https://issues.shibboleth.net/jira/browse/SSPCPP-255 2.3
authorScott Cantor <cantor.2@osu.edu>
Wed, 4 Nov 2009 15:13:53 +0000 (15:13 +0000)
committerScott Cantor <cantor.2@osu.edu>
Wed, 4 Nov 2009 15:13:53 +0000 (15:13 +0000)
configure.ac
schemas/shibboleth-2.0-native-sp-config.xsd
shibsp/handler/impl/AbstractHandler.cpp
shibsp/impl/XMLServiceProvider.cpp

index 32b5c4d..7265638 100644 (file)
@@ -258,6 +258,20 @@ LITE_LIBS="-lxmltooling-lite"
 XMLSEC_LIBS="-lxmltooling"
 AC_CHECK_HEADER([xmltooling/base.h],,
                 AC_MSG_ERROR([unable to find xmltooling header files]))
+                
+
+# save and append master libs
+save_LIBS="$LIBS"
+LIBS="$XMLSEC_LIBS $LIBS"
+
+AC_TRY_LINK(
+    [#include <xmltooling/io/HTTPResponse.h>],
+    [xmltooling::HTTPResponse::sanitizeURL("http://test")],
+    [AC_DEFINE(HAVE_XMLTOOLING,1,[Define if xmltooling library was found])],
+    [AC_MSG_ERROR([unable to link with XMLTooling, or version was too old])])
+
+# restore master libs
+LIBS="$save_LIBS"
 
 # Establish location of xmltooling catalog.
 XMLTOOLINGXMLDIR=""
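Review bot: The link probe is written with AC_TRY_LINK, which current autoconf marks obsolete, so the same check should be `AC_LINK_IFELSE([AC_LANG_PROGRAM([#include <xmltooling/io/HTTPResponse.h>],[xmltooling::HTTPResponse::sanitizeURL("http://test")])], [AC_DEFINE(HAVE_XMLTOOLING,1,[Define if xmltooling library was found])], [AC_MSG_ERROR([unable to link with XMLTooling, or version was too old])])`. The test body is C++, so it links only if the active autoconf language is C++ at this point; the lines before the hunk are not visible, so if an AC_LANG_PUSH([C++]) is not already in effect the probe should be bracketed with AC_LANG_PUSH/AC_LANG_POP. A one-line comment above the probe, `# sanitizeURL() first appeared in the xmltooling release this version requires`, would explain why that particular symbol stands in for a version check and why the failure text mentions "too old". The trailing whitespace on the added blank line after the header check can be dropped.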
index 1e766d8..7b54585 100644 (file)
@@ -88,6 +88,7 @@
                        <attribute name="logger" type="anyURI"/>
                        <attribute name="clockSkew" type="unsignedInt"/>
             <attribute name="unsafeChars" type="conf:string"/>
+            <attribute name="allowedSchemes" type="conf:listOfStrings"/>
                        <anyAttribute namespace="##other" processContents="lax"/>
                </complexType>
        </element>
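Review bot: The new allowedSchemes attribute carries no documentation, and what applies when it is omitted is decided by xmltooling rather than anything visible in this commit. The neighbouring attributes are also undocumented, so this is a style point, but for a setting that restricts which URL schemes the SP will emit in redirects and POST forms, an `<annotation><documentation>` stating that the value is a whitespace-separated list of scheme names and that omitting it keeps the library default in force would help deployers get it right. The element enclosing this complexType begins outside the hunk.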
index dab28d8..d1c8d58 100644 (file)
@@ -589,6 +589,8 @@ long AbstractHandler::sendPostResponse(
     const Application& application, HTTPResponse& httpResponse, const char* url, DDF& postData
     ) const
 {
+    HTTPResponse::sanitizeURL(url);
+
     const PropertySet* props=application.getPropertySet("Sessions");
     pair<bool,const char*> postTemplate = props->getString("postTemplate");
     if (!postTemplate.first)
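Review bot: The added `HTTPResponse::sanitizeURL(url);` discards its result, so the guard only protects the POST template if sanitizeURL throws on a disallowed scheme; if it signals failure through its return value instead, this line is a no-op and the unchecked url still reaches the template below. That behaviour lives in xmltooling and is not visible here, so please confirm it and record it at the call site, e.g. `// Throws if url's scheme is not in allowedSchemes; must run before url is embedded in the template.` It is also worth confirming that sanitizeURL tolerates a null `url`, since nothing in this function checks it first. The body of sendPostResponse continues past the hunk.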
index 79c62ed..ae94a16 100644 (file)
@@ -69,6 +69,7 @@
 # include <saml/saml2/metadata/MetadataProvider.h>
 # include <saml/util/SAMLConstants.h>
 # include <xmltooling/security/CredentialResolver.h>
+# include <xmltooling/security/SecurityHelper.h>
 # include <xmltooling/security/TrustEngine.h>
 # include <xmltooling/util/ReplayCache.h>
 # include <xmltooling/util/StorageService.h>
@@ -116,7 +117,11 @@ namespace {
             index = props->getInt("artifactEndpointIndex");
             if (!index.first)
                 index = getArtifactEndpointIndex();
-            return new SAML2ArtifactType0004(SAMLConfig::getConfig().hashSHA1(props->getString("entityID").second),index.first ? index.second : 1);
+            pair<bool,const char*> entityID = props->getString("entityID");
+            return new SAML2ArtifactType0004(
+                SecurityHelper::doHash("SHA1", entityID.second, strlen(entityID.second), false),
+                index.first ? index.second : 1
+                );
         }
 
         MetadataProvider* getMetadataProvider(bool required=true) const {
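Review bot: `entityID.second` is handed to strlen without testing `entityID.first`, so a configuration with no entityID dereferences a null pointer inside the hash call rather than producing a configuration error. The replaced line had the same gap, but now that the pair is held in a local the guard is one line: `if (!entityID.first) throw ConfigurationException("Artifact generation requires an entityID.");` before the return, using whichever configuration exception type this file already throws if that is not it. The enclosing function begins outside the hunk.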
@@ -1318,6 +1323,20 @@ XMLConfigImpl::XMLConfigImpl(const DOMElement* e, bool first, const XMLConfig* o
             if (unsafe.first)
                 TemplateEngine::unsafe_chars = unsafe.second;
 
+            unsafe = getString("allowedSchemes");
+            if (unsafe.first) {
+                HTTPResponse::getAllowedSchemes().clear();
+                string schemes=unsafe.second;
+                unsigned int j_sch=0;
+                for (unsigned int i_sch=0;  i_sch < schemes.length();  i_sch++) {
+                    if (schemes.at(i_sch)==' ') {
+                        HTTPResponse::getAllowedSchemes().push_back(schemes.substr(j_sch, i_sch-j_sch));
+                        j_sch = i_sch + 1;
+                    }
+                }
+                HTTPResponse::getAllowedSchemes().push_back(schemes.substr(j_sch, schemes.length()-j_sch));
+            }
+
             // Extensions
             doExtensions(e, "global", log);
             if (conf.isEnabled(SPConfig::OutOfProcess))
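Review bot: The hand-rolled split in the allowedSchemes loop breaks only on a single space, so two consecutive spaces, a leading or trailing space, or a tab or newline separator (all legal in the xs:list value the schema declares) leave empty or merged scheme entries in HTTPResponse::getAllowedSchemes(); an empty entry is at best noise and at worst an unintended match, depending on how sanitizeURL compares schemes, which is not visible here. Splitting with an istringstream skips whitespace runs and drops the index bookkeeping; it needs <sstream>, which this hunk does not show as included. Reusing the `unsafe` pair for a property that is not unsafeChars also hurts readability, so a separate local is clearer. Note too that getAllowedSchemes() appears to be process-wide mutable state cleared and refilled here during configuration load; if a reload can run concurrently with request threads calling sanitizeURL, that needs to be confirmed. The enclosing constructor body continues outside the hunk.
```cpp
            pair<bool,const char*> allowed = getString("allowedSchemes");
            if (allowed.first) {
                HTTPResponse::getAllowedSchemes().clear();
                // xs:list separators are any whitespace; operator>> skips runs of it,
                // so neither empty entries nor tab-joined schemes can get in.
                istringstream schemeList(allowed.second);
                string scheme;
                while (schemeList >> scheme)
                    HTTPResponse::getAllowedSchemes().push_back(scheme);
            }
```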