All work
- Eliminate uses of getTextContent in DOM helpersCPPXT-133Resolved issue: CPPXT-133Scott Cantor
- Additional nodes can be added to XML without breaking signatureCPPXT-128Resolved issue: CPPXT-128Scott Cantor
- ExplicitKeyTrustEngine doesn't handle EC in the OpenSSL caseCPPXT-114Resolved issue: CPPXT-114Scott Cantor
- PKIX revocation checking calls OpenSSL's X509_verify_cert in an unsupported way (breaks with OpenSSL 1.0.1p/1.0.2d and later)CPPXT-105Resolved issue: CPPXT-105Scott Cantor
- Use of LIBS in place of LDFLAGS in configure tests break custom buildsCPPXT-81Resolved issue: CPPXT-81Scott Cantor
- Credential::getCredentialContext method misspelledCPPXT-33Resolved issue: CPPXT-33Scott Cantor
Eliminate uses of getTextContent in DOM helpers
Description
Environment
Fresh CentOS 7
Activity
Scott Cantor July 11, 2018 at 6:23 PM
All uses of DOMNode::getTextContent have been replaced with calls to an XMLHelper version that deliberately assume trusted content with no merging needed, or explicitly merge adjacent nodes and the caller releases the data. The QName case now uses the untrusted method, which is needed for a couple of SOAP and SAML cases where external content might contain a QName.
The other fix is that the namespace lookup now throws on an error so an unbound prefix will fail to load at all, which was the specific bug in the metadata filter case.
peter July 11, 2018 at 2:54 PM
Nothing logged at all unless DEBUG for the right category.
peter July 11, 2018 at 2:53 PM
D'oh, sorry (s/Provider/Filter/).
Yes, each IDP get's listed at DEBUG with "filtering out role-less entity".
Scott Cantor July 11, 2018 at 2:52 PM
Sigh, not only is it not logging, this is actually a bug I should have fixed, there are XML helper routines relying on dangerous methods to extract text content even after the big fixes I made. This will need a bigger fix that hopefully will have a side effect of improving the logging in this case.
Scott Cantor July 11, 2018 at 2:44 PM
I know I removed the namespace deliberately, which is debateable (it's still in the example because it's used there). I'm wondering if there was something logged though, it should have noted the QName would be undefined. That I think is the core issue, it should be pretty loud about that.
The distributed default
shibboleth2.xmlconfig file is missing the XML namespace declaration bound to themd:prefix as used in an EntityRoleWhilteList MetadataFilter: That filter uses themdprefix in the values of itsRetainedRolechild elements (e.g.md:IDPSSODescriptor).That causes all IDPs to be filtered, with nothing being logged – not even with
OpenSAML.MetadataProvideron DEBUG – other than "applying metadatafilter" for each configured filter, making this a bit hard to find.
Adding the declaration makes metadata re-appear:
Only after fixing this for me I noticed that the distributed
example-shibboleth2.xmlalready has that prefix declared.