Spring is still falling through to remote access of XML files
Activity
Scott Cantor April 18, 2023 at 5:25 PM
They won’t fix it for compatibility reasons but after a quick test, it’s landing in the same try/catch frame if I raise a runtime exception, so I just converted to use a BeanDefinitionStoreException and cleaned up our custom class so it eliminates the duplication I had to do before.
Scott Cantor April 18, 2023 at 3:04 PM
They neglected to allow the overridden method to raise an exception so there’s no way to short-circuit what it’s doing. If I raise a runtime error I don’t know what that will do so I don’t prefer to go down that road and have to re-test. If they ever fix it, we’ll revisit.
Scott Cantor April 18, 2023 at 2:53 PM
We should be using a new enough Spring version now that they may have added a protected method I can hook to avoid some of the duplication I did.
Scott Cantor December 8, 2022 at 4:57 PM
Fix for the immediate issue in Spring and a canary test added to the new library. I will backport this to spring-extensions.
Scott Cantor December 8, 2022 at 3:31 PM
The problem isn’t that they don’t use an EntityResolver but that their ResourceEntityResolver class defaults to falling into http/s resolution.
Filed a Spring bug in case they decide to care, https://github.com/spring-projects/spring-framework/issues/29662
The problem is compounded by a gem of a comment inside JAXP in Java that basically says “if the ER returns null, should we really do it ourselves or return null?” Of course you know what they did. The only way around that is to throw an exception inside the EntityResolver.
Thus, the fix I found was to clone yet another Spring class and cut out the bad bits and add a log and throw.
I will add a canary test for this as well.
Description
We’re still finding cases where Spring is falling through to remote access of XML files, schemas primarily, when it doesn’t have a way to find them locally. We have never to this point found a way to block it, but it’s past time to solve this once and for all or file a bug with Spring, as this is a security risk.
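The mechanism the December 8 comment describes, JAXP opening the URL itself whenever the EntityResolver returns null so that only throwing stops the fallback, shown in a JDK-only example added here; this is not Shibboleth's or Spring's code. The LocalOnlyEntityResolver class, the demo class name and the example.invalid DTD URL are made up for the illustration, and Map.of assumes Java 9 or later.

```java
import java.io.ByteArrayInputStream;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.util.Map;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.xml.sax.EntityResolver;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class LocalOnlyResolverDemo {
    /** Serves known systemIds from a local map and throws for anything else (hypothetical helper). */
    static final class LocalOnlyEntityResolver implements EntityResolver {
        private final Map<String, String> local; // systemId -> local copy of the entity
        LocalOnlyEntityResolver(Map<String, String> local) { this.local = local; }
        @Override
        public InputSource resolveEntity(String publicId, String systemId) throws SAXException {
            String content = local.get(systemId);
            if (content != null) {
                InputSource src = new InputSource(new StringReader(content));
                src.setSystemId(systemId);
                return src;
            }
            // Returning null here hands resolution back to JAXP, which then opens the URL itself.
            // Throwing is what actually stops the fallback; the parser surfaces it as a SAXException.
            throw new SAXException("Refusing remote entity resolution for " + systemId);
        }
    }
    static DocumentBuilder newBuilder(EntityResolver resolver) throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        DocumentBuilder builder = factory.newDocumentBuilder();
        builder.setEntityResolver(resolver);
        return builder;
    }
    public static void main(String[] args) throws Exception {
        // Constructed sample: a document whose DOCTYPE points at a DTD hosted elsewhere.
        String xml = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE config SYSTEM \"http://example.invalid/config.dtd\">\n<config/>";
        byte[] bytes = xml.getBytes(StandardCharsets.UTF_8);
        try { // 1. No local copy: the parse is refused before any network request is attempted.
            newBuilder(new LocalOnlyEntityResolver(Map.of())).parse(new ByteArrayInputStream(bytes));
        } catch (SAXException e) {
            System.out.println("blocked: " + e.getMessage());
        }
        // 2. The same document parses once the DTD is supplied from a local copy.
        Map<String, String> local = Map.of("http://example.invalid/config.dtd", "<!ELEMENT config EMPTY>");
        newBuilder(new LocalOnlyEntityResolver(local)).parse(new ByteArrayInputStream(bytes));
        System.out.println("parsed using the local copy of the DTD");
    }
}
```

A resolver that returns null for unknown identifiers would let the JDK parser fetch http://example.invalid/config.dtd on its own, which is the fall-through the issue is about; a log statement next to the throw makes each blocked lookup visible.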