Shibboleth SP Server variables in IIS
Cantor, Scott
cantor.2 at osu.edu
Thu Apr 23 14:07:13 EDT 2020
On 4/23/20, 12:58 PM, "users on behalf of user1630508" <users-bounces at shibboleth.net on behalf of pgrandsard at pagepath.com> wrote:
> This appears broken in ASP/IIS. I have always used Request.ServerVariables
> which are secure and not available to HTTP clients.
Prior to V3 there was never any Shibboleth support for server variables because IIS' ISAPI filter API literally didn't allow for it. So by definition you haven’t "always" used them unless you weren't using Shibboleth.
Since V3, it has apparently been the case that there appears to be no way for the new API to set them for ASP Classic. Since nobody has managed to figure out the bug, if it exists, it's simply not working and therefore works exactly the same way it did in V2 with ASP Classic. So again, no change.
Both headers and server variables work properly now with ASP.NET.
In no case does any routine exposure exist because of the header protection code in the SP. The risk is theoretical that unfixed exploits in the protection mechanism exist, as well as people doing things like exposing the random key used to prevent the smuggling by doing what any piece of CGI 101 documentation says not to do, dumping every header to users.
-- Scott