Protect against CR characters in metadata.

CR characters in metadata (which can only appear as the result of a character reference) can trigger the SSPCPP-684 bug in the Shibboleth SP. So, prevent them from appearing.
InCommon · Apr 15, 2016 · e5435a3 · e5435a3
1 parent 56ea82d
commit e5435a3
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 0 deletions.
diff --git a/mdx/common-beans.xml b/mdx/common-beans.xml
@@ -301,6 +301,9 @@
 
     <!-- *** Parent beans for ukf-mda. *** -->
 
+    <bean id="CRDetectionStage" abstract="true" parent="stage_parent"
+        class="uk.org.ukfederation.mda.dom.CRDetectionStage"/>
+
     <bean id="EntityAttributeAddingStage" abstract="true" parent="stage_parent"
         class="uk.org.ukfederation.mda.dom.saml.mdattr.EntityAttributeAddingStage"/>
 

diff --git a/mdx/validation-beans.xml b/mdx/validation-beans.xml
@@ -323,6 +323,14 @@
         *********************
     -->
 
+    <!--
+        check_cr
+        
+        Check for the presence of CR characters in text content or attribute values.
+        This protects against SSPCPP-684 in the Shibboleth SP.
+    -->
+    <bean id="check_cr" parent="CRDetectionStage"/>
+
     <!--
         check_misc
     -->
@@ -563,6 +571,7 @@
                 <ref bean="check_adfs"/>
                 <ref bean="check_algsupport"/>
                 <ref bean="check_bindings"/>
+                <ref bean="check_cr"/>
                 <ref bean="check_hoksso"/>
                 <ref bean="check_idpdisc"/>
                 <ref bean="check_incmd"/>

diff --git a/tools/ukf-mda/ukf-mda-0.9.0.jar → tools/ukf-mda/ukf-mda-0.9.1.jar b/tools/ukf-mda/ukf-mda-0.9.0.jar → tools/ukf-mda/ukf-mda-0.9.1.jar