[shibboleth-sp2] 58/89: Add an externalInput flag to lock down handlers in certain cases.
Ferenc Wágner
wferi at moszumanska.debian.org
Thu Sep 1 09:24:09 UTC 2016
This is an automated email from the git hooks/post-receive script.
wferi pushed a commit to branch master
in repository shibboleth-sp2.
commit 382f348ecb047213e8fb7c5da59e71e44a378548
Author: Scott Cantor <cantor.2 at osu.edu>
Date: Tue Jun 14 15:36:24 2016 -0400
Add an externalInput flag to lock down handlers in certain cases.
---
adfs/adfs.cpp | 8 +++++++-
schemas/shibboleth-2.0-native-sp-config.xsd | 3 ++-
shibsp/handler/impl/SAML2SessionInitiator.cpp | 18 ++++++++++++------
3 files changed, 21 insertions(+), 8 deletions(-)
diff --git a/adfs/adfs.cpp b/adfs/adfs.cpp
index f567320..7c38074 100644
--- a/adfs/adfs.cpp
+++ b/adfs/adfs.cpp
@@ -368,7 +368,13 @@ pair<bool,long> ADFSSessionInitiator::run(SPRequest& request, string& entityID,
recoverRelayState(app, request, request, target, false);
app.limitRedirect(request, target.c_str());
- acClass = getString("authnContextClassRef", request);
+ // Default is to allow externally supplied settings.
+ pair<bool,bool> externalInput = getBool("externalInput");
+ unsigned int settingMask = HANDLER_PROPERTY_MAP | HANDLER_PROPERTY_FIXED;
+ if (!externalInput.first || externalInput.second)
+ settingMask |= HANDLER_PROPERTY_REQUEST;
+
+ acClass = getString("authnContextClassRef", request, settingMask);
}
else {
// Check for a hardwired target value in the map or handler.
diff --git a/schemas/shibboleth-2.0-native-sp-config.xsd b/schemas/shibboleth-2.0-native-sp-config.xsd
index e50534a..e643c9a 100644
--- a/schemas/shibboleth-2.0-native-sp-config.xsd
+++ b/schemas/shibboleth-2.0-native-sp-config.xsd
@@ -608,7 +608,8 @@
<attribute name="target" type="anyURI"/>
<attribute name="discoveryPolicy" type="conf:string"/>
<attribute name="signing" type="conf:bindingBoolean"/>
- <attribute name="encryption" type="conf:bindingBoolean"/>
+ <attribute name="encryption" type="conf:bindingBoolean"/>
+ <attribute name="externalInput" type="boolean"/>
<anyAttribute namespace="##any" processContents="lax"/>
</attributeGroup>
diff --git a/shibsp/handler/impl/SAML2SessionInitiator.cpp b/shibsp/handler/impl/SAML2SessionInitiator.cpp
index 91ae5a4..94148a1 100644
--- a/shibsp/handler/impl/SAML2SessionInitiator.cpp
+++ b/shibsp/handler/impl/SAML2SessionInitiator.cpp
@@ -287,19 +287,25 @@ pair<bool,long> SAML2SessionInitiator::run(SPRequest& request, string& entityID,
recoverRelayState(app, request, request, target, false);
app.limitRedirect(request, target.c_str());
- pair<bool,bool> flag = getBool("isPassive", request);
+ // Default is to allow externally supplied settings.
+ pair<bool,bool> externalInput = getBool("externalInput");
+ unsigned int settingMask = HANDLER_PROPERTY_MAP | HANDLER_PROPERTY_FIXED;
+ if (!externalInput.first || externalInput.second)
+ settingMask |= HANDLER_PROPERTY_REQUEST;
+
+ pair<bool,bool> flag = getBool("isPassive", request, settingMask);
isPassive = (flag.first && flag.second);
if (!isPassive) {
- flag = getBool("forceAuthn", request);
+ flag = getBool("forceAuthn", request, settingMask);
forceAuthn = (flag.first && flag.second);
}
// Populate via parameter, map, or property.
- acClass = getString("authnContextClassRef", request);
- acComp = getString("authnContextComparison", request);
- nidFormat = getString("NameIDFormat", request);
- spQual = getString("SPNameQualifier", request);
+ acClass = getString("authnContextClassRef", request, settingMask);
+ acComp = getString("authnContextComparison", request, settingMask);
+ nidFormat = getString("NameIDFormat", request, settingMask);
+ spQual = getString("SPNameQualifier", request, settingMask);
}
else {
// Check for a hardwired target value in the map or handler.
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-shibboleth/shibboleth-sp2.git
More information about the Pkg-shibboleth-devel
mailing list