Bug #47
lasso_node_impl_init_from_xml do not verify the element name if currently parse
100%
Description
We can give any xmlNode tree to this function and any GObject subclass of
LassoNode it will work. We should at least validate that:
strcmp(curNode->name, class->node_data->node_name) ||
g_strcmp0(lasso_registry_default_get_mapping(curNode->ns->href,
curNode->name, LASSO_LASSO_HREF), G_OBJECT_CLASS_NAME(object))
It is a problem in lasso_login_process_authn_response, because we assume that
the response we receive is a lib_authn_response:
»·······profile->response = lasso_lib_authn_response_new(NULL, NULL);
»·······format = lasso_node_init_from_message(
»·······»·······»·······LASSO_NODE(profile->response),
authn_response_msg);
»·······if (format LASSO_MESSAGE_FORMAT_UNKNOWN || format
LASSO_MESSAGE_FORMAT_ERROR) {
»·······»·······return
critical_error(LASSO_PROFILE_ERROR_INVALID_MSG);
»·······}
and in a recent usage (vecozo) we received a samlp:Response instead, which is
wrong
but lasso did not signal it.
Is everybody ok ?
Associated revisions
fix segfault when parsed node has no namespace (#47)
This bug was introduced in commit 8d06806d, the check for a correct namespace on
head node of parsed XML fragments does not handle the case where the node has no
namespace. Using lasso_equal_namespace() fix this.
History
Updated by Benjamin Dauvergne about 13 years ago
- Category set to XML Framework
This will need extensive testing to be sure that there will be no regressions.
Updated by Benjamin Dauvergne over 7 years ago
- Assignee set to Benjamin Dauvergne
- Target version changed from future to 318
- Patch proposed set to No
Updated by Benjamin Dauvergne over 7 years ago
- Status changed from Nouveau to Résolu (à déployer)
- % Done changed from 0 to 100
Appliqué par commit 8d06806db6869cbc2ac8df13128d401d241c9744.
check node names in lasso_node_impl_init_from_xml() (fixes #47)