Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package opensaml for openSUSE:Factory 
checked in at 2025-03-27 22:33:54
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/opensaml (Old)
 and      /work/SRC/openSUSE:Factory/.opensaml.new.2696 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "opensaml"

Thu Mar 27 22:33:54 2025 rev:14 rq:1261099 version:3.3.1

Changes:
--------
--- /work/SRC/openSUSE:Factory/opensaml/opensaml.changes        2024-11-13 
15:29:10.691510061 +0100
+++ /work/SRC/openSUSE:Factory/.opensaml.new.2696/opensaml.changes      
2025-03-27 22:34:31.482128199 +0100
@@ -1,0 +2,7 @@
+Thu Mar 27 13:00:50 UTC 2025 - Marius Grossu <marius.gro...@suse.com>
+
+- Update to 3.3.1:
+  * [CPPOST-126] - Simple signature verification fails to detect parameter 
smuggling
+    (bsc#1239889)
+   
+-------------------------------------------------------------------

Old:
----
  opensaml-3.3.0.tar.bz2
  opensaml-3.3.0.tar.bz2.asc

New:
----
  opensaml-3.3.1.tar.bz2
  opensaml-3.3.1.tar.bz2.asc

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ opensaml.spec ++++++
--- /var/tmp/diff_new_pack.qGCnrq/_old  2025-03-27 22:34:32.046151545 +0100
+++ /var/tmp/diff_new_pack.qGCnrq/_new  2025-03-27 22:34:32.050151711 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package opensaml
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2025 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -19,7 +19,7 @@
 %define libvers 13
 %define pkgdocdir %{_docdir}/%{name}
 Name:           opensaml
-Version:        3.3.0
+Version:        3.3.1
 Release:        0
 Summary:        Security Assertion Markup Language library
 License:        Apache-2.0

++++++ opensaml-3.3.0.tar.bz2 -> opensaml-3.3.1.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/opensaml-3.3.0/Makefile.in 
new/opensaml-3.3.1/Makefile.in
--- old/opensaml-3.3.0/Makefile.in      2024-09-10 14:02:28.000000000 +0200
+++ new/opensaml-3.3.1/Makefile.in      2025-03-11 16:27:31.000000000 +0100
@@ -230,7 +230,7 @@
        $(top_srcdir)/build-aux/install-sh \
        $(top_srcdir)/build-aux/ltmain.sh \
        $(top_srcdir)/build-aux/missing build-aux/compile \
-       build-aux/config.guess build-aux/config.sub \
+       build-aux/config.guess build-aux/config.sub build-aux/depcomp \
        build-aux/install-sh build-aux/ltmain.sh build-aux/missing
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 distdir = $(PACKAGE)-$(VERSION)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/opensaml-3.3.0/configure new/opensaml-3.3.1/configure
--- old/opensaml-3.3.0/configure        2024-09-10 14:02:28.000000000 +0200
+++ new/opensaml-3.3.1/configure        2025-03-10 20:29:36.000000000 +0100
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.72 for opensaml 3.3.0.
+# Generated by GNU Autoconf 2.72 for opensaml 3.3.1.
 #
 # Report bugs to <https://issues.shibboleth.net/>.
 #
@@ -614,8 +614,8 @@
 # Identity of this package.
 PACKAGE_NAME='opensaml'
 PACKAGE_TARNAME='opensaml'
-PACKAGE_VERSION='3.3.0'
-PACKAGE_STRING='opensaml 3.3.0'
+PACKAGE_VERSION='3.3.1'
+PACKAGE_STRING='opensaml 3.3.1'
 PACKAGE_BUGREPORT='https://issues.shibboleth.net/'
 PACKAGE_URL=''
 
@@ -1469,7 +1469,7 @@
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-'configure' configures opensaml 3.3.0 to adapt to many kinds of systems.
+'configure' configures opensaml 3.3.1 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1540,7 +1540,7 @@
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of opensaml 3.3.0:";;
+     short | recursive ) echo "Configuration of opensaml 3.3.1:";;
    esac
   cat <<\_ACEOF
 
@@ -1701,7 +1701,7 @@
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-opensaml configure 3.3.0
+opensaml configure 3.3.1
 generated by GNU Autoconf 2.72
 
 Copyright (C) 2023 Free Software Foundation, Inc.
@@ -2185,7 +2185,7 @@
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by opensaml $as_me 3.3.0, which was
+It was created by opensaml $as_me 3.3.1, which was
 generated by GNU Autoconf 2.72.  Invocation command line was
 
   $ $0$ac_configure_args_raw
@@ -3877,7 +3877,7 @@
 
 # Define the identity of the package.
  PACKAGE='opensaml'
- VERSION='3.3.0'
+ VERSION='3.3.1'
 
 
 printf "%s\n" "#define PACKAGE \"$PACKAGE\"" >>confdefs.h
@@ -22672,7 +22672,7 @@
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by opensaml $as_me 3.3.0, which was
+This file was extended by opensaml $as_me 3.3.1, which was
 generated by GNU Autoconf 2.72.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -22740,7 +22740,7 @@
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config='$ac_cs_config_escaped'
 ac_cs_version="\\
-opensaml config.status 3.3.0
+opensaml config.status 3.3.1
 configured by $0, generated by GNU Autoconf 2.72,
   with options \\"\$ac_cs_config\\"
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/opensaml-3.3.0/configure.ac 
new/opensaml-3.3.1/configure.ac
--- old/opensaml-3.3.0/configure.ac     2024-09-09 22:11:20.000000000 +0200
+++ new/opensaml-3.3.1/configure.ac     2025-03-10 20:21:59.000000000 +0100
@@ -1,5 +1,5 @@
 AC_PREREQ([2.50])
-AC_INIT([opensaml],[3.3.0],[https://issues.shibboleth.net/],[opensaml])
+AC_INIT([opensaml],[3.3.1],[https://issues.shibboleth.net/],[opensaml])
 AC_CONFIG_SRCDIR(saml)
 AC_CONFIG_AUX_DIR(build-aux)
 AC_CONFIG_MACRO_DIR(m4)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/opensaml-3.3.0/opensaml.spec 
new/opensaml-3.3.1/opensaml.spec
--- old/opensaml-3.3.0/opensaml.spec    2024-09-10 14:02:47.000000000 +0200
+++ new/opensaml-3.3.1/opensaml.spec    2025-03-11 16:27:41.000000000 +0100
@@ -1,5 +1,5 @@
 Name:          opensaml
-Version:       3.3.0
+Version:       3.3.1
 Release:       1
 Summary:       OpenSAML SAML library
 Group:         Development/Libraries/C and C++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/opensaml-3.3.0/saml/Makefile.am 
new/opensaml-3.3.1/saml/Makefile.am
--- old/opensaml-3.3.0/saml/Makefile.am 2024-09-09 22:29:30.000000000 +0200
+++ new/opensaml-3.3.1/saml/Makefile.am 2025-03-10 20:22:32.000000000 +0100
@@ -183,7 +183,7 @@
 
 # this is different from the project version
 # http://sources.redhat.com/autobook/autobook/autobook_91.html
-libsaml_la_LDFLAGS = -version-info 13:0:0
+libsaml_la_LDFLAGS = -version-info 13:1:0
 libsaml_la_CPPFLAGS = \
     $(BOOST_CPPFLAGS)
 libsaml_la_CXXFLAGS = \
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/opensaml-3.3.0/saml/Makefile.in 
new/opensaml-3.3.1/saml/Makefile.in
--- old/opensaml-3.3.0/saml/Makefile.in 2024-09-10 14:02:28.000000000 +0200
+++ new/opensaml-3.3.1/saml/Makefile.in 2025-03-11 16:24:57.000000000 +0100
@@ -750,7 +750,7 @@
 
 # this is different from the project version
 # http://sources.redhat.com/autobook/autobook/autobook_91.html
-libsaml_la_LDFLAGS = -version-info 13:0:0
+libsaml_la_LDFLAGS = -version-info 13:1:0
 libsaml_la_CPPFLAGS = \
     $(BOOST_CPPFLAGS)
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/opensaml-3.3.0/saml/binding/impl/SimpleSigningRule.cpp 
new/opensaml-3.3.1/saml/binding/impl/SimpleSigningRule.cpp
--- old/opensaml-3.3.0/saml/binding/impl/SimpleSigningRule.cpp  2020-03-06 
17:38:05.000000000 +0100
+++ new/opensaml-3.3.1/saml/binding/impl/SimpleSigningRule.cpp  2025-03-12 
14:37:28.000000000 +0100
@@ -29,6 +29,7 @@
 #include "binding/SecurityPolicy.h"
 #include "binding/SecurityPolicyRule.h"
 #include "saml2/core/Assertions.h"
+#include "saml2/core/Protocols.h"
 #include "saml2/metadata/Metadata.h"
 #include "saml2/metadata/MetadataCredentialCriteria.h"
 #include "saml2/metadata/MetadataProvider.h"
@@ -41,6 +42,7 @@
 #include <xmltooling/signature/KeyInfo.h>
 #include <xmltooling/signature/Signature.h>
 #include <xmltooling/util/ParserPool.h>
+#include <xmltooling/util/URLEncoder.h>
 
 using namespace opensaml::saml2md;
 using namespace opensaml;
@@ -66,7 +68,8 @@
 
     private:
         // Appends a raw parameter=value pair to the string.
-        static bool appendParameter(string& s, const char* data, const char* 
name);
+        static bool appendParameter(const GenericRequest& request, string& s, 
const char* data, const char* name);
+        static const char* getMessageParameterName(const XMLObject* message);
 
         bool m_errorFatal;
     };
@@ -79,21 +82,48 @@
     static const XMLCh errorFatal[] = UNICODE_LITERAL_10(e,r,r,o,r,F,a,t,a,l);
 };
 
-bool SimpleSigningRule::appendParameter(string& s, const char* data, const 
char* name)
+bool SimpleSigningRule::appendParameter(const GenericRequest& request, string& 
s, const char* data, const char* name)
 {
-    const char* start = strstr(data,name);
+    // Make sure only a single instance of the parameter specified is found in 
the decoded query.
+    vector<const char*> valueHolder;
+    if (request.getParameters(name, valueHolder) > 1) {
+        throw SecurityPolicyException("Multiple $1 parameters present.", 
params(1, name));
+    }
+
+    string param_name(name);
+    param_name += '=';
+
+    const char* start = strstr(data, param_name.c_str());
     if (!start)
         return false;
+    if (start > data && *(start - 1) != '&')
+        throw SecurityPolicyException("Detected attempt to smuggle a prefixed 
$1 parameter.", params(1, name));
+
     if (!s.empty())
         s += '&';
-    const char* end = strchr(start,'&');
+
+    const char* end = strchr(start, '&');
     if (end)
-        s.append(start, end-start);
+        s.append(start, end - start);
     else
         s.append(start);
+
     return true;
 }
 
+const char* SimpleSigningRule::getMessageParameterName(const XMLObject* 
message)
+{
+    if (dynamic_cast<const saml2p::StatusResponseType*>(message)) {
+        return "SAMLResponse";
+    }
+    else if (dynamic_cast<const saml2p::RequestAbstractType*>(message)) {
+        return "SAMLRequest";
+    }
+    else {
+        return nullptr;
+    }
+}
+
 SimpleSigningRule::SimpleSigningRule(const DOMElement* e)
     : SecurityPolicyRule(e), m_errorFatal(XMLHelper::getAttrBool(e, false, 
errorFatal))
 {
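Review bot: `appendParameter` checks for duplicates against the decoded parameters (`request.getParameters(name, valueHolder) > 1`) but then locates the value with a literal `strstr` over the raw query string, and nothing handles the case where the two views disagree. If the decoded lookup holds a value but the raw scan finds no literal `name=`, the function quietly returns false, and the GET branch in the later `@@ -119,34 +149,50 @@` hunk discards that return value, so the signature input is built without a parameter that other layers did read. Failing closed would be safer: before the existing `if (!start) return false;`, add `if (!start && !valueHolder.empty()) throw SecurityPolicyException("Raw $1 parameter not found in query string.", params(1, name));`. How `getParameters` decodes names is not visible in this diff, so this should be confirmed against the request implementation.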
@@ -119,34 +149,50 @@
     }
 
     const HTTPRequest* httpRequest = dynamic_cast<const HTTPRequest*>(request);
-    if (!request || !httpRequest)
+    if (!request || !httpRequest) {
         return false;
+    }
 
-    const char* signature = request->getParameter("Signature");
-    if (!signature)
+    // Make sure Signature only shows up once.
+    vector<const char*> valueHolder;
+    request->getParameters("Signature", valueHolder);
+    if (valueHolder.empty()) {
         return false;
-    
+    }
+    else if (valueHolder.size() > 1) {
+        throw SecurityPolicyException("Multiple Signature parameters 
present.");
+    }
+    const char* signature = valueHolder[0];
+
+    // The multiple parameter copy check for the GET case is applied down 
below in appendParameter.
     const char* sigAlgorithm = request->getParameter("SigAlg");
     if (!sigAlgorithm) {
         log.warn("SigAlg parameter not found, no way to verify the signature");
         return false;
     }
 
+    const char* messageParameterName = getMessageParameterName(&message);
+    if (!messageParameterName) {
+        log.debug("ignoring unrecognized message type");
+        return false;
+    }
+
     string input;
     const char* pch;
     if (!strcmp(httpRequest->getMethod(), "GET")) {
         // We have to construct a string containing the signature input by 
accessing the
         // request directly. We can't use the decoded parameters because we 
need the raw
-        // data and URL-encoding isn't canonical.
+        // data and URL-encoding isn't canonical. We have to ensure only one 
copy a given
+        // parameter appears in the string in its decoded form, to ensure that 
other layers
+        // of the code only saw/see the same value we see here.
 
         // NOTE: SimpleSign for GET means Redirect binding, which means we 
verify over the
         // base64-encoded message directly.
 
         pch = httpRequest->getQueryString();
-        if (!appendParameter(input, pch, "SAMLRequest="))
-            appendParameter(input, pch, "SAMLResponse=");
-        appendParameter(input, pch, "RelayState=");
-        appendParameter(input, pch, "SigAlg=");
+        appendParameter(*request, input, pch, messageParameterName);
+        appendParameter(*request, input, pch, "RelayState");
+        appendParameter(*request, input, pch, "SigAlg");
     }
     else {
         // With POST, the input string is concatenated from the decoded form 
controls.
@@ -158,24 +204,14 @@
         // why XMLSignature exists, and why this isn't really "simpler").
 
         XMLSize_t x;
-        pch = httpRequest->getParameter("SAMLRequest");
+        pch = httpRequest->getParameter(messageParameterName);
         if (pch) {
             XMLByte* decoded=Base64::decode(reinterpret_cast<const 
XMLByte*>(pch),&x);
             if (!decoded) {
                 log.warn("unable to decode base64 in POST binding message");
                 return false;
             }
-            input = string("SAMLRequest=") + reinterpret_cast<const 
char*>(decoded);
-            XMLString::release((char**)&decoded);
-        }
-        else {
-            pch = httpRequest->getParameter("SAMLResponse");
-            XMLByte* decoded=Base64::decode(reinterpret_cast<const 
XMLByte*>(pch),&x);
-            if (!decoded) {
-                log.warn("unable to decode base64 in POST binding message");
-                return false;
-            }
-            input = string("SAMLResponse=") + reinterpret_cast<const 
char*>(decoded);
+            input = string(messageParameterName) + "=" + 
reinterpret_cast<const char*>(decoded);
             XMLString::release((char**)&decoded);
         }
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/opensaml-3.3.0/saml/saml.rc 
new/opensaml-3.3.1/saml/saml.rc
--- old/opensaml-3.3.0/saml/saml.rc     2024-09-09 22:32:25.000000000 +0200
+++ new/opensaml-3.3.1/saml/saml.rc     2025-03-10 20:24:04.000000000 +0100
@@ -28,8 +28,8 @@
 //
 
 VS_VERSION_INFO VERSIONINFO
- FILEVERSION 3,3,0,0
- PRODUCTVERSION 3,3,0,0
+ FILEVERSION 3,3,1,0
+ PRODUCTVERSION 3,3,1,0
  FILEFLAGSMASK 0x3fL
 #ifdef _DEBUG
  FILEFLAGS 0x1L
@@ -47,13 +47,13 @@
             VALUE "Comments", "\0"
             VALUE "CompanyName", "Shibboleth Consortium\0"
             VALUE "FileDescription", "OpenSAML Library\0"
-            VALUE "FileVersion", "3, 3, 0, 0\0"
+            VALUE "FileVersion", "3, 3, 1, 0\0"
 #ifdef _DEBUG
             VALUE "InternalName", "saml3_3D\0"
 #else
             VALUE "InternalName", "saml3_3\0"
 #endif
-            VALUE "LegalCopyright", "Copyright 2001-2024 Various\0"
+            VALUE "LegalCopyright", "Copyright 2001-2025 Various\0"
             VALUE "LegalTrademarks", "\0"
 #ifdef _DEBUG
             VALUE "OriginalFilename", "saml3_3.dll\0"
@@ -61,8 +61,8 @@
             VALUE "OriginalFilename", "saml3_3.dll\0"
 #endif
             VALUE "PrivateBuild", "\0"
-            VALUE "ProductName", "OpenSAML 3.3.0\0"
-            VALUE "ProductVersion", "3, 3, 0, 0\0"
+            VALUE "ProductName", "OpenSAML 3.3.1\0"
+            VALUE "ProductVersion", "3, 3, 1, 0\0"
             VALUE "SpecialBuild", "\0"
         END
     END
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/opensaml-3.3.0/saml/saml2/binding/impl/SAML2ArtifactDecoder.cpp 
new/opensaml-3.3.1/saml/saml2/binding/impl/SAML2ArtifactDecoder.cpp
--- old/opensaml-3.3.0/saml/saml2/binding/impl/SAML2ArtifactDecoder.cpp 
2020-03-06 17:38:05.000000000 +0100
+++ new/opensaml-3.3.1/saml/saml2/binding/impl/SAML2ArtifactDecoder.cpp 
2025-03-12 14:37:28.000000000 +0100
@@ -95,6 +95,8 @@
     const char* state = httpRequest->getParameter("RelayState");
     if (state)
         relayState = state;
+    if (httpRequest->getParameter("Signature"))
+        throw BindingException("Request contained unexpected Signature 
parameter.");
 
     if (!m_artifactResolver || !policy.getMetadataProvider() || 
!policy.getRole())
         throw BindingException("Artifact binding requires ArtifactResolver and 
MetadataProvider implementations be supplied.");
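Review bot: The new `Signature` rejection has no comment explaining why an artifact-binding request must not carry that parameter, so it reads as an arbitrary restriction that a later cleanup could drop. A one-line comment above the check would record the intent, for example `// Artifact binding defines no Signature parameter; reject it so no later policy rule treats this request as signed.` The rationale is inferred from the changelog entry about simple-signature verification, so the author should confirm the wording. The surrounding function continues outside the hunk.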
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/opensaml-3.3.0/saml/saml2/binding/impl/SAML2ECPDecoder.cpp 
new/opensaml-3.3.1/saml/saml2/binding/impl/SAML2ECPDecoder.cpp
--- old/opensaml-3.3.0/saml/saml2/binding/impl/SAML2ECPDecoder.cpp      
2020-03-06 17:38:05.000000000 +0100
+++ new/opensaml-3.3.1/saml/saml2/binding/impl/SAML2ECPDecoder.cpp      
2025-03-12 14:37:28.000000000 +0100
@@ -86,7 +86,8 @@
     const HTTPRequest* httpRequest = dynamic_cast<const 
HTTPRequest*>(&genericRequest);
     if (httpRequest) {
         string s = httpRequest->getContentType();
-        if (s.find("application/vnd.paos+xml") == string::npos) {
+        if (s.find("application/vnd.paos+xml") == string::npos ||
+                s.find("application/x-www-form-urlencoded") != string::npos) {
             log.warn("ignoring incorrect content type (%s)", s.c_str() ? 
s.c_str() : "none");
             throw BindingException("Invalid content type for PAOS message.");
         }
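Review bot: The added `application/x-www-form-urlencoded` exclusion is a case-sensitive substring match over the whole Content-Type header, while media type names are case-insensitive, so the guard depends on how the header happens to be spelled. The same pattern is added in the SAML2SOAPDecoder.cpp hunk. Normalising the header before both `find` calls, e.g. `std::transform(s.begin(), s.end(), s.begin(), ::tolower);` (needs `<algorithm>` if it is not already included), would make the positive and negative checks consistent; comparing only the media type ahead of any `;` parameters would be stricter still. How the layer that parses form parameters matches the content type is not visible in this diff, so the practical impact should be confirmed. The enclosing function starts and ends outside the hunk.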
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/opensaml-3.3.0/saml/saml2/binding/impl/SAML2POSTDecoder.cpp 
new/opensaml-3.3.1/saml/saml2/binding/impl/SAML2POSTDecoder.cpp
--- old/opensaml-3.3.0/saml/saml2/binding/impl/SAML2POSTDecoder.cpp     
2020-03-06 17:38:05.000000000 +0100
+++ new/opensaml-3.3.1/saml/saml2/binding/impl/SAML2POSTDecoder.cpp     
2025-03-12 14:37:28.000000000 +0100
@@ -92,11 +92,18 @@
         throw BindingException("Unable to cast request object to HTTPRequest 
type.");
     if (strcmp(httpRequest->getMethod(),"POST"))
         throw BindingException("Invalid HTTP method ($1).", params(1, 
httpRequest->getMethod()));
-    const char* msg = httpRequest->getParameter("SAMLResponse");
-    if (!msg)
-        msg = httpRequest->getParameter("SAMLRequest");
+    
+    bool isRequest = false;    
+    const char* msg = httpRequest->getParameter("SAMLRequest");
+    if (msg) {
+        isRequest = true;
+    } else {
+        msg = httpRequest->getParameter("SAMLResponse");
+    }
+
     if (!msg)
         throw BindingException("Request missing SAMLRequest or SAMLResponse 
form parameter.");
+
     const char* state = httpRequest->getParameter("RelayState");
     if (state)
         relayState = state;
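Review bot: When a request carries both `SAMLRequest` and `SAMLResponse`, the new code silently picks `SAMLRequest`, sets `isRequest`, and never looks at the other parameter; the SAML2RedirectDecoder.cpp hunk has the same selection logic. Since this release is about making every layer agree on which parameter is the message, rejecting the ambiguous case outright would be more defensive than relying on lookup order, e.g. `if (httpRequest->getParameter("SAMLRequest") && httpRequest->getParameter("SAMLResponse")) throw BindingException("Request contained both SAMLRequest and SAMLResponse parameters.");`. The decode function begins and ends outside this hunk, so an existing check elsewhere cannot be ruled out.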
@@ -121,16 +128,20 @@
 
     saml2::RootObject* root = nullptr;
     StatusResponseType* response = nullptr;
-    RequestAbstractType* request = 
dynamic_cast<RequestAbstractType*>(xmlObject.get());
-    if (!request) {
+    RequestAbstractType* request = nullptr;
+    if (isRequest) {
+        request = dynamic_cast<RequestAbstractType*>(xmlObject.get());
+        if (!request) {
+            throw BindingException("XML content for SAML 2.0 HTTP-POST Decoder 
was not a SAML 2.0 request message.");
+        }
+        root = static_cast<saml2::RootObject*>(request);
+    } else {
         response = dynamic_cast<StatusResponseType*>(xmlObject.get());
-        if (!response)
-            throw BindingException("XML content for SAML 2.0 HTTP-POST Decoder 
must be a SAML 2.0 protocol message.");
+        if (!response) {
+            throw BindingException("XML content for SAML 2.0 HTTP-POST Decoder 
was not a SAML 2.0 response message.");
+        }
         root = static_cast<saml2::RootObject*>(response);
     }
-    else {
-        root = static_cast<saml2::RootObject*>(request);
-    }
     
     SchemaValidators.validate(root);
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/opensaml-3.3.0/saml/saml2/binding/impl/SAML2RedirectDecoder.cpp 
new/opensaml-3.3.1/saml/saml2/binding/impl/SAML2RedirectDecoder.cpp
--- old/opensaml-3.3.0/saml/saml2/binding/impl/SAML2RedirectDecoder.cpp 
2020-03-06 17:38:05.000000000 +0100
+++ new/opensaml-3.3.1/saml/saml2/binding/impl/SAML2RedirectDecoder.cpp 
2025-03-12 14:37:28.000000000 +0100
@@ -90,16 +90,24 @@
     const HTTPRequest* httpRequest=dynamic_cast<const 
HTTPRequest*>(&genericRequest);
     if (!httpRequest)
         throw BindingException("Unable to cast request object to HTTPRequest 
type.");
-    const char* msg = httpRequest->getParameter("SAMLResponse");
-    if (!msg)
-        msg = httpRequest->getParameter("SAMLRequest");
+
+    bool isRequest = false;    
+    const char* msg = httpRequest->getParameter("SAMLRequest");
+    if (msg) {
+        isRequest = true;
+    } else {
+        msg = httpRequest->getParameter("SAMLResponse");
+    }
+    
     if (!msg)
         throw BindingException("Request missing SAMLRequest or SAMLResponse 
query string parameter.");
+
     const char* state = httpRequest->getParameter("RelayState");
     if (state)
         relayState = state;
     else
         relayState.erase();
+
     state = httpRequest->getParameter("SAMLEncoding");
     if (state && 
strcmp(state,samlconstants::SAML20_BINDING_URL_ENCODING_DEFLATE)) {
         log.warn("SAMLEncoding (%s) was not recognized", state);
@@ -132,16 +140,20 @@
 
     saml2::RootObject* root = nullptr;
     StatusResponseType* response = nullptr;
-    RequestAbstractType* request = 
dynamic_cast<RequestAbstractType*>(xmlObject.get());
-    if (!request) {
+    RequestAbstractType* request = nullptr;
+    if (isRequest) {
+        request = dynamic_cast<RequestAbstractType*>(xmlObject.get());
+        if (!request) {
+            throw BindingException("XML content for SAML 2.0 HTTP-Redirect 
Decoder was not a SAML 2.0 request message.");
+        }
+        root = static_cast<saml2::RootObject*>(request);
+    } else {
         response = dynamic_cast<StatusResponseType*>(xmlObject.get());
-        if (!response)
-            throw BindingException("XML content for SAML 2.0 HTTP-POST Decoder 
must be a SAML 2.0 protocol message.");
+        if (!response) {
+            throw BindingException("XML content for SAML 2.0 HTTP-Redirect 
Decoder was not a SAML 2.0 response message.");
+        }
         root = static_cast<saml2::RootObject*>(response);
     }
-    else {
-        root = static_cast<saml2::RootObject*>(request);
-    }
 
     SchemaValidators.validate(root);
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/opensaml-3.3.0/saml/saml2/binding/impl/SAML2SOAPDecoder.cpp 
new/opensaml-3.3.1/saml/saml2/binding/impl/SAML2SOAPDecoder.cpp
--- old/opensaml-3.3.0/saml/saml2/binding/impl/SAML2SOAPDecoder.cpp     
2024-09-10 16:23:36.000000000 +0200
+++ new/opensaml-3.3.1/saml/saml2/binding/impl/SAML2SOAPDecoder.cpp     
2025-03-12 14:37:28.000000000 +0100
@@ -86,7 +86,7 @@
 
     log.debug("validating input");
     string s = genericRequest.getContentType();
-    if (s.find("text/xml") == string::npos) {
+    if (s.find("text/xml") == string::npos || 
s.find("application/x-www-form-urlencoded") != string::npos) {
         log.warn("ignoring incorrect content type (%s)", s.c_str() ? s.c_str() 
: "none");
         throw BindingException("Invalid content type for SOAP message.");
     }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/opensaml-3.3.0/saml/version.h 
new/opensaml-3.3.1/saml/version.h
--- old/opensaml-3.3.0/saml/version.h   2024-09-09 22:29:11.000000000 +0200
+++ new/opensaml-3.3.1/saml/version.h   2025-03-10 20:22:57.000000000 +0100
@@ -44,7 +44,7 @@
 
 #define OPENSAML_VERSION_MAJOR 3
 #define OPENSAML_VERSION_MINOR 3
-#define OPENSAML_VERSION_REVISION 0
+#define OPENSAML_VERSION_REVISION 1
 
 /** DO NOT MODIFY BELOW THIS LINE */
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/opensaml-3.3.0/samlsign/samlsign.rc 
new/opensaml-3.3.1/samlsign/samlsign.rc
--- old/opensaml-3.3.0/samlsign/samlsign.rc     2024-09-09 22:33:32.000000000 
+0200
+++ new/opensaml-3.3.1/samlsign/samlsign.rc     2025-03-10 20:25:05.000000000 
+0100
@@ -28,8 +28,8 @@
 //
 
 VS_VERSION_INFO VERSIONINFO
- FILEVERSION 3,3,0,0
- PRODUCTVERSION 3,3,0,0
+ FILEVERSION 3,3,1,0
+ PRODUCTVERSION 3,3,1,0
  FILEFLAGSMASK 0x3fL
 #ifdef _DEBUG
  FILEFLAGS 0x1L
@@ -47,14 +47,14 @@
             VALUE "Comments", "\0"
             VALUE "CompanyName", "Shibboleth Consortium\0"
             VALUE "FileDescription", "OpenSAML Signature Utility\0"
-            VALUE "FileVersion", "3, 3, 0, 0\0"
+            VALUE "FileVersion", "3, 3, 1, 0\0"
             VALUE "InternalName", "samlsign\0"
-            VALUE "LegalCopyright", "Copyright 2001-2024 Various\0"
+            VALUE "LegalCopyright", "Copyright 2001-2025 Various\0"
             VALUE "LegalTrademarks", "\0"
             VALUE "OriginalFilename", "samlsign.exe\0"
             VALUE "PrivateBuild", "\0"
-            VALUE "ProductName", "OpenSAML 3.3.0\0"
-            VALUE "ProductVersion", "3, 3, 0, 0\0"
+            VALUE "ProductName", "OpenSAML 3.3.1\0"
+            VALUE "ProductVersion", "3, 3, 1, 0\0"
             VALUE "SpecialBuild", "\0"
         END
     END
