import mod_auth_mellon-0.14.0-12.el8

This commit is contained in:
CentOS Sources 2021-03-30 09:08:56 -04:00 committed by Stepan Oksanichenko
parent 97123bd6fd
commit 72335c35b7
4 changed files with 253 additions and 1 deletions

View File

@ -0,0 +1,95 @@
From fb5ad7bf997946df4472cb94d7875ee70281d59c Mon Sep 17 00:00:00 2001
From: Anthony Critelli <acritelli@datto.com>
Date: Tue, 7 Jan 2020 11:14:24 -0500
Subject: [PATCH] Add none option for samesite
---
README.md | 7 +++++--
auth_mellon.h | 3 ++-
auth_mellon_config.c | 2 ++
auth_mellon_cookie.c | 4 +++-
auth_mellon_diagnostics.c | 1 +
5 files changed, 13 insertions(+), 4 deletions(-)
diff --git a/README.md b/README.md
index be374bc..82a88fc 100644
--- a/README.md
+++ b/README.md
@@ -218,8 +218,11 @@ MellonDiagnosticsEnable Off
# MellonCookieSameSite allows control over the SameSite value used
# for the authentication cookie.
- # The setting accepts values of "Strict" or "Lax"
- # If not set, the SameSite attribute is not set on the cookie.
+ # The setting accepts values of "Strict", "Lax", or "None".
+ # When using none, you should set "MellonSecureCookie On" to prevent
+ # compatibility issues with newer browsers.
+ # If not set, the SameSite attribute is not set on the cookie. In newer
+ # browsers, this may cause SameSite to default to "Lax"
# Default: not set
# MellonCookieSameSite lax
diff --git a/auth_mellon.h b/auth_mellon.h
index 9ef2d8a..5f5a20b 100644
--- a/auth_mellon.h
+++ b/auth_mellon.h
@@ -164,7 +164,8 @@ typedef enum {
typedef enum {
am_samesite_default,
am_samesite_lax,
- am_samesite_strict
+ am_samesite_strict,
+ am_samesite_none,
} am_samesite_t;
typedef enum {
diff --git a/auth_mellon_config.c b/auth_mellon_config.c
index 7932e2d..f1a9d12 100644
--- a/auth_mellon_config.c
+++ b/auth_mellon_config.c
@@ -583,6 +583,8 @@ static const char *am_set_samesite_slot(cmd_parms *cmd,
d->cookie_samesite = am_samesite_lax;
} else if(!strcasecmp(arg, "strict")) {
d->cookie_samesite = am_samesite_strict;
+ } else if(!strcasecmp(arg, "none")) {
+ d->cookie_samesite = am_samesite_none;
} else {
return "The MellonCookieSameSite parameter must be 'lax' or 'strict'";
}
diff --git a/auth_mellon_cookie.c b/auth_mellon_cookie.c
index 8394c18..b2c8535 100644
--- a/auth_mellon_cookie.c
+++ b/auth_mellon_cookie.c
@@ -1,7 +1,7 @@
/*
*
* auth_mellon_cookie.c: an authentication apache module
- * Copyright © 2003-2007 UNINETT (http://www.uninett.no/)
+ * Copyright © 2003-2007 UNINETT (http://www.uninett.no/)
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
@@ -73,6 +73,8 @@ static const char *am_cookie_params(request_rec *r)
cookie_samesite = "; SameSite=Lax";
} else if (cfg->cookie_samesite == am_samesite_strict) {
cookie_samesite = "; SameSite=Strict";
+ } else if (cfg->cookie_samesite == am_samesite_none) {
+ cookie_samesite = "; SameSite=None";
}
secure_cookie = cfg->secure;
diff --git a/auth_mellon_diagnostics.c b/auth_mellon_diagnostics.c
index 792e894..912814b 100644
--- a/auth_mellon_diagnostics.c
+++ b/auth_mellon_diagnostics.c
@@ -214,6 +214,7 @@ am_diag_samesite_str(request_rec *r, am_samesite_t samesite)
case am_samesite_default: return "default";
case am_samesite_lax: return "lax";
case am_samesite_strict: return "strict";
+ case am_samesite_none: return "none";
default:
return apr_psprintf(r->pool, "unknown (%d)", samesite);
}
--
2.21.0

View File

@ -0,0 +1,69 @@
From b9d87e0deb528817689f1648999a95645b1b19ad Mon Sep 17 00:00:00 2001
From: Keita SUZUKI <keita@osstech.co.jp>
Date: Mon, 20 Jan 2020 11:03:14 +0900
Subject: [PATCH] avoid always set SameSite cookie
---
auth_mellon.h | 5 +++++
auth_mellon_cookie.c | 22 ++++++++++++++++------
2 files changed, 21 insertions(+), 6 deletions(-)
diff --git a/auth_mellon.h b/auth_mellon.h
index 5f5a20b..8bb8023 100644
--- a/auth_mellon.h
+++ b/auth_mellon.h
@@ -96,6 +96,11 @@ typedef enum {
} am_diag_flags_t;
#endif
+
+/* Disable SameSite Environment Value */
+#define AM_DISABLE_SAMESITE_ENV_VAR "MELLON_DISABLE_SAMESITE"
+
+
/* This is the length of the id we use (for session IDs and
* replaying POST data).
*/
diff --git a/auth_mellon_cookie.c b/auth_mellon_cookie.c
index b2c8535..55f77a5 100644
--- a/auth_mellon_cookie.c
+++ b/auth_mellon_cookie.c
@@ -59,6 +59,7 @@ static const char *am_cookie_params(request_rec *r)
const char *cookie_domain = ap_get_server_name(r);
const char *cookie_path = "/";
const char *cookie_samesite = "";
+ const char *env_var_value = NULL;
am_dir_cfg_rec *cfg = am_get_dir_cfg(r);
if (cfg->cookie_domain) {
@@ -69,12 +70,21 @@ static const char *am_cookie_params(request_rec *r)
cookie_path = cfg->cookie_path;
}
- if (cfg->cookie_samesite == am_samesite_lax) {
- cookie_samesite = "; SameSite=Lax";
- } else if (cfg->cookie_samesite == am_samesite_strict) {
- cookie_samesite = "; SameSite=Strict";
- } else if (cfg->cookie_samesite == am_samesite_none) {
- cookie_samesite = "; SameSite=None";
+ if (r->subprocess_env != NULL){
+ env_var_value = apr_table_get(r->subprocess_env,
+ AM_DISABLE_SAMESITE_ENV_VAR);
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
+ "%s : %s", AM_DISABLE_SAMESITE_ENV_VAR, env_var_value);
+ }
+
+ if (env_var_value == NULL){
+ if (cfg->cookie_samesite == am_samesite_lax) {
+ cookie_samesite = "; SameSite=Lax";
+ } else if (cfg->cookie_samesite == am_samesite_strict) {
+ cookie_samesite = "; SameSite=Strict";
+ } else if (cfg->cookie_samesite == am_samesite_none) {
+ cookie_samesite = "; SameSite=None";
+ }
}
secure_cookie = cfg->secure;
--
2.21.0

View File

@ -0,0 +1,78 @@
From 7ef4ae72a8578475064eb66e3ed5703ccf6ee078 Mon Sep 17 00:00:00 2001
From: Ruediger Pluem <r.pluem@gmx.de>
Date: Thu, 30 Apr 2020 07:56:01 +0200
Subject: [PATCH] Set SameSite to None on test cookie
If the SameSite cookie attribute is to be set because
MellonCookieSameSite is configured and MELLON_DISABLE_SAMESITE not set
for this particular request set it to None for the test cookie.
This ensures that the test cookie with the static test content does not
get lost in the HTTP-POST binding request issued by the autosubmit form
returned by the IDP.
Addresses #20
* auth_mellon.h: Add AM_FORCE_SAMESITE_NONE_NOTE
* auth_mellon_handler.c (am_send_login_authn_request): Set request note
to set SameSite to None if appropriate.
* auth_mellon_cookie.c (am_cookie_params): Set SameSite to None if
requested via request note.
---
auth_mellon.h | 3 +++
auth_mellon_cookie.c | 6 +++++-
auth_mellon_handler.c | 5 +++++
3 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/auth_mellon.h b/auth_mellon.h
index fd39b28..401ed9c 100644
--- a/auth_mellon.h
+++ b/auth_mellon.h
@@ -100,6 +100,9 @@ typedef enum {
/* Disable SameSite Environment Value */
#define AM_DISABLE_SAMESITE_ENV_VAR "MELLON_DISABLE_SAMESITE"
+/* Force setting SameSite to None */
+#define AM_FORCE_SAMESITE_NONE_NOTE "MELLON_FORCE_SAMESITE_NONE"
+
/* This is the length of the id we use (for session IDs and
* replaying POST data).
diff --git a/auth_mellon_cookie.c b/auth_mellon_cookie.c
index 55f77a5..6bff81e 100644
--- a/auth_mellon_cookie.c
+++ b/auth_mellon_cookie.c
@@ -78,7 +78,11 @@ static const char *am_cookie_params(request_rec *r)
}
if (env_var_value == NULL){
- if (cfg->cookie_samesite == am_samesite_lax) {
+ if ((cfg->cookie_samesite != am_samesite_default) &&
+ (apr_table_get(r->notes, AM_FORCE_SAMESITE_NONE_NOTE) != NULL)) {
+ cookie_samesite = "; SameSite=None";
+ }
+ else if (cfg->cookie_samesite == am_samesite_lax) {
cookie_samesite = "; SameSite=Lax";
} else if (cfg->cookie_samesite == am_samesite_strict) {
cookie_samesite = "; SameSite=Strict";
diff --git a/auth_mellon_handler.c b/auth_mellon_handler.c
index 395ee1d..40c9bcd 100644
--- a/auth_mellon_handler.c
+++ b/auth_mellon_handler.c
@@ -3261,8 +3261,13 @@ static int am_send_login_authn_request(request_rec *r, const char *idp,
/* Add cookie for cookie test. We know that we should have
* a valid cookie when we return from the IdP after SP-initiated
* login.
+ * Ensure that SameSite is set to None for this cookie if SameSite
+ * is allowed to be set as the cookie otherwise gets lost on
+ * HTTP-POST binding messages.
*/
+ apr_table_setn(r->notes, AM_FORCE_SAMESITE_NONE_NOTE, "1");
am_cookie_set(r, "cookietest");
+ apr_table_unset(r->notes, AM_FORCE_SAMESITE_NONE_NOTE);
server = am_get_lasso_server(r);
if(server == NULL) {
--
2.26.2

View File

@ -1,7 +1,7 @@
Summary: A SAML 2.0 authentication module for the Apache Httpd Server
Name: mod_auth_mellon
Version: 0.14.0
Release: 11%{?dist}
Release: 12%{?dist}
Group: System Environment/Daemons
Source0: https://github.com/UNINETT/mod_auth_mellon/releases/download/v%{version}/%{name}-%{version}.tar.gz
Source1: auth_mellon.conf
@ -27,6 +27,9 @@ Patch0002: 0002-Fix-redirect-URL-validation-bypass.patch
Patch0003: 0003-backport-Make-the-environment-variable-prefix-configurable.patch
Patch0004: 0004-Fix-incorrect-header-used-for-detecting-AJAX-request.patch
Patch0005: 0005-CVE_2019_13038.patch
Patch0006: 0006-Add-none-option-for-samesite.patch
Patch0007: 0007-avoid-always-set-SameSite-cookie.patch
Patch0008: 0008-Set-SameSite-to-None-on-test-cookie.patch
# FIXME: RHEL-7 does not have rubygem-asciidoctor, only asciidoc. However,
# I could not get asciidoc to render properly so instead I generated
@ -46,6 +49,9 @@ received in assertions generated by a IdP server.
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1
%build
export APXS=%{_httpd_apxs}
@ -116,6 +122,10 @@ in the doc directory for instructions on using the diagnostics build.
%attr(0755,apache,apache) %dir /run/%{name}/
%changelog
* Mon Jan 25 2021 Jakub Hrozek <jhrozek@redhat.com> - 0.14.0-12
- Resolves: rhbz#1791262 - Backport SameSite=None cookie from upstream to
support latest browsers
* Fri Oct 18 2019 Jakub Hrozek <jhrozek@redhat.com> - 0.14.0-11
- Resolves: rhbz#1731053 - CVE-2019-13038 mod_auth_mellon: an Open Redirect
via the login?ReturnTo= substring which could