import mod_auth_mellon-0.14.0-3.el8_0.2

This commit is contained in:
CentOS Sources 2019-05-07 15:24:22 -04:00 committed by Andrew Lukoshko
parent b344d0ece5
commit 525e98697a
2 changed files with 88 additions and 1 deletions

View File

@ -0,0 +1,80 @@
From e09a28a30e13e5c22b481010f26b4a7743a09280 Mon Sep 17 00:00:00 2001
From: John Dennis <jdennis@redhat.com>
Date: Tue, 5 Mar 2019 10:15:48 +0100
Subject: [PATCH] Modify am_handler setup to run before mod_proxy
The way the ECP flow works is that when a client initiates the flow, the
SP's response is HTTP 200, but not the requested content, but a signed XML
document that contains the "samlp:AuthnRequest" element. The idea is that
the ECP client would then determine the IDP and send the document to the
IDP, get a samlp:Response and convey that to the SP to get access to the
protected resource.
Internally, the auth check which is normally done with am_check_uid() set to
apache's ap_hook_check_user_id() hook, just responds with OK, so it pretends
to authenticate the user. Then in the usual flow, the request reaches the
ap_hook_handler which handles the request. There in the pipeline, mellon
registers functions am_handler() which should run first (APR_HOOK_FIRST),
determine that this request is an ECP one and return the ECP AuthnRequest
document. But in case the proxy module is also in the picture, the proxy
module "races" for who gets to be the first to handle the request in the
pipeline and wins. Therefore, the request reaches the protected resource
via mod_proxy and returns it.
This fix modifies the ap_hook_handler() call to explicitly run before
handlers from mod_proxy.c
To reproduce the bug:
0) Have a SP with mellon connected to a Keycloak IDP (or any other IDP I
guess). In the example below, my SAML SP is saml.federation.test
1) Set a Location protected by mellon that proxies requests to another
URL. For example:
ProxyPass /sp-proxy http://app.federation.test/example_app/
<Location /sp-proxy>
AuthType Mellon
MellonEnable auth
Require valid-user
</Location>
2) call:
curl -L -H "Accept: application/vnd.paos+xml" \
-H 'PAOS: ver="urn:liberty:paos:2003-08";"urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"' \
http://saml.federation.test/sp-proxy
Before the patch, you would see whatever is served from the proxied
page. With the patch, you should get back a XML document with a
samlp:AuthnRequest.
---
mod_auth_mellon.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/mod_auth_mellon.c b/mod_auth_mellon.c
index 74bd328..5330f48 100644
--- a/mod_auth_mellon.c
+++ b/mod_auth_mellon.c
@@ -207,6 +207,12 @@ static int am_create_request(request_rec *r)
static void register_hooks(apr_pool_t *p)
{
+ /* Our handler needs to run before mod_proxy so that it can properly
+ * return ECP AuthnRequest messages when running as a reverse proxy.
+ * See: https://github.com/Uninett/mod_auth_mellon/pull/196
+ */
+ static const char * const run_handler_before[]={ "mod_proxy.c", NULL };
+
ap_hook_access_checker(am_auth_mellon_user, NULL, NULL, APR_HOOK_MIDDLE);
ap_hook_check_user_id(am_check_uid, NULL, NULL, APR_HOOK_MIDDLE);
ap_hook_post_config(am_global_init, NULL, NULL, APR_HOOK_MIDDLE);
@@ -222,7 +228,7 @@ static void register_hooks(apr_pool_t *p)
* Therefore this hook must run before any handler that may check
* r->handler and decide that it is the only handler for this URL.
*/
- ap_hook_handler(am_handler, NULL, NULL, APR_HOOK_FIRST);
+ ap_hook_handler(am_handler, NULL, run_handler_before, APR_HOOK_FIRST);
#ifdef ENABLE_DIAGNOSTICS
ap_hook_open_logs(am_diag_log_init,NULL,NULL,APR_HOOK_MIDDLE);
--
2.19.2

View File

@ -1,7 +1,7 @@
Summary: A SAML 2.0 authentication module for the Apache Httpd Server Summary: A SAML 2.0 authentication module for the Apache Httpd Server
Name: mod_auth_mellon Name: mod_auth_mellon
Version: 0.14.0 Version: 0.14.0
Release: 3%{?dist} Release: 3%{?dist}.2
Group: System Environment/Daemons Group: System Environment/Daemons
Source0: https://github.com/UNINETT/mod_auth_mellon/releases/download/v%{version}/%{name}-%{version}.tar.gz Source0: https://github.com/UNINETT/mod_auth_mellon/releases/download/v%{version}/%{name}-%{version}.tar.gz
Source1: auth_mellon.conf Source1: auth_mellon.conf
@ -22,6 +22,8 @@ Requires: httpd-mmn = %{_httpd_mmn}
Requires: lasso >= 2.5.1 Requires: lasso >= 2.5.1
Url: https://github.com/UNINETT/mod_auth_mellon Url: https://github.com/UNINETT/mod_auth_mellon
Patch0001: 0001-Modify-am_handler-setup-to-run-before-mod_proxy.patch
# FIXME: RHEL-7 does not have rubygem-asciidoctor, only asciidoc. However, # FIXME: RHEL-7 does not have rubygem-asciidoctor, only asciidoc. However,
# I could not get asciidoc to render properly so instead I generated # I could not get asciidoc to render properly so instead I generated
# mellon_user_guide.html on Fedora using asciidoctor and included # mellon_user_guide.html on Fedora using asciidoctor and included
@ -35,6 +37,7 @@ received in assertions generated by a IdP server.
%prep %prep
%setup -q -n %{name}-%{version} %setup -q -n %{name}-%{version}
%patch1 -p1
%build %build
export APXS=%{_httpd_apxs} export APXS=%{_httpd_apxs}
@ -105,6 +108,10 @@ in the doc directory for instructions on using the diagnostics build.
%dir /run/%{name}/ %dir /run/%{name}/
%changelog %changelog
* Tue Apr 16 2019 Jakub Hrozek <jhrozek@redhat.com> - 0.14.0-3.2
- Resolves: rhbz#1696197 - CVE-2019-3878 mod_auth_mellon: authentication
bypass in ECP flow [rhel-8.0.0.z]
* Mon Jul 30 2018 Florian Weimer <fweimer@redhat.com> - 0.14.0-3 * Mon Jul 30 2018 Florian Weimer <fweimer@redhat.com> - 0.14.0-3
- Rebuild with fixed binutils - Rebuild with fixed binutils