https://issues.shibboleth.net/jira/browse/SSPCPP-255

[shibboleth/cpp-sp.git] / apache / mod_apache.cpp

diff --git a/apache/mod_apache.cpp b/apache/mod_apache.cpp
index 65066d9..e6ca506 100644 (file)
--- a/apache/mod_apache.cpp
+++ b/apache/mod_apache.cpp
@@ -69,6 +69,7 @@ namespace {
     char* g_szSchemaDir = NULL;
     ShibTargetConfig* g_Config = NULL;
     string g_unsetHeaderValue,g_spoofKey;
+    set<string> g_allowedSchemes;
     bool g_checkSpoofing = true;
     bool g_catchAll = true;
     static const char* g_UserDataKey = "_shib_check_user_";
@@ -459,9 +460,12 @@ public:
     const string& content_type="text/html",
        const Iterator<header_t>& headers=EMPTY(header_t)
     ) {
+    checkString(content_type, "Detected control character in a response header.");
     m_req->content_type = ap_psprintf(m_req->pool, content_type.c_str());
     while (headers.hasNext()) {
         const header_t& h=headers.next();
+        checkString(h.first, "Detected control character in a response header.");
+        checkString(h.second, "Detected control character in a response header.");
         ap_table_set(m_req->headers_out, h.first.c_str(), h.second.c_str());
     }
     ap_send_http_header(m_req);
@@ -469,6 +473,9 @@ public:
     return (void*)((code==200) ? DONE : code);
   }
   virtual void* sendRedirect(const string& url) {
+    checkString(url, "Detected control character in an attempted redirect.");
+    if (g_allowedSchemes.find(url.substr(0, url.find(':'))) == g_allowedSchemes.end())
+        throw FatalProfileException("Invalid scheme in attempted redirect.");
     ap_table_set(m_req->headers_out, "Location", url.c_str());
     return (void*)REDIRECT;
   }
@@ -481,6 +488,15 @@ public:
   shib_server_config* m_sc;
   shib_request_config* m_rc;
   set<string> m_allhttp;
+
+private:
+  void checkString(const string& s, const char* msg) {
+    string::const_iterator e = s.end();
+    for (string::const_iterator i=s.begin(); i!=e; ++i) {
+        if (iscntrl(*i))
+            throw FatalProfileException(msg);
+    }
+  }
 };
 
 /********************************************************************************/
@@ -1137,14 +1153,30 @@ extern "C" void shib_child_init(apr_pool_t* p, server_rec* s)
         saml::Locker locker(conf);
         const IPropertySet* props=conf->getPropertySet("Local");
         if (props) {
-            pair<bool,const char*> unsetValue=props->getString("unsetHeaderValue");
-            if (unsetValue.first)
-                g_unsetHeaderValue = unsetValue.second;
+            pair<bool,const char*> str=props->getString("unsetHeaderValue");
+            if (str.first)
+                g_unsetHeaderValue = str.second;
+            str=props->getString("allowedSchemes");
+            if (str.first) {
+                string schemes=str.second;
+                unsigned int j=0;
+                for (unsigned int i=0;  i < schemes.length();  i++) {
+                    if (schemes.at(i)==' ') {
+                        g_allowedSchemes.insert(schemes.substr(j, i-j));
+                        j = i+1;
+                    }
+                }
+                g_allowedSchemes.insert(schemes.substr(j, schemes.length()-j));
+            }
             pair<bool,bool> flag=props->getBool("checkSpoofing");
             g_checkSpoofing = !flag.first || flag.second;
             flag=props->getBool("catchAll");
             g_catchAll = !flag.first || flag.second;
         }
+        if (g_allowedSchemes.empty()) {
+            g_allowedSchemes.insert("https");
+            g_allowedSchemes.insert("http");
+        }
     }
     catch (exception&) {
         ap_log_error(APLOG_MARK,APLOG_CRIT|APLOG_NOERRNO,SH_AP_R(s),"shib_child_init() failed to initialize system");