[SCM] Debian packaging for the Shibboleth Apache SP branch, lenny, updated. debian/1.3.1.dfsg1-3+lenny1-2-g7606805

Russ Allbery rra at debian.org
Thu Nov 12 16:59:23 UTC 2009


The following commit has been merged in the lenny branch:
commit 7606805c0cf5ec8fe04db2638ce43916a96e9520
Author: Russ Allbery <rra at debian.org>
Date:   Thu Nov 12 08:58:42 2009 -0800

    Update security patch
    
    The fastcgi updates were missed in the previous version of the patch.
    Also revert all the targetconfig schema changes other than the minimum
    required for the patch to work; the rest was cleanup.

diff --git a/fastcgi/shibauthorizer.cpp b/fastcgi/shibauthorizer.cpp
index db811b4..745855d 100644
--- a/fastcgi/shibauthorizer.cpp
+++ b/fastcgi/shibauthorizer.cpp
@@ -1,5 +1,5 @@
 /*
- *  Copyright 2001-2007 Internet2
+ *  Copyright 2001-2009 Internet2
  * 
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -32,6 +32,7 @@
 #include <fcgio.h>
 
 using namespace shibtarget;
+using namespace saml;
 using namespace std;
 
 typedef enum {
@@ -40,10 +41,21 @@ typedef enum {
     SHIB_RETURN_DONE
 } shib_return_t;
 
+set<string> g_allowedSchemes;
+
 class ShibTargetFCGIAuth : public ShibTarget
 {
     FCGX_Request* m_req;
     string m_cookie;
+
+    void checkString(const string& s, const char* msg) {
+        string::const_iterator e = s.end();
+        for (string::const_iterator i=s.begin(); i!=e; ++i) {
+            if (iscntrl(*i))
+                throw runtime_error(msg);
+        }
+    }
+
 public:
     map<string,string> m_headers;
 
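Review bot: `if (iscntrl(*i))` in the new checkString helper passes a plain `char`; where `char` is signed, any byte ≥ 0x80 (UTF-8 in a header value or redirect URL) becomes a negative int, which is undefined behaviour for the `<cctype>` classification functions and can misreport a control character. Cast first: `if (iscntrl(static_cast<unsigned char>(*i)))`. The helper touches no member state, so it could also be declared `static`. The identical helper is added to ShibTargetFCGI in fastcgi/shibresponder.cpp (hunk `@@ -47,6 +50,14 @@`) and needs the same cast. The class body continues outside the hunk.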
@@ -143,9 +155,12 @@ public:
         const string& content_type="text/html",
         const saml::Iterator<header_t>& headers=EMPTY(header_t)) {
 
+        checkString(content_type, "Detected control character in a response header.");
         string hdr = m_cookie + "Connection: close\r\nContent-type: " + content_type + "\r\n";
         while (headers.hasNext()) {
             const header_t& h=headers.next();
+            checkString(h.first, "Detected control character in a response header.");
+            checkString(h.second, "Detected control character in a response header.");
             hdr += h.first + ": " + h.second + "\r\n";
         }
 
@@ -162,6 +177,9 @@ public:
     }
 
     virtual void* sendRedirect(const string& url) {
+        checkString(url, "Detected control character in an attempted redirect.");
+        if (g_allowedSchemes.find(url.substr(0, url.find(':'))) == g_allowedSchemes.end())
+            throw runtime_error("Invalid scheme in attempted redirect.");
         cout << "Status: 302 Please Wait" << "\r\n"
              << "Location: " << url << "\r\n"
              <<  m_cookie << "\r\n"
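Review bot: The scheme check added to sendRedirect is case-sensitive and keys off `url.find(':')`, so `HTTPS://host/...` is rejected although URI schemes are case-insensitive (RFC 3986 §3.1), and a URL containing no colon is compared in full against the scheme set and is therefore rejected as well. Both outcomes fail closed, so this is a robustness rather than a safety issue, but the behaviour should be stated at the check, e.g. `// Only absolute URLs whose (case-sensitive) scheme is listed in allowedSchemes are redirected to; relative URLs are refused.`, or the extracted scheme lower-cased before the lookup if callers may legitimately supply mixed-case schemes. The same lines are added to ShibTargetFCGI::sendRedirect in fastcgi/shibresponder.cpp (hunk `@@ -164,6 +178,9 @@`). sendRedirect's body continues outside the hunk.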
@@ -227,12 +245,36 @@ int main(void)
             cerr << "failed to load Shibboleth configuration" << endl;
             exit(1);
         }
+
+        IConfig* conf=g_Config->getINI();
+        Locker locker(conf);
+        const IPropertySet* props=conf->getPropertySet("Local");
+        if (props) {
+            pair<bool,const char*> str=props->getString("allowedSchemes");
+            if (str.first) {
+                string schemes=str.second;
+                unsigned int j=0;
+                for (unsigned int i=0;  i < schemes.length();  i++) {
+                    if (schemes.at(i)==' ') {
+                        g_allowedSchemes.insert(schemes.substr(j, i-j));
+                        j = i+1;
+                    }
+                }
+                g_allowedSchemes.insert(schemes.substr(j, schemes.length()-j));
+            }
+        }
+        if (g_allowedSchemes.empty()) {
+            g_allowedSchemes.insert("https");
+            g_allowedSchemes.insert("http");
+        }
     }
     catch (exception& e) {
         cerr << "exception while initializing Shibboleth configuration: " << e.what() << endl;
         exit(1);
     }
 
+
+
     // Load "authoritative" URL fields.
     char* var = getenv("SHIBSP_SERVER_NAME");
     if (var)
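Review bot: The allowedSchemes tokenizer added to main() inserts empty strings into g_allowedSchemes whenever the value has leading, trailing or doubled spaces, and if getString reports an empty value as present it inserts `""` alone, so `g_allowedSchemes.empty()` is false, the http/https defaults are not applied, and only a URL beginning with `:` could pass sendRedirect's lookup. It also splits on `' '` only, whereas an XSD list type is normally whitespace-separated, so tabs or newlines would stay inside a token and make that scheme unmatchable. Stream extraction handles both cases and replaces the index arithmetic: `istringstream in(str.second); string scheme; while (in >> scheme) g_allowedSchemes.insert(scheme);` (requires `<sstream>`, whose inclusion is not visible in this hunk). The same loop is added to main() in fastcgi/shibresponder.cpp (hunk `@@ -260,6 +277,29 @@`). main() starts and ends outside the hunk.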
diff --git a/fastcgi/shibresponder.cpp b/fastcgi/shibresponder.cpp
index 86c374c..f1b7dcf 100644
--- a/fastcgi/shibresponder.cpp
+++ b/fastcgi/shibresponder.cpp
@@ -1,5 +1,5 @@
 /*
- *  Copyright 2001-2007 Internet2
+ *  Copyright 2001-2009 Internet2
  * 
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -32,6 +32,7 @@
 #include <fcgio.h>
 
 using namespace shibtarget;
+using namespace saml;
 using namespace std;
 
 typedef enum {
@@ -40,6 +41,8 @@ typedef enum {
     SHIB_RETURN_DONE
 } shib_return_t;
 
+set<string> g_allowedSchemes;
+
 class ShibTargetFCGI : public ShibTarget
 {
     FCGX_Request* m_req;
@@ -47,6 +50,14 @@ class ShibTargetFCGI : public ShibTarget
     string m_cookie;
     map<string, string> m_headers;
 
+    void checkString(const string& s, const char* msg) {
+        string::const_iterator e = s.end();
+        for (string::const_iterator i=s.begin(); i!=e; ++i) {
+            if (iscntrl(*i))
+                throw runtime_error(msg);
+        }
+    }
+
 public:
     ShibTargetFCGI(FCGX_Request* req, char* post_data, const char* scheme=NULL, const char* hostname=NULL, int port=0)
         : m_req(req), m_body(post_data) {
@@ -146,9 +157,12 @@ public:
         const string& content_type="text/html",
         const saml::Iterator<header_t>& headers=EMPTY(header_t)) {
 
+        checkString(content_type, "Detected control character in a response header.");
         string hdr = string ("Connection: close\r\nContent-type: ") + content_type + "\r\n" + m_cookie;
         while (headers.hasNext()) {
             const header_t& h=headers.next();
+            checkString(h.first, "Detected control character in a response header.");
+            checkString(h.second, "Detected control character in a response header.");
             hdr += h.first + ": " + h.second + "\r\n";
         }
 
@@ -164,6 +178,9 @@ public:
     }
 
     virtual void* sendRedirect(const string& url) {
+        checkString(url, "Detected control character in an attempted redirect.");
+        if (g_allowedSchemes.find(url.substr(0, url.find(':'))) == g_allowedSchemes.end())
+            throw runtime_error("Invalid scheme in attempted redirect.");
         cout << "Status: 302 Please Wait" << "\r\n" << "Location: " << url << "\r\n" << m_cookie << "\r\n"
             << "<HTML><BODY>Redirecting...</BODY></HTML>";
         return (void*)SHIB_RETURN_DONE;
@@ -260,6 +277,29 @@ int main(void)
             cerr << "failed to load Shibboleth configuration" << endl;
             exit(1);
         }
+
+        IConfig* conf=g_Config->getINI();
+        Locker locker(conf);
+        const IPropertySet* props=conf->getPropertySet("Local");
+        if (props) {
+            pair<bool,const char*> str=props->getString("allowedSchemes");
+            if (str.first) {
+                string schemes=str.second;
+                unsigned int j=0;
+                for (unsigned int i=0;  i < schemes.length();  i++) {
+                    if (schemes.at(i)==' ') {
+                        g_allowedSchemes.insert(schemes.substr(j, i-j));
+                        j = i+1;
+                    }
+                }
+                g_allowedSchemes.insert(schemes.substr(j, schemes.length()-j));
+            }
+        }
+        if (g_allowedSchemes.empty()) {
+            g_allowedSchemes.insert("https");
+            g_allowedSchemes.insert("http");
+        }
+
     }
     catch (exception& e) {
         cerr << "exception while initializing Shibboleth configuration:" << e.what() << endl;
diff --git a/schemas/shibboleth-targetconfig-1.0.xsd b/schemas/shibboleth-targetconfig-1.0.xsd
index e1b6e44..9df00f2 100644
--- a/schemas/shibboleth-targetconfig-1.0.xsd
+++ b/schemas/shibboleth-targetconfig-1.0.xsd
@@ -7,7 +7,7 @@
 	elementFormDefault="qualified"
 	attributeFormDefault="unqualified"
 	blockDefault="substitution"
-	version="1.3.5">
+	version="1.3.1">
 
 	<import namespace="urn:oasis:names:tc:SAML:1.0:assertion" schemaLocation="cs-sstc-schema-assertion-1.1.xsd"/>
 	<import namespace="urn:oasis:names:tc:SAML:2.0:metadata" schemaLocation="saml-schema-metadata-2.0.xsd"/>
@@ -38,7 +38,7 @@
 			<any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
 		</sequence>
 		<attribute name="type" type="conf:string" use="required"/>
-		<attribute name="uri" type="anyURI"/>
+		<attribute name="uri" type="anyURI" use="optional"/>
 		<anyAttribute namespace="##any" processContents="lax"/>
 	</complexType>
 
@@ -62,8 +62,8 @@
 			<element name="CredentialsProvider" type="conf:PluggableType" minOccurs="0" maxOccurs="unbounded"/>
 			<element ref="conf:AttributeFactory" minOccurs="0" maxOccurs="unbounded"/>
 		</sequence>
-		<attribute name="logger" type="anyURI"/>
-		<attribute name="clockSkew" type="unsignedInt"/>
+		<attribute name="logger" type="anyURI" use="optional"/>
+		<attribute name="clockSkew" type="unsignedInt" use="optional"/>
 		<anyAttribute namespace="##other" processContents="lax"/>
 	</complexType>
 
@@ -79,7 +79,7 @@
 							<any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
 						</sequence>
 						<attribute name="path" type="anyURI" use="required"/>
-						<attribute name="fatal" type="boolean"/>
+						<attribute name="fatal" type="boolean" use="optional"/>
 						<anyAttribute namespace="##other" processContents="lax"/>
 					</complexType>
 				</element>
@@ -123,8 +123,8 @@
 							<element name="Argument" type="conf:string" minOccurs="0" maxOccurs="unbounded"/>
 						</sequence>
 						<attributeGroup ref="conf:SessionCacheProperties"/>
-						<attribute name="mysqlTimeout" type="unsignedInt" default="14400"/>
-						<attribute name="storeAttributes" type="boolean" default="false"/>
+						<attribute name="mysqlTimeout" type="unsignedInt" use="optional" default="14400"/>
+						<attribute name="storeAttributes" type="boolean" use="optional" default="false"/>
 						<anyAttribute namespace="##other" processContents="lax"/>
 					</complexType>
 				</element>
@@ -151,19 +151,19 @@
 			</choice>
 			<any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
 		</sequence>
-		<attribute name="logger" type="anyURI"/>
+		<attribute name="logger" type="anyURI" use="optional"/>
 		<anyAttribute namespace="##other" processContents="lax"/>
 	</complexType>
 
 	<attributeGroup name="SessionCacheProperties">
-    	<attribute name="cleanupInterval" type="unsignedInt" default="300"/>
-    	<attribute name="cacheTimeout" type="unsignedInt" default="28800"/>
-		<attribute name="AAConnectTimeout" type="unsignedInt" default="15"/>
-		<attribute name="AATimeout" type="unsignedInt" default="30"/>
-		<attribute name="defaultLifetime" type="unsignedInt" default="1800"/>
-		<attribute name="retryInterval" type="unsignedInt" default="300"/>
-		<attribute name="strictValidity" type="boolean" default="true"/>
-		<attribute name="propagateErrors" type="boolean" default="false"/>
+    	<attribute name="cleanupInterval" type="unsignedInt" use="optional" default="300"/>
+    	<attribute name="cacheTimeout" type="unsignedInt" use="optional" default="28800"/>
+		<attribute name="AAConnectTimeout" type="unsignedInt" use="optional" default="15"/>
+		<attribute name="AATimeout" type="unsignedInt" use="optional" default="30"/>
+		<attribute name="defaultLifetime" type="unsignedInt" use="optional" default="1800"/>
+		<attribute name="retryInterval" type="unsignedInt" use="optional" default="300"/>
+		<attribute name="strictValidity" type="boolean" use="optional" default="true"/>
+		<attribute name="propagateErrors" type="boolean" use="optional" default="false"/>
 	</attributeGroup>
 
 	<complexType name="LocalConfigurationType">
@@ -186,13 +186,12 @@
 			</element>
 			<any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
 		</sequence>
-		<attribute name="logger" type="anyURI"/>
-		<attribute name="localRelayState" type="boolean" default="false"/>
-		<attribute name="unsetHeaderValue" type="conf:string"/>
-		<attribute name="checkSpoofing" type="boolean"/>
-        <attribute name="spoofKey" type="conf:string"/>
-		<attribute name="catchAll" type="boolean"/>
-        <attribute name="allowedSchemes" type="conf:listOfStrings"/>
+		<attribute name="logger" type="anyURI" use="optional"/>
+		<attribute name="localRelayState" type="boolean" use="optional" default="false"/>
+		<attribute name="unsetHeaderValue" type="conf:string" use="optional"/>
+		<attribute name="checkSpoofing" type="boolean" use="optional"/>
+		<attribute name="catchAll" type="boolean" use="optional"/>
+		<attribute name="allowedSchemes" type="conf:listOfStrings"/>
 		<anyAttribute namespace="##other" processContents="lax"/>
 	</complexType>
 	
@@ -206,15 +205,14 @@
 						</sequence>
 						<attribute name="id" type="unsignedInt" use="required"/>
 						<attribute name="name" type="conf:string" use="required"/>
-						<attribute name="port" type="unsignedInt"/>
-						<attribute name="sslport" type="unsignedInt"/>
-						<attribute name="scheme" type="conf:string"/>
+						<attribute name="port" type="unsignedInt" use="optional"/>
+						<attribute name="sslport" type="unsignedInt" use="optional"/>
+						<attribute name="scheme" type="conf:string" use="optional"/>
 					</complexType>
 				</element>
 				<any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
 			</sequence>
-			<attribute name="normalizeRequest" type="boolean"/>
-            <attribute name="safeHeaderNames" type="boolean"/>
+			<attribute name="normalizeRequest" type="boolean" use="optional"/>
 			<anyAttribute namespace="##other" processContents="lax"/>
 		</complexType>
 	</element>
@@ -258,11 +256,11 @@
 	</element>
 	
 	<attributeGroup name="ContentSettings">
-		<attribute name="authType" type="conf:string"/>
-		<attribute name="requireSession" type="boolean"/>
-		<attribute name="requireSessionWith" type="conf:string"/>
-		<attribute name="exportAssertion" type="boolean"/>
-		<attribute name="redirectToSSL" type="unsignedInt"/>
+		<attribute name="authType" type="conf:string" use="optional"/>
+		<attribute name="requireSession" type="boolean" use="optional"/>
+		<attribute name="requireSessionWith" type="conf:string" use="optional"/>
+		<attribute name="exportAssertion" type="boolean" use="optional"/>
+		<attribute name="redirectToSSL" type="unsignedInt" use="optional"/>
 		<anyAttribute namespace="##other" processContents="lax"/>
 	</attributeGroup>
 	<element name="AccessControlProvider" type="conf:PluggableType"/>
@@ -304,7 +302,7 @@
     				<element ref="conf:PathRegex"/>
     			</choice>
     		</sequence>
-    		<attribute name="scheme">
+    		<attribute name="scheme" use="optional">
 			    <simpleType>
 			        <restriction base="string">
 			            <enumeration value="http"/>
@@ -316,8 +314,8 @@
 			    </simpleType>
     		</attribute>
     		<attribute name="name" type="conf:string" use="required"/>
-    		<attribute name="port" type="unsignedInt"/>
-    		<attribute name="applicationId" type="conf:string"/>
+    		<attribute name="port" type="unsignedInt" use="optional"/>
+    		<attribute name="applicationId" type="conf:string" use="optional"/>
            	<attributeGroup ref="conf:ContentSettings"/>
     	</complexType>
     </element>
@@ -356,7 +354,7 @@
     			</choice>
     		</sequence>
     		<attribute name="name" type="conf:string" use="required"/>
-    		<attribute name="applicationId" type="conf:string"/>
+    		<attribute name="applicationId" type="conf:string" use="optional"/>
            	<attributeGroup ref="conf:ContentSettings"/>
         </complexType>
     </element>
@@ -398,7 +396,7 @@
 			</sequence>
 			<attribute name="id" type="conf:string" fixed="default"/>
 			<attribute name="providerId" type="anyURI" use="required"/>
-			<attribute name="homeURL" type="anyURI"/>
+			<attribute name="homeURL" type="anyURI" use="optional"/>
 	        <anyAttribute namespace="##other" processContents="lax"/>
 		</complexType>
 	</element>
@@ -422,8 +420,8 @@
 				</choice>
 			</sequence>
 			<attribute name="id" type="conf:string" use="required"/>
-			<attribute name="providerId" type="anyURI"/>
-			<attribute name="homeURL" type="anyURI"/>
+			<attribute name="providerId" type="anyURI" use="optional"/>
+			<attribute name="homeURL" type="anyURI" use="optional"/>
 	        <anyAttribute namespace="##other" processContents="lax"/>
 		</complexType>
 	</element>
@@ -448,20 +446,20 @@
 				<element ref="md:SingleLogoutService"/>
 				<element name="ExtensionService" type="conf:PluggableType"/>
 			</choice>
-			<!-- deprecated --> <attribute name="wayfURL" type="anyURI"/>
-			<!-- deprecated --> <attribute name="shireURL" type="anyURI"/>
-			<!-- deprecated --> <attribute name="shireSSL" type="boolean"/>
-			<attribute name="handlerURL" type="anyURI"/>
-			<attribute name="handlerSSL" type="boolean" default="true"/>
-			<attribute name="cookieName" type="conf:string"/>
-			<attribute name="cookieProps" type="conf:string"/>
-			<attribute name="idpHistory" type="boolean" default="true"/>
-			<attribute name="idpHistoryDays" type="unsignedInt"/>
-			<attribute name="lifetime" type="unsignedInt"/>
-			<attribute name="timeout" type="unsignedInt"/>
-			<attribute name="checkAddress" type="boolean"/>
-			<attribute name="consistentAddress" type="boolean" default="true"/>
-			<attribute name="checkReplay" type="boolean" default="true"/>
+			<!-- deprecated --> <attribute name="wayfURL" type="anyURI" use="optional"/>
+			<!-- deprecated --> <attribute name="shireURL" type="anyURI" use="optional"/>
+			<!-- deprecated --> <attribute name="shireSSL" type="boolean" use="optional"/>
+			<attribute name="handlerURL" type="anyURI" use="optional"/>
+			<attribute name="handlerSSL" type="boolean" use="optional" default="true"/>
+			<attribute name="cookieName" type="conf:string" use="optional"/>
+			<attribute name="cookieProps" type="conf:string" use="optional"/>
+			<attribute name="idpHistory" type="boolean" use="optional" default="true"/>
+			<attribute name="idpHistoryDays" type="unsignedInt" use="optional"/>
+			<attribute name="lifetime" type="unsignedInt" use="optional"/>
+			<attribute name="timeout" type="unsignedInt" use="optional"/>
+			<attribute name="checkAddress" type="boolean" use="optional"/>
+			<attribute name="consistentAddress" type="boolean" use="optional" default="true"/>
+			<attribute name="checkReplay" type="boolean" use="optional" default="true"/>
 			<anyAttribute namespace="##other" processContents="lax"/>
 		</complexType>
 	</element>
@@ -475,11 +473,11 @@
 			</sequence>
 			<attribute name="Location" type="anyURI" use="required"/>
 			<attribute name="Binding" type="anyURI" use="required"/>
-			<attribute name="wayfURL" type="anyURI"/>
-			<attribute name="wayfBinding" type="anyURI"/>
-			<attribute name="checkCDC" type="anyURI"/>
-			<attribute name="isDefault" type="boolean"/>
-			<attribute name="id" type="conf:string"/>
+			<attribute name="wayfURL" type="anyURI" use="optional"/>
+			<attribute name="wayfBinding" type="anyURI" use="optional"/>
+			<attribute name="checkCDC" type="anyURI" use="optional"/>
+			<attribute name="isDefault" type="boolean" use="optional"/>
+			<attribute name="id" type="conf:string" use="optional"/>
 			<anyAttribute namespace="##any" processContents="lax"/>
 		</complexType>
 	</element>
@@ -492,28 +490,28 @@
 			<sequence>
 				<any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
 			</sequence>
-			<!-- deprecated --> <attribute name="shire" type="anyURI"/>
-			<attribute name="session" type="anyURI"/>
-			<attribute name="metadata" type="anyURI"/>
+			<!-- deprecated --> <attribute name="shire" type="anyURI" use="optional"/>
+			<attribute name="session" type="anyURI" use="optional"/>
+			<attribute name="metadata" type="anyURI" use="optional"/>
 			<attribute name="rm" type="anyURI" use="required"/>
-			<attribute name="access" type="anyURI"/>
-			<attribute name="ssl" type="anyURI"/>
-			<attribute name="supportContact" type="conf:string"/>
-			<attribute name="logoLocation" type="anyURI"/>
-			<attribute name="styleSheet" type="anyURI"/>
+			<attribute name="access" type="anyURI" use="optional"/>
+			<attribute name="ssl" type="anyURI" use="optional"/>
+			<attribute name="supportContact" type="conf:string" use="optional"/>
+			<attribute name="logoLocation" type="anyURI" use="optional"/>
+			<attribute name="styleSheet" type="anyURI" use="optional"/>
 			<anyAttribute namespace="##any" processContents="lax"/>
 		</complexType>
 	</element>
 
 	<attributeGroup name="CredentialUseGroup">
-		<attribute name="TLS" type="conf:string"/>
-		<attribute name="Signing" type="conf:string"/>
-		<attribute name="signRequest" type="boolean" default="false"/>
-		<attribute name="signatureAlg" type="anyURI"/>
-		<attribute name="digestAlg" type="anyURI"/>
-		<attribute name="signedResponse" type="boolean" default="false"/>
-		<attribute name="signedAssertions" type="boolean" default="false"/>
-		<attribute name="authType">
+		<attribute name="TLS" type="conf:string" use="optional"/>
+		<attribute name="Signing" type="conf:string" use="optional"/>
+		<attribute name="signRequest" type="boolean" use="optional" default="false"/>
+		<attribute name="signatureAlg" type="anyURI" use="optional"/>
+		<attribute name="digestAlg" type="anyURI" use="optional"/>
+		<attribute name="signedResponse" type="boolean" use="optional" default="false"/>
+		<attribute name="signedAssertions" type="boolean" use="optional" default="false"/>
+		<attribute name="authType" use="optional">
 			<simpleType>
 				<restriction base="string">
 					<enumeration value="basic"/>
@@ -523,8 +521,8 @@
 				</restriction>
 			</simpleType>
 		</attribute>
-		<attribute name="authUsername"/>
-		<attribute name="authPassword"/>
+		<attribute name="authUsername" use="optional"/>
+		<attribute name="authPassword" use="optional"/>
 	</attributeGroup>
 
 	<element name="CredentialUse">
