[shibboleth-sp2] 22/82: SSPCPP-604 IIS7 Spoof header check
Etienne Dysli Metref
edm-guest at moszumanska.debian.org
Thu Nov 16 08:16:21 UTC 2017
edm-guest pushed a commit to branch master
in repository shibboleth-sp2.
commit 9fc5180fd4d341ffddfe569c891536150940c3f4
Author: Rod Widdowson <rdw at steadingsoftware.com>
Date: Fri Apr 21 13:49:28 2017 +0100
SSPCPP-604 IIS7 Spoof header check
https://issues.shibboleth.net/jira/browse/SSPCPP-694
Loosely based on ISAPI and Mod Shib. Review welcomed.
---
iis7_shib/NativeRequest.cpp | 15 +++++++++++++--
iis7_shib/ShibHttpModule.cpp | 13 +++++++++----
iis7_shib/headers/IIS7_shib.hpp | 2 ++
iis7_shib/headers/NativeRequest.hpp | 5 +++--
4 files changed, 27 insertions(+), 8 deletions(-)
diff --git a/iis7_shib/NativeRequest.cpp b/iis7_shib/NativeRequest.cpp
index f236098..8e2ffd3 100644
--- a/iis7_shib/NativeRequest.cpp
+++ b/iis7_shib/NativeRequest.cpp
@@ -34,7 +34,8 @@
using namespace Config;
-NativeRequest::NativeRequest(_In_ IHttpContext *pHttpContext, _In_ IHttpEventProvider *pEventProvider) : AbstractSPRequest(SHIBSP_LOGCAT ".NATIVE"),
+_Use_decl_annotations_
+NativeRequest::NativeRequest(IHttpContext *pHttpContext, IHttpEventProvider *pEventProvider, bool checkUser) : AbstractSPRequest(SHIBSP_LOGCAT ".NATIVE"),
m_ctx(pHttpContext), m_request(pHttpContext->GetRequest()), m_response(pHttpContext->GetResponse()),
m_firsttime(true), m_useHeaders(g_bUseHeaders), m_useVariables(g_bUseVariables), m_gotBody(false), m_event(pEventProvider)
{
@@ -128,13 +129,23 @@ NativeRequest::NativeRequest(_In_ IHttpContext *pHttpContext, _In_ IHttpEventPro
else {
throwError("Get remote user", hr);
}
+
+ if (checkUser && m_useHeaders && !g_spoofKey.empty()) {
+ const string hdr = getSecureHeader(SpoofHeaderName);
+ if (hdr == g_spoofKey) {
+ m_firsttime = false;
+ }
+ if (!m_firsttime) {
+ log(SPDebug, "shib_check_user running more than once");
+ }
+ }
}
void NativeRequest::setHeader(const char* name, const char* value)
{
if (m_useHeaders) {
const string hdr = g_bSafeHeaderNames ? makeSafeHeader(name) : (string(name) + ':');
- const HRESULT hr (m_request->SetHeader(hdr.c_str(), value, static_cast<USHORT>(strlen(value)), true));
+ const HRESULT hr (m_request->SetHeader(hdr.c_str(), value, static_cast<USHORT>(strlen(value)), TRUE));
if (FAILED(hr)) {
throwError("setHeader (Header)", hr);
}
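Review bot: The debug message `"shib_check_user running more than once"` at the `log(SPDebug, ...)` line names the Apache mod_shib hook this code was ported from; there is no shib_check_user in the IIS7 module, so the text will puzzle anyone reading IIS logs and should name the local entry point, e.g. `log(SPDebug, "spoof-check header present, DoFilter running more than once on this request");`. Since `m_firsttime` is initialised to true in the initialiser list, `!m_firsttime` holds exactly when the header matched (assuming nothing earlier in the constructor body clears it, which is outside this hunk), so the two `if` statements could be a single block that sets the flag and logs. A comment above the block stating that a matching marker header signals a repeat pass over an already-authenticated request rather than an attack — presumably so later header checks do not treat the module's own headers as spoofed; to be confirmed against the rest of NativeRequest — would make the intent readable without consulting mod_shib. The enclosing constructor starts outside this hunk.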
diff --git a/iis7_shib/ShibHttpModule.cpp b/iis7_shib/ShibHttpModule.cpp
index 5295718..0734e07 100644
--- a/iis7_shib/ShibHttpModule.cpp
+++ b/iis7_shib/ShibHttpModule.cpp
@@ -38,7 +38,7 @@ ShibHttpModule::DoHandler(
threadid += lexical_cast<string>(_getpid()) + "] native_shib";
xmltooling::NDC ndc(threadid.c_str());
- NativeRequest handler(pHttpContext, pProvider);
+ NativeRequest handler(pHttpContext, pProvider, false);
pair<bool, long> res = handler.getServiceProvider().doHandler(handler);
@@ -61,15 +61,20 @@ ShibHttpModule::DoFilter(
xmltooling::NDC ndc(threadid.c_str());
// TODO Different class?
- NativeRequest filter(pHttpContext, pProvider);
+ NativeRequest filter(pHttpContext, pProvider, true);
pair<bool, long> res = filter.getServiceProvider().doAuthentication(filter);
if (res.first) {
return static_cast<REQUEST_NOTIFICATION_STATUS>(res.second);
}
- if (!g_spoofKey.empty()) {
- pHttpContext->GetRequest()->SetHeader("ShibSpoofCheck:", const_cast<PCSTR>(g_spoofKey.c_str()), static_cast<USHORT>(g_spoofKey.length()), TRUE);
+ if (!g_spoofKey.empty() && filter.isUseHeaders()) {
+ const string hdr = g_bSafeHeaderNames ? filter.makeSafeHeader(g_spoofKey.c_str()) : (string(g_spoofKey.c_str()) + ':');
+ const HRESULT hr(pHttpContext->GetRequest()->SetHeader(hdr.c_str(), g_spoofKey.c_str(), static_cast<USHORT>(g_spoofKey.length()), TRUE));
+ if (FAILED(hr)) {
+ (void)pHttpContext->GetResponse()->SetStatus(static_cast<USHORT>(filter.XMLTOOLING_HTTP_STATUS_ERROR), "Fatal Server Error", 0, hr);
+ return RQ_NOTIFICATION_FINISH_REQUEST;
+ }
}
res = filter.getServiceProvider().doExport(filter);
if (res.first) {
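Review bot: The header written at the `const string hdr = ...` line in DoFilter is named after the spoof key's value rather than the spoof header's name: both branches of the conditional take `g_spoofKey.c_str()`, whereas the removed line used `"ShibSpoofCheck:"` and the NativeRequest constructor (NativeRequest.cpp hunk at @@ -128) reads `getSecureHeader(SpoofHeaderName)`. As written the marker the constructor looks for is never set, so `m_firsttime` stays true on later passes and the check added in that constructor can never fire. The line should build the name from the constant: `const string hdr = g_bSafeHeaderNames ? filter.makeSafeHeader(SpoofHeaderName) : (string(SpoofHeaderName) + ':');`. Whether getSecureHeader applies the same safe-name mapping as makeSafeHeader is not visible here, so confirm the read and write sides agree when g_bSafeHeaderNames is set. DoFilter continues outside the hunk.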
diff --git a/iis7_shib/headers/IIS7_shib.hpp b/iis7_shib/headers/IIS7_shib.hpp
index f6dc545..cd05d90 100644
--- a/iis7_shib/headers/IIS7_shib.hpp
+++ b/iis7_shib/headers/IIS7_shib.hpp
@@ -66,6 +66,8 @@ namespace Config {
static const XMLCh Alias[] = UNICODE_LITERAL_5(A, l, i, a, s);
static const XMLCh Site[] = UNICODE_LITERAL_4(S, i, t, e);
+ static const char* SpoofHeaderName = "ShibSpoofCheck";
+
struct site_t {
site_t(const DOMElement* e)
: m_name(XMLHelper::getAttrString(e, "", name)),
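Review bot: `static const char* SpoofHeaderName = "ShibSpoofCheck";` declares a mutable pointer to a string literal in a header, so every translation unit including IIS7_shib.hpp gets its own reassignable copy; a constant like the neighbouring `static const XMLCh Site[]` arrays should itself be immutable. Write it as `static const char* const SpoofHeaderName = "ShibSpoofCheck";` (or `static const char SpoofHeaderName[] = "ShibSpoofCheck";`, matching the array style on the lines above). A one-line comment noting that this name must match the header the filter sets in ShibHttpModule.cpp would also help, since the two sides live in different files.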
diff --git a/iis7_shib/headers/NativeRequest.hpp b/iis7_shib/headers/NativeRequest.hpp
index 446a516..7e925df 100644
--- a/iis7_shib/headers/NativeRequest.hpp
+++ b/iis7_shib/headers/NativeRequest.hpp
@@ -42,7 +42,9 @@ private:
string m_allhttp;
public:
- NativeRequest(_In_ IHttpContext *pHttpContext, _In_ IHttpEventProvider *pEventProvider);
+ NativeRequest(_In_ IHttpContext *pHttpContext, _In_ IHttpEventProvider *pEventProvider, _In_ bool checkUser);
+ string makeSafeHeader(const char* rawname) const;
+ bool isUseHeaders() { return m_useHeaders; }
protected:
//
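Review bot: `bool isUseHeaders() { return m_useHeaders; }` is a pure accessor but is not declared const, so it cannot be called through a `const NativeRequest&`; the adjacent `makeSafeHeader(const char* rawname) const` shows the class already marks non-mutating members const. Change it to `bool isUseHeaders() const { return m_useHeaders; }`. Moving makeSafeHeader from private to public widens the interface; if DoFilter is its only external caller, a short comment such as `// public so the module can build the spoof-check header name` would record why.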
@@ -80,7 +82,6 @@ protected:
long sendRedirect(const char* url);
private:
- string makeSafeHeader(const char* rawname) const;
void logFatal(const string& operation, HRESULT hr) const;
void throwError(const string& operation, HRESULT hr) const;
--