1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75
|
From: Scott Cantor <cantor.2@osu.edu>
Date: Tue, 6 Jun 2023 16:31:48 -0400
Subject: CPPXT-157 - Install blocking URI resolver into Santuario
https://shibboleth.atlassian.net/browse/CPPXT-157
---
xmltooling/XMLToolingConfig.cpp | 27 +++++++++++++++++++++++++--
1 file changed, 25 insertions(+), 2 deletions(-)
diff --git a/xmltooling/XMLToolingConfig.cpp b/xmltooling/XMLToolingConfig.cpp
index 4bd5b11..dd5634d 100644
--- a/xmltooling/XMLToolingConfig.cpp
+++ b/xmltooling/XMLToolingConfig.cpp
@@ -75,6 +75,7 @@
# include <xsec/framework/XSECException.hpp>
# include <xsec/framework/XSECProvider.hpp>
# include <xsec/transformers/TXFMBase.hpp>
+# include <xsec/framework/XSECURIResolver.hpp>
#endif
using namespace soap11;
@@ -116,7 +117,7 @@ namespace {
#endif
static ptr_vector<Mutex> g_openssl_locks;
- extern "C" void openssl_locking_callback(int mode,int n,const char *file,int line)
+ extern "C" void openssl_locking_callback(int mode, int n, const char *, int)
{
if (mode & CRYPTO_LOCK)
g_openssl_locks[n].lock();
@@ -144,7 +145,7 @@ namespace {
void setInput(TXFMBase *newInput) {
input = newInput;
if (newInput->getOutputType() != TXFMBase::BYTE_STREAM)
- throw XSECException(XSECException::TransformInputOutputFail, "OutputLog transform requires BYTE_STREAM input");
+ throw XSECException(XSECException ::TransformInputOutputFail, "OutputLog transform requires BYTE_STREAM input");
keepComments = input->getCommentsStatus();
m_log.debug("\n----- BEGIN SIGNATURE DEBUG -----\n");
}
@@ -175,6 +176,27 @@ namespace {
return nullptr;
}
+ class BlockingXSECURIResolver : public XSECURIResolver {
+ public:
+ BlockingXSECURIResolver() : m_log(Category::getInstance(XMLTOOLING_LOGCAT ".XMLSecurity")) {}
+ ~BlockingXSECURIResolver() {}
+
+ BinInputStream* resolveURI(const XMLCh* uri) {
+ auto_ptr_char temp(uri);
+ m_log.warn("blocked remote resource retrieval by xml-security-c library: %s",
+ temp.get() ? temp.get() : "(none)");
+ return nullptr;
+ }
+
+ void setBaseURI(const XMLCh* uri) {}
+
+ XSECURIResolver* clone() {
+ return new BlockingXSECURIResolver();
+ }
+
+ private:
+ Category& m_log;
+ };
#endif
#ifdef WIN32
@@ -400,6 +422,7 @@ bool XMLToolingInternalConfig::init(bool deprecationSupport)
XSECPlatformUtils::Initialise();
XSECPlatformUtils::SetReferenceLoggingSink(TXFMOutputLogFactory);
m_xsecProvider.reset(new XSECProvider());
+ m_xsecProvider->setDefaultURIResolver(new BlockingXSECURIResolver());
log.debug("XML-Security %s initialization complete", XSEC_FULLVERSIONDOT);
#endif
|