LSauthMethod::CAS: fix support of phpCAS >= 1.6.0 and patched Debian Buster 1.3.6-1+deb10u1 version

src/includes/class/class.LSauthMethod_CAS.php

@@ -41,13 +41,29 @@ class LSauthMethod_CAS extends LSauthMethod {
         phpCAS::setDebug(PHP_CAS_DEBUG_FILE);
       }
       self :: log_debug('LSauthMethod_CAS : initialise phpCAS :: client with CAS server URL https://'.LSAUTH_CAS_SERVER_HOSTNAME.':'.LSAUTH_CAS_SERVER_PORT.(defined('LSAUTH_CAS_SERVER_URI')?LSAUTH_CAS_SERVER_URI: ''));
-      phpCAS::client (
+
+
+      $phpcas_client_init_args = array(
         constant(LSAUTH_CAS_VERSION),
         LSAUTH_CAS_SERVER_HOSTNAME,
         LSAUTH_CAS_SERVER_PORT,
         (defined('LSAUTH_CAS_SERVER_URI')?LSAUTH_CAS_SERVER_URI: ''),
-        false
       );
+      // Determine phpCAS version to correctly handle the $service_base_url parameter added in 1.6.0.
+      // Note: this parameter is also required for Debian Buster 1.3.6-1+deb10u1 package, because
+      // to fix CVE-2022-39369, this version was patched and this parameter have been added. Check
+      // if CAS_Client::getServiceBaseUrl() exists to detect this case.
+      if (
+        intval(str_replace('.', '000', phpCAS::getVersion()).'000') >= 100060000000
+        || method_exists('CAS_Client', 'getServiceBaseUrl')
+      )
+        $phpcas_client_init_args[] = LSurl :: get_public_absolute_url('/');
+
+      // Parameter $changeSessionID or $start_session: always need to be false
+      $phpcas_client_init_args[] = false;
+
+      // Call phpCAS::client() to initialize phpCAS client
+      call_user_func_array(array('phpCAS', 'client'), $phpcas_client_init_args);
 
       // Configure CAS server SSL validation
       $cas_server_ssl_validation_configured = false;