#define PACKAGE_NAME "xmltooling"
/* Define to the full name and version of this package. */
-#define PACKAGE_STRING "xmltooling 1.3"
+#define PACKAGE_STRING "xmltooling 1.3.1"
/* Define to the one symbol short name of this package. */
#define PACKAGE_TARNAME "xmltooling"
/* Define to the version of this package. */
-#define PACKAGE_VERSION "1.3"
+#define PACKAGE_VERSION "1.3.1"
/* Define to the necessary symbol if this constant uses a non-standard name on
your system. */
/* #undef TM_IN_SYS_TIME */
/* Version number of package */
-#define VERSION "1.3"
+#define VERSION "1.3.1"
/* Define if you wish to disable XML-Security-dependent features. */
/* #undef XMLTOOLING_NO_XMLSEC */
AC_PREREQ([2.50])
-AC_INIT([xmltooling], [1.3], [mace-opensaml-users@internet2.edu], [xmltooling])
+AC_INIT([xmltooling], [1.3.1], [mace-opensaml-users@internet2.edu], [xmltooling])
AM_CONFIG_HEADER(config.h)
AM_CONFIG_HEADER(xmltooling/config_pub.h)
-AM_INIT_AUTOMAKE([xmltooling], [1.3])
+AM_INIT_AUTOMAKE([xmltooling], [1.3.1])
sinclude(doxygen.m4)
sinclude(acx_pthread.m4)
-VERSION 1.3
+VERSION 1.3.1
Issues addressed by this release:
---------------------------------
-https://bugs.internet2.edu/jira/browse/CPPXT/fixforversion/10253
+https://bugs.internet2.edu/jira/browse/CPPXT/fixforversion/10269
Documentation:
--------------
void XMLObject::releaseThisandParentDOM() const
{
- if (getDOM()) {
- releaseDOM();
- releaseParentDOM(true);
- }
+ releaseDOM();
+ releaseParentDOM(true);
}
void XMLObject::releaseThisAndChildrenDOM() const
{
- if (getDOM()) {
- releaseChildrenDOM(true);
- releaseDOM();
- }
+ releaseChildrenDOM(true);
+ releaseDOM();
}
AbstractXMLObject::AbstractXMLObject(const XMLCh* nsURI, const XMLCh* localName, const XMLCh* prefix, const QName* schemaType)
libxmltooling_lite_la_SOURCES = \
${common_sources}
libxmltooling_lite_la_CPPFLAGS = -DXMLTOOLING_LITE
-libxmltooling_lite_la_LDFLAGS = -version-info 4:0:0
+libxmltooling_lite_la_LDFLAGS = -version-info 4:1:0
if BUILD_XMLSEC
-libxmltooling_la_LDFLAGS = $(XMLSEC_LIBS) -version-info 4:0:0
+libxmltooling_la_LDFLAGS = $(XMLSEC_LIBS) -version-info 4:1:0
libxmltooling_la_SOURCES = \
${common_sources} \
${xmlsec_sources}
#include "encryption/Encryption.h"
#include "encryption/Encrypter.h"
#include "impl/UnknownElement.h"
+#include "io/HTTPResponse.h"
#include "security/TrustEngine.h"
#include "security/OpenSSLCryptoX509CRL.h"
#include "security/CredentialResolver.h"
# include <log4cpp/OstreamAppender.hh>
#endif
#include <xercesc/util/PlatformUtils.hpp>
+#include <xercesc/util/XMLUniDefs.hpp>
#ifndef XMLTOOLING_NO_XMLSEC
# include <curl/curl.h>
# include <openssl/err.h>
m_pathResolver = new PathResolver();
m_urlEncoder = new URLEncoder();
+ HTTPResponse::getAllowedSchemes().push_back("https");
+ HTTPResponse::getAllowedSchemes().push_back("http");
+
// Register xml:id as an ID attribute.
static const XMLCh xmlid[] = UNICODE_LITERAL_2(i,d);
AttributeExtensibleXMLObject::registerIDAttribute(QName(xmlconstants::XML_NS, xmlid));
#include "HTTPResponse.h"
using namespace xmltooling;
-using std::istream;
+using namespace std;
GenericResponse::GenericResponse()
{
{
}
+vector<string> HTTPResponse::m_allowedSchemes;
+
+vector<string>& HTTPResponse::getAllowedSchemes()
+{
+ return m_allowedSchemes;
+}
+
+void HTTPResponse::sanitizeURL(const char* url)
+{
+ const char* ch;
+ for (ch=url; *ch; ++ch) {
+ if (iscntrl(*ch))
+ throw IOException("URL contained a control character.");
+ }
+
+ ch = strchr(url, ':');
+ if (!ch)
+ throw IOException("URL is malformed.");
+ string s(url, ch - url);
+ for (vector<string>::const_iterator i = m_allowedSchemes.begin(); i != m_allowedSchemes.end(); ++i) {
+#ifdef HAVE_STRCASECMP
+ if (!strcasecmp(s.c_str(), i->c_str()))
+#else
+ if (!stricmp(s.c_str(), i->c_str()))
+#endif
+ return;
+ }
+
+ throw IOException("URL contains invalid scheme ($1).", params(1, s.c_str()));
+}
+
HTTPResponse::HTTPResponse()
{
}
void HTTPResponse::setCookie(const char* name, const char* value)
{
- std::string cookie(name);
+ string cookie(name);
cookie = cookie + '=' + value;
setResponseHeader("Set-Cookie", cookie.c_str());
}
+void HTTPResponse::setResponseHeader(const char* name, const char* value)
+{
+ for (const char* ch=name; *ch; ++ch) {
+ if (iscntrl(*ch))
+ throw IOException("Response header name contained a control character.");
+ }
+
+ for (const char* ch=value; *ch; ++ch) {
+ if (iscntrl(*ch))
+ throw IOException("Value for response header ($1) contained a control character.", params(1,name));
+ }
+}
+
+long HTTPResponse::sendRedirect(const char* url)
+{
+ sanitizeURL(url);
+ return XMLTOOLING_HTTP_STATUS_MOVED;
+}
+
long HTTPResponse::sendError(istream& inputStream)
{
return sendResponse(inputStream, XMLTOOLING_HTTP_STATUS_ERROR);
#include <xmltooling/io/GenericResponse.h>
+#include <string>
+#include <vector>
+
namespace xmltooling {
-
+
+#if defined (_MSC_VER)
+ #pragma warning( push )
+ #pragma warning( disable : 4251 )
+#endif
+
/**
* Interface to HTTP response.
*
* @param name header name
* @param value value to set, or NULL to clear
*/
- virtual void setResponseHeader(const char* name, const char* value)=0;
+ virtual void setResponseHeader(const char* name, const char* value);
/**
* Sets a client cookie.
/**
* Redirect the client to the specified URL and complete the response.
- * Any headers previously set will be sent ahead of the redirect.
*
+ * <p>Any headers previously set will be sent ahead of the redirect.
+ *
+ * <p>The URL will be validated with the sanitizeURL method below.
+ *
* @param url location to redirect client
* @return a result code to return from the calling MessageEncoder
*/
- virtual long sendRedirect(const char* url)=0;
+ virtual long sendRedirect(const char* url);
/** Some common HTTP status codes. */
enum status_t {
using GenericResponse::sendResponse;
long sendResponse(std::istream& inputStream);
+
+ /**
+ * Returns a modifiable array of schemes to permit in sanitized URLs.
+ *
+ * <p>Updates to this array must be externally synchronized with any use
+ * of this class or its subclasses.
+ *
+ * @return a mutable array of strings containing the schemes to permit
+ */
+ static std::vector<std::string>& getAllowedSchemes();
+
+ /**
+ * Manually check for unsafe URLs vulnerable to injection attacks.
+ *
+ * @param url location to check
+ */
+ static void sanitizeURL(const char* url);
+
+ private:
+ static std::vector<std::string> m_allowedSchemes;
};
+
+#if defined (_MSC_VER)
+ #pragma warning( pop )
+#endif
};
#endif /* __xmltooling_httpres_h__ */
* Encapsulates OpenSSL-capable SOAP transport layer.
*/
-#ifndef __xmltooling_opensslsoaptrans_h__
+#if !defined(__xmltooling_opensslsoaptrans_h__) && !defined(XMLTOOLING_NO_XMLSEC)
#define __xmltooling_opensslsoaptrans_h__
#include <xmltooling/soap/SOAPTransport.h>
g_CURLPool = NULL;
}
-SOAPTransport::SOAPTransport()
-{
-}
-
-SOAPTransport::~SOAPTransport()
-{
-}
-
-bool SOAPTransport::setProviderOption(const char* provider, const char* option, const char* value)
-{
- return false;
-}
-
-HTTPSOAPTransport::HTTPSOAPTransport()
-{
-}
-
-HTTPSOAPTransport::~HTTPSOAPTransport()
-{
-}
-
OpenSSLSOAPTransport::OpenSSLSOAPTransport()
{
}
#include "internal.h"
#include "exceptions.h"
#include "logging.h"
+#include "soap/HTTPSOAPTransport.h"
#include "soap/SOAP.h"
#include "soap/SOAPClient.h"
#include "util/XMLHelper.h"
using namespace xercesc;
using namespace std;
+SOAPTransport::SOAPTransport()
+{
+}
+
+SOAPTransport::~SOAPTransport()
+{
+}
+
+bool SOAPTransport::setProviderOption(const char* provider, const char* option, const char* value)
+{
+ return false;
+}
+
+HTTPSOAPTransport::HTTPSOAPTransport()
+{
+}
+
+HTTPSOAPTransport::~HTTPSOAPTransport()
+{
+}
+
SOAPClient::SOAPClient(bool validate) : m_validate(validate), m_transport(NULL)
{
}
/*
- * Copyright 2001-2007 Internet2
+ * Copyright 2001-2009 Internet2
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
#define XMLTOOLING_VERSION_MAJOR 1
#define XMLTOOLING_VERSION_MINOR 3
-#define XMLTOOLING_VERSION_REVISION 0
+#define XMLTOOLING_VERSION_REVISION 1
/** DO NOT MODIFY BELOW THIS LINE */
>\r
</File>\r
<File\r
- RelativePath=".\soap\OpenSSLSOAPTransport.h"\r
- >\r
- </File>\r
- <File\r
RelativePath=".\soap\SOAP.h"\r
>\r
</File>\r
//\r
\r
VS_VERSION_INFO VERSIONINFO\r
- FILEVERSION 1,3,0,0\r
- PRODUCTVERSION 2,2,1,0\r
+ FILEVERSION 1,3,1,0\r
+ PRODUCTVERSION 2,3,0,0\r
FILEFLAGSMASK 0x3fL\r
#ifdef _DEBUG\r
FILEFLAGS 0x1L\r
#else\r
VALUE "FileDescription", "OpenSAML XMLTooling Library\0"\r
#endif\r
- VALUE "FileVersion", "1, 3, 0, 0\0"\r
+ VALUE "FileVersion", "1, 3, 1, 0\0"\r
#ifdef XMLTOOLING_LITE\r
#ifdef _DEBUG\r
VALUE "InternalName", "xmltooling-lite1_3D\0"\r
#endif\r
#endif\r
VALUE "PrivateBuild", "\0"\r
- VALUE "ProductName", "OpenSAML 2.2.1\0"\r
- VALUE "ProductVersion", "2, 2, 1, 0\0"\r
+ VALUE "ProductName", "OpenSAML 2.3\0"\r
+ VALUE "ProductVersion", "2, 3, 0, 0\0"\r
VALUE "SpecialBuild", "\0"\r
END\r
END\r
projects / shibboleth / xmltooling.git / commitdiff