Security fix diffs for 2.x

Ferenc Wagner wferi at niif.hu
Mon Nov 23 23:28:33 UTC 2009


"Scott Cantor" <cantor.2 at osu.edu> writes:

> Ferenc Wagner wrote on 2009-11-23:
>> So what do you think about the attached patch, intended to replace the
>> relevant parts of the two diffs you quoted above?  It gives plenty of
>> "warning: 'void HTTPResponse_sanitizeURL(const char*)' defined but not used"
>> messages, but otherwise compiles fine.
>
> You could eliminate those by just defining the function inside a reasonably
> central source file, probably SAMLConfig.cpp

That's what I tried first, then realized that it won't work with a
static function.  Reading your answer it eventually dawned on me that
you meant static class members, not static free functions.  I'll remove
the static declaration and go the original route; this will add a new
external symbol but who cares.

>> If it looks reasonable, I'll produce a similar one for the SP as well.
>> I wonder if it's acceptable to hardwire allowedSchemes there; would that
>> result in a significant loss of functionality in general use?
>
> No, not as long as it's doing case-insensitive compares. Or you could create
> a custom environment variable for the Debian version to read if it needs to
> get overridden. You'd just set it into a global variable during
> SAMLConfig::init

Yes, but I think it isn't worth the trouble: people should simply use
the backported 2.3 instead for anything serious.

>> And finally, have you got some test cases we could throw at the result
>> to verify that the vulnerability indeed disappears?
>
> I'd rather not provide them publicly, but I can provide some privately.

Fair enough.  If you prefer to do the tests yourself, that's also fine
with me, just describe the required setup.  Otherwise I'll come back at
you when the fixed packages are built.
-- 
Thanks,
Feri.
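A worked version of the hardwired, case-insensitive scheme allow-list that the two messages above discuss, added here as an illustration. It is not the patch under discussion and not code from Shibboleth or OpenSAML; the function name sanitizeURL, the default list of http and https, the rejection of scheme-less (relative) input, and the optional override list are all assumptions made for the example.

```cpp
#include <cctype>
#include <cstdio>
#include <cstring>
#include <string>
#include <vector>

// Hardwired allow-list. Assumption for this example: only http and https
// are acceptable; the thread itself does not state the list.
const std::vector<std::string>& defaultAllowedSchemes() {
    static const std::vector<std::string> schemes = { "http", "https" };
    return schemes;
}

// Case-insensitive, length-checked comparison of two ASCII scheme names.
// Length is compared first so "http" never matches "https" or "httpx".
static bool schemeEquals(const std::string& a, const std::string& b) {
    if (a.size() != b.size()) return false;
    for (size_t i = 0; i < a.size(); ++i) {
        if (std::tolower(static_cast<unsigned char>(a[i])) !=
            std::tolower(static_cast<unsigned char>(b[i])))
            return false;
    }
    return true;
}

// Takes everything before the first ':' as the scheme. Input without a ':'
// (a relative reference or a bare word) or with an empty scheme is rejected;
// that is a deliberate, conservative policy assumed for this example.
static bool extractScheme(const char* url, std::string& scheme) {
    if (!url) return false;
    const char* colon = std::strchr(url, ':');
    if (!colon || colon == url) return false;
    scheme.assign(url, static_cast<size_t>(colon - url));
    return true;
}

// Returns true only if url is absolute and its scheme is on the allow-list.
// Because the whole prefix up to ':' must equal an allowed name, leading
// whitespace, embedded control characters ("java\nscript:") and lookalike
// schemes all fail the comparison rather than slipping through.
bool sanitizeURL(const char* url,
                 const std::vector<std::string>& allowed = defaultAllowedSchemes()) {
    std::string scheme;
    if (!extractScheme(url, scheme)) return false;
    for (size_t i = 0; i < allowed.size(); ++i) {
        if (schemeEquals(scheme, allowed[i])) return true;
    }
    return false;
}

int main() {
    // Constructed sample inputs, not taken from any real deployment.
    const char* samples[] = {
        "https://sp.example.org/Shibboleth.sso/Login",
        "HTTPS://sp.example.org/",
        "javascript:alert(1)",
        " https://sp.example.org/",
        "/relative/path",
    };
    for (const char* s : samples) {
        std::printf("%-45s -> %s\n", s, sanitizeURL(s) ? "allowed" : "rejected");
    }
    return 0;
}
```

The override parameter stands in for the "global variable set during SAMLConfig::init" idea from the quoted reply; a caller that wants the hardwired default simply omits it.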



More information about the Pkg-shibboleth-devel mailing list