Updates from OIOSAML

description

I've attached a zip file that contains a port of the changes that were in OIOSAML.NET 1.7.9 to set the XMLResolver to NULL to prevent XML injection.
There is also a small change in the test app.config file to allow an additional test to be run when not building in the folder C:\Projects\SAML\Saml2.

comments

i8beef wrote Sep 1, 2016 at 12:19 AM

I've looked at applying your changes, and while I basically understand where it's going, because it affects so many files, I'm not sure how it affects XML serialization when you ARE using namespaces, and because I don't have anywhere to test it, I have it in a separate branch, and it needs testing before I merge it.

I've moved this project to https://github.com/i8beef/SAML2, and if we can get someone to test the 6-OIOSAML-1.7.9-XmlResolver-Changes branch, and ensure that this doesn't play havoc with any of the namespace serializations with documents generated herein, then I will merge it. I know this was an upstream change, so it's probably safe as we haven't diverged THAT much, but I'd still rather be safe than sorry on this one.

GitHub ticket https://github.com/i8beef/SAML2/issues/6 would be a better place to continue this conversation.
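
An added example, not code from the attached zip, SAML2 or OIOSAML.NET, of the kind of check the thread asks for: it loads a namespaced SAML-style fragment with `XmlResolver` set to null and compares the serialized output with the input, then shows how the same loader treats a document carrying a DOCTYPE. The class and method names and both sample documents are constructed for illustration, and `DtdProcessing.Prohibit` (.NET 4.0 or later) is an assumption that goes beyond the change described in the issue.

```csharp
using System;
using System.IO;
using System.Xml;

// Added example; names and sample documents are constructed, not project code.
static class ResolverCheck
{
    // Constructed sample: a namespaced SAML-style fragment with no DTD.
    const string Sample =
        "<saml:Assertion xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"_a1\">" +
        "<saml:Issuer>https://idp.example.test</saml:Issuer></saml:Assertion>";

    // Constructed sample: the same fragment preceded by a DOCTYPE with an internal entity.
    const string WithDtd = "<!DOCTYPE a [<!ENTITY e \"x\">]>" + Sample;

    static XmlDocument LoadHardened(string xml)
    {
        var settings = new XmlReaderSettings
        {
            XmlResolver = null,                     // reader resolves no external resources
            DtdProcessing = DtdProcessing.Prohibit  // assumption: reject any DOCTYPE outright
        };
        // The document's own resolver is also cleared, as in the change described above.
        var doc = new XmlDocument { XmlResolver = null, PreserveWhitespace = true };
        using (var reader = XmlReader.Create(new StringReader(xml), settings))
        {
            doc.Load(reader);
        }
        return doc;
    }

    static void Main()
    {
        // Namespace check: the prefix binding and serialized form should survive the load.
        XmlDocument doc = LoadHardened(Sample);
        Console.WriteLine("Root namespace: " + doc.DocumentElement.NamespaceURI);
        Console.WriteLine("Round trip identical: " + (doc.OuterXml == Sample));

        // DTD check: report whether the hardened loader accepts or rejects a DOCTYPE.
        try
        {
            LoadHardened(WithDtd);
            Console.WriteLine("DOCTYPE accepted");
        }
        catch (XmlException ex)
        {
            Console.WriteLine("DOCTYPE rejected: " + ex.Message);
        }
    }
}
```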