import mod_auth_mellon-0.14.0-12.el8.1
This commit is contained in:
parent
f628aa42c5
commit
e47d0b5de3
47
SOURCES/0009-Prevent-redirect-to-URLs-that-begin-with.patch
Normal file
47
SOURCES/0009-Prevent-redirect-to-URLs-that-begin-with.patch
Normal file
@ -0,0 +1,47 @@
|
|||||||
|
From 42a11261b9dad2e48d70bdff7c53dd57a12db6f5 Mon Sep 17 00:00:00 2001
|
||||||
|
From: AIMOTO Norihito <aimoto@osstech.co.jp>
|
||||||
|
Date: Tue, 6 Jul 2021 22:57:24 +0200
|
||||||
|
Subject: [PATCH] Prevent redirect to URLs that begin with '///'
|
||||||
|
|
||||||
|
Visiting a logout URL like this:
|
||||||
|
https://rp.example.co.jp/mellon/logout?ReturnTo=///fishing-site.example.com/logout.html
|
||||||
|
would have redirected the user to fishing-site.example.com
|
||||||
|
|
||||||
|
With the patch, this URL would be rejected.
|
||||||
|
|
||||||
|
Fixes: CVE-2021-3639
|
||||||
|
---
|
||||||
|
auth_mellon_util.c | 10 ++++++++++
|
||||||
|
1 file changed, 10 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/auth_mellon_util.c b/auth_mellon_util.c
|
||||||
|
index 2f8c9c3..6a686db 100644
|
||||||
|
--- a/auth_mellon_util.c
|
||||||
|
+++ b/auth_mellon_util.c
|
||||||
|
@@ -927,6 +927,10 @@ int am_check_url(request_rec *r, const char *url)
|
||||||
|
{
|
||||||
|
const char *i;
|
||||||
|
|
||||||
|
+ if (url == NULL) {
|
||||||
|
+ return HTTP_BAD_REQUEST;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
for (i = url; *i; i++) {
|
||||||
|
if (*i >= 0 && *i < ' ') {
|
||||||
|
/* Deny all control-characters. */
|
||||||
|
@@ -943,6 +947,12 @@ int am_check_url(request_rec *r, const char *url)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
+ if (strstr(url, "///") == url) {
|
||||||
|
+ AM_LOG_RERROR(APLOG_MARK, APLOG_ERR, HTTP_BAD_REQUEST, r,
|
||||||
|
+ "URL starts with '///'");
|
||||||
|
+ return HTTP_BAD_REQUEST;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
return OK;
|
||||||
|
}
|
||||||
|
|
||||||
|
--
|
||||||
|
2.26.3
|
||||||
|
|
@ -1,7 +1,7 @@
|
|||||||
Summary: A SAML 2.0 authentication module for the Apache Httpd Server
|
Summary: A SAML 2.0 authentication module for the Apache Httpd Server
|
||||||
Name: mod_auth_mellon
|
Name: mod_auth_mellon
|
||||||
Version: 0.14.0
|
Version: 0.14.0
|
||||||
Release: 12%{?dist}
|
Release: 12%{?dist}.1
|
||||||
Group: System Environment/Daemons
|
Group: System Environment/Daemons
|
||||||
Source0: https://github.com/UNINETT/mod_auth_mellon/releases/download/v%{version}/%{name}-%{version}.tar.gz
|
Source0: https://github.com/UNINETT/mod_auth_mellon/releases/download/v%{version}/%{name}-%{version}.tar.gz
|
||||||
Source1: auth_mellon.conf
|
Source1: auth_mellon.conf
|
||||||
@ -30,6 +30,7 @@ Patch0005: 0005-CVE_2019_13038.patch
|
|||||||
Patch0006: 0006-Add-none-option-for-samesite.patch
|
Patch0006: 0006-Add-none-option-for-samesite.patch
|
||||||
Patch0007: 0007-avoid-always-set-SameSite-cookie.patch
|
Patch0007: 0007-avoid-always-set-SameSite-cookie.patch
|
||||||
Patch0008: 0008-Set-SameSite-to-None-on-test-cookie.patch
|
Patch0008: 0008-Set-SameSite-to-None-on-test-cookie.patch
|
||||||
|
Patch0009: 0009-Prevent-redirect-to-URLs-that-begin-with.patch
|
||||||
|
|
||||||
# FIXME: RHEL-7 does not have rubygem-asciidoctor, only asciidoc. However,
|
# FIXME: RHEL-7 does not have rubygem-asciidoctor, only asciidoc. However,
|
||||||
# I could not get asciidoc to render properly so instead I generated
|
# I could not get asciidoc to render properly so instead I generated
|
||||||
@ -52,6 +53,7 @@ received in assertions generated by a IdP server.
|
|||||||
%patch6 -p1
|
%patch6 -p1
|
||||||
%patch7 -p1
|
%patch7 -p1
|
||||||
%patch8 -p1
|
%patch8 -p1
|
||||||
|
%patch9 -p1
|
||||||
|
|
||||||
%build
|
%build
|
||||||
export APXS=%{_httpd_apxs}
|
export APXS=%{_httpd_apxs}
|
||||||
@ -122,6 +124,10 @@ in the doc directory for instructions on using the diagnostics build.
|
|||||||
%attr(0755,apache,apache) %dir /run/%{name}/
|
%attr(0755,apache,apache) %dir /run/%{name}/
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Wed Dec 15 2021 Jakub Hrozek <jhrozek@redhat.com> - 0.14.0-12.1
|
||||||
|
- Resolves: rhbz#1986805 - CVE-2021-3639 mod_auth_mellon: Open Redirect
|
||||||
|
vulnerability in logout URLs [rhel-8]
|
||||||
|
|
||||||
* Mon Jan 25 2021 Jakub Hrozek <jhrozek@redhat.com> - 0.14.0-12
|
* Mon Jan 25 2021 Jakub Hrozek <jhrozek@redhat.com> - 0.14.0-12
|
||||||
- Resolves: rhbz#1791262 - Backport SameSite=None cookie from upstream to
|
- Resolves: rhbz#1791262 - Backport SameSite=None cookie from upstream to
|
||||||
support latest browsers
|
support latest browsers
|
||||||
|
Loading…
Reference in New Issue
Block a user