[shibboleth-sp2] 116/119: Detect multiple executions of NSAPI function so spoof check doesn't run twice.
Ferenc Wágner
wferi-guest at moszumanska.debian.org
Tue Jan 26 21:29:56 UTC 2016
This is an automated email from the git hooks/post-receive script.
wferi-guest pushed a commit to annotated tag 1.3.1
in repository shibboleth-sp2.
commit 8bfac06b499e0781722c81cb6dde7a8e04c7651a
Author: Scott Cantor <cantor.2 at osu.edu>
Date: Mon Dec 3 20:36:32 2007 +0000
Detect multiple executions of NSAPI function so spoof check doesn't run twice.
---
nsapi_shib/nsapi_shib.cpp | 26 +++++++++++++++-----------
1 file changed, 15 insertions(+), 11 deletions(-)
diff --git a/nsapi_shib/nsapi_shib.cpp b/nsapi_shib/nsapi_shib.cpp
index 2fd66d9..c986ef0 100644
--- a/nsapi_shib/nsapi_shib.cpp
+++ b/nsapi_shib/nsapi_shib.cpp
@@ -67,7 +67,7 @@ namespace {
string g_ServerName;
string g_ServerScheme;
string g_unsetHeaderValue;
- bool g_checkSpoofing = true;
+ bool g_checkSpoofing = false;
bool g_catchAll = true;
}
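Review bot: The default for `g_checkSpoofing` flips from `true` to `false` on the changed declaration, so header spoof checking is now off unless code outside this hunk turns it on. If the initialization path only assigns the flag when a configuration value is present, a deployment that omits the value would run without the check and nothing in this file would say so. I would document the intent on the declaration, e.g. `// Spoof checking stays disabled until initialization enables it explicitly.`, and confirm that the init function always assigns the flag rather than relying on this default.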
@@ -173,11 +173,7 @@ extern "C" NSAPI_PUBLIC int nsapi_shib_init(pblock* pb, Session* sn, Request* rq
class ShibTargetNSAPI : public ShibTarget
{
public:
- ShibTargetNSAPI(pblock* pb, Session* sn, Request* rq) {
- m_pb = pb;
- m_sn = sn;
- m_rq = rq;
-
+ ShibTargetNSAPI(pblock* pb, Session* sn, Request* rq) : m_pb(pb), m_sn(sn), m_rq(rq), m_firsttime(true) {
// Get everything but hostname...
const char* uri=pblock_findval("uri", rq->reqpb);
const char* qstr=pblock_findval("query", rq->reqpb);
@@ -205,10 +201,17 @@ public:
char* content_type = "";
request_header("content-type", &content_type, sn, rq);
- const char *remote_ip = pblock_findval("ip", sn->client);
- const char *method = pblock_findval("method", rq->reqpb);
+ const char* remote_ip = pblock_findval("ip", sn->client);
+ const char* method = pblock_findval("method", rq->reqpb);
init(scheme, host, port, url.c_str(), content_type, remote_ip, method);
+
+ // See if this is the first time we've run.
+ method = pblock_findval("auth-type", rq->vars);
+ if (method && !strcmp(method, "shibboleth"))
+ m_firsttime = false;
+ if (!m_firsttime)
+ log(LogLevelDebug, "nsapi_shib function running more than once");
}
~ShibTargetNSAPI() {
}
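Review bot: Setting `m_firsttime = false` switches off every spoof check in clearHeader, and the only evidence used is that `auth-type` in `rq->vars` already equals "shibboleth". The code that writes that value is not in this hunk; the shortcut is sound only if the value is written after the first pass has validated and cleared the client-supplied headers, and no other server function sets it earlier, which deserves a comment next to the lookup. Separately, reusing `method` for the auth-type lookup is misleading because the same variable held the HTTP method one statement earlier; a dedicated local reads better: `const char* authtype = pblock_findval("auth-type", rq->vars);` followed by `if (authtype && !strcmp(authtype, "shibboleth")) m_firsttime = false;`. The constructor body begins outside this hunk.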
@@ -256,7 +259,7 @@ public:
}
}
virtual void clearHeader(const string &name) {
- if (g_checkSpoofing && m_allhttp.empty()) {
+ if (m_firsttime && g_checkSpoofing && m_allhttp.empty()) {
// Populate the set of client-supplied headers for spoof checking.
const pb_entry* entry;
for (int i=0; i<m_rq->headers->hsize; ++i) {
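Review bot: The guard `m_firsttime && g_checkSpoofing` is now spelled out at three sites in clearHeader, here and at the two conditions in the following hunk, so a later edit can update one and miss another, leaving the spoof check inconsistently applied. A small private helper such as `bool spoofCheckActive() const { return m_firsttime && g_checkSpoofing; }` used at all three sites would keep the decision in one place. clearHeader's body continues outside this hunk.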
@@ -274,13 +277,13 @@ public:
}
}
if (name=="REMOTE_USER") {
- if (g_checkSpoofing && m_allhttp.count("HTTP_REMOTE_USER") > 0)
+ if (m_firsttime && g_checkSpoofing && m_allhttp.count("HTTP_REMOTE_USER") > 0)
throw SAMLException("Attempt to spoof header ($1) was detected.", params(1, name.c_str()));
param_free(pblock_remove("auth-user",m_rq->vars));
param_free(pblock_remove("remote-user",m_rq->headers));
}
else {
- if (g_checkSpoofing) {
+ if (m_firsttime && g_checkSpoofing) {
// Map to the expected CGI variable name.
string transformed("HTTP_");
const char* pch = name.c_str();
@@ -357,6 +360,7 @@ public:
Session* m_sn;
Request* m_rq;
set<string> m_allhttp;
+ bool m_firsttime;
};
/********************************************************************************/
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-shibboleth/shibboleth-sp2.git