Insufficient XML entity encoding in Metadata Status generation

Description

If queried, the StatusHandler returns an XML document which includes, amongst other information, a list of configured metadata feeds including their URI. Some entities are not correctly escaped, thus the resulting document is no longer well-formed.

One of our feeds (specifically the KALMAR federation in Scandinavia) has some characters in the URI (https://kalmar2.org/simplesaml/module.php/aggregator/?id=kalmarcentral&set=saml2&exclude=finland) that need to be escaped in XML representation. However, in the XML document produced by the StatusHandler, these entities are not properly escaped.

We use the StatusHandler for monitoring shibd with Icinga, which now is broken for us, because the Icinga plugin cannot parse the XML document anymore.

Environment

CentOS 5.9 (amd64), Shibboleth 2.5.2, OpenSAML 2.5.3, xmltooling 1.5.3, xml-security-c 1.7.2, Xerces-C 3.1.1

Activity


Scott Cantor January 22, 2015 at 10:06 PM

Scott Cantor October 31, 2013 at 1:53 PM

Ok, it's really the release I can't take time for obviously. Right now I don't have an exposed API for XML encoding, but that will eventually be needed. In the meantime, you can borrow the short function in shibsp/remoting/impl/ddf.cpp

It should drop in, just do:

    os << " source='";
    xml_encode(os, m_source);
    os << "'";

    #include <cstring>   // strcspn
    #include <ostream>

    using std::ostream;

    // Write `start` to `os`, replacing the characters in the strcspn set
    // ("<>& and the double quote) with their predefined XML entities.
    // The apostrophe (') is not in the set and is written through as-is.
    void xml_encode(ostream& os, const char* start)
    {
        size_t pos;
        while (start && *start) {
            // length of the next run that needs no escaping
            pos = strcspn(start, "\"<>&");
            if (pos > 0) {
                os.write(start, pos);
                start += pos;
            }
            else {
                switch (*start) {
                    case '"': os << "&quot;"; break;
                    case '<': os << "&lt;"; break;
                    case '>': os << "&gt;"; break;
                    case '&': os << "&amp;"; break;
                    default: os << *start;
                }
                start++;
            }
        }
    }

Oliver Schonefeld October 31, 2013 at 9:42 AM

A patch would help. If you could point me to an example, I might be able to craft one myself. A new release of OpenSAML is IMHO not required. IdP 3 is more important. Thank you!

Scott Cantor October 24, 2013 at 2:00 PM

The patch is very simple if you need it, but otherwise you won't see a fix for a long time, I'm full time on the IdP because of project resource constraints.

Oliver Schonefeld October 24, 2013 at 10:54 AM

Actually, it's a problem in OpenSAML.

The class XMLMetadataProvider (in saml/saml2/metadata/impl/XMLMetadataProvider.cpp), lines 108-110, has:

m_source has to be XML escaped, otherwise invalid characters like ampersand may be output verbatim to the XML document generated by SHIBD's StatusHandler. Unfortunately, I'm not familiar with Xerces-C, OpenSAML or XML-Tooling, so I cannot provide a patch.
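The failure described in this thread (a feed URI with raw ampersands written into a single-quoted attribute, so the status document is no longer well-formed) and the escaping fix Scott describes, shown as an added worked example. This is not OpenSAML or Shibboleth SP code: the element name `MetadataProvider`, the function names and the small entity-reference checker are assumptions made for the illustration, and the checker only validates the entity-reference syntax that breaks in this issue, not full XML well-formedness. Unlike the ddf.cpp helper, it also escapes the apostrophe, which matters because the attribute value is delimited by single quotes.

```cpp
#include <cstddef>
#include <ostream>
#include <sstream>
#include <string>

// Escape the five XML special characters so the value is safe inside an
// attribute delimited by either quote character. (Assumed helper name.)
std::string xml_attr_encode(const std::string& in)
{
    std::string out;
    out.reserve(in.size());
    for (char c : in) {
        switch (c) {
            case '&':  out += "&amp;";  break;
            case '<':  out += "&lt;";   break;
            case '>':  out += "&gt;";   break;
            case '"':  out += "&quot;"; break;
            case '\'': out += "&apos;"; break;
            default:   out += c;
        }
    }
    return out;
}

// Build the kind of element a status handler emits for one metadata feed,
// with the feed URI as a single-quoted attribute. Element name is assumed.
std::string metadata_status_element(const std::string& source)
{
    std::ostringstream os;
    os << "<MetadataProvider source='" << xml_attr_encode(source) << "'/>";
    return os.str();
}

// Check only the error class from this issue: every '&' must start an
// entity reference of the form &name; where name is one of the five
// predefined XML entities. Stricter than XML (numeric references such as
// &#38; are rejected) and deliberately not a full parser.
bool entity_references_are_valid(const std::string& doc)
{
    static const char* const predefined[] = {"amp", "lt", "gt", "quot", "apos"};
    for (std::size_t i = 0; i < doc.size(); ++i) {
        if (doc[i] != '&') continue;
        std::size_t semi = doc.find(';', i);
        if (semi == std::string::npos) return false;       // "&set=" never closes
        std::string name = doc.substr(i + 1, semi - i - 1);
        bool known = false;
        for (const char* p : predefined) if (name == p) known = true;
        if (!known) return false;
        i = semi;
    }
    return true;
}

int main()
{
    // Constructed input: the Kalmar aggregator URI quoted in the report.
    const std::string uri =
        "https://kalmar2.org/simplesaml/module.php/aggregator/"
        "?id=kalmarcentral&set=saml2&exclude=finland";

    // The unescaped form is what the broken status handler produced.
    const std::string broken = "<MetadataProvider source='" + uri + "'/>";
    std::ostringstream out;
    out << "unescaped valid: " << entity_references_are_valid(broken) << '\n'
        << "escaped   valid: " << entity_references_are_valid(metadata_status_element(uri)) << '\n'
        << metadata_status_element(uri) << '\n';
    std::printf("%s", out.str().c_str());
    return 0;
}
```

Running it shows the unescaped element rejected and the escaped one accepted; a monitoring plugin like the Icinga check mentioned above would see the same difference when it hands the document to a real XML parser.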

Fixed

Details

Assignee

Reporter

Components

Fix versions

Affects versions

Created October 23, 2013 at 4:51 PM
Updated March 20, 2015 at 12:40 AM
Resolved January 22, 2015 at 10:06 PM