Bug #25640
Bug in saml2_authn_context.c, XmlSnippet
100%
Description
The definition of the struct XmlSnippet in lasso-2.6.0/lasso/xml/saml-2.0/saml2_authn_context.c seems to be wrong.
I append a saml response XML file that doesn't parse with this wrong XmlSnippet.
Here is the fixed version (SNIPPET_JUMP_ON_MISS should be SNIPPET_JUMP_ON_MATCH in both occurrences).
static struct XmlSnippet schema_snippets[] = {
{ "AuthnContextClassRef", SNIPPET_CONTENT | SNIPPET_OPTIONAL | SNIPPET_JUMP_ON_MATCH | SNIPPET_JUMP_3,
G_STRUCT_OFFSET(LassoSaml2AuthnContext, AuthnContextClassRef), NULL, NULL, NULL},
{ "AuthnContextDecl", SNIPPET_NODE | SNIPPET_OPTIONAL | SNIPPET_JUMP_ON_MATCH | SNIPPET_JUMP_4,
G_STRUCT_OFFSET(LassoSaml2AuthnContext, AuthnContextDecl), NULL, NULL, NULL},
{ "AuthnContextDeclRef", SNIPPET_CONTENT | SNIPPET_MANDATORY | SNIPPET_JUMP_3,
G_STRUCT_OFFSET(LassoSaml2AuthnContext, AuthnContextDeclRef), NULL, NULL, NULL},
{ "AuthnContextDecl", SNIPPET_NODE | SNIPPET_OPTIONAL | SNIPPET_JUMP_ON_MATCH | SNIPPET_JUMP_2,
G_STRUCT_OFFSET(LassoSaml2AuthnContext, AuthnContextDecl), NULL, NULL, NULL},
{ "AuthnContextDeclRef", SNIPPET_CONTENT | SNIPPET_OPTIONAL,
G_STRUCT_OFFSET(LassoSaml2AuthnContext, AuthnContextDeclRef), NULL, NULL, NULL},
{ "AuthenticatingAuthority", SNIPPET_CONTENT | SNIPPET_OPTIONAL,
G_STRUCT_OFFSET(LassoSaml2AuthnContext, AuthenticatingAuthority), NULL, NULL, NULL},
{NULL, 0, 0, NULL, NULL, NULL}
};
Best regards,
Paul Meurer
Fichiers
Révisions associées
xml: fix parsing of saml:AuthnContext (fixes #25640)
Decl/DeclRef are alternatives, when matching a Decl we should jump over
the DeclRef.
Historique
Mis à jour par Benjamin Dauvergne il y a plus de 5 ans
No only the second JUMP_ON_MISS should be a JUMP_ON_MATCH, see the schema :
* <complexType name="AuthnContextType"> * <sequence> * <choice> * <sequence> * <element ref="saml:AuthnContextClassRef"/> * <choice minOccurs="0"> * <element ref="saml:AuthnContextDecl"/> * <element ref="saml:AuthnContextDeclRef"/> * </choice> * </sequence> * <choice> * <element ref="saml:AuthnContextDecl"/> * <element ref="saml:AuthnContextDeclRef"/> * </choice> * </choice> * <element ref="saml:AuthenticatingAuthority" minOccurs="0" maxOccurs="unbounded"/> * </sequence> * </complexType>
Decl/DeclRef become mandatory if there is no ClassRef, it's optional otherwise, with a regexp like syntax :
( ClassRef ( Decl | DeclRef )? | ( Decl | DeclRef ) AuthenticatingAuthority* )
Mis à jour par Benjamin Dauvergne il y a plus de 5 ans
- Fichier 0001-xml-fix-parsing-of-saml-AuthnContext-fixes-25640.patch 0001-xml-fix-parsing-of-saml-AuthnContext-fixes-25640.patch ajouté
- Statut changé de Nouveau à Solution proposée
Could you check this smaller patch fix your instance of the problem ?
Mis à jour par Paul Meurer il y a plus de 5 ans
Yes, you are correct, obviously.
The smaller patch works for my problem. Thanks!
Mis à jour par Benjamin Dauvergne il y a plus de 5 ans
- Statut changé de Solution proposée à Solution validée
Mis à jour par Benjamin Dauvergne il y a plus de 5 ans
- Statut changé de Solution validée à Résolu (à déployer)
- % réalisé changé de 0 à 100
Appliqué par commit b891ed7dca9c93c5ec6f2ce2408681cab2a74a8b.
Mis à jour par Thijs Kinkhorst il y a plus de 4 ans
We ran into the same issue with the latest version of lasso (this is with NetIQ AM as an IdP). The patch indeed fixes it for us. So it would be great if a new release could be tagged!
Mis à jour par Benjamin Dauvergne il y a plus de 4 ans
- Statut changé de Résolu (à déployer) à Solution déployée
xml: fix parsing of saml:AuthnContext (fixes #25640)
Decl/DeclRef are alternatives, when matching a Decl we should jump over
the DeclRef.