File fix-DSA-4872.patch of Package shibboleth-sp.20486
diff --git a/configs/native.logger b/configs/native.logger
index 49a5d5ac..e9a43a57 100644
--- a/configs/native.logger
+++ b/configs/native.logger
@@ -8,23 +8,14 @@ log4j.category.XMLTooling.KeyInfoResolver=WARN
log4j.category.Shibboleth.IPRange=WARN
log4j.category.Shibboleth.PropertySet=WARN
-# raise for low-level tracing of SOAP client HTTP/SSL behavior
-log4j.category.XMLTooling.libcurl=WARN
-
# useful categories to tune independently:
#
-# tracing of SAML messages and security policies
-#log4j.category.OpenSAML.MessageDecoder=DEBUG
-#log4j.category.OpenSAML.MessageEncoder=DEBUG
-#log4j.category.OpenSAML.SecurityPolicyRule=DEBUG
# interprocess message remoting
#log4j.category.Shibboleth.Listener=DEBUG
# mapping of requests to applicationId
#log4j.category.Shibboleth.RequestMapper=DEBUG
# high level session cache operations
#log4j.category.Shibboleth.SessionCache=DEBUG
-# persistent storage and caching
-#log4j.category.XMLTooling.StorageService=DEBUG
# define the appender
diff --git a/configs/win-native.logger b/configs/win-native.logger
index f60c6f0d..b95924b2 100644
--- a/configs/win-native.logger
+++ b/configs/win-native.logger
@@ -8,23 +8,14 @@ log4j.category.XMLTooling.KeyInfoResolver=WARN
log4j.category.Shibboleth.IPRange=WARN
log4j.category.Shibboleth.PropertySet=WARN
-# raise for low-level tracing of SOAP client HTTP/SSL behavior
-log4j.category.XMLTooling.libcurl=WARN
-
# useful categories to tune independently:
#
-# tracing of SAML messages and security policies
-#log4j.category.OpenSAML.MessageDecoder=DEBUG
-#log4j.category.OpenSAML.MessageEncoder=DEBUG
-#log4j.category.OpenSAML.SecurityPolicyRule=DEBUG
# interprocess message remoting
#log4j.category.Shibboleth.Listener=DEBUG
# mapping of requests to applicationId
#log4j.category.Shibboleth.RequestMapper=DEBUG
# high level session cache operations
#log4j.category.Shibboleth.SessionCache=DEBUG
-# persistent storage and caching
-#log4j.category.XMLTooling.StorageService=DEBUG
# define the appender
diff --git a/iis7_shib/IIS7Request.cpp b/iis7_shib/IIS7Request.cpp
index 658fb3d0..0f1cbd92 100644
--- a/iis7_shib/IIS7Request.cpp
+++ b/iis7_shib/IIS7Request.cpp
@@ -268,6 +268,15 @@ string IIS7Request::getRemoteAddr() const
string IIS7Request::getSecureHeader(const char* name) const
{
+ if (m_useVariables) {
+ PCSTR p;
+ DWORD len;
+ HRESULT hr = m_ctx->GetServerVariable(name, &p, &len);
+ if (SUCCEEDED(hr)) {
+ return (nullptr == p) ? "" : p;
+ }
+ return "";
+ }
PCSTR p = m_request->GetHeader(g_bSafeHeaderNames ? makeSafeHeader(name).c_str() : name);
return (nullptr == p) ? "" : p;
}
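Review bot: In the added `m_useVariables` branch of getSecureHeader, `p` and `len` are handed to GetServerVariable uninitialised, and a failed HRESULT is folded into the same empty string as an absent value. Initialise the locals (`PCSTR p = nullptr; DWORD len = 0;`) and collapse the two returns into `return (SUCCEEDED(hr) && p) ? p : "";`, logging the failure if the request object has a logger available. It would also help to add a comment such as `// variables mode: name is looked up as a server variable as-is, no makeSafeHeader() mapping`, because the header path below applies that mapping and this branch does not.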
diff --git a/shibsp/handler/impl/SAML2Logout.cpp b/shibsp/handler/impl/SAML2Logout.cpp
index f07eef17..f9d3abd3 100644
--- a/shibsp/handler/impl/SAML2Logout.cpp
+++ b/shibsp/handler/impl/SAML2Logout.cpp
@@ -646,8 +646,8 @@ pair<bool,long> SAML2Logout::sendResponse(
}
}
if (!ep || !encoder) {
- auto_ptr_char id(dynamic_cast<EntityDescriptor*>(role->getParent())->getEntityID());
- m_log.error("unable to locate compatible SLO service for provider (%s)", id.get());
+ auto_ptr_char id(role ? dynamic_cast<EntityDescriptor*>(role->getParent())->getEntityID() : nullptr);
+ m_log.error("unable to locate compatible SLO service for provider (%s)", id.get() ? id.get() : "unknown");
MetadataException ex("Unable to locate endpoint at IdP ($entityID) to send LogoutResponse.");
annotateException(&ex, role); // throws it
}
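Review bot: The new `role ?` guard on the `auto_ptr_char id(...)` line covers a null `role`, but the result of `dynamic_cast<EntityDescriptor*>(role->getParent())` is still dereferenced unchecked, so a parent that is null or not an EntityDescriptor would still crash on `->getEntityID()`. Hold the cast in a local and test it: `const EntityDescriptor* e = role ? dynamic_cast<EntityDescriptor*>(role->getParent()) : nullptr;` then `auto_ptr_char id(e ? e->getEntityID() : nullptr);`. The same pattern appears in the matching `if (!ep || !encoder)` hunk of SAML2NameIDMgmt::sendResponse. `annotateException(&ex, role)` is still called with a possibly null `role`; its null handling is not visible here and should be confirmed. sendResponse begins and ends outside this hunk.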
@@ -667,7 +667,8 @@ pair<bool,long> SAML2Logout::sendResponse(
}
Issuer* issuer = IssuerBuilder::buildIssuer();
logout->setIssuer(issuer);
- issuer->setName(application.getRelyingParty(dynamic_cast<EntityDescriptor*>(role->getParent()))->getXMLString("entityID").second);
+ issuer->setName(application.getRelyingParty(role ? dynamic_cast<EntityDescriptor*>(role->getParent()) :
+ nullptr)->getXMLString("entityID").second);
fillStatus(*logout, code, subcode, msg);
XMLCh* msgid = SAMLConfig::getConfig().generateIdentifier();
logout->setID(msgid);
@@ -675,7 +676,7 @@ pair<bool,long> SAML2Logout::sendResponse(
logout->setIssueInstant(time(nullptr));
if (logoutEvent) {
- logoutEvent->m_peer = dynamic_cast<EntityDescriptor*>(role->getParent());
+ logoutEvent->m_peer = role ? dynamic_cast<EntityDescriptor*>(role->getParent()) : nullptr;
logoutEvent->m_saml2Response = logout.get();
application.getServiceProvider().getTransactionLog()->write(*logoutEvent);
}
diff --git a/shibsp/handler/impl/SAML2NameIDMgmt.cpp b/shibsp/handler/impl/SAML2NameIDMgmt.cpp
index ae93adf9..2301debe 100644
--- a/shibsp/handler/impl/SAML2NameIDMgmt.cpp
+++ b/shibsp/handler/impl/SAML2NameIDMgmt.cpp
@@ -286,7 +286,8 @@ pair<bool,long> SAML2NameIDMgmt::doRequest(const Application& application, HTTPR
);
}
- EntityDescriptor* entity = policy->getIssuerMetadata() ? dynamic_cast<EntityDescriptor*>(policy->getIssuerMetadata()->getParent()) : nullptr;
+ EntityDescriptor* entity = policy->getIssuerMetadata() ?
+ dynamic_cast<EntityDescriptor*>(policy->getIssuerMetadata()->getParent()) : nullptr;
scoped_ptr<XMLObject> decryptedID;
NameID* nameid = mgmtRequest->getNameID();
@@ -485,8 +486,8 @@ pair<bool,long> SAML2NameIDMgmt::sendResponse(
}
}
if (!ep || !encoder) {
- auto_ptr_char id(dynamic_cast<EntityDescriptor*>(role->getParent())->getEntityID());
- m_log.error("unable to locate compatible NIM service for provider (%s)", id.get());
+ auto_ptr_char id(role ? dynamic_cast<EntityDescriptor*>(role->getParent())->getEntityID() : nullptr);
+ m_log.error("unable to locate compatible NIM service for provider (%s)", id.get() ? id.get() : "unknown");
MetadataException ex("Unable to locate endpoint at IdP ($entityID) to send ManageNameIDResponse.");
annotateException(&ex, role); // throws it
}
@@ -506,7 +507,8 @@ pair<bool,long> SAML2NameIDMgmt::sendResponse(
}
Issuer* issuer = IssuerBuilder::buildIssuer();
nim->setIssuer(issuer);
- issuer->setName(application.getRelyingParty(dynamic_cast<EntityDescriptor*>(role->getParent()))->getXMLString("entityID").second);
+ issuer->setName(application.getRelyingParty(role ? dynamic_cast<EntityDescriptor*>(role->getParent()) :
+ nullptr)->getXMLString("entityID").second);
fillStatus(*nim, code, subcode, msg);
auto_ptr_char dest(nim->getDestination());
diff --git a/shibsp/impl/StorageServiceSessionCache.cpp b/shibsp/impl/StorageServiceSessionCache.cpp
index 2bc74108..a8d5c64b 100644
--- a/shibsp/impl/StorageServiceSessionCache.cpp
+++ b/shibsp/impl/StorageServiceSessionCache.cpp
@@ -1148,6 +1148,12 @@ bool SSCache::recover(const Application& app, const char* key, const char* data)
else {
// We're out of process, so we can recover the session.
#ifndef SHIBSP_LITE
+ const DataSealer* sealer = XMLToolingConfig::getConfig().getDataSealer();
+ if (!sealer) {
+ m_log.warn("can't attempt recovery of session (%s), no DataSealer configured", key);
+ return false;
+ }
+
m_log.debug("checking for revocation of session (%s)", key);
try {
if (m_storage_lite->readString("Revoked", key) > 0) {
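Review bot: The added `m_log.warn(... "(%s)" ..., key)` writes the session key at WARN, while the neighbouring trace of the same key stays at debug. If `key` is the client-presented session identifier (its origin is outside this hunk), every request carrying a stale or invented cookie adds a WARN line on a deployment with no DataSealer, and the identifier lands in default-level logs. Consider keeping the key at debug and logging the missing-DataSealer condition without it, e.g. `m_log.warn("session recovery unavailable, no DataSealer configured");` followed by `m_log.debug("skipping recovery of session (%s)", key);`. The enclosing recover() body continues outside the hunk.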
@@ -1174,7 +1180,7 @@ bool SSCache::recover(const Application& app, const char* key, const char* data)
try {
dup = strdup(data);
XMLToolingConfig::getConfig().getURLEncoder()->decode(dup);
- unwrapped = XMLToolingConfig::getConfig().getDataSealer()->unwrap(dup);
+ unwrapped = sealer->unwrap(dup);
free(dup);
stringstream str(unwrapped);
diff --git a/shibsp/impl/XMLServiceProvider.cpp b/shibsp/impl/XMLServiceProvider.cpp
index c20492b4..9b58543c 100644
--- a/shibsp/impl/XMLServiceProvider.cpp
+++ b/shibsp/impl/XMLServiceProvider.cpp
@@ -883,15 +883,31 @@ Remoted* XMLConfig::lookupListener(const char* address) const
if (i != m_listenerMap.end())
return i->second.first ? i->second.first : i->second.second;
+ locker.release()->unlock(); // free up the listener map
+
+ // Start iterating at slash boundaries.
+ const char* slash = strstr(address, "/");
+ while (slash) {
+ string appId(address, slash - address);
+ if (getApplication(appId.c_str())) {
+ SharedLock sublocker(m_listenerLock, true); // relock and check again
+ i = m_listenerMap.find(address);
+ if (i != m_listenerMap.end())
+ return i->second.first ? i->second.first : i->second.second;
+ }
+ slash = strstr(slash + 1, "/");
+ }
+
+ // Try a search based on the colons, which handles no embedded slashes in the address.
const char* colons = strstr(address, "::");
if (colons) {
string appId(address, colons - address);
- locker.release()->unlock(); // free up the listener map
- getApplication(appId.c_str());
- SharedLock sublocker(m_listenerLock, true); // relock and check again
- i = m_listenerMap.find(address);
- if (i != m_listenerMap.end())
- return i->second.first ? i->second.first : i->second.second;
+ if (getApplication(appId.c_str())) {
+ SharedLock sublocker(m_listenerLock, true); // relock and check again
+ i = m_listenerMap.find(address);
+ if (i != m_listenerMap.end())
+ return i->second.first ? i->second.first : i->second.second;
+ }
}
return nullptr;
}
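Review bot: The relock-and-lookup sequence (`SharedLock sublocker(...)`, `m_listenerMap.find(address)`, the conditional return) now appears twice in the added code, in addition to the initial lookup above it. A small local helper or lambda for it would keep the three lookups from drifting apart. The slash scan can use `strchr(address, '/')` instead of `strstr(address, "/")`. It also deserves a comment noting that an address with a leading `/` produces an empty `appId`, and that `getApplication()` is called once per slash in a string that may come from a remoted message, so the cost of a lookup miss grows with the number of slashes. lookupListener starts before this hunk, so the declaration of `locker` and the null handling of `address` are not visible here.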
--- shibboleth-sp-3.1.0.orig/shibsp/impl/XMLRequestMapper.cpp
+++ shibboleth-sp-3.1.0/shibsp/impl/XMLRequestMapper.cpp
@@ -371,7 +371,7 @@ const Override* Override::locate(const H
// path parameter starts with the entire request path and
// we can skip the leading slash as irrelevant.
const char* path = request.getRequestURI();
- if (*path == '/')
+ if (path && *path == '/')
path++;
// Now we copy the path, chop the query string, and possibly lower case it.
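Review bot: The added `path &&` test only protects the `*path` dereference on this line. The copy announced by the following comment lies outside the hunk, and if it constructs a string from `path` it would still be handed a null pointer whenever getRequestURI() returns none. Normalising once, right after the call, covers both uses: `if (!path) path = "";` placed before the slash check. Whether an early return is the better reaction to a missing URI depends on the rest of Override::locate, which is not visible here.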