import mod_auth_mellon-0.14.0-12.el8
This commit is contained in:
parent
ad23017074
commit
f628aa42c5
95
SOURCES/0006-Add-none-option-for-samesite.patch
Normal file
95
SOURCES/0006-Add-none-option-for-samesite.patch
Normal file
@ -0,0 +1,95 @@
|
|||||||
|
From fb5ad7bf997946df4472cb94d7875ee70281d59c Mon Sep 17 00:00:00 2001
|
||||||
|
From: Anthony Critelli <acritelli@datto.com>
|
||||||
|
Date: Tue, 7 Jan 2020 11:14:24 -0500
|
||||||
|
Subject: [PATCH] Add none option for samesite
|
||||||
|
|
||||||
|
---
|
||||||
|
README.md | 7 +++++--
|
||||||
|
auth_mellon.h | 3 ++-
|
||||||
|
auth_mellon_config.c | 2 ++
|
||||||
|
auth_mellon_cookie.c | 4 +++-
|
||||||
|
auth_mellon_diagnostics.c | 1 +
|
||||||
|
5 files changed, 13 insertions(+), 4 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/README.md b/README.md
|
||||||
|
index be374bc..82a88fc 100644
|
||||||
|
--- a/README.md
|
||||||
|
+++ b/README.md
|
||||||
|
@@ -218,8 +218,11 @@ MellonDiagnosticsEnable Off
|
||||||
|
|
||||||
|
# MellonCookieSameSite allows control over the SameSite value used
|
||||||
|
# for the authentication cookie.
|
||||||
|
- # The setting accepts values of "Strict" or "Lax"
|
||||||
|
- # If not set, the SameSite attribute is not set on the cookie.
|
||||||
|
+ # The setting accepts values of "Strict", "Lax", or "None".
|
||||||
|
+ # When using none, you should set "MellonSecureCookie On" to prevent
|
||||||
|
+ # compatibility issues with newer browsers.
|
||||||
|
+ # If not set, the SameSite attribute is not set on the cookie. In newer
|
||||||
|
+ # browsers, this may cause SameSite to default to "Lax"
|
||||||
|
# Default: not set
|
||||||
|
# MellonCookieSameSite lax
|
||||||
|
|
||||||
|
diff --git a/auth_mellon.h b/auth_mellon.h
|
||||||
|
index 9ef2d8a..5f5a20b 100644
|
||||||
|
--- a/auth_mellon.h
|
||||||
|
+++ b/auth_mellon.h
|
||||||
|
@@ -164,7 +164,8 @@ typedef enum {
|
||||||
|
typedef enum {
|
||||||
|
am_samesite_default,
|
||||||
|
am_samesite_lax,
|
||||||
|
- am_samesite_strict
|
||||||
|
+ am_samesite_strict,
|
||||||
|
+ am_samesite_none,
|
||||||
|
} am_samesite_t;
|
||||||
|
|
||||||
|
typedef enum {
|
||||||
|
diff --git a/auth_mellon_config.c b/auth_mellon_config.c
|
||||||
|
index 7932e2d..f1a9d12 100644
|
||||||
|
--- a/auth_mellon_config.c
|
||||||
|
+++ b/auth_mellon_config.c
|
||||||
|
@@ -583,6 +583,8 @@ static const char *am_set_samesite_slot(cmd_parms *cmd,
|
||||||
|
d->cookie_samesite = am_samesite_lax;
|
||||||
|
} else if(!strcasecmp(arg, "strict")) {
|
||||||
|
d->cookie_samesite = am_samesite_strict;
|
||||||
|
+ } else if(!strcasecmp(arg, "none")) {
|
||||||
|
+ d->cookie_samesite = am_samesite_none;
|
||||||
|
} else {
|
||||||
|
return "The MellonCookieSameSite parameter must be 'lax' or 'strict'";
|
||||||
|
}
|
||||||
|
diff --git a/auth_mellon_cookie.c b/auth_mellon_cookie.c
|
||||||
|
index 8394c18..b2c8535 100644
|
||||||
|
--- a/auth_mellon_cookie.c
|
||||||
|
+++ b/auth_mellon_cookie.c
|
||||||
|
@@ -1,7 +1,7 @@
|
||||||
|
/*
|
||||||
|
*
|
||||||
|
* auth_mellon_cookie.c: an authentication apache module
|
||||||
|
- * Copyright © 2003-2007 UNINETT (http://www.uninett.no/)
|
||||||
|
+ * Copyright © 2003-2007 UNINETT (http://www.uninett.no/)
|
||||||
|
*
|
||||||
|
* This program is free software; you can redistribute it and/or modify
|
||||||
|
* it under the terms of the GNU General Public License as published by
|
||||||
|
@@ -73,6 +73,8 @@ static const char *am_cookie_params(request_rec *r)
|
||||||
|
cookie_samesite = "; SameSite=Lax";
|
||||||
|
} else if (cfg->cookie_samesite == am_samesite_strict) {
|
||||||
|
cookie_samesite = "; SameSite=Strict";
|
||||||
|
+ } else if (cfg->cookie_samesite == am_samesite_none) {
|
||||||
|
+ cookie_samesite = "; SameSite=None";
|
||||||
|
}
|
||||||
|
|
||||||
|
secure_cookie = cfg->secure;
|
||||||
|
diff --git a/auth_mellon_diagnostics.c b/auth_mellon_diagnostics.c
|
||||||
|
index 792e894..912814b 100644
|
||||||
|
--- a/auth_mellon_diagnostics.c
|
||||||
|
+++ b/auth_mellon_diagnostics.c
|
||||||
|
@@ -214,6 +214,7 @@ am_diag_samesite_str(request_rec *r, am_samesite_t samesite)
|
||||||
|
case am_samesite_default: return "default";
|
||||||
|
case am_samesite_lax: return "lax";
|
||||||
|
case am_samesite_strict: return "strict";
|
||||||
|
+ case am_samesite_none: return "none";
|
||||||
|
default:
|
||||||
|
return apr_psprintf(r->pool, "unknown (%d)", samesite);
|
||||||
|
}
|
||||||
|
--
|
||||||
|
2.21.0
|
||||||
|
|
69
SOURCES/0007-avoid-always-set-SameSite-cookie.patch
Normal file
69
SOURCES/0007-avoid-always-set-SameSite-cookie.patch
Normal file
@ -0,0 +1,69 @@
|
|||||||
|
From b9d87e0deb528817689f1648999a95645b1b19ad Mon Sep 17 00:00:00 2001
|
||||||
|
From: Keita SUZUKI <keita@osstech.co.jp>
|
||||||
|
Date: Mon, 20 Jan 2020 11:03:14 +0900
|
||||||
|
Subject: [PATCH] avoid always set SameSite cookie
|
||||||
|
|
||||||
|
---
|
||||||
|
auth_mellon.h | 5 +++++
|
||||||
|
auth_mellon_cookie.c | 22 ++++++++++++++++------
|
||||||
|
2 files changed, 21 insertions(+), 6 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/auth_mellon.h b/auth_mellon.h
|
||||||
|
index 5f5a20b..8bb8023 100644
|
||||||
|
--- a/auth_mellon.h
|
||||||
|
+++ b/auth_mellon.h
|
||||||
|
@@ -96,6 +96,11 @@ typedef enum {
|
||||||
|
} am_diag_flags_t;
|
||||||
|
#endif
|
||||||
|
|
||||||
|
+
|
||||||
|
+/* Disable SameSite Environment Value */
|
||||||
|
+#define AM_DISABLE_SAMESITE_ENV_VAR "MELLON_DISABLE_SAMESITE"
|
||||||
|
+
|
||||||
|
+
|
||||||
|
/* This is the length of the id we use (for session IDs and
|
||||||
|
* replaying POST data).
|
||||||
|
*/
|
||||||
|
diff --git a/auth_mellon_cookie.c b/auth_mellon_cookie.c
|
||||||
|
index b2c8535..55f77a5 100644
|
||||||
|
--- a/auth_mellon_cookie.c
|
||||||
|
+++ b/auth_mellon_cookie.c
|
||||||
|
@@ -59,6 +59,7 @@ static const char *am_cookie_params(request_rec *r)
|
||||||
|
const char *cookie_domain = ap_get_server_name(r);
|
||||||
|
const char *cookie_path = "/";
|
||||||
|
const char *cookie_samesite = "";
|
||||||
|
+ const char *env_var_value = NULL;
|
||||||
|
am_dir_cfg_rec *cfg = am_get_dir_cfg(r);
|
||||||
|
|
||||||
|
if (cfg->cookie_domain) {
|
||||||
|
@@ -69,12 +70,21 @@ static const char *am_cookie_params(request_rec *r)
|
||||||
|
cookie_path = cfg->cookie_path;
|
||||||
|
}
|
||||||
|
|
||||||
|
- if (cfg->cookie_samesite == am_samesite_lax) {
|
||||||
|
- cookie_samesite = "; SameSite=Lax";
|
||||||
|
- } else if (cfg->cookie_samesite == am_samesite_strict) {
|
||||||
|
- cookie_samesite = "; SameSite=Strict";
|
||||||
|
- } else if (cfg->cookie_samesite == am_samesite_none) {
|
||||||
|
- cookie_samesite = "; SameSite=None";
|
||||||
|
+ if (r->subprocess_env != NULL){
|
||||||
|
+ env_var_value = apr_table_get(r->subprocess_env,
|
||||||
|
+ AM_DISABLE_SAMESITE_ENV_VAR);
|
||||||
|
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
|
||||||
|
+ "%s : %s", AM_DISABLE_SAMESITE_ENV_VAR, env_var_value);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (env_var_value == NULL){
|
||||||
|
+ if (cfg->cookie_samesite == am_samesite_lax) {
|
||||||
|
+ cookie_samesite = "; SameSite=Lax";
|
||||||
|
+ } else if (cfg->cookie_samesite == am_samesite_strict) {
|
||||||
|
+ cookie_samesite = "; SameSite=Strict";
|
||||||
|
+ } else if (cfg->cookie_samesite == am_samesite_none) {
|
||||||
|
+ cookie_samesite = "; SameSite=None";
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
|
||||||
|
secure_cookie = cfg->secure;
|
||||||
|
--
|
||||||
|
2.21.0
|
||||||
|
|
78
SOURCES/0008-Set-SameSite-to-None-on-test-cookie.patch
Normal file
78
SOURCES/0008-Set-SameSite-to-None-on-test-cookie.patch
Normal file
@ -0,0 +1,78 @@
|
|||||||
|
From 7ef4ae72a8578475064eb66e3ed5703ccf6ee078 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Ruediger Pluem <r.pluem@gmx.de>
|
||||||
|
Date: Thu, 30 Apr 2020 07:56:01 +0200
|
||||||
|
Subject: [PATCH] Set SameSite to None on test cookie
|
||||||
|
|
||||||
|
If the SameSite cookie attribute is to be set because
|
||||||
|
MellonCookieSameSite is configured and MELLON_DISABLE_SAMESITE not set
|
||||||
|
for this particular request set it to None for the test cookie.
|
||||||
|
This ensures that the test cookie with the static test content does not
|
||||||
|
get lost in the HTTP-POST binding request issued by the autosubmit form
|
||||||
|
returned by the IDP.
|
||||||
|
Addresses #20
|
||||||
|
|
||||||
|
* auth_mellon.h: Add AM_FORCE_SAMESITE_NONE_NOTE
|
||||||
|
|
||||||
|
* auth_mellon_handler.c (am_send_login_authn_request): Set request note
|
||||||
|
to set SameSite to None if appropriate.
|
||||||
|
|
||||||
|
* auth_mellon_cookie.c (am_cookie_params): Set SameSite to None if
|
||||||
|
requested via request note.
|
||||||
|
---
|
||||||
|
auth_mellon.h | 3 +++
|
||||||
|
auth_mellon_cookie.c | 6 +++++-
|
||||||
|
auth_mellon_handler.c | 5 +++++
|
||||||
|
3 files changed, 13 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/auth_mellon.h b/auth_mellon.h
|
||||||
|
index fd39b28..401ed9c 100644
|
||||||
|
--- a/auth_mellon.h
|
||||||
|
+++ b/auth_mellon.h
|
||||||
|
@@ -100,6 +100,9 @@ typedef enum {
|
||||||
|
/* Disable SameSite Environment Value */
|
||||||
|
#define AM_DISABLE_SAMESITE_ENV_VAR "MELLON_DISABLE_SAMESITE"
|
||||||
|
|
||||||
|
+/* Force setting SameSite to None */
|
||||||
|
+#define AM_FORCE_SAMESITE_NONE_NOTE "MELLON_FORCE_SAMESITE_NONE"
|
||||||
|
+
|
||||||
|
|
||||||
|
/* This is the length of the id we use (for session IDs and
|
||||||
|
* replaying POST data).
|
||||||
|
diff --git a/auth_mellon_cookie.c b/auth_mellon_cookie.c
|
||||||
|
index 55f77a5..6bff81e 100644
|
||||||
|
--- a/auth_mellon_cookie.c
|
||||||
|
+++ b/auth_mellon_cookie.c
|
||||||
|
@@ -78,7 +78,11 @@ static const char *am_cookie_params(request_rec *r)
|
||||||
|
}
|
||||||
|
|
||||||
|
if (env_var_value == NULL){
|
||||||
|
- if (cfg->cookie_samesite == am_samesite_lax) {
|
||||||
|
+ if ((cfg->cookie_samesite != am_samesite_default) &&
|
||||||
|
+ (apr_table_get(r->notes, AM_FORCE_SAMESITE_NONE_NOTE) != NULL)) {
|
||||||
|
+ cookie_samesite = "; SameSite=None";
|
||||||
|
+ }
|
||||||
|
+ else if (cfg->cookie_samesite == am_samesite_lax) {
|
||||||
|
cookie_samesite = "; SameSite=Lax";
|
||||||
|
} else if (cfg->cookie_samesite == am_samesite_strict) {
|
||||||
|
cookie_samesite = "; SameSite=Strict";
|
||||||
|
diff --git a/auth_mellon_handler.c b/auth_mellon_handler.c
|
||||||
|
index 395ee1d..40c9bcd 100644
|
||||||
|
--- a/auth_mellon_handler.c
|
||||||
|
+++ b/auth_mellon_handler.c
|
||||||
|
@@ -3261,8 +3261,13 @@ static int am_send_login_authn_request(request_rec *r, const char *idp,
|
||||||
|
/* Add cookie for cookie test. We know that we should have
|
||||||
|
* a valid cookie when we return from the IdP after SP-initiated
|
||||||
|
* login.
|
||||||
|
+ * Ensure that SameSite is set to None for this cookie if SameSite
|
||||||
|
+ * is allowed to be set as the cookie otherwise gets lost on
|
||||||
|
+ * HTTP-POST binding messages.
|
||||||
|
*/
|
||||||
|
+ apr_table_setn(r->notes, AM_FORCE_SAMESITE_NONE_NOTE, "1");
|
||||||
|
am_cookie_set(r, "cookietest");
|
||||||
|
+ apr_table_unset(r->notes, AM_FORCE_SAMESITE_NONE_NOTE);
|
||||||
|
|
||||||
|
server = am_get_lasso_server(r);
|
||||||
|
if(server == NULL) {
|
||||||
|
--
|
||||||
|
2.26.2
|
||||||
|
|
@ -1,7 +1,7 @@
|
|||||||
Summary: A SAML 2.0 authentication module for the Apache Httpd Server
|
Summary: A SAML 2.0 authentication module for the Apache Httpd Server
|
||||||
Name: mod_auth_mellon
|
Name: mod_auth_mellon
|
||||||
Version: 0.14.0
|
Version: 0.14.0
|
||||||
Release: 11%{?dist}
|
Release: 12%{?dist}
|
||||||
Group: System Environment/Daemons
|
Group: System Environment/Daemons
|
||||||
Source0: https://github.com/UNINETT/mod_auth_mellon/releases/download/v%{version}/%{name}-%{version}.tar.gz
|
Source0: https://github.com/UNINETT/mod_auth_mellon/releases/download/v%{version}/%{name}-%{version}.tar.gz
|
||||||
Source1: auth_mellon.conf
|
Source1: auth_mellon.conf
|
||||||
@ -27,6 +27,9 @@ Patch0002: 0002-Fix-redirect-URL-validation-bypass.patch
|
|||||||
Patch0003: 0003-backport-Make-the-environment-variable-prefix-configurable.patch
|
Patch0003: 0003-backport-Make-the-environment-variable-prefix-configurable.patch
|
||||||
Patch0004: 0004-Fix-incorrect-header-used-for-detecting-AJAX-request.patch
|
Patch0004: 0004-Fix-incorrect-header-used-for-detecting-AJAX-request.patch
|
||||||
Patch0005: 0005-CVE_2019_13038.patch
|
Patch0005: 0005-CVE_2019_13038.patch
|
||||||
|
Patch0006: 0006-Add-none-option-for-samesite.patch
|
||||||
|
Patch0007: 0007-avoid-always-set-SameSite-cookie.patch
|
||||||
|
Patch0008: 0008-Set-SameSite-to-None-on-test-cookie.patch
|
||||||
|
|
||||||
# FIXME: RHEL-7 does not have rubygem-asciidoctor, only asciidoc. However,
|
# FIXME: RHEL-7 does not have rubygem-asciidoctor, only asciidoc. However,
|
||||||
# I could not get asciidoc to render properly so instead I generated
|
# I could not get asciidoc to render properly so instead I generated
|
||||||
@ -46,6 +49,9 @@ received in assertions generated by a IdP server.
|
|||||||
%patch3 -p1
|
%patch3 -p1
|
||||||
%patch4 -p1
|
%patch4 -p1
|
||||||
%patch5 -p1
|
%patch5 -p1
|
||||||
|
%patch6 -p1
|
||||||
|
%patch7 -p1
|
||||||
|
%patch8 -p1
|
||||||
|
|
||||||
%build
|
%build
|
||||||
export APXS=%{_httpd_apxs}
|
export APXS=%{_httpd_apxs}
|
||||||
@ -116,6 +122,10 @@ in the doc directory for instructions on using the diagnostics build.
|
|||||||
%attr(0755,apache,apache) %dir /run/%{name}/
|
%attr(0755,apache,apache) %dir /run/%{name}/
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon Jan 25 2021 Jakub Hrozek <jhrozek@redhat.com> - 0.14.0-12
|
||||||
|
- Resolves: rhbz#1791262 - Backport SameSite=None cookie from upstream to
|
||||||
|
support latest browsers
|
||||||
|
|
||||||
* Fri Oct 18 2019 Jakub Hrozek <jhrozek@redhat.com> - 0.14.0-11
|
* Fri Oct 18 2019 Jakub Hrozek <jhrozek@redhat.com> - 0.14.0-11
|
||||||
- Resolves: rhbz#1731053 - CVE-2019-13038 mod_auth_mellon: an Open Redirect
|
- Resolves: rhbz#1731053 - CVE-2019-13038 mod_auth_mellon: an Open Redirect
|
||||||
via the login?ReturnTo= substring which could
|
via the login?ReturnTo= substring which could
|
||||||
|
Loading…
Reference in New Issue
Block a user