caddy-security v1.1.17 does not compile #196
@assistcontrol, try doing

@assistcontrol, if you are building your own custom binary, add the following to line 154 in 4dd61ac

Agreed, that does let caddy-security build on its own. I should have mentioned originally that I'm doing

@assistcontrol, try passing the substitution/replace using xcaddy --with.

Wow, I never realized xcaddy could do that. Thanks!

@assistcontrol, please post your final build command 😃

Works for me, and it's nicely future-proofed because the version is specified: if you update the dep in caddy-security, it won't drag old stuff in.

Working with @crewjam to address this here: crewjam/saml#478

Just highlighting that, as it stands, the fix causes a security-related test to fail, which is why it has stalled. I haven't looked at the fork, but I'd urge a little bit of caution here.

@crewjam Not having dug into the code too much and not being an expert on XML canonicalization, from what I can see, passing "false" to the canonicalization method means comments won't be considered for canonicalization. At first I thought "how could that possibly be a problem?" But it looks like maybe it could be: https://workos.com/blog/fun-with-saml-sso-vulnerabilities-and-footguns, depending on the ordering of the canonicalization vs. signature verification steps. I know SAML pretty well but not your library; if you want to discuss further, let me know.
v1.1.17 doesn't build, as per greenpau/caddy-security#196

I know that you've forked crewjam/saml into origin_crewjam_saml, but the schema fix is in a branch that isn't used by caddy-security. As a result, I believe that v1.1.17 can't build.

Given that the bug for the schema error has been sitting for months in @crewjam's repo and caddy-security's build is currently broken, what's your plan? Will caddy-security just not build temporarily until the upstream PR gets merged, or do you intend to merge your schema fix to your fork's main and use that?