[shibboleth-sp2] 01/04: SSPCPP-756 Derive DynamicMetadataProvider from Abstract parent.
Etienne Dysli Metref
edm-guest at moszumanska.debian.org
Thu Nov 23 13:45:44 UTC 2017
edm-guest pushed a commit to branch master
in repository shibboleth-sp2.
commit 36bb7fdeb64b0736253b212aa4292a0191e3e6a7
Author: Rod Widdowson <rdw at steadingsoftware.com>
Date: Sun Nov 5 14:19:17 2017 +0000
SSPCPP-756 Derive DynamicMetadataProvider from Abstract parent.
https://issues.shibboleth.net/jira/browse/SSPCPP-756
This means refusing file:// URLs. We reject them statically (at configuration time, in <Subst> and <Regex>) as far as possible, but also defend against them dynamically at lookup time (e.g. a well-known-location lookup with an entityID of "file::/foo/bar").
---
shibsp/metadata/DynamicMetadataProvider.cpp | 20 ++++++++++++++------
1 file changed, 14 insertions(+), 6 deletions(-)
diff --git a/shibsp/metadata/DynamicMetadataProvider.cpp b/shibsp/metadata/DynamicMetadataProvider.cpp
index 8853acb..7b51db2 100644
--- a/shibsp/metadata/DynamicMetadataProvider.cpp
+++ b/shibsp/metadata/DynamicMetadataProvider.cpp
@@ -39,7 +39,7 @@
#include <saml/version.h>
#include <saml/binding/SAMLArtifact.h>
#include <saml/saml2/metadata/Metadata.h>
-#include <saml/saml2/metadata/DynamicMetadataProvider.h>
+#include <saml/saml2/metadata/AbstractDynamicMetadataProvider.h>
#include <xmltooling/logging.h>
#include <xmltooling/XMLToolingConfig.h>
@@ -61,7 +61,7 @@ using namespace xmltooling;
using namespace std;
namespace shibsp {
- class SHIBSP_DLLLOCAL DynamicMetadataProvider : public saml2md::DynamicMetadataProvider
+ class SHIBSP_DLLLOCAL DynamicMetadataProvider : public saml2md::AbstractDynamicMetadataProvider
{
public:
DynamicMetadataProvider(const xercesc::DOMElement* e=nullptr);
@@ -95,7 +95,7 @@ namespace shibsp {
};
DynamicMetadataProvider::DynamicMetadataProvider(const DOMElement* e)
- : saml2md::DynamicMetadataProvider(e),
+ : saml2md::AbstractDynamicMetadataProvider(true, e),
m_verifyHost(XMLHelper::getAttrBool(e, true, verifyHost)),
m_ignoreTransport(XMLHelper::getAttrBool(e, false, ignoreTransport)),
m_encoded(true), m_trust(nullptr)
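Review bot: The literal `true` passed to `saml2md::AbstractDynamicMetadataProvider(true, e)` is an unnamed boolean whose meaning is not visible in this hunk, so a reader has to open the parent header to learn what it selects. A trailing comment naming the flag, e.g. `: saml2md::AbstractDynamicMetadataProvider(true /* <name of the flag> */, e),`, or a named constant, would make the initializer self-explanatory. The constructor body continues past the end of the hunk.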
@@ -107,6 +107,10 @@ DynamicMetadataProvider::DynamicMetadataProvider(const DOMElement* e)
m_subst = s.get();
m_encoded = XMLHelper::getAttrBool(child, true, encoded);
m_hashed = XMLHelper::getAttrString(child, nullptr, hashed);
+ if (!m_subst.empty() &&
+ XMLString::startsWithI(m_subst.c_str(), "file://")) {
+ throw ConfigurationException("DynamicMetadataProvider: <Subst> cannot be a file:// URL");
+ }
}
}
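Review bot: In the new `<Subst>` guard, `!m_subst.empty()` is redundant: `XMLString::startsWithI` presumably cannot match the seven-character `file://` prefix against an empty string, so `if (XMLString::startsWithI(m_subst.c_str(), "file://"))` is sufficient and reads more directly. This is also only a prefix test on the template, so a template that begins with the substitution token (e.g. `$entityID/...`) is not rejected here and is caught solely by the resolve-time check; a comment such as `// Static defence only; resolve() re-checks the substituted URL.` would make that division explicit. The enclosing constructor starts before this hunk and continues after it.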
@@ -115,8 +119,13 @@ DynamicMetadataProvider::DynamicMetadataProvider(const DOMElement* e)
if (child && child->hasChildNodes() && child->hasAttributeNS(nullptr, match)) {
m_match = XMLHelper::getAttrString(child, nullptr, match);
auto_ptr_char repl(child->getFirstChild()->getNodeValue());
- if (repl.get() && *repl.get())
+ if (repl.get() && *repl.get()) {
m_regex = repl.get();
+ if (!m_regex.empty() &&
+ XMLString::startsWithI(m_regex.c_str(), "file://")) {
+ throw ConfigurationException("DynamicMetadataProvider: <Regex> cannot be a file:// URL");
+ }
+ }
}
}
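Review bot: `if (!m_regex.empty() && ...)` on the new `<Regex>` path is always entered with a non-empty string, because the assignment sits inside `if (repl.get() && *repl.get())`, so the emptiness test adds nothing and can be dropped: `if (XMLString::startsWithI(m_regex.c_str(), "file://"))`. The replacement string is checked as written, before any capture-group expansion, so a replacement such as `$1` can still yield a `file://` name at lookup time; that is presumably why resolve() re-checks, and a one-line comment saying so would stop a later maintainer from treating this guard as complete. The constructor these lines belong to begins and ends outside the hunk.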
@@ -192,8 +201,7 @@ saml2md::EntityDescriptor* DynamicMetadataProvider::resolve(const saml2md::Metad
}
if (XMLString::startsWithI(name.c_str(), "file://")) {
- MetadataProvider::Criteria baseCriteria(name.c_str());
- return saml2md::DynamicMetadataProvider::resolve(baseCriteria);
+ throw saml2md::MetadataException("Dynamic MetadataProvider: Resolved name cannot start with a file:// ");
}
// Establish networking properties based on calling application.
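Review bot: The new rejection in resolve() is a deny-list on the single prefix `file://`; if the transport beneath this provider accepts other local or non-HTTP schemes (RFC 8089's minimal `file:/path` form, or whatever else the HTTP client library is built with), those still pass through. Unless a non-HTTP scheme is intentionally supported for dynamic metadata, an allow-list is the safer shape: `if (!XMLString::startsWithI(name.c_str(), "http://") && !XMLString::startsWithI(name.c_str(), "https://"))` followed by the same throw. Separately, the message `"Dynamic MetadataProvider: Resolved name cannot start with a file:// "` carries a trailing space and uses a different prefix from the `"DynamicMetadataProvider:"` messages added to the constructor; `"DynamicMetadataProvider: resolved name cannot be a file:// URL"` would be consistent. resolve() continues beyond the hunk.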
--