File fix-DSA-4872.patch of Package shibboleth-sp
diff --git a/configs/native.logger b/configs/native.logger
index 49a5d5ac..e9a43a57 100644
--- a/configs/native.logger
+++ b/configs/native.logger
@@ -8,23 +8,14 @@ log4j.category.XMLTooling.KeyInfoResolver=WARN
 log4j.category.Shibboleth.IPRange=WARN
 log4j.category.Shibboleth.PropertySet=WARN
-# raise for low-level tracing of SOAP client HTTP/SSL behavior
-log4j.category.XMLTooling.libcurl=WARN
-
 # useful categories to tune independently:
 #
-# tracing of SAML messages and security policies
-#log4j.category.OpenSAML.MessageDecoder=DEBUG
-#log4j.category.OpenSAML.MessageEncoder=DEBUG
-#log4j.category.OpenSAML.SecurityPolicyRule=DEBUG
 # interprocess message remoting
 #log4j.category.Shibboleth.Listener=DEBUG
 # mapping of requests to applicationId
 #log4j.category.Shibboleth.RequestMapper=DEBUG
 # high level session cache operations
 #log4j.category.Shibboleth.SessionCache=DEBUG
-# persistent storage and caching
-#log4j.category.XMLTooling.StorageService=DEBUG
 # define the appender
diff --git a/configs/win-native.logger b/configs/win-native.logger
index f60c6f0d..b95924b2 100644
--- a/configs/win-native.logger
+++ b/configs/win-native.logger
@@ -8,23 +8,14 @@ log4j.category.XMLTooling.KeyInfoResolver=WARN
 log4j.category.Shibboleth.IPRange=WARN
 log4j.category.Shibboleth.PropertySet=WARN
-# raise for low-level tracing of SOAP client HTTP/SSL behavior
-log4j.category.XMLTooling.libcurl=WARN
-
 # useful categories to tune independently:
 #
-# tracing of SAML messages and security policies
-#log4j.category.OpenSAML.MessageDecoder=DEBUG
-#log4j.category.OpenSAML.MessageEncoder=DEBUG
-#log4j.category.OpenSAML.SecurityPolicyRule=DEBUG
 # interprocess message remoting
 #log4j.category.Shibboleth.Listener=DEBUG
 # mapping of requests to applicationId
 #log4j.category.Shibboleth.RequestMapper=DEBUG
 # high level session cache operations
 #log4j.category.Shibboleth.SessionCache=DEBUG
-# persistent storage and caching
-#log4j.category.XMLTooling.StorageService=DEBUG
 # define the appender
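Review bot: Dropping `log4j.category.XMLTooling.libcurl=WARN` is the one live setting change in this hunk (everything else removed is a comment); once the explicit level is gone, the `XMLTooling.libcurl` category inherits from its parent, and if that parent or the root logger is set to INFO or DEBUG the low-level HTTP/SSL tracing the removed comment describes will start reaching the log. The root level is not visible in the patch, so whether effective verbosity actually changes cannot be confirmed here. If the category is being removed because it no longer exists in this build, a one-line comment saying so would keep a later reader from restoring it; the identical hunk in configs/win-native.logger has the same point.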
diff --git a/iis7_shib/IIS7Request.cpp b/iis7_shib/IIS7Request.cpp
index 658fb3d0..0f1cbd92 100644
--- a/iis7_shib/IIS7Request.cpp
+++ b/iis7_shib/IIS7Request.cpp
@@ -268,6 +268,15 @@ string IIS7Request::getRemoteAddr() const
 string IIS7Request::getSecureHeader(const char* name) const
 {
+ if (m_useVariables) {
+ PCSTR p;
+ DWORD len;
+ HRESULT hr = m_ctx->GetServerVariable(name, &p, &len);
+ if (SUCCEEDED(hr)) {
+ return (nullptr == p) ? "" : p;
+ }
+ return "";
+ }
 PCSTR p = m_request->GetHeader(g_bSafeHeaderNames ? makeSafeHeader(name).c_str() : name);
 return (nullptr == p) ? "" : p;
 }
diff --git a/shibsp/handler/impl/SAML2Logout.cpp b/shibsp/handler/impl/SAML2Logout.cpp
index f07eef17..f9d3abd3 100644
--- a/shibsp/handler/impl/SAML2Logout.cpp
+++ b/shibsp/handler/impl/SAML2Logout.cpp
@@ -646,8 +646,8 @@ pair<bool,long> SAML2Logout::sendResponse(
 }
 }
 if (!ep || !encoder) {
- auto_ptr_char id(dynamic_cast<EntityDescriptor*>(role->getParent())->getEntityID());
- m_log.error("unable to locate compatible SLO service for provider (%s)", id.get());
+ auto_ptr_char id(role ? dynamic_cast<EntityDescriptor*>(role->getParent())->getEntityID() : nullptr);
+ m_log.error("unable to locate compatible SLO service for provider (%s)", id.get() ? id.get() : "unknown");
 MetadataException ex("Unable to locate endpoint at IdP ($entityID) to send LogoutResponse.");
 annotateException(&ex, role); // throws it
 }
@@ -667,7 +667,8 @@ pair<bool,long> SAML2Logout::sendResponse(
 }
 Issuer* issuer = IssuerBuilder::buildIssuer();
 logout->setIssuer(issuer);
- issuer->setName(application.getRelyingParty(dynamic_cast<EntityDescriptor*>(role->getParent()))->getXMLString("entityID").second);
+ issuer->setName(application.getRelyingParty(role ? dynamic_cast<EntityDescriptor*>(role->getParent()) :
+ nullptr)->getXMLString("entityID").second);
 fillStatus(*logout, code, subcode, msg);
 XMLCh* msgid = SAMLConfig::getConfig().generateIdentifier();
 logout->setID(msgid);
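Review bot: In the new `m_useVariables` branch of `IIS7Request::getSecureHeader`, `len` is filled by `GetServerVariable` but never read, so the value is consumed as a NUL-terminated string and anything after an embedded NUL is silently dropped; if the API's length excludes the terminator, `return p ? string(p, len) : "";` would preserve the full value, and if truncation is acceptable a short comment should say so. The branch also skips the `g_bSafeHeaderNames`/`makeSafeHeader` mapping that the header path applies; that looks deliberate, but since this function is where the module decides which values it trusts, a comment such as `// server variables are read directly; the safe-name mapping only applies to request headers` would record the reasoning for the next reader. A failed `hr` is folded into the same `""` result as a missing header, which matches the existing path but loses the error code; whether that matters to callers is not visible here.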
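Review bot: The new `role ? ... : nullptr` guard in the `!ep || !encoder` branch of `SAML2Logout::sendResponse` still dereferences the result of `dynamic_cast<EntityDescriptor*>(role->getParent())` without checking it, so a non-null `role` whose parent is not an `EntityDescriptor` reaches `->getEntityID()` through a null pointer; the same pattern appears in the second SAML2Logout hunk (`issuer->setName(...)`) and in both `SAML2NameIDMgmt::sendResponse` hunks. Doing the cast once, `EntityDescriptor* entity = role ? dynamic_cast<EntityDescriptor*>(role->getParent()) : nullptr;` followed by `auto_ptr_char id(entity ? entity->getEntityID() : nullptr);`, covers both null cases and reads more easily than the inline ternaries. Whether `getRelyingParty` accepts a null argument is not visible in this hunk, so the `setName` lines would need the same guard if it does not. `sendResponse` starts and ends outside the hunk.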
@@ -675,7 +676,7 @@ pair<bool,long> SAML2Logout::sendResponse(
 logout->setIssueInstant(time(nullptr));
 if (logoutEvent) {
- logoutEvent->m_peer = dynamic_cast<EntityDescriptor*>(role->getParent());
+ logoutEvent->m_peer = role ? dynamic_cast<EntityDescriptor*>(role->getParent()) : nullptr;
 logoutEvent->m_saml2Response = logout.get();
 application.getServiceProvider().getTransactionLog()->write(*logoutEvent);
 }
diff --git a/shibsp/handler/impl/SAML2NameIDMgmt.cpp b/shibsp/handler/impl/SAML2NameIDMgmt.cpp
index ae93adf9..2301debe 100644
--- a/shibsp/handler/impl/SAML2NameIDMgmt.cpp
+++ b/shibsp/handler/impl/SAML2NameIDMgmt.cpp
@@ -286,7 +286,8 @@ pair<bool,long> SAML2NameIDMgmt::doRequest(const Application& application, HTTPR
 );
 }
- EntityDescriptor* entity = policy->getIssuerMetadata() ? dynamic_cast<EntityDescriptor*>(policy->getIssuerMetadata()->getParent()) : nullptr;
+ EntityDescriptor* entity = policy->getIssuerMetadata() ?
+ dynamic_cast<EntityDescriptor*>(policy->getIssuerMetadata()->getParent()) : nullptr;
 scoped_ptr<XMLObject> decryptedID;
 NameID* nameid = mgmtRequest->getNameID();
@@ -485,8 +486,8 @@ pair<bool,long> SAML2NameIDMgmt::sendResponse(
 }
 }
 if (!ep || !encoder) {
- auto_ptr_char id(dynamic_cast<EntityDescriptor*>(role->getParent())->getEntityID());
- m_log.error("unable to locate compatible NIM service for provider (%s)", id.get());
+ auto_ptr_char id(role ? dynamic_cast<EntityDescriptor*>(role->getParent())->getEntityID() : nullptr);
+ m_log.error("unable to locate compatible NIM service for provider (%s)", id.get() ? id.get() : "unknown");
 MetadataException ex("Unable to locate endpoint at IdP ($entityID) to send ManageNameIDResponse.");
 annotateException(&ex, role); // throws it
 }
@@ -506,7 +507,8 @@ pair<bool,long> SAML2NameIDMgmt::sendResponse(
 }
 Issuer* issuer = IssuerBuilder::buildIssuer();
 nim->setIssuer(issuer);
- issuer->setName(application.getRelyingParty(dynamic_cast<EntityDescriptor*>(role->getParent()))->getXMLString("entityID").second);
+ issuer->setName(application.getRelyingParty(role ? dynamic_cast<EntityDescriptor*>(role->getParent()) :
+ nullptr)->getXMLString("entityID").second);
 fillStatus(*nim, code, subcode, msg);
 auto_ptr_char dest(nim->getDestination());
diff --git a/shibsp/impl/StorageServiceSessionCache.cpp b/shibsp/impl/StorageServiceSessionCache.cpp
index 2bc74108..a8d5c64b 100644
--- a/shibsp/impl/StorageServiceSessionCache.cpp
+++ b/shibsp/impl/StorageServiceSessionCache.cpp
@@ -1148,6 +1148,12 @@ bool SSCache::recover(const Application& app, const char* key, const char* data)
 else {
 // We're out of process, so we can recover the session.
 #ifndef SHIBSP_LITE
+ const DataSealer* sealer = XMLToolingConfig::getConfig().getDataSealer();
+ if (!sealer) {
+ m_log.warn("can't attempt recovery of session (%s), no DataSealer configured", key);
+ return false;
+ }
+
 m_log.debug("checking for revocation of session (%s)", key);
 try {
 if (m_storage_lite->readString("Revoked", key) > 0) {
@@ -1174,7 +1180,7 @@ bool SSCache::recover(const Application& app, const char* key, const char* data)
 try {
 dup = strdup(data);
 XMLToolingConfig::getConfig().getURLEncoder()->decode(dup);
- unwrapped = XMLToolingConfig::getConfig().getDataSealer()->unwrap(dup);
+ unwrapped = sealer->unwrap(dup);
 free(dup);
 stringstream str(unwrapped);
diff --git a/shibsp/impl/XMLServiceProvider.cpp b/shibsp/impl/XMLServiceProvider.cpp
index c20492b4..9b58543c 100644
--- a/shibsp/impl/XMLServiceProvider.cpp
+++ b/shibsp/impl/XMLServiceProvider.cpp
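Review bot: The new `sealer` null check in `SSCache::recover` returns `false` without saying why recovery must be refused rather than attempted; a comment above it such as `// the recovery data is only trustworthy if the configured DataSealer can unwrap (authenticate) it; with no sealer there is nothing to verify against` would record the reasoning that makes the early return the safe choice. In the second hunk `sealer->unwrap(dup)` sits between `dup = strdup(data)` and `free(dup)`, so an exception from `unwrap` skips the `free`; the enclosing `try` and its catch lie outside the hunk, and if the catch does not release `dup` a `std::unique_ptr<char, decltype(&free)>` would make the cleanup unconditional. `recover` starts and ends outside both hunks.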
@@ -883,15 +883,31 @@ Remoted* XMLConfig::lookupListener(const char* address) const
 if (i != m_listenerMap.end())
 return i->second.first ? i->second.first : i->second.second;
+ locker.release()->unlock(); // free up the listener map
+
+ // Start iterating at slash boundaries.
+ const char* slash = strstr(address, "/");
+ while (slash) {
+ string appId(address, slash - address);
+ if (getApplication(appId.c_str())) {
+ SharedLock sublocker(m_listenerLock, true); // relock and check again
+ i = m_listenerMap.find(address);
+ if (i != m_listenerMap.end())
+ return i->second.first ? i->second.first : i->second.second;
+ }
+ slash = strstr(slash + 1, "/");
+ }
+
+ // Try a search based on the colons, which handles no embedded slashes in the address.
 const char* colons = strstr(address, "::");
 if (colons) {
 string appId(address, colons - address);
- locker.release()->unlock(); // free up the listener map
- getApplication(appId.c_str());
- SharedLock sublocker(m_listenerLock, true); // relock and check again
- i = m_listenerMap.find(address);
- if (i != m_listenerMap.end())
- return i->second.first ? i->second.first : i->second.second;
+ if (getApplication(appId.c_str())) {
+ SharedLock sublocker(m_listenerLock, true); // relock and check again
+ i = m_listenerMap.find(address);
+ if (i != m_listenerMap.end())
+ return i->second.first ? i->second.first : i->second.second;
+ }
 }
 return nullptr;
 }
--- shibboleth-sp-3.1.0.orig/shibsp/impl/XMLRequestMapper.cpp
+++ shibboleth-sp-3.1.0/shibsp/impl/XMLRequestMapper.cpp
@@ -371,7 +371,7 @@ const Override* Override::locate(const H
 // path parameter starts with the entire request path and
 // we can skip the leading slash as irrelevant.
 const char* path = request.getRequestURI();
- if (*path == '/')
+ if (path && *path == '/')
 path++;
 // Now we copy the path, chop the query string, and possibly lower case it.
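Review bot: The relock-and-recheck sequence (`SharedLock sublocker(m_listenerLock, true)`, `i = m_listenerMap.find(address)`, return on a hit) is now written out twice in `XMLConfig::lookupListener`, once inside the slash loop and once in the colon branch; keeping it in one local lambda means the locking discipline only has to be right in one place. The slash loop also calls `getApplication()` once for every `/` in `address` before the colon fallback is tried, so an address with many slashes costs that many application lookups; if `getApplication` performs the lazy load that the "relock and check again" comment implies, a comment on that cost would help whoever tunes this later. `lookupListener` starts before this hunk, where `i` and `locker` are declared, so the lambda below captures them by reference.
```cpp
    // Re-acquire the shared lock and retry the exact-address lookup.
    auto recheck = [&]() -> Remoted* {
        SharedLock sublocker(m_listenerLock, true); // relock and check again
        i = m_listenerMap.find(address);
        if (i != m_listenerMap.end())
            return i->second.first ? i->second.first : i->second.second;
        return nullptr;
    };
    // … unchanged: slash loop, replacing its inline relock block with `if (Remoted* r = recheck()) return r;` …
    if (colons) {
        string appId(address, colons - address);
        if (getApplication(appId.c_str())) {
            if (Remoted* r = recheck())
                return r;
        }
    }
```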
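Review bot: The added `path &&` guard in `Override::locate` protects only the `path++` increment; the comment on the following line says the code goes on to copy `path`, and that copy (outside the hunk) will still receive a null pointer unless it checks as well. If `getRequestURI()` can return null here, normalising once is simpler than guarding each use: `const char* path = request.getRequestURI(); if (!path) path = "";`, after which the original `if (*path == '/')` test is sufficient. Whether a null return is actually possible cannot be confirmed from the patch. `locate` starts and ends outside the hunk.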