You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I am using xrootd 4.6.1 with xrdhttpvoms 0.2.4 from EPEL on a CentOS 7 system.
Not setting http.secretkey but "using" it (by activating http.selfhttps2http and / or desthttps no) will not cause a startup failure or error message, but lead to creation of random tokens, potentially including non-ASCII characters.
This breaks on the client side, since the redirection URI can not be accessed.
Also, that is probably use of unintialized memory - might be exploitable?
The text was updated successfully, but these errors were encountered:
olifre
changed the title
Not setting http.secretkey yields to undefined behaviour
Not setting http.secretkey yields undefined behaviour
Aug 18, 2017
Hi,
I was sure I had answered, obviously I was wrong. Sorry for the delay then.
I'd say that you spotted a minor bug, that allows to define a configuration that basically rejects all the clients by distributing broken signatures to them. A sysadmin would immediately understand that his system is totally broken, so I believe that the exploitability of such a wrong combination is insignificant. Moreover the bug does not prevent any kind of correct usage/config of the framework.
I am using xrootd 4.6.1 with xrdhttpvoms 0.2.4 from EPEL on a CentOS 7 system.
Not setting
http.secretkey
but "using" it (by activatinghttp.selfhttps2http
and / ordesthttps no
) will not cause a startup failure or error message, but lead to creation of random tokens, potentially including non-ASCII characters.This breaks on the client side, since the redirection URI can not be accessed.
Also, that is probably use of unintialized memory - might be exploitable?
The text was updated successfully, but these errors were encountered: