Security fix diffs for 2.x

Ferenc Wagner wferi at
Tue Nov 24 20:20:32 UTC 2009

"Scott Cantor" <cantor.2 at> writes:

> Ferenc Wagner wrote on 2009-11-23:
>> That's what I tried first, then realized that it won't work with a
>> static function.
> I guess I'd have to see the warning, I can't think why a static function
> can't be declared in a header and defined in only one of the object files
> without being externally visible.

That's just the nature of static, see for example 4. on 

>> Reading your answer it eventually dawned on me that you meant static
>> class members, not static free functions.  I'll remove the static
>> declaration and go the original route; this will add a new external
>> symbol but who cares.
> Not on Unix, anyway, no. I don't see why it needs to be external though.

C and C++ just don't provide the middle ground, as far as I know.  But
now I wonder why the implementations in SAMLConfig.cpp and SPConfig.cpp
wouldn't clash...  Shouldn't one be renamed at least?  I fear these
won't be usable together, but can't check it right now.

> The fix itself:

I've got problems with the shibsp/impl/XMLServiceProvider.cpp changes.
The first hunk fails, but I hope it does not matter, because the third
hunk is the new parser, and the second seems to be something unrelated.
Unless it's another security fix, this changeset could be dropped
altogether.  Is it?

On the practical side, it seems harder to find a good place for the
function definitions in the SP, because shibsp/internal.h is not
included by mod_apache, isapi, nsapi, and fastcgi, so they can't find
the declaration by default.  I've made up a new header for this purpose
alone, hope it makes sense, please check the attached patch.
