[shibboleth-sp2] 01/01: Patch to 1.2.1d
commit ac49c8b5d0be1130e20fa813148fa14af2abad6c
Author: Scott Cantor <cantor.2 at osu.edu>
Date: Mon Oct 2 22:25:22 2006 +0000
Patch to 1.2.1d
---
apache/mod_apache.cpp | 72 +++++++++++++++++++++++++++++++++++++++++++++--
doc/INSTALL-WIN32.txt | 4 +--
doc/INSTALL.txt | 4 +--
doc/NEWS.txt | 10 +++----
doc/README.txt | 4 +--
isapi_shib/isapi_shib.cpp | 16 +++++++++++
shibboleth.spec.in | 9 ++++--
7 files changed, 101 insertions(+), 18 deletions(-)
diff --git a/apache/mod_apache.cpp b/apache/mod_apache.cpp
index 5c1f692..6882ee5 100644
--- a/apache/mod_apache.cpp
+++ b/apache/mod_apache.cpp
@@ -174,6 +174,16 @@ static int shib_error_page(request_rec* r, const IApplication* app, const char*
return SERVER_ERROR;
}
+static char _x2c(const char *what)
+{
+ register char digit;
+
+ digit = (what[0] >= 'A' ? ((what[0] & 0xdf) - 'A')+10 : (what[0] - '0'));
+ digit *= 16;
+ digit += (what[1] >= 'A' ? ((what[1] & 0xdf) - 'A')+10 : (what[1] - '0'));
+ return(digit);
+}
+
static char* shib_get_targeturl(request_rec* r, const char* scheme=NULL)
{
// On 1.3, this is always canonical, but on 2.0, UseCanonicalName comes into play.
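Review bot: `_x2c` at the top of the hunk uses a reserved identifier (a leading underscore at global scope is reserved for the implementation in C++) and the obsolete `register` qualifier, and nothing states that it may only be called once both characters have passed `isxdigit`. I would rename it and make that precondition explicit: `// Decode one %XX escape; what[0] and what[1] must already be hex digits (callers check isxdigit first).` with the signature `static unsigned char x2c(const char* what)`, which also avoids the implementation-defined narrowing of decoded values above 0x7F into a signed `char`. The `& 0xdf` mask is what makes lowercase hex letters work and deserves a one-line comment of its own.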
@@ -200,15 +210,43 @@ extern "C" int shib_check_user(request_rec* r)
const char* targeturl=shib_get_targeturl(r,sc->szScheme);
+ // Fix for bug 574, secadv 20061002
+ // Unescape unparsed URI up to query string delimiter by looking for %XX escapes.
+ // Adapted from Apache's util.c, ap_unescape_url function.
+ string safe_uri;
+ const char* uri = r->unparsed_uri;
+ if (uri) {
+ while (*uri) {
+ if (*uri == '?') {
+ safe_uri += uri;
+ break;
+ }
+ else if (*uri != '%') {
+ safe_uri += *uri;
+ }
+ else {
+ ++uri;
+ if (!isxdigit(*uri) || !isxdigit(*(uri+1))) {
+ ap_log_rerror(APLOG_MARK,APLOG_ERR|APLOG_NOERRNO,SH_AP_R(r),
+ "shib_check_user: bad request, contained unsupported encoded characters");
+ return SERVER_ERROR;
+ }
+ safe_uri += _x2c(uri);
+ ++uri;
+ }
+ ++uri;
+ }
+ }
+
// We lock the configuration system for the duration.
IConfig* conf=g_Config->getINI();
Locker locker(conf);
-
+
// Map request to application and content settings.
IRequestMapper* mapper=conf->getRequestMapper();
Locker locker2(mapper);
IRequestMapper::Settings settings=mapper->getSettingsFromParsedURL(
- (sc-> szScheme ? sc-> szScheme : ap_http_method(r)), ap_get_server_name(r), ap_get_server_port(r), r->unparsed_uri
+ (sc-> szScheme ? sc-> szScheme : ap_http_method(r)), ap_get_server_name(r), ap_get_server_port(r), safe_uri.c_str()
);
pair<bool,const char*> application_id=settings.first->getString("applicationId");
const IApplication* application=conf->getApplication(application_id.second);
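Review bot: The escape check `if (!isxdigit(*uri) || !isxdigit(*(uri+1)))` passes a plain `char` to `isxdigit`; where `char` is signed, a request byte above 0x7F becomes a negative argument, which is undefined behaviour for the `<ctype.h>` functions, and this input comes straight from the client. Change it to `if (!isxdigit((unsigned char)uri[0]) || !isxdigit((unsigned char)uri[1]))`; the same line is repeated in the shib_post_handler hunk further down. Separately, a `%00` escape decodes to a NUL byte that `std::string` stores but `safe_uri.c_str()` cuts off, so the request mapper would be handed a shorter path than the client sent; `ap_unescape_url`, which this loop is adapted from, refuses a decoded NUL, and `char c = _x2c(uri); if (c == '\0') return SERVER_ERROR; safe_uri += c;` would keep that behaviour here (I cannot tell from the hunk whether Apache already rejects such a request before `shib_check_user` runs). `shib_check_user` starts before the hunk.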
@@ -543,6 +581,34 @@ extern "C" int shib_post_handler(request_rec* r)
threadid << "[" << getpid() << "] shib_post_handler" << '\0';
saml::NDC ndc(threadid.str().c_str());
+ // Fix for bug 574, secadv 20061002
+ // Unescape unparsed URI up to query string delimiter by looking for %XX escapes.
+ // Adapted from Apache's util.c, ap_unescape_url function.
+ string safe_uri;
+ const char* uri = r->unparsed_uri;
+ if (uri) {
+ while (*uri) {
+ if (*uri == '?') {
+ safe_uri += uri;
+ break;
+ }
+ else if (*uri != '%') {
+ safe_uri += *uri;
+ }
+ else {
+ ++uri;
+ if (!isxdigit(*uri) || !isxdigit(*(uri+1))) {
+ ap_log_rerror(APLOG_MARK,APLOG_ERR|APLOG_NOERRNO,SH_AP_R(r),
+ "shib_check_user: bad request, contained unsupported encoded characters");
+ return SERVER_ERROR;
+ }
+ safe_uri += _x2c(uri);
+ ++uri;
+ }
+ ++uri;
+ }
+ }
+
// We lock the configuration system for the duration.
IConfig* conf=g_Config->getINI();
Locker locker(conf);
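Review bot: The error logged in this hunk is labelled `shib_check_user` although the code sits in `shib_post_handler`, so a rejected POST would be attributed to the wrong handler in the Apache error log. The line should read `"shib_post_handler: bad request, contained unsupported encoded characters");`. The decode loop is otherwise a verbatim copy of the one added to `shib_check_user`; a single `static` helper taking the `request_rec*`, the caller name for the log message and a `string&` output, returning `SERVER_ERROR` or `OK`, would keep the two copies from drifting apart, and the `unsigned char` cast needed on the `isxdigit` calls in the first copy is needed here as well. `shib_post_handler` starts before the hunk.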
@@ -551,7 +617,7 @@ extern "C" int shib_post_handler(request_rec* r)
IRequestMapper* mapper=conf->getRequestMapper();
Locker locker2(mapper);
IRequestMapper::Settings settings=mapper->getSettingsFromParsedURL(
- (sc->szScheme ? sc->szScheme : ap_http_method(r)), ap_get_server_name(r), ap_get_server_port(r), r->unparsed_uri
+ (sc->szScheme ? sc->szScheme : ap_http_method(r)), ap_get_server_name(r), ap_get_server_port(r), safe_uri.c_str()
);
pair<bool,const char*> application_id=settings.first->getString("applicationId");
const IApplication* application=conf->getApplication(application_id.second);
diff --git a/doc/INSTALL-WIN32.txt b/doc/INSTALL-WIN32.txt
index 665dfea..44c758e 100644
--- a/doc/INSTALL-WIN32.txt
+++ b/doc/INSTALL-WIN32.txt
@@ -1,5 +1,5 @@
-11/15/04
-Version 1.2.1, shib Library version "5", shibtarget Library Version "4"
+10/02/06
+Version 1.2.1d, shib Library version "5", shibtarget Library Version "4"
This release works with SAML library version "4".
diff --git a/doc/INSTALL.txt b/doc/INSTALL.txt
index 098da6d..389869c 100644
--- a/doc/INSTALL.txt
+++ b/doc/INSTALL.txt
@@ -1,5 +1,5 @@
-11/15/04
-Version 1.2.1
+10/02/06
+Version 1.2.1d
Binary distributions of the Shibboleth code are available.
Information on obtaining and installing binaries can be found at
diff --git a/doc/NEWS.txt b/doc/NEWS.txt
index dd56cd5..8c3c897 100644
--- a/doc/NEWS.txt
+++ b/doc/NEWS.txt
@@ -1,10 +1,8 @@
-11/15/04
-Version 1.2.1
+10/02/06
+Version 1.2.1d
-This release is a fully compatible minor update
-to the Shibboleth 1.2.1 release. It addesses problems
-and small functional gaps identified since the release
-of the previous version.
+This release is a fully compatible security patch
+for the Shibboleth 1.2.1 release.
New Features
-------------------
diff --git a/doc/README.txt b/doc/README.txt
index 5c4a996..83b40ce 100644
--- a/doc/README.txt
+++ b/doc/README.txt
@@ -1,5 +1,5 @@
-11/15/04
-Version 1.2.1
+10/02/06
+Version 1.2.1d
Welcome to Internet2's Shibboleth
diff --git a/isapi_shib/isapi_shib.cpp b/isapi_shib/isapi_shib.cpp
index f1e43a7..f7a5d75 100644
--- a/isapi_shib/isapi_shib.cpp
+++ b/isapi_shib/isapi_shib.cpp
@@ -357,6 +357,14 @@ IRequestMapper::Settings map_request(
dynabuf url(256);
GetHeader(pn,pfc,"url",url,256,false);
+ // Fix for encoding bug, a bit draconian, but people should upgrade anyway.
+ if (!url.empty()) {
+ const char* percent = strchr(url,'%');
+ const char* question = strchr(url,'?');
+ if (percent && (!question || question > percent))
+ throw SAMLException("Bad request, contained encoded characters in path.");
+ }
+
// Port may come from IIS or from site def.
dynabuf port(11);
if (site.m_port.empty() || !g_bNormalizeRequest)
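Review bot: The comment on the new check says it is "a bit draconian" but not what it defends against, which the mod_apache.cpp change in this same commit does spell out; I would write `// Fix for bug 574, secadv 20061002: a %XX escape in the path is refused outright here rather than decoded, so the request mapper never sees an encoded path.` The identical block is added again in the second `map_request` overload further down; a small `static` helper such as `reject_encoded_path(const char* url)` that throws the same `SAMLException` would keep both in step. The check relies on `strchr` accepting `url` directly, which I take to be a `dynabuf` conversion to `const char*` that is not visible from here. `map_request` begins before the hunk.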
@@ -820,6 +828,14 @@ IRequestMapper::Settings map_request(
dynabuf url(256);
GetServerVariable(lpECB,"URL",url,255);
+ // Fix for encoding bug, a bit draconian, but people should upgrade anyway.
+ if (!url.empty()) {
+ const char* percent = strchr(url,'%');
+ const char* question = strchr(url,'?');
+ if (percent && (!question || question > percent))
+ throw SAMLException("Bad request, contained encoded characters in path.");
+ }
+
// Port may come from IIS or from site def.
dynabuf port(11);
if (site.m_port.empty() || !g_bNormalizeRequest)
diff --git a/shibboleth.spec.in b/shibboleth.spec.in
index 9585192..139c72b 100644
--- a/shibboleth.spec.in
+++ b/shibboleth.spec.in
@@ -1,13 +1,13 @@
Name: shibboleth
Summary: Open source system to enable inter-institutional resource sharing
Version: @-VERSION-@
-Release: 2
+Release: 3
#Copyright: University Corporation for Advanced Internet Development, Inc.
Group: System Environment/Libraries
License: Apache style
URL: http://shibboleth.internet2.edu/
-Source0: http://wayf.internet2.edu/shibboleth/%{name}-%{version}.tar.gz
-Source1: http://wayf.internet2.edu/shibboleth/%{name}-%{version}.tar.gz.asc
+Source0: http://shibboleth.internet2.edu/downloads/%{name}-%{version}.tar.gz
+Source1: http://shibboleth.internet2.edu/downloads/%{name}-%{version}.tar.gz.asc
BuildRoot: %{_tmppath}/%{name}-%{version}-root
BuildRequires: openssl-devel, curl-devel >= 7.10.6, xerces-c-devel >= 2.6.1
@@ -101,5 +101,8 @@ make check
%{_libdir}/libshib-target.so
%changelog
+* Mon Oct 2 2006 Scott Cantor <cantor.2 at osu.edu> - 1.2-3
+Catching up spec file for patch releases.
+
* Tue Oct 19 2004 Derek Atkins <derek at ihtfp.com> - 1.2-1
- Create SPEC file based on various versions in existence.