I am using xrootd 4.6.1 with xrdhttpvoms 0.2.4 from EPEL on a CentOS 7 system.

Not setting http.secretkey but "using" it (by activating http.selfhttps2http and/or desthttps no) will not cause a startup failure or error message, but lead to creation of random tokens, potentially including non-ASCII characters.
This breaks on the client side, since the redirection URI cannot be accessed.
Also, that is probably use of uninitialized memory - might be exploitable?



Not setting http.secretkey yields to undefined behaviour (#567): https://github.com/xrootd/xrootd/issues/567
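A configuration check for the condition this report describes, added here as an example and not part of the original report or of the xrootd code base: it flags a config that sets `http.selfhttps2http yes` or `http.desthttps no` without a non-empty `http.secretkey`. The function names and sample configs are constructed; it assumes one directive per line and models neither `if`/`fi` blocks nor built-in defaults.

```python
# Settings that, per the report, make XrdHttp use http.secretkey.
KEY_USERS = {"http.selfhttps2http": "yes", "http.desthttps": "no"}


def parse_http_directives(text):
    """Return {directive: (value, line_number)} for http.* lines; last one wins."""
    found = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):      # blank line or comment
            continue
        parts = line.split(None, 1)               # directive, then the rest
        name = parts[0].lower()
        if name.startswith("http."):
            found[name] = (parts[1].strip() if len(parts) > 1 else "", lineno)
    return found


def check_secretkey(text):
    """List the key-using settings that are active while no secret key is set."""
    directives = parse_http_directives(text)
    if directives.get("http.secretkey", ("", 0))[0]:
        return []                                 # a non-empty key is configured
    findings = []
    for name, trigger in KEY_USERS.items():
        value, lineno = directives.get(name, ("", 0))
        if value.lower() == trigger:
            findings.append(
                f"line {lineno}: '{name} {value}' uses http.secretkey, which is not set"
            )
    return findings


# Constructed sample configs (not taken from the report).
BAD_CONFIG = """\
# constructed sample: key-using options on, no http.secretkey
http.selfhttps2http yes
http.desthttps no
"""
GOOD_CONFIG = BAD_CONFIG + "http.secretkey CONSTRUCTED-PLACEHOLDER-KEY\n"

if __name__ == "__main__":
    for label, cfg in (("bad", BAD_CONFIG), ("good", GOOD_CONFIG)):
        print(label, check_secretkey(cfg) or "ok")
```

Running such a check before starting the daemon gives the startup failure the report says is missing.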
