import mod_auth_mellon-0.14.0-11.el8
This commit is contained in:
parent
b4731cd814
commit
c545d305c4
@ -0,0 +1,49 @@
|
|||||||
|
From 6358a5169762ef7b89d8b6d0f1a99b006f0fdd2f Mon Sep 17 00:00:00 2001
|
||||||
|
From: Olav Morken <olav.morken@uninett.no>
|
||||||
|
Date: Wed, 25 Jul 2018 12:19:39 +0200
|
||||||
|
Subject: [PATCH] Fix incorrect header used for detecting AJAX requests
|
||||||
|
|
||||||
|
The code was looking for "X-Request-With", but the header is actually
|
||||||
|
"X-Requested-With". As far as I can tell, it has always been the
|
||||||
|
latter, at least in the jQuery source code.
|
||||||
|
|
||||||
|
Fixes issue #174.
|
||||||
|
---
|
||||||
|
README.md | 2 +-
|
||||||
|
auth_mellon_handler.c | 4 ++--
|
||||||
|
2 files changed, 3 insertions(+), 3 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/README.md b/README.md
|
||||||
|
index 0a91dc5..8d85b43 100644
|
||||||
|
--- a/README.md
|
||||||
|
+++ b/README.md
|
||||||
|
@@ -180,7 +180,7 @@ MellonDiagnosticsEnable Off
|
||||||
|
# then we will redirect him to the login page of the IdP.
|
||||||
|
#
|
||||||
|
# There is a special handling of AJAX requests, that are
|
||||||
|
- # identified by the "X-Request-With: XMLHttpRequest" HTTP
|
||||||
|
+ # identified by the "X-Requested-With: XMLHttpRequest" HTTP
|
||||||
|
# header. Since no user interaction can happen there,
|
||||||
|
# we always fail unauthenticated (not logged in) requests
|
||||||
|
# with a 403 Forbidden error without redirecting to the IdP.
|
||||||
|
diff --git a/auth_mellon_handler.c b/auth_mellon_handler.c
|
||||||
|
index b16dc45..e33e6e9 100644
|
||||||
|
--- a/auth_mellon_handler.c
|
||||||
|
+++ b/auth_mellon_handler.c
|
||||||
|
@@ -3658,11 +3658,11 @@ int am_auth_mellon_user(request_rec *r)
|
||||||
|
* If this is an AJAX request, we cannot proceed to the IdP,
|
||||||
|
* Just fail early to save our resources
|
||||||
|
*/
|
||||||
|
- ajax_header = apr_table_get(r->headers_in, "X-Request-With");
|
||||||
|
+ ajax_header = apr_table_get(r->headers_in, "X-Requested-With");
|
||||||
|
if (ajax_header != NULL &&
|
||||||
|
strcmp(ajax_header, "XMLHttpRequest") == 0) {
|
||||||
|
AM_LOG_RERROR(APLOG_MARK, APLOG_INFO, 0, r,
|
||||||
|
- "Deny unauthenticated X-Request-With XMLHttpRequest "
|
||||||
|
+ "Deny unauthenticated X-Requested-With XMLHttpRequest "
|
||||||
|
"(AJAX) request");
|
||||||
|
return HTTP_FORBIDDEN;
|
||||||
|
}
|
||||||
|
--
|
||||||
|
2.20.1
|
||||||
|
|
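--- /dev/null
+++ b/SOURCES/0005-CVE_2019_13038.patch
@@ -0,0 +1,28 @@
+From 297093e6a48a4c0fd307c2206c59a8c8eb84fb53 Mon Sep 17 00:00:00 2001
+From: Valentin <awakenine@users.noreply.github.com>
+Date: Fri, 6 Sep 2019 13:30:36 +0300
+Subject: [PATCH] Update auth_mellon_mode.c
+
+Fix open redirect CVE-2019-13038
+---
+auth_mellon_util.c | 4 ++++
+1 file changed, 4 insertions(+)
+
+diff --git a/auth_mellon_util.c b/auth_mellon_util.c
+index fd442f9..7dff61e 100644
+--- a/auth_mellon_util.c
++++ b/auth_mellon_util.c
+@@ -116,6 +116,10 @@ int am_validate_redirect_url(request_rec *r, const char *url)
+
+/* Sanity check of the scheme of the domain. We only allow http and https. */
+if (uri.scheme) {
++ /* http and https schemes without hostname are invalid. */
++ if (!uri.hostname) {
++ return HTTP_BAD_REQUEST;
++ }
+if (strcasecmp(uri.scheme, "http")
+&& strcasecmp(uri.scheme, "https")) {
+AM_LOG_RERROR(APLOG_MARK, APLOG_ERR, 0, r,
+--
+2.21.0
+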
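Review bot: The new `if (!uri.hostname)` branch rejects the redirect target without logging, while the sibling scheme check a few lines below reports its rejection through AM_LOG_RERROR; a refused ReturnTo URL is exactly the event an operator would want in the error log when looking for open-redirect probing, so the silent HTTP_BAD_REQUEST leaves a detection gap. I would add a log line in the same style before the return, e.g. `AM_LOG_RERROR(APLOG_MARK, APLOG_ERR, 0, r, "Redirect URL has a scheme but no hostname, rejecting");` — the message wording of the neighbouring scheme check is cut off after the hunk, so match whatever format it uses. The comment `/* http and https schemes without hostname are invalid. */` is narrower than the check, which runs before the scheme is compared and therefore rejects any scheme without a hostname; `/* Any scheme without a hostname is invalid. */` describes it accurately. am_validate_redirect_url begins before this hunk, so the earlier parsing that fills uri is not visible here.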
@ -1,7 +1,7 @@
|
|||||||
Summary: A SAML 2.0 authentication module for the Apache Httpd Server
|
Summary: A SAML 2.0 authentication module for the Apache Httpd Server
|
||||||
Name: mod_auth_mellon
|
Name: mod_auth_mellon
|
||||||
Version: 0.14.0
|
Version: 0.14.0
|
||||||
Release: 9%{?dist}
|
Release: 11%{?dist}
|
||||||
Group: System Environment/Daemons
|
Group: System Environment/Daemons
|
||||||
Source0: https://github.com/UNINETT/mod_auth_mellon/releases/download/v%{version}/%{name}-%{version}.tar.gz
|
Source0: https://github.com/UNINETT/mod_auth_mellon/releases/download/v%{version}/%{name}-%{version}.tar.gz
|
||||||
Source1: auth_mellon.conf
|
Source1: auth_mellon.conf
|
||||||
@ -25,6 +25,8 @@ Url: https://github.com/UNINETT/mod_auth_mellon
|
|||||||
Patch0001: 0001-Modify-am_handler-setup-to-run-before-mod_proxy.patch
|
Patch0001: 0001-Modify-am_handler-setup-to-run-before-mod_proxy.patch
|
||||||
Patch0002: 0002-Fix-redirect-URL-validation-bypass.patch
|
Patch0002: 0002-Fix-redirect-URL-validation-bypass.patch
|
||||||
Patch0003: 0003-backport-Make-the-environment-variable-prefix-configurable.patch
|
Patch0003: 0003-backport-Make-the-environment-variable-prefix-configurable.patch
|
||||||
|
Patch0004: 0004-Fix-incorrect-header-used-for-detecting-AJAX-request.patch
|
||||||
|
Patch0005: 0005-CVE_2019_13038.patch
|
||||||
|
|
||||||
# FIXME: RHEL-7 does not have rubygem-asciidoctor, only asciidoc. However,
|
# FIXME: RHEL-7 does not have rubygem-asciidoctor, only asciidoc. However,
|
||||||
# I could not get asciidoc to render properly so instead I generated
|
# I could not get asciidoc to render properly so instead I generated
|
||||||
@ -42,6 +44,8 @@ received in assertions generated by a IdP server.
|
|||||||
%patch1 -p1
|
%patch1 -p1
|
||||||
%patch2 -p1
|
%patch2 -p1
|
||||||
%patch3 -p1
|
%patch3 -p1
|
||||||
|
%patch4 -p1
|
||||||
|
%patch5 -p1
|
||||||
|
|
||||||
%build
|
%build
|
||||||
export APXS=%{_httpd_apxs}
|
export APXS=%{_httpd_apxs}
|
||||||
@ -112,6 +116,15 @@ in the doc directory for instructions on using the diagnostics build.
|
|||||||
%attr(0755,apache,apache) %dir /run/%{name}/
|
%attr(0755,apache,apache) %dir /run/%{name}/
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Fri Oct 18 2019 Jakub Hrozek <jhrozek@redhat.com> - 0.14.0-11
|
||||||
|
- Resolves: rhbz#1731053 - CVE-2019-13038 mod_auth_mellon: an Open Redirect
|
||||||
|
via the login?ReturnTo= substring which could
|
||||||
|
facilitate information theft [rhel-8]
|
||||||
|
|
||||||
|
* Fri Oct 18 2019 Jakub Hrozek <jhrozek@redhat.com> - 0.14.0-10
|
||||||
|
- Resolves: rhbz#1761774 - mod_auth_mellon fix for AJAX header name
|
||||||
|
X-Requested-With
|
||||||
|
|
||||||
* Thu Jun 13 2019 Jakub Hrozek <jhrozek@redhat.com> - 0.14.0-9
|
* Thu Jun 13 2019 Jakub Hrozek <jhrozek@redhat.com> - 0.14.0-9
|
||||||
- Just bump the release number
|
- Just bump the release number
|
||||||
- Related: rhbz#1718238 - mod_auth_mellon-diagnostics RPM not in product
|
- Related: rhbz#1718238 - mod_auth_mellon-diagnostics RPM not in product
|
||||||
|