ISAPI header detection code is prone to false alarms

Description

The check for existing headers is scanning the ALL_HTTP variable and detecting a spoof attempt on nothing but a tail match on a header name when the "safeHeaderNames" option is off. This trips wildly on headers like "o" or "st" and should be tightened up to check for the real header name, same as the "safe" code path.
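The false alarm described above, reproduced in an added example that is not the project's own code. It assumes the ALL_HTTP variable holds one `HTTP_<NAME>:<value>` entry per line; the sample request and the function names `toCgiName`, `tailMatch` and `exactMatch` are constructed for illustration.

```cpp
#include <cctype>
#include <iostream>
#include <string>

// Constructed sample of ALL_HTTP for a request that carries no attribute
// headers at all (assumed layout: "HTTP_<NAME>:<value>", one per line).
static const std::string kAllHttp =
    "HTTP_ACCEPT:*/*\n"
    "HTTP_HOST:sp.example.org\n"
    "HTTP_USER_AGENT:curl/7.28.0\n";

// Map a header name to its ALL_HTTP spelling: upper case, '-' becomes '_'.
std::string toCgiName(const std::string& header) {
    std::string out;
    for (unsigned char c : header)
        out += (c == '-') ? '_' : static_cast<char>(std::toupper(c));
    return out;
}

// Loose check (the false-alarm pattern): any "<NAME>:" occurrence counts,
// so a short name matches the tail of a longer, unrelated header name.
bool tailMatch(const std::string& allHttp, const std::string& header) {
    return allHttp.find(toCgiName(header) + ':') != std::string::npos;
}

// Tightened check: the complete "HTTP_<NAME>:" token must start a line.
bool exactMatch(const std::string& allHttp, const std::string& header) {
    const std::string token = "HTTP_" + toCgiName(header) + ':';
    for (std::size_t pos = 0; pos != std::string::npos; ) {
        if (allHttp.compare(pos, token.size(), token) == 0)
            return true;
        pos = allHttp.find('\n', pos);        // advance to the next line start
        if (pos != std::string::npos) ++pos;
    }
    return false;
}

int main() {
    for (const char* name : {"st", "agent", "Host", "User-Agent"})
        std::cout << name << ": tail=" << tailMatch(kAllHttp, name)
                  << " exact=" << exactMatch(kAllHttp, name) << '\n';
}
```

With the loose check, an attribute exported as "st" is reported as already present on every request that carries a Host header, which is the spurious spoof detection the report describes.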

Environment

None

Activity

Scott Cantor December 10, 2012 at 7:13 PM

Closing with release.

Scott Cantor December 8, 2012 at 1:59 AM

Fixed

Created December 5, 2012 at 2:14 AM
Updated December 10, 2012 at 7:13 PM
Resolved December 8, 2012 at 1:59 AM