Security fix diffs for 2.x

Scott Cantor cantor.2 at
Mon Nov 23 20:53:11 UTC 2009

Ferenc Wagner wrote on 2009-11-23:
> So what do you think about the attached patch, intended to replace the
> relevant parts of the two diffs you quoted above?  It gives plenty of
> "warning: 'void HTTPResponse_sanitizeURL(const char*)' defined but not
> messages, but otherwise compiles fine.

You could eliminate those by just defining the function inside a reasonably
central source file, probably SAMLConfig.cpp

It should be fine otherwise, obviously, since the original function is just
static anyway. It's replacing one static call with another.
> If it looks reasonable, I'll produce a similar one for the SP as well.
> I wonder if it's acceptable to hardwire allowedSchemes there; would that
> result in a significant loss of functionality in general use?

No, not as long as it's doing case insensitive compares. Or you could create
a custom environment variable for the Debian version to read if it needs to
get overridden. You'd just set it into a global variable during

> And finally, have you got some test cases we could throw at the result
> to verify that the vulnerability indeed disappears?

I'd rather not provide them publically, but I can provide some privately.

-- Scott

More information about the Pkg-shibboleth-devel mailing list