Security fix diffs for 2.x

Scott Cantor cantor.2 at
Fri Nov 6 22:13:06 UTC 2009

The diffs related to the security fix for v2.3 of the SP are spread across
these changes.

The function implementing the fix was placed into xmltooling in this diff
(resulting in the soname bump to 1.3):

The fix was then applied to form generation logic in opensaml in this diff:

The soname bump to opensaml did not occur because of the fix, but because of
unrelated changes (getting rid of all those inlined functions) and because
the xmltooling soname was bumped anyway.

The SP diffs include the following:

The fix itself:

Akin to the 1.3 diffs, a pair of changes are also needed to ensure the SP
doesn't generate any redirects that the fix would reject:

I believe that's everything.

Returning to the question that was raised about altering the backport, the
most likely approach would be to inline the changes to xmltooling in place
of all the calls to reuse that change in opensaml and the SP, with the
opensaml version probably being altered to avoid the dependency on SP

It should be possible to avoid duplicating the code everywhere by
implementing the logic in static/globals that aren't exported but would be
declared by the internal.h header that's shared across all of the source
files in each project.

-- Scott

More information about the Pkg-shibboleth-devel mailing list