[shibboleth-sp2] 117/119: Detect subrequests and internal redirects.
Ferenc Wágner
wferi-guest at moszumanska.debian.org
Tue Jan 26 21:29:56 UTC 2016
This is an automated email from the git hooks/post-receive script.
wferi-guest pushed a commit to annotated tag 1.3.1
in repository shibboleth-sp2.
commit 37378253c16086ae2c0c8a69158828f60629cdad
Author: Scott Cantor <cantor.2 at osu.edu>
Date: Tue Dec 4 04:33:14 2007 +0000
Detect subrequests and internal redirects.
---
nsapi_shib/nsapi_shib.cpp | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/nsapi_shib/nsapi_shib.cpp b/nsapi_shib/nsapi_shib.cpp
index c986ef0..38b87b4 100644
--- a/nsapi_shib/nsapi_shib.cpp
+++ b/nsapi_shib/nsapi_shib.cpp
@@ -210,7 +210,7 @@ public:
method = pblock_findval("auth-type", rq->vars);
if (method && !strcmp(method, "shibboleth"))
m_firsttime = false;
- if (!m_firsttime)
+ if (!m_firsttime || rq->orig_rq)
log(LogLevelDebug, "nsapi_shib function running more than once");
}
~ShibTargetNSAPI() {
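Review bot: The added `rq->orig_rq` test treats any non-null value as "subrequest or internal redirect", but nothing visible here shows that the server leaves the field null on a top-level request. The same test gates the spoof checks in the two later hunks, so if `orig_rq` were set on ordinary requests for some server version, header-spoof detection would be silently off everywhere. I'd confirm this against the NSAPI headers for the supported servers and record it next to the test, e.g. `// orig_rq is non-null only for subrequests/internal redirects`. The debug text "running more than once" is also now logged for that case; a separate message such as `"nsapi_shib running for a subrequest or internal redirect"` would keep logs unambiguous. The constructor body starts outside this hunk.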
@@ -259,7 +259,7 @@ public:
}
}
virtual void clearHeader(const string &name) {
- if (m_firsttime && g_checkSpoofing && m_allhttp.empty()) {
+ if (g_checkSpoofing && m_firsttime && !m_rq->orig_rq && m_allhttp.empty()) {
// Populate the set of client-supplied headers for spoof checking.
const pb_entry* entry;
for (int i=0; i<m_rq->headers->hsize; ++i) {
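Review bot: The condition `g_checkSpoofing && m_firsttime && !m_rq->orig_rq` is now spelled out three times in `clearHeader` (here, and at the REMOTE_USER test and the else branch in the next hunk), so a later spoof check that copies only part of it would behave differently from the others. I'd put it in one private helper, e.g. `bool spoofCheckActive() const { return g_checkSpoofing && m_firsttime && !m_rq->orig_rq; }`, and call that in all three places. Setting `m_firsttime = false` in the constructor when `rq->orig_rq` is set would also work, but only if nothing else outside these hunks reads `m_firsttime` with the narrower meaning. `clearHeader` continues past the end of this hunk.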
@@ -277,13 +277,13 @@ public:
}
}
if (name=="REMOTE_USER") {
- if (m_firsttime && g_checkSpoofing && m_allhttp.count("HTTP_REMOTE_USER") > 0)
+ if (g_checkSpoofing && m_firsttime && !m_rq->orig_rq && m_allhttp.count("HTTP_REMOTE_USER") > 0)
throw SAMLException("Attempt to spoof header ($1) was detected.", params(1, name.c_str()));
param_free(pblock_remove("auth-user",m_rq->vars));
param_free(pblock_remove("remote-user",m_rq->headers));
}
else {
- if (m_firsttime && g_checkSpoofing) {
+ if (g_checkSpoofing && m_firsttime && !m_rq->orig_rq) {
// Map to the expected CGI variable name.
string transformed("HTTP_");
const char* pch = name.c_str();
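Review bot: Skipping the spoof check whenever `m_rq->orig_rq` is set assumes the original request already went through this module with the check enabled. If an internal redirect can start at a location the module does not cover, the first time these headers are examined would be on the internal request, and the check would not run. The REMOTE_USER branch still removes `auth-user` and `remote-user` either way, but the rest of the else branch is outside the hunk, so I can't tell whether other client-supplied headers are still cleared when the check is skipped. I'd document the assumption above the condition, e.g. `// Internal requests rely on the parent request's spoof check; headers seen here may have been set by us.`, and consider a debug log line when the check is bypassed so the case is visible in operation.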
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-shibboleth/shibboleth-sp2.git