diff --git a/SOURCES/0002-Fix-redirect-URL-validation-bypass.patch b/SOURCES/0002-Fix-redirect-URL-validation-bypass.patch
new file mode 100644
index 0000000..b3f18c5
--- /dev/null
+++ b/SOURCES/0002-Fix-redirect-URL-validation-bypass.patch
@@ -0,0 +1,44 @@
+From 62041428a32de402e0be6ba45fe12df6a83bedb8 Mon Sep 17 00:00:00 2001
+From: Olav Morken
+Date: Tue, 19 Mar 2019 13:42:22 +0100
+Subject: [PATCH] Fix redirect URL validation bypass
+
+It turns out that browsers silently convert backslash characters into
+forward slashes, while apr_uri_parse() does not.
+
+This mismatch allows an attacker to bypass the redirect URL validation
+by using an URL like:
+
+ https://sp.example.org/mellon/logout?ReturnTo=https:%5c%5cmalicious.example.org/
+
+mod_auth_mellon will assume that it is a relative URL and allow the
+request to pass through, while the browsers will use it as an absolute
+url and redirect to https://malicious.example.org/ .
+
+This patch fixes this issue by rejecting all redirect URLs with
+backslashes.
+---
+ auth_mellon_util.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/auth_mellon_util.c b/auth_mellon_util.c
+index 0fab309..fd442f9 100644
+--- a/auth_mellon_util.c
++++ b/auth_mellon_util.c
+@@ -927,6 +927,13 @@ int am_check_url(request_rec *r, const char *url)
+ "Control character detected in URL.");
+ return HTTP_BAD_REQUEST;
+ }
++ if (*i == '\\') {
++ /* Reject backslash character, as it can be used to bypass
++ * redirect URL validation. */
++ AM_LOG_RERROR(APLOG_MARK, APLOG_ERR, HTTP_BAD_REQUEST, r,
++ "Backslash character detected in URL.");
++ return HTTP_BAD_REQUEST;
++ }
+ }
+
+ return OK;
+--
+2.19.2
+
diff --git a/SOURCES/0003-backport-Make-the-environment-variable-prefix-configurable.patch b/SOURCES/0003-backport-Make-the-environment-variable-prefix-configurable.patch
new file mode 100644
index 0000000..48f6203
--- /dev/null
+++ b/SOURCES/0003-backport-Make-the-environment-variable-prefix-configurable.patch
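Review bot: The new `if (*i == '\\')` test in am_check_url only matches a literal backslash byte, while the example in the commit message carries it percent-encoded as `%5c`; that case is covered only if the caller has already percent-decoded the ReturnTo value before am_check_url runs, which the hunk does not show. I would state that precondition next to the check, e.g. `/* Assumes url is already percent-decoded; an encoded %5c would not be caught here. */`, so a later change at the call site cannot quietly reopen CVE-2019-3877. Rejecting the character anywhere in the URL, not just in the scheme or authority part, is deliberately broad and worth a word in the same comment. am_check_url begins and ends outside the hunk, and `i` is presumably the cursor of the loop over url.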
@@ -0,0 +1,172 @@
+diff -up mod_auth_mellon-0.14.0/auth_mellon_cache.c.env_prefix mod_auth_mellon-0.14.0/auth_mellon_cache.c
+--- mod_auth_mellon-0.14.0/auth_mellon_cache.c.env_prefix 2017-10-02 11:44:08.000000000 +0200
++++ mod_auth_mellon-0.14.0/auth_mellon_cache.c 2019-06-10 09:46:36.806014513 +0200
+@@ -589,7 +589,7 @@ void am_cache_env_populate(request_rec *
+ */
+ for(i = 0; i < t->size; ++i) {
+ varname = am_cache_entry_get_string(t, &t->env[i].varname);
+- varname_prefix = "MELLON_";
++ varname_prefix = d->env_prefix;
+
+ /* Check if we should map this name into another name. */
+ env_varname_conf = (am_envattr_conf_t *)apr_hash_get(
+diff -up mod_auth_mellon-0.14.0/auth_mellon_config.c.env_prefix mod_auth_mellon-0.14.0/auth_mellon_config.c
+--- mod_auth_mellon-0.14.0/auth_mellon_config.c.env_prefix 2018-03-16 08:14:54.000000000 +0100
++++ mod_auth_mellon-0.14.0/auth_mellon_config.c 2019-06-10 09:46:36.807014516 +0200
+@@ -36,6 +36,11 @@ static const char *default_endpoint_path
+ */
+ static const char *default_user_attribute = "NAME_ID";
+
++/* This is the default prefix to use for attributes received from the
++ * server. Customizable using the MellonEnvPrefix option
++ */
++static const char *default_env_prefix = "MELLON_";
++
+ /* This is the default name of the cookie which mod_auth_mellon will set.
+ * If you change this, then you should also update the description of the
+ * MellonVar configuration directive.
+@@ -1372,8 +1377,10 @@ const command_rec auth_mellon_commands[]
+ am_set_setenv_slot,
+ NULL,
+ OR_AUTHCFG,
+- "Renames attributes received from the server while retaining prefix MELLON_. The format is"
+- " MellonSetEnv ."
++ "Renames attributes received from the server while retaining the"
++ " prefix. The prefix defaults to MELLON_ but can be changed with"
++ " MellonEnvPrefix."
++ " The format is MellonSetEnv ."
+ ),
+ AP_INIT_TAKE2(
+ "MellonSetEnvNoPrefix",
+@@ -1383,6 +1390,13 @@ const command_rec auth_mellon_commands[]
+ "Renames attributes received from the server without adding prefix. The format is"
+ " MellonSetEnvNoPrefix ."
+ ),
++ AP_INIT_TAKE1(
++ "MellonEnvPrefix",
++ ap_set_string_slot,
++ (void *)APR_OFFSETOF(am_dir_cfg_rec, env_prefix),
++ OR_AUTHCFG,
++ "The prefix to use for attributes received from the server."
++ ),
+ AP_INIT_FLAG(
+ "MellonSessionDump",
+ ap_set_flag_slot,
+@@ -1714,6 +1728,7 @@ void *auth_mellon_dir_config(apr_pool_t
+ dir->cookie_path = NULL;
+ dir->cookie_samesite = am_samesite_default;
+ dir->envattr = apr_hash_make(p);
++ dir->env_prefix = default_env_prefix;
+ dir->userattr = default_user_attribute;
+ dir->idpattr = NULL;
+ dir->signature_method = inherit_signature_method;
+@@ -1868,6 +1883,10 @@ void *auth_mellon_dir_merge(apr_pool_t *
+ add_cfg->envattr :
+ base_cfg->envattr);
+
++ new_cfg->env_prefix = (add_cfg->env_prefix != default_env_prefix ?
++ add_cfg->env_prefix :
++ base_cfg->env_prefix);
++
+ new_cfg->userattr = (add_cfg->userattr != default_user_attribute ?
+ add_cfg->userattr :
+ base_cfg->userattr);
+diff -up mod_auth_mellon-0.14.0/auth_mellon_diagnostics.c.env_prefix mod_auth_mellon-0.14.0/auth_mellon_diagnostics.c
+--- mod_auth_mellon-0.14.0/auth_mellon_diagnostics.c.env_prefix 2018-03-16 08:14:54.000000000 +0100
++++ mod_auth_mellon-0.14.0/auth_mellon_diagnostics.c 2019-06-10 09:46:36.808014518 +0200
+@@ -442,6 +442,9 @@ am_diag_log_dir_cfg(request_rec *r, int
+ "%sMellonCookieSameSite (cookie_samesite): %s\n",
+ indent(level+1),
+ am_diag_samesite_str(r, cfg->cookie_samesite));
++ apr_file_printf(diag_cfg->fd,
++ "%sMellonEnvPrefix (env_prefix): %s\n",
++ indent(level+1), cfg->env_prefix);
+
+ apr_file_printf(diag_cfg->fd,
+ "%sMellonCond (cond): %d items\n",
+@@ -466,7 +469,7 @@ am_diag_log_dir_cfg(request_rec *r, int
+ apr_hash_this(hash_item, (void *)&key, NULL, (void *)&envattr_conf);
+
+ if (envattr_conf->prefixed) {
+- name = apr_pstrcat(r->pool, "MELLON_",
++ name = apr_pstrcat(r->pool, cfg->env_prefix,
+ envattr_conf->name, NULL);
+ } else {
+ name = envattr_conf->name;
+diff -up mod_auth_mellon-0.14.0/auth_mellon.h.env_prefix mod_auth_mellon-0.14.0/auth_mellon.h
+--- mod_auth_mellon-0.14.0/auth_mellon.h.env_prefix 2018-03-16 08:14:54.000000000 +0100
++++ mod_auth_mellon-0.14.0/auth_mellon.h 2019-06-10 09:46:36.805014510 +0200
+@@ -237,6 +237,7 @@ typedef struct am_dir_cfg_rec {
+ am_samesite_t cookie_samesite;
+ apr_array_header_t *cond;
+ apr_hash_t *envattr;
++ const char *env_prefix;
+ const char *userattr;
+ const char *idpattr;
+ LassoSignatureMethod signature_method;
+diff -up mod_auth_mellon-0.14.0/doc/user_guide/mellon_user_guide.adoc.env_prefix mod_auth_mellon-0.14.0/doc/user_guide/mellon_user_guide.adoc
+--- mod_auth_mellon-0.14.0/doc/user_guide/mellon_user_guide.adoc.env_prefix 2018-03-16 08:14:54.000000000 +0100
++++ mod_auth_mellon-0.14.0/doc/user_guide/mellon_user_guide.adoc 2019-06-10 09:48:08.422237471 +0200
+@@ -2007,11 +2007,13 @@ attributes.
+ assertion to a name of your choosing when it is placed in the Apache + environment. This is controlled by `MellonSetEnv` and + `MellonSetEnvNoPrefix` directives. The distinction +- is `MellonSetEnv` always prepends the `MELLON_` prefix to the ++ is `MellonSetEnv` always prepends a prefix to the + environment variable name to help to prevent name collisions. The ++ prefix defaults to `MELLON_` and can be configured using the ++ `MellonEnvPrefix` configuration option. The + `MellonSetEnvNoPrefix` directive also remaps the assertion name to a + name of your choosing but it omits prepending the environment +- variable name with `MELLON_`. See <> ++ variable name with the prefix. See <> + + Using the <> Mellon places these + environment variables in the Apache environment. See +@@ -2096,10 +2098,12 @@ and `MellonSetEnvNoPrefix` directives. T + assertion attribute to a name of your choosing. The `MellonSetEnv` + directive follows the same convention as all other assertion + attributes added by Mellon in that it always prefixes the environment +-variable name with `MELLON_` to help avoid name collisions in the ++variable name with a configurable prefix, which defaults to `MELLON_` to help avoid name collisions in the + Apache environment. However sometimes you do not want the `MELLON_` +-prefix added and instead you want to use exactly the environment +-variable name as specified., `MellonSetEnvNoPrefix` serves this role. ++prefix added. In case you simply want the variables prefixed with ++a different string, use the `MellonEnvPrefix` configuration option. If, ++instead you want to use exactly the environment variable name as specified., ++`MellonSetEnvNoPrefix` serves this role. + + To illustrate let's look at an example. 
Suppose your web app is + expecting an attribute which is the user's last name, specifically it +@@ -2117,6 +2121,15 @@ MellonSetEnvNoPrefix REMOTE_USER_LASTNAM + Also see <> for an example of setting the `REMOTE_USER` + environment variable using `MellonSetEnvNoPrefix`. + ++The `MellonEnvPrefix` variable might be useful e.g. if you ++are migrating from a different SP which used its own prefix ++for the variables passed by the IdP. For example, to prefix ++all variables with `NOLLEM_` you would use: ++ ++---- ++MellonEnvPrefix NOLLEM_ ++---- ++ + === Using Mellon to apply constraints [[assertion_constraints]] + + SAML attributes can be used for more than exporting those values to a +diff -up mod_auth_mellon-0.14.0/README.md.env_prefix mod_auth_mellon-0.14.0/README.md +--- mod_auth_mellon-0.14.0/README.md.env_prefix 2018-03-16 08:14:54.000000000 +0100 ++++ mod_auth_mellon-0.14.0/README.md 2019-06-10 09:46:36.805014510 +0200 +@@ -253,6 +253,11 @@ MellonDiagnosticsEnable Off + # Default. None set. + MellonSetEnvNoPrefix "DISPLAY_NAME" "displayName" + ++ # MellonEnvPrefix changes the string the variables passed from the ++ # IdP are prefixed with. ++ # Default: MELLON_ ++ MellonEnvPrefix "NOLLEM_" ++ + # MellonMergeEnvVars merges multiple values of environment variables + # set using MellonSetEnv into single variable: + # ie: MYENV_VAR => val1;val2;val3 instead of default behaviour of: diff --git a/SPECS/mod_auth_mellon.spec b/SPECS/mod_auth_mellon.spec index a8de5b0..d1ad732 100644 --- a/SPECS/mod_auth_mellon.spec +++ b/SPECS/mod_auth_mellon.spec @@ -1,7 +1,7 @@ Summary: A SAML 2.0 authentication module for the Apache Httpd Server Name: mod_auth_mellon Version: 0.14.0 -Release: 3%{?dist}.2 +Release: 9%{?dist} Group: System Environment/Daemons Source0: https://github.com/UNINETT/mod_auth_mellon/releases/download/v%{version}/%{name}-%{version}.tar.gz Source1: auth_mellon.conf 
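Review bot: `MellonEnvPrefix` is wired straight to `ap_set_string_slot` in the auth_mellon_config.c hunk, so nothing rejects an empty prefix or one containing characters that are not valid in an environment-variable name, even though the user-guide text in the same patch presents the prefix as the guard against name collisions with other Apache environment variables; `MellonEnvPrefix ""` would turn every prefixed attribute into a bare name. A small setter that validates the argument and then delegates to `ap_set_string_slot`, referenced from the `AP_INIT_TAKE1` entry instead of `ap_set_string_slot`, closes that gap without changing the stored type. The new `const char *env_prefix;` field in auth_mellon.h also has no comment; I'd add `/* Prefix prepended to exported attribute variables (MellonEnvPrefix); defaults to "MELLON_". */`. The merge in auth_mellon_dir_merge compares against default_env_prefix by pointer, which matches the existing userattr handling, and the `d` used in am_cache_env_populate is presumably the directory config already in scope there; every function touched by these inner hunks starts and ends outside them.
```c
/* MellonEnvPrefix: reject an empty prefix or one that is not a valid
 * environment-variable name fragment, then store it like ap_set_string_slot. */
static const char *am_set_env_prefix_slot(cmd_parms *cmd, void *struct_ptr,
                                          const char *arg)
{
    const char *p;

    if (*arg == '\0') {
        return "MellonEnvPrefix must not be empty.";
    }
    for (p = arg; *p != '\0'; p++) {
        if (!apr_isalnum(*p) && *p != '_') {
            return "MellonEnvPrefix may only contain letters, digits and '_'.";
        }
    }
    return ap_set_string_slot(cmd, struct_ptr, arg);
}
/* … unchanged: AP_INIT_TAKE1("MellonEnvPrefix", …) now naming am_set_env_prefix_slot … */
```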
@@ -23,6 +23,8 @@ Requires: lasso >= 2.5.1 Url: https://github.com/UNINETT/mod_auth_mellon Patch0001: 0001-Modify-am_handler-setup-to-run-before-mod_proxy.patch +Patch0002: 0002-Fix-redirect-URL-validation-bypass.patch +Patch0003: 0003-backport-Make-the-environment-variable-prefix-configurable.patch # FIXME: RHEL-7 does not have rubygem-asciidoctor, only asciidoc. However, # I could not get asciidoc to render properly so instead I generated @@ -38,6 +40,8 @@ received in assertions generated by a IdP server. %prep %setup -q -n %{name}-%{version} %patch1 -p1 +%patch2 -p1 +%patch3 -p1 %build export APXS=%{_httpd_apxs} 
@@ -105,12 +109,35 @@ in the doc directory for instructions on using the diagnostics build. %{_httpd_moddir}/mod_auth_mellon.so %{_tmpfilesdir}/mod_auth_mellon.conf %{_libexecdir}/%{name} -%dir /run/%{name}/ +%attr(0755,apache,apache) %dir /run/%{name}/ %changelog -* Tue Apr 16 2019 Jakub Hrozek - 0.14.0-3.2 -- Resolves: rhbz#1696197 - CVE-2019-3878 mod_auth_mellon: authentication - bypass in ECP flow [rhel-8.0.0.z] +* Thu Jun 13 2019 Jakub Hrozek - 0.14.0-9 +- Just bump the release number +- Related: rhbz#1718238 - mod_auth_mellon-diagnostics RPM not in product + listings + +* Fri Jun 7 2019 Jakub Hrozek - 0.14.0-8 +- Resolves: rhbz#1691894 - [RFE] Config option to change mod_auth_mellon prefix + +* Fri Jun 7 2019 Jakub Hrozek - 0.14.0-7 +- Apply the patch from the previous commit +- Resolves: rhbz#1692471 - CVE-2019-3877 appstream/mod_auth_mellon: open + redirect in logout url when using URLs with + backslashes [rhel-8] + +* Fri Jun 7 2019 Jakub Hrozek - 0.14.0-6 +- Resolves: rhbz#1692471 - CVE-2019-3877 appstream/mod_auth_mellon: open + redirect in logout url when using URLs with + backslashes [rhel-8] + +* Fri Jun 7 2019 Jakub Hrozek - 0.14.0-5 +- Resolves: rhbz#1692457 - CVE-2019-3878 mod_auth_mellon: authentication + bypass in ECP flow [rhel-8.1.0] + +* Wed Apr 24 2019 Jakub Hrozek - 0.14.0-4 +- Resolves: rhbz#1702695 - fresh install of mod_auth_mellon shows rpm + verification warnings * Mon Jul 30 2018 Florian Weimer - 0.14.0-3 - Rebuild with fixed binutils
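Review bot: `%attr(0755,apache,apache) %dir /run/%{name}/` hands the runtime directory to the unprivileged apache user, which is the right owner for a web-server scratch directory, but /run is recreated at boot, so the ownership rpm records here has to agree with what the tmpfiles.d entry shipped as `%{_tmpfilesdir}/mod_auth_mellon.conf` creates; that file is not in this diff, so I cannot confirm they match, and a mismatch brings the rpm -V warnings from rhbz#1702695 back after the first reboot. For the `%attr` owner to resolve at install time the apache account must already exist, so the spec needs a `Requires(pre):` on the package that creates it (presumably httpd) if it does not have one; only `Requires: lasso >= 2.5.1` is visible in this chunk. A one-line comment above the `%dir` line, `# owner/mode must match the tmpfiles.d entry for /run/%{name}`, would tie the two definitions together for the next packager.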