This project is read-only.

Updates from OIOSAML


I've attached a zip file that contains a port of the changes that were in OIOSAML.NET 1.7.9 to set the XMLResolver to NULL to prevent XML injection.
There is also a small change in the test app.config file to allow an additional test to be run when not building in the folder C:\Projects\SAML\Saml2



i8beef wrote Sep 1, 2016 at 12:19 AM

I've looked at applying your changes, and while I basically understand where it's going, because it affects so many files, I'm not sure how it affects XML serialization when you ARE using namespaces, and because I don't have anywhere to test it, I have it in a separate branch, and it needs testing before I merge it.

I've moved this project to, and if we can get someone to test the 6-OIOSAML-1.7.9-XmlResolver-Changes branch, and ensure that this doesn't play havoc with any of the namespace serializations with documents generated herein, then I will merge it. I know this was an upstream change, so it's probably safe as we haven't diverged THAT much, but I'd still rather be safe than sorry on this one.

GitHub ticket would be a better place to continue this conversation
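
The following is an added example, not code from the attached zip, from OIOSAML.NET, or from this project. It sketches one way to check the concern raised in the thread: load a namespaced document with `XmlResolver` set to null and confirm the prefix and namespace survive a round trip. The class name `ResolverCheck`, the sample XML, and the use of `DtdProcessing.Prohibit` are assumptions that go beyond what the post describes.

```csharp
using System;
using System.IO;
using System.Xml;

static class ResolverCheck // hypothetical name, for illustration only
{
    // Constructed sample: a minimal namespaced SAML 2.0 element, not a real assertion.
    const string Sample =
        "<saml:Assertion xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"_constructed\">" +
        "<saml:Issuer>https://idp.example.test</saml:Issuer></saml:Assertion>";

    // Constructed sample: the same document preceded by a DOCTYPE that declares
    // an external entity pointing at a placeholder host.
    const string WithDtd =
        "<!DOCTYPE a [<!ENTITY ext SYSTEM \"http://resolver.example.test/x\">]>" + Sample;

    static XmlDocument Load(string xml)
    {
        var settings = new XmlReaderSettings
        {
            XmlResolver = null,                    // reader never fetches external resources
            DtdProcessing = DtdProcessing.Prohibit // assumption: reject any DOCTYPE outright
        };
        // The change described in the post: no resolver on the document itself.
        var doc = new XmlDocument { XmlResolver = null, PreserveWhitespace = true };
        using (var reader = XmlReader.Create(new StringReader(xml), settings))
            doc.Load(reader);
        return doc;
    }

    static void Main()
    {
        // 1. Namespaces: prefix and URI must be intact after loading without a resolver.
        var doc = Load(Sample);
        var root = doc.DocumentElement;
        Console.WriteLine(root.Prefix + " -> " + root.NamespaceURI);
        Console.WriteLine(doc.OuterXml == Sample ? "round-trip identical" : "round-trip CHANGED");

        // 2. DTDs: a document carrying a DOCTYPE is refused before any entity is touched.
        try { Load(WithDtd); Console.WriteLine("DTD accepted (unexpected)"); }
        catch (XmlException e) { Console.WriteLine("DTD rejected: " + e.Message); }
    }
}
```

Running the same round-trip comparison over real signed messages from the library's test suite is the stronger check, since signature validation fails on any change to the serialized namespaces.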