1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
|
From: Scott Cantor <cantor.2@osu.edu>
Date: Tue, 6 Jun 2023 16:31:48 -0400
Subject: CPPXT-157 - Install blocking URI resolver into Santuario
https://shibboleth.atlassian.net/browse/CPPXT-157
---
xmltooling/XMLToolingConfig.cpp | 27 +++++++++++++++++++++++++--
1 file changed, 25 insertions(+), 2 deletions(-)
diff --git a/xmltooling/XMLToolingConfig.cpp b/xmltooling/XMLToolingConfig.cpp
index 4bd5b11..dd5634d 100644
--- a/xmltooling/XMLToolingConfig.cpp
+++ b/xmltooling/XMLToolingConfig.cpp
@@ -75,6 +75,7 @@
# include <xsec/framework/XSECException.hpp>
# include <xsec/framework/XSECProvider.hpp>
# include <xsec/transformers/TXFMBase.hpp>
+# include <xsec/framework/XSECURIResolver.hpp>
#endif
using namespace soap11;
@@ -116,7 +117,7 @@ namespace {
#endif
static ptr_vector<Mutex> g_openssl_locks;
- extern "C" void openssl_locking_callback(int mode,int n,const char *file,int line)
+ extern "C" void openssl_locking_callback(int mode, int n, const char *, int)
{
if (mode & CRYPTO_LOCK)
g_openssl_locks[n].lock();
@@ -144,7 +145,7 @@ namespace {
void setInput(TXFMBase *newInput) {
input = newInput;
if (newInput->getOutputType() != TXFMBase::BYTE_STREAM)
- throw XSECException(XSECException::TransformInputOutputFail, "OutputLog transform requires BYTE_STREAM input");
+ throw XSECException(XSECException ::TransformInputOutputFail, "OutputLog transform requires BYTE_STREAM input");
keepComments = input->getCommentsStatus();
m_log.debug("\n----- BEGIN SIGNATURE DEBUG -----\n");
}
@@ -175,6 +176,27 @@ namespace {
return nullptr;
}
+ class BlockingXSECURIResolver : public XSECURIResolver {
+ public:
+ BlockingXSECURIResolver() : m_log(Category::getInstance(XMLTOOLING_LOGCAT ".XMLSecurity")) {}
+ ~BlockingXSECURIResolver() {}
+
+ BinInputStream* resolveURI(const XMLCh* uri) {
+ auto_ptr_char temp(uri);
+ m_log.warn("blocked remote resource retrieval by xml-security-c library: %s",
+ temp.get() ? temp.get() : "(none)");
+ return nullptr;
+ }
+
+ void setBaseURI(const XMLCh* uri) {}
+
+ XSECURIResolver* clone() {
+ return new BlockingXSECURIResolver();
+ }
+
+ private:
+ Category& m_log;
+ };
#endif
#ifdef WIN32
@@ -400,6 +422,7 @@ bool XMLToolingInternalConfig::init(bool deprecationSupport)
XSECPlatformUtils::Initialise();
XSECPlatformUtils::SetReferenceLoggingSink(TXFMOutputLogFactory);
m_xsecProvider.reset(new XSECProvider());
+ m_xsecProvider->setDefaultURIResolver(new BlockingXSECURIResolver());
log.debug("XML-Security %s initialization complete", XSEC_FULLVERSIONDOT);
#endif
|
