import mod_auth_mellon-0.14.0-3.el8_0.2
This commit is contained in:
parent
b344d0ece5
commit
525e98697a
@ -0,0 +1,80 @@
|
|||||||
|
From e09a28a30e13e5c22b481010f26b4a7743a09280 Mon Sep 17 00:00:00 2001
|
||||||
|
From: John Dennis <jdennis@redhat.com>
|
||||||
|
Date: Tue, 5 Mar 2019 10:15:48 +0100
|
||||||
|
Subject: [PATCH] Modify am_handler setup to run before mod_proxy
|
||||||
|
|
||||||
|
The way the ECP flow works is that when a client initiates the flow, the
|
||||||
|
SP's response is HTTP 200, but not the requested content, but a signed XML
|
||||||
|
document that contains the "samlp:AuthnRequest" element. The idea is that
|
||||||
|
the ECP client would then determine the IDP and send the document to the
|
||||||
|
IDP, get a samlp:Response and convey that to the SP to get access to the
|
||||||
|
protected resource.
|
||||||
|
|
||||||
|
Internally, the auth check which is normally done with am_check_uid() set to
|
||||||
|
apache's ap_hook_check_user_id() hook, just responds with OK, so it pretends
|
||||||
|
to authenticate the user. Then in the usual flow, the request reaches the
|
||||||
|
ap_hook_handler which handles the request. There in the pipeline, mellon
|
||||||
|
registers functions am_handler() which should run first (APR_HOOK_FIRST),
|
||||||
|
determine that this request is an ECP one and return the ECP AuthnRequest
|
||||||
|
document. But in case the proxy module is also in the picture, the proxy
|
||||||
|
module "races" for who gets to be the first to handle the request in the
|
||||||
|
pipeline and wins. Therefore, the request reaches the protected resource
|
||||||
|
via mod_proxy and returns it.
|
||||||
|
|
||||||
|
This fix modifies the ap_hook_handler() call to explicitly run before
|
||||||
|
handlers from mod_proxy.c
|
||||||
|
|
||||||
|
To reproduce the bug:
|
||||||
|
0) Have a SP with mellon connected to a Keycloak IDP (or any other IDP I
|
||||||
|
guess). In the example below, my SAML SP is saml.federation.test
|
||||||
|
1) Set a Location protected by mellon that proxies requests to another
|
||||||
|
URL. For example:
|
||||||
|
|
||||||
|
ProxyPass /sp-proxy http://app.federation.test/example_app/
|
||||||
|
<Location /sp-proxy>
|
||||||
|
AuthType Mellon
|
||||||
|
MellonEnable auth
|
||||||
|
Require valid-user
|
||||||
|
</Location>
|
||||||
|
|
||||||
|
2) call:
|
||||||
|
curl -L -H "Accept: application/vnd.paos+xml" \
|
||||||
|
-H 'PAOS: ver="urn:liberty:paos:2003-08";"urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"' \
|
||||||
|
http://saml.federation.test/sp-proxy
|
||||||
|
|
||||||
|
Before the patch, you would see whatever is served from the proxied
|
||||||
|
page. With the patch, you should get back a XML document with a
|
||||||
|
samlp:AuthnRequest.
|
||||||
|
---
|
||||||
|
mod_auth_mellon.c | 8 +++++++-
|
||||||
|
1 file changed, 7 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/mod_auth_mellon.c b/mod_auth_mellon.c
|
||||||
|
index 74bd328..5330f48 100644
|
||||||
|
--- a/mod_auth_mellon.c
|
||||||
|
+++ b/mod_auth_mellon.c
|
||||||
|
@@ -207,6 +207,12 @@ static int am_create_request(request_rec *r)
|
||||||
|
|
||||||
|
static void register_hooks(apr_pool_t *p)
|
||||||
|
{
|
||||||
|
+ /* Our handler needs to run before mod_proxy so that it can properly
|
||||||
|
+ * return ECP AuthnRequest messages when running as a reverse proxy.
|
||||||
|
+ * See: https://github.com/Uninett/mod_auth_mellon/pull/196
|
||||||
|
+ */
|
||||||
|
+ static const char * const run_handler_before[]={ "mod_proxy.c", NULL };
|
||||||
|
+
|
||||||
|
ap_hook_access_checker(am_auth_mellon_user, NULL, NULL, APR_HOOK_MIDDLE);
|
||||||
|
ap_hook_check_user_id(am_check_uid, NULL, NULL, APR_HOOK_MIDDLE);
|
||||||
|
ap_hook_post_config(am_global_init, NULL, NULL, APR_HOOK_MIDDLE);
|
||||||
|
@@ -222,7 +228,7 @@ static void register_hooks(apr_pool_t *p)
|
||||||
|
* Therefore this hook must run before any handler that may check
|
||||||
|
* r->handler and decide that it is the only handler for this URL.
|
||||||
|
*/
|
||||||
|
- ap_hook_handler(am_handler, NULL, NULL, APR_HOOK_FIRST);
|
||||||
|
+ ap_hook_handler(am_handler, NULL, run_handler_before, APR_HOOK_FIRST);
|
||||||
|
|
||||||
|
#ifdef ENABLE_DIAGNOSTICS
|
||||||
|
ap_hook_open_logs(am_diag_log_init,NULL,NULL,APR_HOOK_MIDDLE);
|
||||||
|
--
|
||||||
|
2.19.2
|
||||||
|
|
@ -1,7 +1,7 @@
|
|||||||
Summary: A SAML 2.0 authentication module for the Apache Httpd Server
|
Summary: A SAML 2.0 authentication module for the Apache Httpd Server
|
||||||
Name: mod_auth_mellon
|
Name: mod_auth_mellon
|
||||||
Version: 0.14.0
|
Version: 0.14.0
|
||||||
Release: 3%{?dist}
|
Release: 3%{?dist}.2
|
||||||
Group: System Environment/Daemons
|
Group: System Environment/Daemons
|
||||||
Source0: https://github.com/UNINETT/mod_auth_mellon/releases/download/v%{version}/%{name}-%{version}.tar.gz
|
Source0: https://github.com/UNINETT/mod_auth_mellon/releases/download/v%{version}/%{name}-%{version}.tar.gz
|
||||||
Source1: auth_mellon.conf
|
Source1: auth_mellon.conf
|
||||||
@ -22,6 +22,8 @@ Requires: httpd-mmn = %{_httpd_mmn}
|
|||||||
Requires: lasso >= 2.5.1
|
Requires: lasso >= 2.5.1
|
||||||
Url: https://github.com/UNINETT/mod_auth_mellon
|
Url: https://github.com/UNINETT/mod_auth_mellon
|
||||||
|
|
||||||
|
Patch0001: 0001-Modify-am_handler-setup-to-run-before-mod_proxy.patch
|
||||||
|
|
||||||
# FIXME: RHEL-7 does not have rubygem-asciidoctor, only asciidoc. However,
|
# FIXME: RHEL-7 does not have rubygem-asciidoctor, only asciidoc. However,
|
||||||
# I could not get asciidoc to render properly so instead I generated
|
# I could not get asciidoc to render properly so instead I generated
|
||||||
# mellon_user_guide.html on Fedora using asciidoctor and included
|
# mellon_user_guide.html on Fedora using asciidoctor and included
|
||||||
@ -35,6 +37,7 @@ received in assertions generated by a IdP server.
|
|||||||
|
|
||||||
%prep
|
%prep
|
||||||
%setup -q -n %{name}-%{version}
|
%setup -q -n %{name}-%{version}
|
||||||
|
%patch1 -p1
|
||||||
|
|
||||||
%build
|
%build
|
||||||
export APXS=%{_httpd_apxs}
|
export APXS=%{_httpd_apxs}
|
||||||
@ -105,6 +108,10 @@ in the doc directory for instructions on using the diagnostics build.
|
|||||||
%dir /run/%{name}/
|
%dir /run/%{name}/
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Apr 16 2019 Jakub Hrozek <jhrozek@redhat.com> - 0.14.0-3.2
|
||||||
|
- Resolves: rhbz#1696197 - CVE-2019-3878 mod_auth_mellon: authentication
|
||||||
|
bypass in ECP flow [rhel-8.0.0.z]
|
||||||
|
|
||||||
* Mon Jul 30 2018 Florian Weimer <fweimer@redhat.com> - 0.14.0-3
|
* Mon Jul 30 2018 Florian Weimer <fweimer@redhat.com> - 0.14.0-3
|
||||||
- Rebuild with fixed binutils
|
- Rebuild with fixed binutils
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user