~fkooman

Berlin

https://www.tuxed.net/

~fkooman/php-saml-sp

Last active 9 months ago

~fkooman/eduvpn-devel

Last active 2 years ago

~fkooman/eduvpn-announce

Last active 2 years ago

Recent activity

Security Update (CVE-2023-26267) 9 months ago

From François Kooman to ~fkooman/php-saml-sp

Hi all,

Recently we released a security update for php-saml-sp, this applies to 
both 1.x and 2.x.

CVE-2023-26267
https://www.cve.org/CVERecord?id=CVE-2023-26267

Make sure you update to at least 2.1.1 (for 2.x) or 1.1.1 (for 1.x) and 
you are good.

Regards,
François

Re: [PATCH] add option to disable Signature on AuthnRequest 1 year, 15 days ago

From François Kooman to ~fkooman/php-saml-sp

On 09.11.22 21:42, Peter Brand wrote:
> Signing AuthnRequests is only useful if there's information included in the
> AuthnRequest that must not be tampered with, e.g. to prevent someone from
> sending an alternative AuthnRequest that's missing a required
> AuthnContextClassRef or has disabled ForceAuthn when that's required.

You are correct. However, providing a toggle to admins increases the 
risk they'll shoot themselves in the foot in a possible future where ACR 
or "ForceAuthn" is enabled and they forget to (re)enable signatures.

Also having signatures always enabled makes it less likely the IdP will 
stop working when signatures are (all of a sudden) enabled.

> While it not always being useful may still be good enough to always keep signing,

Show all refs on /refs for Debian watch file 1 year, 4 months ago

From François Kooman to ~sircmpwn/sr.ht-discuss

Hi!

For my Debian packages I point `debian/watch` file to the "refs" page in 
order to download sources (attached artifacts).

However, the "/refs" page is using pagination which is an issue for 
older tags that are no longer "in view".

My current `debian/watch` file:

## cut ##
version=4
opts="pgpmode=auto,downloadurlmangle=s%/~fkooman/@PACKAGE@/archive/@ANY_VERSION@@ARCHIVE_EXT@%/~fkooman/@PACKAGE@/refs/download/$1/@PACKAGE@-$1.tar.xz%" \

Re: [PATCH meta.sr.ht] URL encode TOTP QR code URI 5 years ago

From François Kooman to ~sircmpwn/sr.ht-dev

On 07/25/2018 12:26 AM, Drew DeVault wrote:
> Thanks for the patch! I've applied it and will be deploying it shortly.

Thanks so much! It works now!

Cheers,
François

[PATCH meta.sr.ht] URL encode TOTP QR code URI 5 years ago

From François Kooman to ~sircmpwn/sr.ht-dev

For QR code readers built in to TOTP applications like FreeOTP, the
"label" needs to be URL encoded [0].

FreeOTP for iOS was unable to import the TOTP QR code generated by
meta.sr.ht.

This is a fix for [1].

[0] https://github.com/google/google-authenticator/wiki/Key-Uri-Format
[1] https://todo.sr.ht/%7Esircmpwn/meta.sr.ht/47
---
 metasrht/blueprints/security.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
[message trimmed]