ISAPI header detection code is prone to false alarms

Basics

Technical

Logistics

Basics

Technical

Logistics

Description

The check for existing headers is scanning the ALL_HTTP variable and detecting a spoof attempt on nothing but a tail match on a header name when the "safeHeaderNames" option is off. This trips wildly on headers like "o" or "st" and should be tightened up to check for the real header name, same as the "safe" code path.

Environment

None

Activity

Scott Cantor
December 10, 2012 at 7:13 PM

Closing with release.

Scott Cantor
December 8, 2012 at 1:59 AM

http://svn.shibboleth.net/view/cpp-sp?rev=3834&view=rev

Resize issue view side panel

Fixed

Details

Assignee

Scott Cantor

Reporter

Scott Cantor

Original estimate

Created December 5, 2012 at 2:14 AM

Updated December 10, 2012 at 7:13 PM

Resolved December 8, 2012 at 1:59 AM

ISAPI header detection code is prone to false alarms

Description

Environment

Activity

Scott Cantor
December 10, 2012 at 7:13 PM

Scott Cantor
December 8, 2012 at 1:59 AM

Details

Assignee

Reporter

Original estimate

Components

Fix versions

Affects versions

Flag notifications

Something's gone wrong

Something's gone wrong

ISAPI header detection code is prone to false alarms

Description

Environment

Activity

Scott Cantor December 10, 2012 at 7:13 PM

Scott Cantor December 8, 2012 at 1:59 AM

Details

Assignee

Reporter

Original estimate

Components

Fix versions

Affects versions

Flag notifications

Something's gone wrong

Something's gone wrong

Scott Cantor
December 10, 2012 at 7:13 PM

Scott Cantor
December 8, 2012 at 1:59 AM