Not setting http.secretkey yields undefined behaviour

[olifre]

I am using xrootd 4.6.1 with xrdhttpvoms 0.2.4 from EPEL on a CentOS 7 system.

Not setting http.secretkey but "using" it (by activating http.selfhttps2http and / or desthttps no) will not cause a startup failure or error message, but lead to creation of random tokens, potentially including non-ASCII characters.
This breaks on the client side, since the redirection URI can not be accessed.
Also, that is probably use of unintialized memory - might be exploitable?

[ffurano]

Hi,
I was sure I had answered, obviously I was wrong. Sorry for the delay then.

I'd say that you spotted a minor bug, that allows to define a configuration that basically rejects all the clients by distributing broken signatures to them. A sysadmin would immediately understand that his system is totally broken, so I believe that the exploitability of such a wrong combination is insignificant. Moreover the bug does not prevent any kind of correct usage/config of the framework.

I will fix it in the next week or so

[ffurano]

#579 should fix this

[abh3]

Merged fix.