[shibboleth-sp2] 01/25: Fix username logging. Add per-session context for preventing spoofing false alarms.
Ferenc Wágner
wferi-guest at moszumanska.debian.org
Tue Jan 26 21:30:01 UTC 2016
This is an automated email from the git hooks/post-receive script.
wferi-guest pushed a commit to annotated tag 1.3.2
in repository shibboleth-sp2.
commit 0cbe77b6a289ee136b082b1bd0d1d85ca562e2d2
Author: Scott Cantor <cantor.2 at osu.edu>
Date: Wed Jan 9 18:56:29 2008 +0000
Fix username logging.
Add per-session context for preventing spoofing false alarms.
---
isapi_shib/isapi_shib.cpp | 28 ++++++++++++++++++++++++----
1 file changed, 24 insertions(+), 4 deletions(-)
diff --git a/isapi_shib/isapi_shib.cpp b/isapi_shib/isapi_shib.cpp
index 87591ce..f7169be 100644
--- a/isapi_shib/isapi_shib.cpp
+++ b/isapi_shib/isapi_shib.cpp
@@ -82,6 +82,11 @@ namespace {
set<string> m_aliases;
};
+ struct context_t {
+ char* m_user;
+ bool m_checked;
+ };
+
HINSTANCE g_hinstDLL;
ShibTargetConfig* g_Config = NULL;
map<string,site_t> g_Sites;
@@ -386,7 +391,14 @@ public:
if (site.m_name!=host && site.m_aliases.find(host)==site.m_aliases.end())
host=site.m_name.c_str();
- init(scheme, host, atoi(port), url, content_type, remote_addr, method);
+ init(scheme, host, atoi(port), url, content_type, remote_addr, method);
+ if (!pfc->pFilterContext) {
+ pfc->pFilterContext = pfc->AllocMem(pfc, sizeof(context_t), NULL);
+ if (static_cast<context_t*>(pfc->pFilterContext)) {
+ static_cast<context_t*>(pfc->pFilterContext)->m_user = NULL;
+ static_cast<context_t*>(pfc->pFilterContext)->m_checked = false;
+ }
+ }
}
~ShibTargetIsapiF() {}
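Review bot: The block added to the constructor repeats `static_cast<context_t*>(pfc->pFilterContext)` three times and tests the cast result instead of the AllocMem return value. Taking the pointer once is easier to read: `context_t* ctx = static_cast<context_t*>(pfc->AllocMem(pfc, sizeof(context_t), NULL));`, then `if (ctx) { ctx->m_user = NULL; ctx->m_checked = false; }` and `pfc->pFilterContext = ctx;`. A failed allocation is silent here, and a log line would help because the other hunks behave differently when the context is missing. The constructor starts outside the hunk.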
@@ -400,7 +412,7 @@ public:
}
virtual void clearHeader(const string &name) {
- if (g_checkSpoofing) {
+ if (g_checkSpoofing && m_pfc->pFilterContext && !static_cast<context_t*>(m_pfc->pFilterContext)->m_checked) {
if (m_allhttp.empty())
GetServerVariable(m_pfc,"ALL_HTTP",m_allhttp,4096);
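Review bot: The spoofing check in clearHeader now fails open when pFilterContext is NULL. If AllocMem failed in the constructor, the new condition is false and the ALL_HTTP inspection is skipped even though g_checkSpoofing is set. The context should only be able to suppress the check, not be a precondition for it: `if (g_checkSpoofing && !(m_pfc->pFilterContext && static_cast<context_t*>(m_pfc->pFilterContext)->m_checked)) {`. The body of clearHeader continues outside the hunk.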
@@ -432,6 +444,12 @@ public:
}
virtual void setRemoteUser(const string &user) {
setHeader(string("remote-user"), user);
+ if (m_pfc->pFilterContext) {
+ if (user.empty())
+ static_cast<context_t*>(m_pfc->pFilterContext)->m_user = NULL;
+ else if (static_cast<context_t*>(m_pfc->pFilterContext)->m_user = (char*)m_pfc->AllocMem(m_pfc, sizeof(char) * (user.length() + 1), NULL))
+ strcpy(static_cast<context_t*>(m_pfc->pFilterContext)->m_user, user.c_str());
+ }
}
virtual string getRemoteUser(void) {
return getHeader(string("remote-user"));
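Review bot: The `else if` in setRemoteUser assigns m_user inside the condition and uses a C-style `(char*)` cast, which reads like a comparison at first glance. Separating allocation from the test is clearer: `char* buf = static_cast<char*>(m_pfc->AllocMem(m_pfc, user.length() + 1, NULL));`, then `if (buf) strcpy(buf, user.c_str());` and `ctx->m_user = buf;`. Each call also takes a fresh buffer and drops the pointer to the previous one. If AllocMem memory is only released when the connection ends, which the hunk does not show, a long-lived connection accumulates one buffer per call. A comment stating that lifetime, or reusing the buffer when the name is unchanged, would address this.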
@@ -507,7 +525,7 @@ extern "C" DWORD WINAPI HttpFilterProc(PHTTP_FILTER_CONTEXT pfc, DWORD notificat
// Is this a log notification?
if (notificationType==SF_NOTIFY_LOG) {
if (pfc->pFilterContext)
- ((PHTTP_FILTER_LOG)pvNotification)->pszClientUserName=static_cast<LPCSTR>(pfc->pFilterContext);
+ ((PHTTP_FILTER_LOG)pvNotification)->pszClientUserName=static_cast<context_t*>(pfc->pFilterContext)->m_user;
return SF_STATUS_REQ_NEXT_NOTIFICATION;
}
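Review bot: In the SF_NOTIFY_LOG branch, pszClientUserName is now overwritten even when m_user is NULL. The constructor allocates the context for every request and initialises m_user to NULL, so the `if (pfc->pFilterContext)` guard no longer implies that a username was set. The old code cast pFilterContext itself to the name, so the equivalent guard today is `if (pfc->pFilterContext && static_cast<context_t*>(pfc->pFilterContext)->m_user)`. Without it, a request with no Shibboleth user replaces whatever name the server would otherwise have logged. HttpFilterProc continues outside the hunk.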
@@ -530,8 +548,10 @@ extern "C" DWORD WINAPI HttpFilterProc(PHTTP_FILTER_CONTEXT pfc, DWORD notificat
// "false" because we don't override the Shib settings
pair<bool,void*> res = stf.doCheckAuthN();
+ if (pfc->pFilterContext)
+ static_cast<context_t*>(pfc->pFilterContext)->m_checked = true;
if (res.first) return (DWORD)res.second;
-
+
// "false" because we don't override the Shib settings
res = stf.doExportAssertions();
if (res.first) return (DWORD)res.second;
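Review bot: m_checked is set to true after doCheckAuthN and nothing in this diff sets it back to false, because the constructor initialises the context only when pFilterContext is NULL. If IIS keeps pFilterContext for the life of the connection, as the commit's "per-session" wording suggests, every later request on a keep-alive connection would skip the spoofing check in clearHeader. The log branch could likewise report an m_user left over from an earlier request. Resetting both fields at the point where a new request begins (`ctx->m_user = NULL; ctx->m_checked = false;`) would confine the suppression to the request that was actually checked. Which notification marks that point is not visible in this hunk, so the placement needs confirming against the rest of HttpFilterProc.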
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-shibboleth/shibboleth-sp2.git