[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: problem when mod_auth_saml processing the defaultqs

"=?gb18030?B?x/HDr7uq?=" <qmh524@xxxxxx> said:
> Hi, all
> I want to dismiss Idp select page using DEFAULTQS in mod_auth_saml with DEFAULTQS=l0http://xxxx.org=1
> but the zxid_parse_cgi will change the cf->defaultqs' value, which cause Idp select page can't be dismiss at second time
> is this a bug?

Seems to be.

> I change the mod_auth_saml.c:452 from
> zxid_parse_cgi(cf, &cgi, cf->defaultqs);
> to
> zxid_parse_cgi(cf, &cgi, apr_pstrdup(r->pool, cf->defaultqs));
> this will fix the issue

Basically zxid_parse_cgi() will modify the string in place (add null
terminations where & appears) and take references to the string.
Thus if same cf->defaultqs is used second time, it will already
have nul terminations in it, producing the bug.

Your fix seems correct, assuming that the lifetime of the cgi
object is less than the allocation pool. On first thought this
would seem to be the correct assumption.

Thank you for the patch (which was not against the latest
version, and no version was mentioned, but I found the spot anyway :-).

Will be in next release.