From 778e20c5524f414d5c42b9923e1f5dbd2521c21a Mon Sep 17 00:00:00 2001 From: cantor Date: Fri, 6 Nov 2009 19:33:34 +0000 Subject: [PATCH] Tagging 1.3.1 release. git-svn-id: https://svn.middleware.georgetown.edu/cpp-xmltooling/tags/1.3.1@681 de75baf8-a10c-0410-a50a-987c0e22f00f --- config_win32.h | 6 ++-- configure.ac | 4 +-- doc/README.txt | 4 +-- xmltooling/AbstractXMLObject.cpp | 12 +++---- xmltooling/Makefile.am | 4 +-- xmltooling/XMLToolingConfig.cpp | 5 +++ xmltooling/io/HTTPResponse.cpp | 54 ++++++++++++++++++++++++++++-- xmltooling/io/HTTPResponse.h | 43 +++++++++++++++++++++--- xmltooling/soap/OpenSSLSOAPTransport.h | 2 +- xmltooling/soap/impl/CURLSOAPTransport.cpp | 21 ------------ xmltooling/soap/impl/SOAPClient.cpp | 22 ++++++++++++ xmltooling/version.h | 4 +-- xmltooling/xmltooling-lite.vcproj | 4 --- xmltooling/xmltooling.rc | 10 +++--- 14 files changed, 139 insertions(+), 56 deletions(-) diff --git a/config_win32.h b/config_win32.h index 20e9b0a..220f1ac 100644 --- a/config_win32.h +++ b/config_win32.h @@ -90,13 +90,13 @@ #define PACKAGE_NAME "xmltooling" /* Define to the full name and version of this package. */ -#define PACKAGE_STRING "xmltooling 1.3" +#define PACKAGE_STRING "xmltooling 1.3.1" /* Define to the one symbol short name of this package. */ #define PACKAGE_TARNAME "xmltooling" /* Define to the version of this package. */ -#define PACKAGE_VERSION "1.3" +#define PACKAGE_VERSION "1.3.1" /* Define to the necessary symbol if this constant uses a non-standard name on your system. */ @@ -109,7 +109,7 @@ /* #undef TM_IN_SYS_TIME */ /* Version number of package */ -#define VERSION "1.3" +#define VERSION "1.3.1" /* Define if you wish to disable XML-Security-dependent features. */ /* #undef XMLTOOLING_NO_XMLSEC */ diff --git a/configure.ac b/configure.ac index 7e0d730..73bbd57 100644 --- a/configure.ac +++ b/configure.ac 
@@ -1,8 +1,8 @@ AC_PREREQ([2.50]) -AC_INIT([xmltooling], [1.3], [mace-opensaml-users@internet2.edu], [xmltooling]) +AC_INIT([xmltooling], [1.3.1], [mace-opensaml-users@internet2.edu], [xmltooling]) AM_CONFIG_HEADER(config.h) AM_CONFIG_HEADER(xmltooling/config_pub.h) -AM_INIT_AUTOMAKE([xmltooling], [1.3]) +AM_INIT_AUTOMAKE([xmltooling], [1.3.1]) sinclude(doxygen.m4) sinclude(acx_pthread.m4) diff --git a/doc/README.txt b/doc/README.txt index dcc7238..ff13ca5 100644 --- a/doc/README.txt +++ b/doc/README.txt @@ -1,8 +1,8 @@ -VERSION 1.3 +VERSION 1.3.1 Issues addressed by this release: --------------------------------- -https://bugs.internet2.edu/jira/browse/CPPXT/fixforversion/10253 +https://bugs.internet2.edu/jira/browse/CPPXT/fixforversion/10269 Documentation: -------------- diff --git a/xmltooling/AbstractXMLObject.cpp b/xmltooling/AbstractXMLObject.cpp index 491aaa8..0ebd079 100644 --- a/xmltooling/AbstractXMLObject.cpp +++ b/xmltooling/AbstractXMLObject.cpp @@ -42,18 +42,14 @@ XMLObject::~XMLObject() void XMLObject::releaseThisandParentDOM() const { - if (getDOM()) { - releaseDOM(); - releaseParentDOM(true); - } + releaseDOM(); + releaseParentDOM(true); } void XMLObject::releaseThisAndChildrenDOM() const { - if (getDOM()) { - releaseChildrenDOM(true); - releaseDOM(); - } + releaseChildrenDOM(true); + releaseDOM(); } AbstractXMLObject::AbstractXMLObject(const XMLCh* nsURI, const XMLCh* localName, const XMLCh* prefix, const QName* schemaType) diff --git a/xmltooling/Makefile.am b/xmltooling/Makefile.am index 374cf1b..cb1380f 100644 --- a/xmltooling/Makefile.am +++ b/xmltooling/Makefile.am 
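Review bot: `XMLObject::releaseThisandParentDOM()` and `XMLObject::releaseThisAndChildrenDOM()` in xmltooling/AbstractXMLObject.cpp now release unconditionally, but nothing records why the `if (getDOM())` guard was removed, so a later cleanup could put it back. Presumably the intent is that a parent or child can still hold a cached DOM when this object has none. If so, say it above each body, e.g. `// No getDOM() guard: relatives may cache a DOM even when this object does not.` The body of `releaseDOM()` is outside this hunk, so confirm it is a safe no-op when nothing is cached.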
@@ -198,10 +198,10 @@ common_sources = \ libxmltooling_lite_la_SOURCES = \ ${common_sources} libxmltooling_lite_la_CPPFLAGS = -DXMLTOOLING_LITE -libxmltooling_lite_la_LDFLAGS = -version-info 4:0:0 +libxmltooling_lite_la_LDFLAGS = -version-info 4:1:0 if BUILD_XMLSEC -libxmltooling_la_LDFLAGS = $(XMLSEC_LIBS) -version-info 4:0:0 +libxmltooling_la_LDFLAGS = $(XMLSEC_LIBS) -version-info 4:1:0 libxmltooling_la_SOURCES = \ ${common_sources} \ ${xmlsec_sources} diff --git a/xmltooling/XMLToolingConfig.cpp b/xmltooling/XMLToolingConfig.cpp index 9a43921..cadf7bc 100644 --- a/xmltooling/XMLToolingConfig.cpp +++ b/xmltooling/XMLToolingConfig.cpp @@ -27,6 +27,7 @@ #include "encryption/Encryption.h" #include "encryption/Encrypter.h" #include "impl/UnknownElement.h" +#include "io/HTTPResponse.h" #include "security/TrustEngine.h" #include "security/OpenSSLCryptoX509CRL.h" #include "security/CredentialResolver.h" @@ -56,6 +57,7 @@ # include #endif #include +#include #ifndef XMLTOOLING_NO_XMLSEC # include # include @@ -352,6 +354,9 @@ bool XMLToolingInternalConfig::init() m_pathResolver = new PathResolver(); m_urlEncoder = new URLEncoder(); + HTTPResponse::getAllowedSchemes().push_back("https"); + HTTPResponse::getAllowedSchemes().push_back("http"); + // Register xml:id as an ID attribute. static const XMLCh xmlid[] = UNICODE_LITERAL_2(i,d); AttributeExtensibleXMLObject::registerIDAttribute(QName(xmlconstants::XML_NS, xmlid)); diff --git a/xmltooling/io/HTTPResponse.cpp b/xmltooling/io/HTTPResponse.cpp index ab2255a..63a3dfc 100644 --- a/xmltooling/io/HTTPResponse.cpp +++ b/xmltooling/io/HTTPResponse.cpp @@ -24,7 +24,7 @@ #include "HTTPResponse.h" using namespace xmltooling; -using std::istream; +using namespace std; GenericResponse::GenericResponse() { 
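Review bot: In `XMLToolingInternalConfig::init()` (xmltooling/XMLToolingConfig.cpp) the two `HTTPResponse::getAllowedSchemes().push_back(...)` calls append to a process-wide static vector without checking for existing entries, and no comment says this is the default allow-list for URL checks. Whether `init()` is guarded against repeat calls is not visible in this hunk; if it is not, each call adds duplicate `https`/`http` entries. Either skip entries already present or document the single-call assumption. Also add a comment such as `// Default schemes accepted by HTTPResponse::sanitizeURL(); applications may extend the list via getAllowedSchemes().`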
@@ -34,6 +34,37 @@ GenericResponse::~GenericResponse() { } +vector HTTPResponse::m_allowedSchemes; + +vector& HTTPResponse::getAllowedSchemes() +{ + return m_allowedSchemes; +} + +void HTTPResponse::sanitizeURL(const char* url) +{ + const char* ch; + for (ch=url; *ch; ++ch) { + if (iscntrl(*ch)) + throw IOException("URL contained a control character."); + } + + ch = strchr(url, ':'); + if (!ch) + throw IOException("URL is malformed."); + string s(url, ch - url); + for (vector::const_iterator i = m_allowedSchemes.begin(); i != m_allowedSchemes.end(); ++i) { +#ifdef HAVE_STRCASECMP + if (!strcasecmp(s.c_str(), i->c_str())) +#else + if (!stricmp(s.c_str(), i->c_str())) +#endif + return; + } + + throw IOException("URL contains invalid scheme ($1).", params(1, s.c_str())); +} + HTTPResponse::HTTPResponse() { } @@ -49,11 +80,30 @@ void HTTPResponse::setContentType(const char* type) void HTTPResponse::setCookie(const char* name, const char* value) { - std::string cookie(name); + string cookie(name); cookie = cookie + '=' + value; setResponseHeader("Set-Cookie", cookie.c_str()); } +void HTTPResponse::setResponseHeader(const char* name, const char* value) +{ + for (const char* ch=name; *ch; ++ch) { + if (iscntrl(*ch)) + throw IOException("Response header name contained a control character."); + } + + for (const char* ch=value; *ch; ++ch) { + if (iscntrl(*ch)) + throw IOException("Value for response header ($1) contained a control character.", params(1,name)); + } +} + +long HTTPResponse::sendRedirect(const char* url) +{ + sanitizeURL(url); + return XMLTOOLING_HTTP_STATUS_MOVED; +} + long HTTPResponse::sendError(istream& inputStream) { return sendResponse(inputStream, XMLTOOLING_HTTP_STATUS_ERROR); diff --git a/xmltooling/io/HTTPResponse.h b/xmltooling/io/HTTPResponse.h index 6c38321..912c0f8 100644 --- a/xmltooling/io/HTTPResponse.h +++ b/xmltooling/io/HTTPResponse.h 
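Review bot: `HTTPResponse::sanitizeURL()` in xmltooling/io/HTTPResponse.cpp passes a plain `char` to `iscntrl()`, which is undefined behaviour for bytes above 0x7F on platforms where `char` is signed. The control-character screen is therefore unreliable for non-ASCII input. The same pattern appears in both loops of `setResponseHeader()` in the next hunk. Use `if (iscntrl(static_cast<unsigned char>(*ch)))` in all three loops. `sanitizeURL()` also dereferences `url` with no null check; an early `if (!url) throw IOException("URL is malformed.");` would keep the failure inside the existing exception contract.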
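Review bot: The new `HTTPResponse::setResponseHeader()` body walks `value` with `*ch` unconditionally, yet the documentation in HTTPResponse.h says `@param value value to set, or NULL to clear`. A request to clear a header therefore dereferences a null pointer as soon as a caller or an overriding subclass reaches this base check. Wrap the second loop in `if (value) { ... }` so a NULL value skips validation and still reaches the subclass's clear logic.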
@@ -25,8 +25,16 @@ #include +#include +#include + namespace xmltooling { - + +#if defined (_MSC_VER) + #pragma warning( push ) + #pragma warning( disable : 4251 ) +#endif + /** * Interface to HTTP response. * @@ -50,7 +58,7 @@ namespace xmltooling { * @param name header name * @param value value to set, or NULL to clear */ - virtual void setResponseHeader(const char* name, const char* value)=0; + virtual void setResponseHeader(const char* name, const char* value); /** * Sets a client cookie. @@ -62,12 +70,15 @@ namespace xmltooling { /** * Redirect the client to the specified URL and complete the response. - * Any headers previously set will be sent ahead of the redirect. * + *
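Review bot: The doc comments for `setResponseHeader()` here and for `sendRedirect()` in the following hunk do not say that these methods changed from pure virtual to base implementations that only validate their arguments. Subclasses that overrode the former pure virtuals will keep compiling and will bypass the control-character and scheme checks unless they explicitly call the base version. Add to each comment a sentence such as `Subclasses must invoke the base class method first; it throws IOException on unsafe input and performs no output itself.` The class declaration begins and ends outside these hunks.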

Any headers previously set will be sent ahead of the redirect. + * + *

The URL will be validated with the sanitizeURL method below. + * * @param url location to redirect client * @return a result code to return from the calling MessageEncoder */ - virtual long sendRedirect(const char* url)=0; + virtual long sendRedirect(const char* url); /** Some common HTTP status codes. */ enum status_t { @@ -83,7 +94,31 @@ namespace xmltooling { using GenericResponse::sendResponse; long sendResponse(std::istream& inputStream); + + /** + * Returns a modifiable array of schemes to permit in sanitized URLs. + * + *

Updates to this array must be externally synchronized with any use + * of this class or its subclasses. + * + * @return a mutable array of strings containing the schemes to permit + */ + static std::vector& getAllowedSchemes(); + + /** + * Manually check for unsafe URLs vulnerable to injection attacks. + * + * @param url location to check + */ + static void sanitizeURL(const char* url); + + private: + static std::vector m_allowedSchemes; }; + +#if defined (_MSC_VER) + #pragma warning( pop ) +#endif }; #endif /* __xmltooling_httpres_h__ */ diff --git a/xmltooling/soap/OpenSSLSOAPTransport.h b/xmltooling/soap/OpenSSLSOAPTransport.h index eb38ef0..21a2045 100644 --- a/xmltooling/soap/OpenSSLSOAPTransport.h +++ b/xmltooling/soap/OpenSSLSOAPTransport.h @@ -20,7 +20,7 @@ * Encapsulates OpenSSL-capable SOAP transport layer. */ -#ifndef __xmltooling_opensslsoaptrans_h__ +#if !defined(__xmltooling_opensslsoaptrans_h__) && !defined(XMLTOOLING_NO_XMLSEC) #define __xmltooling_opensslsoaptrans_h__ #include diff --git a/xmltooling/soap/impl/CURLSOAPTransport.cpp b/xmltooling/soap/impl/CURLSOAPTransport.cpp index 460a62e..af06fbb 100644 --- a/xmltooling/soap/impl/CURLSOAPTransport.cpp +++ b/xmltooling/soap/impl/CURLSOAPTransport.cpp @@ -271,27 +271,6 @@ void xmltooling::termSOAPTransports() g_CURLPool = NULL; } -SOAPTransport::SOAPTransport() -{ -} - -SOAPTransport::~SOAPTransport() -{ -} - -bool SOAPTransport::setProviderOption(const char* provider, const char* option, const char* value) -{ - return false; -} - -HTTPSOAPTransport::HTTPSOAPTransport() -{ -} - -HTTPSOAPTransport::~HTTPSOAPTransport() -{ -} - OpenSSLSOAPTransport::OpenSSLSOAPTransport() { } diff --git a/xmltooling/soap/impl/SOAPClient.cpp b/xmltooling/soap/impl/SOAPClient.cpp index 8eaeaed..1978e28 100644 --- a/xmltooling/soap/impl/SOAPClient.cpp +++ b/xmltooling/soap/impl/SOAPClient.cpp 
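Review bot: The new `sanitizeURL()` declaration in xmltooling/io/HTTPResponse.h is documented only as a check for "unsafe URLs", which does not give callers the contract they will rely on for redirect safety. From the implementation in HTTPResponse.cpp, it throws `IOException` when the URL contains a control character, has no `:`, or has a scheme not in `getAllowedSchemes()` (compared case-insensitively). It inspects nothing after the first colon. Add `@throws IOException if the URL contains a control character or a scheme outside the allowed list`, plus a sentence that the host and path are not validated. Callers then know that a passing URL is not a vetted redirect target.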
@@ -23,6 +23,7 @@ #include "internal.h" #include "exceptions.h" #include "logging.h" +#include "soap/HTTPSOAPTransport.h" #include "soap/SOAP.h" #include "soap/SOAPClient.h" #include "util/XMLHelper.h" @@ -36,6 +37,27 @@ using namespace xmltooling; using namespace xercesc; using namespace std; +SOAPTransport::SOAPTransport() +{ +} + +SOAPTransport::~SOAPTransport() +{ +} + +bool SOAPTransport::setProviderOption(const char* provider, const char* option, const char* value) +{ + return false; +} + +HTTPSOAPTransport::HTTPSOAPTransport() +{ +} + +HTTPSOAPTransport::~HTTPSOAPTransport() +{ +} + SOAPClient::SOAPClient(bool validate) : m_validate(validate), m_transport(NULL) { } diff --git a/xmltooling/version.h b/xmltooling/version.h index 63af4d6..a777851 100644 --- a/xmltooling/version.h +++ b/xmltooling/version.h @@ -1,5 +1,5 @@ /* - * Copyright 2001-2007 Internet2 + * Copyright 2001-2009 Internet2 * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -39,7 +39,7 @@ #define XMLTOOLING_VERSION_MAJOR 1 #define XMLTOOLING_VERSION_MINOR 3 -#define XMLTOOLING_VERSION_REVISION 0 +#define XMLTOOLING_VERSION_REVISION 1 /** DO NOT MODIFY BELOW THIS LINE */ diff --git a/xmltooling/xmltooling-lite.vcproj b/xmltooling/xmltooling-lite.vcproj index ca08327..8968c23 100644 --- a/xmltooling/xmltooling-lite.vcproj +++ b/xmltooling/xmltooling-lite.vcproj @@ -692,10 +692,6 @@ > - - diff --git a/xmltooling/xmltooling.rc b/xmltooling/xmltooling.rc index 5b6d55f..2a4385a 100644 --- a/xmltooling/xmltooling.rc +++ b/xmltooling/xmltooling.rc @@ -28,8 +28,8 @@ LANGUAGE LANG_ENGLISH, SUBLANG_ENGLISH_US // VS_VERSION_INFO VERSIONINFO - FILEVERSION 1,3,0,0 - PRODUCTVERSION 2,2,1,0 + FILEVERSION 1,3,1,0 + PRODUCTVERSION 2,3,0,0 FILEFLAGSMASK 0x3fL #ifdef _DEBUG FILEFLAGS 0x1L 
@@ -51,7 +51,7 @@ BEGIN #else VALUE "FileDescription", "OpenSAML XMLTooling Library\0" #endif - VALUE "FileVersion", "1, 3, 0, 0\0" + VALUE "FileVersion", "1, 3, 1, 0\0" #ifdef XMLTOOLING_LITE #ifdef _DEBUG VALUE "InternalName", "xmltooling-lite1_3D\0" @@ -81,8 +81,8 @@ BEGIN #endif #endif VALUE "PrivateBuild", "\0" - VALUE "ProductName", "OpenSAML 2.2.1\0" - VALUE "ProductVersion", "2, 2, 1, 0\0" + VALUE "ProductName", "OpenSAML 2.3\0" + VALUE "ProductVersion", "2, 3, 0, 0\0" VALUE "SpecialBuild", "\0" END END -- 2.1.4