XML tooling exception - malformed url
Cantor, Scott
cantor.2 at osu.edu
Fri Jan 13 19:32:09 GMT 2012
On 1/13/12 2:18 PM, "sanjay joshi" <sanjayk.joshi at live.com> wrote:
>There are two other SPs in the same setup (version 3.1); wondering why they
>are not throwing this exception, since the IdP more or less would be sending
>RelayState to them as well.

There is no Shibboleth version 3.1. If you mean 2.3.1, there were bugs
involving URL sanitization before 2.4, and I would expect that the SP
would have attempted a redirect to a nonsensical URL and the browser would
just hang there or error out. It's possible it might have silently done
something else, but 2.3 is no longer supported and is vulnerable to major
security issues, so logout is the least of their problems. If you mean
something other than Shibboleth, it's not something I have any insight
into.

But the IdP does have a bug, and the axiom about being liberal in what you
accept really doesn't apply to security software. Allowing invalid input
is something that should only be done consciously with a full analysis of
the impact, not as a general principle. I'd rather have it break
(correctly) and then decide to relax the behavior because I think it's
workable than miss a problem up front by being sloppy about the spec.

-- Scott