchoyoshitaka, jrchamp, dericcrago, bshelton229, Alhrath, dandalpiaz, masteradhoc, junaidkbr
Tags: shibboleth, authentication, login, saml
Requires at least: 4.0
Tested up to: 6.9
Requires at least: 4.3
Tested up to: 7.0
Requires PHP: 5.6
Stable tag: 2.5.3
Stable tag: 2.5.4
License: Apache-2.0

Allows WordPress to externalize user authentication and account creation to a Shibboleth Service Provider.
Expand Down Expand Up @@ -179,6 +179,9 @@ Yes, the plugin allows for all settings to be controlled via constants in `wp-co
3. Assign users into WordPress roles based on arbitrary data provided by Shibboleth

== Upgrade Notice ==
= 2.5.4 =
This update increases the minimum WordPress version to 4.3. The plugin will fail to activate if you are running below the minimum version.

= 2.3 =
This update increases the minimum PHP version to 5.6 and the minimum WordPress version to 4.0. The plugin will fail to activate if you are running below those minimum versions.

Expand All @@ -195,6 +198,11 @@ Accessing Shibboleth attributes has changed. Typically, no additional configurat
Accessing Shibboleth attributes has changed. Typically, no additional configuration is necessary. Check the changelog if you have specialized server configurations, such as a Shibboleth Service Provider on a reverse proxy or a server configuration that prefixes environment variables with REDIRECT_.

== Changelog ==
= version 2.5.4 (2026-06-22) =
- Security: Always require Spoof Key for HTTP auth [#117](https://github.com/michaelryanmcneill/shibboleth/pull/117) (thanks @Nxploited)
- Documentation: Document the _no_account default role option [#116](https://github.com/michaelryanmcneill/shibboleth/pull/116) (thanks @beanscg, @dmrzzz)
- Bumped minimum WordPress version to 4.3 (mostly to appease plugin-check-action, but it does allow cleanup).

= version 2.5.3 (2026-02-23) =
- Security: Limit redirects to approved hosts [#112](https://github.com/michaelryanmcneill/shibboleth/issues/112) (thanks @Belippo, @Jefhumbe)

Expand Down
48 changes: 17 additions & 31 deletions shibboleth.php
Original file line number Diff line number Diff line change
Expand Up @@ -9,18 +9,18 @@
* Plugin URI: https://wordpress.org/plugins/shibboleth/
* Description: Easily externalize user authentication to a <a href="https://www.incommon.org/software/shibboleth/">Shibboleth</a> Service Provider
* Author: Michael McNeill, Jonathan Champ, Michael Erlewine, Will Norris
* Version: 2.5.3
* Version: 2.5.4
* Requires PHP: 5.6
* Requires at least: 4.0
* Requires at least: 4.3
* License: Apache-2.0
* Text Domain: shibboleth
*/

defined( 'ABSPATH' ) || exit;

define( 'SHIBBOLETH_MINIMUM_WP_VERSION', '4.0' );
define( 'SHIBBOLETH_MINIMUM_WP_VERSION', '4.3' );
define( 'SHIBBOLETH_MINIMUM_PHP_VERSION', '5.6' );
define( 'SHIBBOLETH_PLUGIN_VERSION', '2.5.3' );
define( 'SHIBBOLETH_PLUGIN_VERSION', '2.5.4' );

/**
* Determine if this is a new install or upgrade and, if so, run the
Expand Down Expand Up @@ -236,22 +236,16 @@ function shibboleth_activate_plugin() {
);
add_site_option( 'shibboleth_headers', $headers );

$roles = array(
'administrator' => array(
'header' => 'entitlement',
'value' => 'urn:mace:example.edu:entitlement:wordpress:admin',
),
'author' => array(
'header' => 'affiliation',
'value' => 'faculty',
),
);
add_site_option( 'shibboleth_roles', $roles );
add_site_option( 'shibboleth_roles', array() );

shibboleth_insert_htaccess();

shibboleth_migrate_old_data();

if ( empty( shibboleth_getoption( 'shibboleth_spoof_key' ) ) ) {
update_site_option( 'shibboleth_spoof_key', wp_generate_password( 64, true, true ) );
}

update_site_option( 'shibboleth_plugin_version', SHIBBOLETH_PLUGIN_VERSION );

if ( function_exists( 'restore_current_blog' ) ) {
Expand Down Expand Up @@ -447,9 +441,12 @@ function shibboleth_session_active( $auto_login = false ) {
}
}

// Deprecated: No spoofkey or spoofkey bypass is active. This is strongly discouraged!
$bypass = defined( 'SHIBBOLETH_BYPASS_SPOOF_CHECKING' ) && SHIBBOLETH_BYPASS_SPOOF_CHECKING;
if ( empty( $spoofkey ) || $bypass ) {
/**
* Deprecated: Spoof key bypass is active. This is strongly discouraged!
*
* @deprecated 2.5
*/
if ( defined( 'SHIBBOLETH_BYPASS_SPOOF_CHECKING' ) && SHIBBOLETH_BYPASS_SPOOF_CHECKING ) {
$active = true;
}

Expand Down Expand Up @@ -979,22 +976,11 @@ function shibboleth_create_new_user( $user_login, $user_email ) {
* @since 1.0
*/
function shibboleth_get_user_role() {
// wp_roles() requires WordPress version 4.3 or higher.
if ( function_exists( 'wp_roles' ) ) {
$roles = wp_roles();
} else {
global $wp_roles;

if ( isset( $wp_roles ) ) {
$roles = $wp_roles;
} else {
$roles = new WP_Roles();
}
}

$shib_roles = apply_filters( 'shibboleth_roles', shibboleth_getoption( 'shibboleth_roles', array() ) );
$user_role = shibboleth_getoption( 'shibboleth_default_role' );

$roles = wp_roles();

foreach ( $roles->role_names as $key => $name ) {
if ( empty( $shib_roles[ $key ]['header'] ) || empty( $shib_roles[ $key ]['value'] ) ) {
continue;
Expand Down
Loading