Web server module can build incorrect XML messages which shibd then fails to parse
Description
Activity
Scott Cantor December 17, 2010 at 2:39 PM
Closing after release.
Scott Cantor September 20, 2010 at 11:22 AM
http://svn.middleware.georgetown.edu/view/cpp-sp?view=rev&revision=3327
This was self-inflicted; I didn't remember that the set of headers that get remoted is actually already limited to very little, usually only Cookie, so I just went ahead and protected anything.
Scott Cantor September 20, 2010 at 8:52 AM
Reopening to deal with cookies and possibly other headers.
Lukas Hämmerle September 20, 2010 at 6:51 AM (edited)
We found out that the same error results for cookies that contain umlauts.
The reason for the XMLParserException seems to be that mod_shib also sends the cookies it received to shibd (why are the cookies needed at all by shibd?). If one of these cookies contains a value with an umlaut like "Universität Zürich", shibd will choke on it.
A demo that reproduces this error can be found here:
https://dieng.switch.ch/debug/
Maybe it is enough to add unsafe="1" to the string element in:
<var name="Cookie">
<string>
[... cookies ....]
</string>
</var>
of the wddxPacket packet. Similar changes already were applied to hostname and uri elements of the wddxPacket packet:
http://svn.middleware.georgetown.edu/view/cpp-sp/branches/REL_2/shibsp/handler/impl/RemotedHandler.cpp?r1=2963&r2=2962&pathrev=2963
Scott Cantor June 23, 2009 at 12:47 PM
Closing after releases.
When a request arrives for a protected URL (requires session) and the relaystate is not passed in a cookie but as a url parameter and the url has invalid UTF data AND... just kidding.
The web server module builds incorrect XML which gets sent to the shibd daemons.
It then outputs this error:
2009-03-18 16:33:29 ERROR XMLTooling.ParserPool [2]: fatal error on line 1, column 1, message: An exception occurred! Type:UTFDataFormatException, Message:invalid byte 2 () of a 3-byte sequence.
2009-03-18 16:33:29 ERROR Shibboleth.Listener [2]: error processing incoming message: fatal error during XML parsing: An exception occurred! Type:UTFDataFormatException, Message:invalid byte 2 () of a 3-byte sequence.
This is an example of an invalid message (the .. are the invalid chars):
tcpflow[29485]: listening on lo
127.000.000.001.50126-127.000.000.001.01600: ....
127.000.000.001.50126-127.000.000.001.01600: <wddxPacket version="1.0" lowercase="no"><header/><data><struct name="default/Login::run::Shib1SI"><var name="application_id"><string>default</string></var><var name="entity_id"><string>https://idp.sapo.pt/shibboleth</string></var><var name="acsLocation"><string>http://sso2.sso.bk.sapo.pt/Shibboleth.sso/SAML/Artifact</string></var><var name="RelayState"><string>http://sso2.sso.bk.sapo.pt/secure/headers.pl?v=3&url=http://feeds.webtuga.com/~r/gametuga/~3/pVRVw3IzkEA/&title=Fable%20est...%20mais%20barato</string></var></struct></data></wddxPacket>
I don't know what the best option is here: should the invalid chars be stripped, or XML-escaped? But building an incorrect message that later can't be parsed doesn't seem like the best option.
As an example I will attach an invalid request that can be used like this (the url has to be altered though, nc is netcat):
nc WEBSERVER 80 < req.txt
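The sanitization step the report asks about (strip, escape, or flag) and the unsafe="1" idea from Lukas's comment, as an added example that is not the SP's own code: a C++ helper that checks a request value is XML-safe UTF-8 before it is copied into a WDDX <var>, XML-escaping good values and percent-encoding bad ones under an unsafe="1" flag so the receiver can never be handed bytes its XML parser rejects. The attribute name comes from the ticket; the percent-encoding scheme, the control-character rule and the function names are this example's own assumptions, not the DDF serializer's actual format.

```cpp
#include <cctype>
#include <cstdio>
#include <string>

// True when s is well-formed UTF-8 (RFC 3629) with no control chars XML 1.0 forbids (below 0x20 except tab/LF/CR).
bool xmlSafeUtf8(const std::string& s) {
    const size_t n = s.size();
    for (size_t i = 0; i < n;) {
        const unsigned char c = s[i];
        if (c < 0x80) { if (c < 0x20 && c != '\t' && c != '\n' && c != '\r') return false; ++i; continue; }
        size_t len = (c & 0xE0) == 0xC0 ? 2 : (c & 0xF0) == 0xE0 ? 3 : (c & 0xF8) == 0xF0 ? 4 : 0;
        if (len == 0 || i + len > n) return false;   // stray continuation byte, 0xF8+, or truncated sequence
        unsigned cp = c & (0xFF >> (len + 1));
        for (size_t k = 1; k < len; ++k) {           // Latin-1 0xE9 followed by ' ' fails here:
            const unsigned char cc = s[i + k];       // "invalid byte 2 of a 3-byte sequence"
            if ((cc & 0xC0) != 0x80) return false;
            cp = (cp << 6) | (cc & 0x3F);
        }
        const unsigned minCp = len == 2 ? 0x80 : len == 3 ? 0x800 : 0x10000;
        if (cp < minCp || cp > 0x10FFFF || (cp >= 0xD800 && cp <= 0xDFFF)) return false; // overlong/surrogate
        i += len;
    }
    return true;
}
// Escape XML metacharacters so a value cannot terminate its own element early.
std::string xmlEscape(const std::string& s) {
    std::string out;
    for (char c : s) {
        if (c == '&') out += "&amp;"; else if (c == '<') out += "&lt;";
        else if (c == '>') out += "&gt;"; else if (c == '"') out += "&quot;"; else out += c;
    }
    return out;
}
// Percent-encode every byte outside the URL unreserved set, giving a pure-ASCII payload (example's own scheme).
std::string percentEncode(const std::string& s) {
    std::string out; char buf[4];
    for (unsigned char c : s) {
        if (std::isalnum(c) || c == '-' || c == '.' || c == '_' || c == '~') out += c;
        else { std::snprintf(buf, sizeof buf, "%%%02X", c); out += buf; }
    }
    return out;
}
// Build <var name="..."><string>...</string></var>. A value that is not XML-safe UTF-8 is
// percent-encoded and flagged unsafe="1" (flag name from the ticket; the encoding is this example's own).
std::string wddxStringVar(const std::string& name, const std::string& value) {
    const std::string open = "<var name=\"" + xmlEscape(name) + "\"><string";
    if (xmlSafeUtf8(value)) return open + ">" + xmlEscape(value) + "</string></var>";
    return open + " unsafe=\"1\">" + percentEncode(value) + "</string></var>";
}
```

Run the validator over the RelayState and Cookie values from the captured packet above to see which one the XML parser would have rejected, and compare the flagged element with the plain one.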