import mod_auth_mellon-0.14.0-12.el8
This commit is contained in:
parent
97123bd6fd
commit
72335c35b7
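--- a/SOURCES/0006-Add-none-option-for-samesite.patch
+++ b/SOURCES/0006-Add-none-option-for-samesite.patch
@@ -0,0 +1,95 @@
+From fb5ad7bf997946df4472cb94d7875ee70281d59c Mon Sep 17 00:00:00 2001
+From: Anthony Critelli <acritelli@datto.com>
+Date: Tue, 7 Jan 2020 11:14:24 -0500
+Subject: [PATCH] Add none option for samesite
+
+---
+README.md | 7 +++++--
+auth_mellon.h | 3 ++-
+auth_mellon_config.c | 2 ++
+auth_mellon_cookie.c | 4 +++-
+auth_mellon_diagnostics.c | 1 +
+5 files changed, 13 insertions(+), 4 deletions(-)
+
+diff --git a/README.md b/README.md
+index be374bc..82a88fc 100644
+--- a/README.md
++++ b/README.md
+@@ -218,8 +218,11 @@ MellonDiagnosticsEnable Off
+
+# MellonCookieSameSite allows control over the SameSite value used
+# for the authentication cookie.
+- # The setting accepts values of "Strict" or "Lax"
+- # If not set, the SameSite attribute is not set on the cookie.
++ # The setting accepts values of "Strict", "Lax", or "None".
++ # When using none, you should set "MellonSecureCookie On" to prevent
++ # compatibility issues with newer browsers.
++ # If not set, the SameSite attribute is not set on the cookie. In newer
++ # browsers, this may cause SameSite to default to "Lax"
+# Default: not set
+# MellonCookieSameSite lax
+
+diff --git a/auth_mellon.h b/auth_mellon.h
+index 9ef2d8a..5f5a20b 100644
+--- a/auth_mellon.h
++++ b/auth_mellon.h
+@@ -164,7 +164,8 @@ typedef enum {
+typedef enum {
+am_samesite_default,
+am_samesite_lax,
+- am_samesite_strict
++ am_samesite_strict,
++ am_samesite_none,
+} am_samesite_t;
+
+typedef enum {
+diff --git a/auth_mellon_config.c b/auth_mellon_config.c
+index 7932e2d..f1a9d12 100644
+--- a/auth_mellon_config.c
++++ b/auth_mellon_config.c
+@@ -583,6 +583,8 @@ static const char *am_set_samesite_slot(cmd_parms *cmd,
+d->cookie_samesite = am_samesite_lax;
+} else if(!strcasecmp(arg, "strict")) {
+d->cookie_samesite = am_samesite_strict;
++ } else if(!strcasecmp(arg, "none")) {
++ d->cookie_samesite = am_samesite_none;
+} else {
+return "The MellonCookieSameSite parameter must be 'lax' or 'strict'";
+}
+diff --git a/auth_mellon_cookie.c b/auth_mellon_cookie.c
+index 8394c18..b2c8535 100644
+--- a/auth_mellon_cookie.c
++++ b/auth_mellon_cookie.c
+@@ -1,7 +1,7 @@
+/*
+*
+* auth_mellon_cookie.c: an authentication apache module
+- * Copyright © 2003-2007 UNINETT (http://www.uninett.no/)
++ * Copyright © 2003-2007 UNINETT (http://www.uninett.no/)
+*
+* This program is free software; you can redistribute it and/or modify
+* it under the terms of the GNU General Public License as published by
+@@ -73,6 +73,8 @@ static const char *am_cookie_params(request_rec *r)
+cookie_samesite = "; SameSite=Lax";
+} else if (cfg->cookie_samesite == am_samesite_strict) {
+cookie_samesite = "; SameSite=Strict";
++ } else if (cfg->cookie_samesite == am_samesite_none) {
++ cookie_samesite = "; SameSite=None";
+}
+
+secure_cookie = cfg->secure;
+diff --git a/auth_mellon_diagnostics.c b/auth_mellon_diagnostics.c
+index 792e894..912814b 100644
+--- a/auth_mellon_diagnostics.c
++++ b/auth_mellon_diagnostics.c
+@@ -214,6 +214,7 @@ am_diag_samesite_str(request_rec *r, am_samesite_t samesite)
+case am_samesite_default: return "default";
+case am_samesite_lax: return "lax";
+case am_samesite_strict: return "strict";
++ case am_samesite_none: return "none";
+default:
+return apr_psprintf(r->pool, "unknown (%d)", samesite);
+}
+--
+2.21.0
+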
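Review bot: The rejection message in am_set_samesite_slot (auth_mellon_config.c hunk of this patch) still says the parameter must be 'lax' or 'strict', so an administrator who mistypes the new value is told that 'none' does not exist; change it to `return "The MellonCookieSameSite parameter must be 'lax', 'strict' or 'none'";`. The README text tells users to pair None with MellonSecureCookie On, but nothing in am_cookie_params checks cfg->secure when it emits `; SameSite=None`, and browsers that apply the None-requires-Secure rule silently discard such a cookie; a comment on that branch, e.g. `/* SameSite=None is only accepted by current browsers when the cookie is also Secure; see MellonSecureCookie */`, would make the coupling visible where the attribute is built. am_set_samesite_slot and am_cookie_params both start and end outside their hunks.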
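--- a/SOURCES/0007-avoid-always-set-SameSite-cookie.patch
+++ b/SOURCES/0007-avoid-always-set-SameSite-cookie.patch
@@ -0,0 +1,69 @@
+From b9d87e0deb528817689f1648999a95645b1b19ad Mon Sep 17 00:00:00 2001
+From: Keita SUZUKI <keita@osstech.co.jp>
+Date: Mon, 20 Jan 2020 11:03:14 +0900
+Subject: [PATCH] avoid always set SameSite cookie
+
+---
+auth_mellon.h | 5 +++++
+auth_mellon_cookie.c | 22 ++++++++++++++++------
+2 files changed, 21 insertions(+), 6 deletions(-)
+
+diff --git a/auth_mellon.h b/auth_mellon.h
+index 5f5a20b..8bb8023 100644
+--- a/auth_mellon.h
++++ b/auth_mellon.h
+@@ -96,6 +96,11 @@ typedef enum {
+} am_diag_flags_t;
+#endif
+
++
++/* Disable SameSite Environment Value */
++#define AM_DISABLE_SAMESITE_ENV_VAR "MELLON_DISABLE_SAMESITE"
++
++
+/* This is the length of the id we use (for session IDs and
+* replaying POST data).
+*/
+diff --git a/auth_mellon_cookie.c b/auth_mellon_cookie.c
+index b2c8535..55f77a5 100644
+--- a/auth_mellon_cookie.c
++++ b/auth_mellon_cookie.c
+@@ -59,6 +59,7 @@ static const char *am_cookie_params(request_rec *r)
+const char *cookie_domain = ap_get_server_name(r);
+const char *cookie_path = "/";
+const char *cookie_samesite = "";
++ const char *env_var_value = NULL;
+am_dir_cfg_rec *cfg = am_get_dir_cfg(r);
+
+if (cfg->cookie_domain) {
+@@ -69,12 +70,21 @@ static const char *am_cookie_params(request_rec *r)
+cookie_path = cfg->cookie_path;
+}
+
+- if (cfg->cookie_samesite == am_samesite_lax) {
+- cookie_samesite = "; SameSite=Lax";
+- } else if (cfg->cookie_samesite == am_samesite_strict) {
+- cookie_samesite = "; SameSite=Strict";
+- } else if (cfg->cookie_samesite == am_samesite_none) {
+- cookie_samesite = "; SameSite=None";
++ if (r->subprocess_env != NULL){
++ env_var_value = apr_table_get(r->subprocess_env,
++ AM_DISABLE_SAMESITE_ENV_VAR);
++ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
++ "%s : %s", AM_DISABLE_SAMESITE_ENV_VAR, env_var_value);
++ }
++
++ if (env_var_value == NULL){
++ if (cfg->cookie_samesite == am_samesite_lax) {
++ cookie_samesite = "; SameSite=Lax";
++ } else if (cfg->cookie_samesite == am_samesite_strict) {
++ cookie_samesite = "; SameSite=Strict";
++ } else if (cfg->cookie_samesite == am_samesite_none) {
++ cookie_samesite = "; SameSite=None";
++ }
+}
+
+secure_cookie = cfg->secure;
+--
+2.21.0
+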
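Review bot: The new check in am_cookie_params treats the mere presence of MELLON_DISABLE_SAMESITE in r->subprocess_env as the disable switch, so a SetEnvIf that sets it to `0` suppresses the SameSite attribute exactly like `1`, and neither the one-line comment on the define nor the README (which this patch's diffstat does not touch) says so. Because the attribute is a CSRF mitigation on the session cookie, the presence-only semantics should be stated where the knob is declared: `/* Presence of this variable in r->subprocess_env (any value, typically set per client via SetEnvIf) suppresses the SameSite attribute on Mellon cookies for that request. */`. The debug line `"%s : %s"` is also emitted on every cookie set even when env_var_value is NULL; as far as I know APR's formatter renders that as (null), but logging only inside `if (env_var_value != NULL)` would keep the message meaningful. am_cookie_params starts and ends outside the hunk.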
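--- a/SOURCES/0008-Set-SameSite-to-None-on-test-cookie.patch
+++ b/SOURCES/0008-Set-SameSite-to-None-on-test-cookie.patch
@@ -0,0 +1,78 @@
+From 7ef4ae72a8578475064eb66e3ed5703ccf6ee078 Mon Sep 17 00:00:00 2001
+From: Ruediger Pluem <r.pluem@gmx.de>
+Date: Thu, 30 Apr 2020 07:56:01 +0200
+Subject: [PATCH] Set SameSite to None on test cookie
+
+If the SameSite cookie attribute is to be set because
+MellonCookieSameSite is configured and MELLON_DISABLE_SAMESITE not set
+for this particular request set it to None for the test cookie.
+This ensures that the test cookie with the static test content does not
+get lost in the HTTP-POST binding request issued by the autosubmit form
+returned by the IDP.
+Addresses #20
+
+* auth_mellon.h: Add AM_FORCE_SAMESITE_NONE_NOTE
+
+* auth_mellon_handler.c (am_send_login_authn_request): Set request note
+to set SameSite to None if appropriate.
+
+* auth_mellon_cookie.c (am_cookie_params): Set SameSite to None if
+requested via request note.
+---
+auth_mellon.h | 3 +++
+auth_mellon_cookie.c | 6 +++++-
+auth_mellon_handler.c | 5 +++++
+3 files changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/auth_mellon.h b/auth_mellon.h
+index fd39b28..401ed9c 100644
+--- a/auth_mellon.h
++++ b/auth_mellon.h
+@@ -100,6 +100,9 @@ typedef enum {
+/* Disable SameSite Environment Value */
+#define AM_DISABLE_SAMESITE_ENV_VAR "MELLON_DISABLE_SAMESITE"
+
++/* Force setting SameSite to None */
++#define AM_FORCE_SAMESITE_NONE_NOTE "MELLON_FORCE_SAMESITE_NONE"
++
+
+/* This is the length of the id we use (for session IDs and
+* replaying POST data).
+diff --git a/auth_mellon_cookie.c b/auth_mellon_cookie.c
+index 55f77a5..6bff81e 100644
+--- a/auth_mellon_cookie.c
++++ b/auth_mellon_cookie.c
+@@ -78,7 +78,11 @@ static const char *am_cookie_params(request_rec *r)
+}
+
+if (env_var_value == NULL){
+- if (cfg->cookie_samesite == am_samesite_lax) {
++ if ((cfg->cookie_samesite != am_samesite_default) &&
++ (apr_table_get(r->notes, AM_FORCE_SAMESITE_NONE_NOTE) != NULL)) {
++ cookie_samesite = "; SameSite=None";
++ }
++ else if (cfg->cookie_samesite == am_samesite_lax) {
+cookie_samesite = "; SameSite=Lax";
+} else if (cfg->cookie_samesite == am_samesite_strict) {
+cookie_samesite = "; SameSite=Strict";
+diff --git a/auth_mellon_handler.c b/auth_mellon_handler.c
+index 395ee1d..40c9bcd 100644
+--- a/auth_mellon_handler.c
++++ b/auth_mellon_handler.c
+@@ -3261,8 +3261,13 @@ static int am_send_login_authn_request(request_rec *r, const char *idp,
+/* Add cookie for cookie test. We know that we should have
+* a valid cookie when we return from the IdP after SP-initiated
+* login.
++ * Ensure that SameSite is set to None for this cookie if SameSite
++ * is allowed to be set as the cookie otherwise gets lost on
++ * HTTP-POST binding messages.
+*/
++ apr_table_setn(r->notes, AM_FORCE_SAMESITE_NONE_NOTE, "1");
+am_cookie_set(r, "cookietest");
++ apr_table_unset(r->notes, AM_FORCE_SAMESITE_NONE_NOTE);
+
+server = am_get_lasso_server(r);
+if(server == NULL) {
+--
+2.26.2
+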
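Review bot: The forced `SameSite=None` branch added to am_cookie_params does not consult cfg->secure, so with MellonSecureCookie Off the test cookie is emitted as SameSite=None without Secure, which browsers enforcing the None-requires-Secure rule discard — the test cookie is then lost again, only for a different reason than the one this patch fixes. Gating the override on the secure flag, `if ((cfg->cookie_samesite != am_samesite_default) && cfg->secure && (apr_table_get(r->notes, AM_FORCE_SAMESITE_NONE_NOTE) != NULL)) {`, and logging a warning in the non-secure case would at least make the failure diagnosable instead of silent. In am_send_login_authn_request the note is set and cleared around the single am_cookie_set call, which is correct; a short comment that the note is intentionally scoped to that one call would stop a later reader from widening it. Both functions start and end outside their hunks.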
@ -1,7 +1,7 @@
|
||||
Summary: A SAML 2.0 authentication module for the Apache Httpd Server
|
||||
Name: mod_auth_mellon
|
||||
Version: 0.14.0
|
||||
Release: 11%{?dist}
|
||||
Release: 12%{?dist}
|
||||
Group: System Environment/Daemons
|
||||
Source0: https://github.com/UNINETT/mod_auth_mellon/releases/download/v%{version}/%{name}-%{version}.tar.gz
|
||||
Source1: auth_mellon.conf
|
||||
@ -27,6 +27,9 @@ Patch0002: 0002-Fix-redirect-URL-validation-bypass.patch
|
||||
Patch0003: 0003-backport-Make-the-environment-variable-prefix-configurable.patch
|
||||
Patch0004: 0004-Fix-incorrect-header-used-for-detecting-AJAX-request.patch
|
||||
Patch0005: 0005-CVE_2019_13038.patch
|
||||
Patch0006: 0006-Add-none-option-for-samesite.patch
|
||||
Patch0007: 0007-avoid-always-set-SameSite-cookie.patch
|
||||
Patch0008: 0008-Set-SameSite-to-None-on-test-cookie.patch
|
||||
|
||||
# FIXME: RHEL-7 does not have rubygem-asciidoctor, only asciidoc. However,
|
||||
# I could not get asciidoc to render properly so instead I generated
|
||||
@ -46,6 +49,9 @@ received in assertions generated by a IdP server.
|
||||
%patch3 -p1
|
||||
%patch4 -p1
|
||||
%patch5 -p1
|
||||
%patch6 -p1
|
||||
%patch7 -p1
|
||||
%patch8 -p1
|
||||
|
||||
%build
|
||||
export APXS=%{_httpd_apxs}
|
||||
@ -116,6 +122,10 @@ in the doc directory for instructions on using the diagnostics build.
|
||||
%attr(0755,apache,apache) %dir /run/%{name}/
|
||||
|
||||
%changelog
|
||||
* Mon Jan 25 2021 Jakub Hrozek <jhrozek@redhat.com> - 0.14.0-12
|
||||
- Resolves: rhbz#1791262 - Backport SameSite=None cookie from upstream to
|
||||
support latest browsers
|
||||
|
||||
* Fri Oct 18 2019 Jakub Hrozek <jhrozek@redhat.com> - 0.14.0-11
|
||||
- Resolves: rhbz#1731053 - CVE-2019-13038 mod_auth_mellon: an Open Redirect
|
||||
via the login?ReturnTo= substring which could
|
||||
|