Security fix diffs for 2.x

Ferenc Wagner wferi at
Mon Nov 23 20:39:20 UTC 2009

"Scott Cantor" <cantor.2 at> writes:

> The function implementing the fix was placed into xmltooling in this diff
> The fix was then applied to form generation logic in opensaml in this diff:
> Returning to the question that was raised about altering the backport, the
> most likely approach would be to inline the changes to xmltooling in place
> of all the calls to reuse that change in opensaml and the SP, with the
> opensaml version probably being altered to avoid the dependency on SP
> configuration.
> It should be possible to avoid duplicating the code everywhere by
> implementing the logic in static/globals that aren't exported but would be
> declared by the internal.h header that's shared across all of the source
> files in each project.

Hi Scott,

So what do you think about the attached patch, intended to replace the
relevant parts of the two diffs you quoted above?  It gives plenty of
"warning: 'void HTTPResponse_sanitizeURL(const char*)' defined but not used"
messages, but otherwise compiles fine.

If it looks reasonable, I'll produce a similar one for the SP as well.
I wonder if it's acceptable to hardwire allowedSchemes there; would that
result in a significant loss of functionality in general use?

And finally, have you got some test cases we could throw at the result
to verify that the vulnerability indeed disappears?

More information about the Pkg-shibboleth-devel mailing list