Security fix diffs for 2.x
Scott Cantor
cantor.2 at osu.edu
Mon Nov 23 20:53:11 UTC 2009
Ferenc Wagner wrote on 2009-11-23:
> So what do you think about the attached patch, intended to replace the
> relevant parts of the two diffs you quoted above? It gives plenty of
> "warning: 'void HTTPResponse_sanitizeURL(const char*)' defined but not
> used"
> messages, but otherwise compiles fine.
You could eliminate those by just defining the function inside a reasonably
central source file, probably SAMLConfig.cpp.
It should be fine otherwise, obviously, since the original function is just
static anyway. It's replacing one static call with another.
> If it looks reasonable, I'll produce a similar one for the SP as well.
> I wonder if it's acceptable to hardwire allowedSchemes there; would that
> result in a significant loss of functionality in general use?
No, not as long as it's doing case-insensitive compares. Or you could create
a custom environment variable for the Debian version to read if it needs to
get overridden. You'd just set it into a global variable during
SAMLConfig::init.
> And finally, have you got some test cases we could throw at the result
> to verify that the vulnerability indeed disappears?
I'd rather not provide them publicly, but I can provide some privately.
-- Scott
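
Added example, not part of the original message and not Shibboleth or OpenSAML code: a hardwired scheme allow-list compared case-insensitively, with an optional environment override read once at initialization, as discussed above. The names `loadAllowedSchemes`, `schemeAllowed` and `EXAMPLE_ALLOWED_SCHEMES` are hypothetical.

```cpp
#include <algorithm>
#include <cstdlib>
#include <sstream>
#include <string>
#include <vector>

// Lower-case A-Z only, independent of locale; URL schemes are ASCII.
static std::string lowerAscii(std::string s) {
    for (std::string::size_type i = 0; i < s.size(); ++i)
        if (s[i] >= 'A' && s[i] <= 'Z') s[i] = static_cast<char>(s[i] - 'A' + 'a');
    return s;
}

// Hypothetical loader, meant to be called once during initialization.
// Defaults are hardwired; a space-separated override is read from an
// environment variable whose name is invented for this example.
std::vector<std::string> loadAllowedSchemes(const char* envName = "EXAMPLE_ALLOWED_SCHEMES") {
    std::vector<std::string> schemes;
    const char* v = std::getenv(envName);
    std::istringstream in((v && *v) ? v : "https http");
    for (std::string s; in >> s; )
        schemes.push_back(lowerAscii(s));
    return schemes;
}

// True only if url begins with "<scheme>:" and the scheme, compared
// case-insensitively, is in the allow-list. Anything without a scheme
// (relative paths, leading whitespace, empty input) is rejected.
bool schemeAllowed(const char* url, const std::vector<std::string>& allowed) {
    if (!url) return false;
    const std::string u(url);
    const std::string::size_type colon = u.find(':');
    if (colon == std::string::npos || colon == 0) return false;
    const std::string scheme = lowerAscii(u.substr(0, colon));
    return std::find(allowed.begin(), allowed.end(), scheme) != allowed.end();
}
```
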