Documentation On shib-attr allowed regex?
wferi at niif.hu
Tue Aug 7 11:20:52 EDT 2018
"Bryan K. Walton" <bwalton+1533146256 at leepfrog.com> writes:
> On Wed, Aug 01, 2018 at 06:08:28PM -0400, Tom Scavo wrote:
>>> On 08/01/2018 11:22 AM, Bryan K. Walton wrote:
>>>> We setup our shib-attr strings like this:
>>>> Require shib-attr carleton-ca-role ~ ^.*FNQM_ADMIN_CASUAL.*$
>>>> Require shib-attr carleton-ca-role ~ ^.*FNQM_ADMIN_CONTINUING.*$
>>>> Require shib-attr carleton-ca-role ~ ^.*FNQM_ACAD_CONTINUING.*$
>>>> Require shib-attr carleton-ca-role ~ ^.*FNQM_CEJT.*$
>> Try this instead:
>> Require shib-attr carleton-ca-role ~
> Your suggestion of combing the regex into 1 regex seems to have resolved
> the issue.
Looks like your original regexes weren't complicated enough..:)
Seriously, such unexplained success makes me nervous, especially in
security software. Shouldn't the two approaches behave the same? Who
else might get access now? (BTW neither checks the boundaries, which is
a common flaw.)
Looks like the regex engine in Xerces-C is totally undocumented. Scott,
wouldn't it make sense to use a documented regex library instead?
More information about the users