Compare commits
No commits in common. "c8" and "c10s" have entirely different histories.
1
.gitignore
vendored
1
.gitignore
vendored
@ -1 +0,0 @@
|
|||||||
SOURCES/mod_auth_mellon-0.14.0.tar.gz
|
|
@ -1 +0,0 @@
|
|||||||
4a93f8b093e1dea20e8a286931693c614903f2d9 SOURCES/mod_auth_mellon-0.14.0.tar.gz
|
|
@ -1,80 +0,0 @@
|
|||||||
From e09a28a30e13e5c22b481010f26b4a7743a09280 Mon Sep 17 00:00:00 2001
|
|
||||||
From: John Dennis <jdennis@redhat.com>
|
|
||||||
Date: Tue, 5 Mar 2019 10:15:48 +0100
|
|
||||||
Subject: [PATCH] Modify am_handler setup to run before mod_proxy
|
|
||||||
|
|
||||||
The way the ECP flow works is that when a client initiates the flow, the
|
|
||||||
SP's response is HTTP 200, but not the requested content, but a signed XML
|
|
||||||
document that contains the "samlp:AuthnRequest" element. The idea is that
|
|
||||||
the ECP client would then determine the IDP and send the document to the
|
|
||||||
IDP, get a samlp:Response and convey that to the SP to get access to the
|
|
||||||
protected resource.
|
|
||||||
|
|
||||||
Internally, the auth check which is normally done with am_check_uid() set to
|
|
||||||
apache's ap_hook_check_user_id() hook, just responds with OK, so it pretends
|
|
||||||
to authenticate the user. Then in the usual flow, the request reaches the
|
|
||||||
ap_hook_handler which handles the request. There in the pipeline, mellon
|
|
||||||
registers functions am_handler() which should run first (APR_HOOK_FIRST),
|
|
||||||
determine that this request is an ECP one and return the ECP AuthnRequest
|
|
||||||
document. But in case the proxy module is also in the picture, the proxy
|
|
||||||
module "races" for who gets to be the first to handle the request in the
|
|
||||||
pipeline and wins. Therefore, the request reaches the protected resource
|
|
||||||
via mod_proxy and returns it.
|
|
||||||
|
|
||||||
This fix modifies the ap_hook_handler() call to explicitly run before
|
|
||||||
handlers from mod_proxy.c
|
|
||||||
|
|
||||||
To reproduce the bug:
|
|
||||||
0) Have a SP with mellon connected to a Keycloak IDP (or any other IDP I
|
|
||||||
guess). In the example below, my SAML SP is saml.federation.test
|
|
||||||
1) Set a Location protected by mellon that proxies requests to another
|
|
||||||
URL. For example:
|
|
||||||
|
|
||||||
ProxyPass /sp-proxy http://app.federation.test/example_app/
|
|
||||||
<Location /sp-proxy>
|
|
||||||
AuthType Mellon
|
|
||||||
MellonEnable auth
|
|
||||||
Require valid-user
|
|
||||||
</Location>
|
|
||||||
|
|
||||||
2) call:
|
|
||||||
curl -L -H "Accept: application/vnd.paos+xml" \
|
|
||||||
-H 'PAOS: ver="urn:liberty:paos:2003-08";"urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"' \
|
|
||||||
http://saml.federation.test/sp-proxy
|
|
||||||
|
|
||||||
Before the patch, you would see whatever is served from the proxied
|
|
||||||
page. With the patch, you should get back a XML document with a
|
|
||||||
samlp:AuthnRequest.
|
|
||||||
---
|
|
||||||
mod_auth_mellon.c | 8 +++++++-
|
|
||||||
1 file changed, 7 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/mod_auth_mellon.c b/mod_auth_mellon.c
|
|
||||||
index 74bd328..5330f48 100644
|
|
||||||
--- a/mod_auth_mellon.c
|
|
||||||
+++ b/mod_auth_mellon.c
|
|
||||||
@@ -207,6 +207,12 @@ static int am_create_request(request_rec *r)
|
|
||||||
|
|
||||||
static void register_hooks(apr_pool_t *p)
|
|
||||||
{
|
|
||||||
+ /* Our handler needs to run before mod_proxy so that it can properly
|
|
||||||
+ * return ECP AuthnRequest messages when running as a reverse proxy.
|
|
||||||
+ * See: https://github.com/Uninett/mod_auth_mellon/pull/196
|
|
||||||
+ */
|
|
||||||
+ static const char * const run_handler_before[]={ "mod_proxy.c", NULL };
|
|
||||||
+
|
|
||||||
ap_hook_access_checker(am_auth_mellon_user, NULL, NULL, APR_HOOK_MIDDLE);
|
|
||||||
ap_hook_check_user_id(am_check_uid, NULL, NULL, APR_HOOK_MIDDLE);
|
|
||||||
ap_hook_post_config(am_global_init, NULL, NULL, APR_HOOK_MIDDLE);
|
|
||||||
@@ -222,7 +228,7 @@ static void register_hooks(apr_pool_t *p)
|
|
||||||
* Therefore this hook must run before any handler that may check
|
|
||||||
* r->handler and decide that it is the only handler for this URL.
|
|
||||||
*/
|
|
||||||
- ap_hook_handler(am_handler, NULL, NULL, APR_HOOK_FIRST);
|
|
||||||
+ ap_hook_handler(am_handler, NULL, run_handler_before, APR_HOOK_FIRST);
|
|
||||||
|
|
||||||
#ifdef ENABLE_DIAGNOSTICS
|
|
||||||
ap_hook_open_logs(am_diag_log_init,NULL,NULL,APR_HOOK_MIDDLE);
|
|
||||||
--
|
|
||||||
2.19.2
|
|
||||||
|
|
@ -1,44 +0,0 @@
|
|||||||
From 62041428a32de402e0be6ba45fe12df6a83bedb8 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Olav Morken <olav.morken@uninett.no>
|
|
||||||
Date: Tue, 19 Mar 2019 13:42:22 +0100
|
|
||||||
Subject: [PATCH] Fix redirect URL validation bypass
|
|
||||||
|
|
||||||
It turns out that browsers silently convert backslash characters into
|
|
||||||
forward slashes, while apr_uri_parse() does not.
|
|
||||||
|
|
||||||
This mismatch allows an attacker to bypass the redirect URL validation
|
|
||||||
by using an URL like:
|
|
||||||
|
|
||||||
https://sp.example.org/mellon/logout?ReturnTo=https:%5c%5cmalicious.example.org/
|
|
||||||
|
|
||||||
mod_auth_mellon will assume that it is a relative URL and allow the
|
|
||||||
request to pass through, while the browsers will use it as an absolute
|
|
||||||
url and redirect to https://malicious.example.org/ .
|
|
||||||
|
|
||||||
This patch fixes this issue by rejecting all redirect URLs with
|
|
||||||
backslashes.
|
|
||||||
---
|
|
||||||
auth_mellon_util.c | 7 +++++++
|
|
||||||
1 file changed, 7 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/auth_mellon_util.c b/auth_mellon_util.c
|
|
||||||
index 0fab309..fd442f9 100644
|
|
||||||
--- a/auth_mellon_util.c
|
|
||||||
+++ b/auth_mellon_util.c
|
|
||||||
@@ -927,6 +927,13 @@ int am_check_url(request_rec *r, const char *url)
|
|
||||||
"Control character detected in URL.");
|
|
||||||
return HTTP_BAD_REQUEST;
|
|
||||||
}
|
|
||||||
+ if (*i == '\\') {
|
|
||||||
+ /* Reject backslash character, as it can be used to bypass
|
|
||||||
+ * redirect URL validation. */
|
|
||||||
+ AM_LOG_RERROR(APLOG_MARK, APLOG_ERR, HTTP_BAD_REQUEST, r,
|
|
||||||
+ "Backslash character detected in URL.");
|
|
||||||
+ return HTTP_BAD_REQUEST;
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
|
|
||||||
return OK;
|
|
||||||
--
|
|
||||||
2.19.2
|
|
||||||
|
|
@ -1,172 +0,0 @@
|
|||||||
diff -up mod_auth_mellon-0.14.0/auth_mellon_cache.c.env_prefix mod_auth_mellon-0.14.0/auth_mellon_cache.c
|
|
||||||
--- mod_auth_mellon-0.14.0/auth_mellon_cache.c.env_prefix 2017-10-02 11:44:08.000000000 +0200
|
|
||||||
+++ mod_auth_mellon-0.14.0/auth_mellon_cache.c 2019-06-10 09:46:36.806014513 +0200
|
|
||||||
@@ -589,7 +589,7 @@ void am_cache_env_populate(request_rec *
|
|
||||||
*/
|
|
||||||
for(i = 0; i < t->size; ++i) {
|
|
||||||
varname = am_cache_entry_get_string(t, &t->env[i].varname);
|
|
||||||
- varname_prefix = "MELLON_";
|
|
||||||
+ varname_prefix = d->env_prefix;
|
|
||||||
|
|
||||||
/* Check if we should map this name into another name. */
|
|
||||||
env_varname_conf = (am_envattr_conf_t *)apr_hash_get(
|
|
||||||
diff -up mod_auth_mellon-0.14.0/auth_mellon_config.c.env_prefix mod_auth_mellon-0.14.0/auth_mellon_config.c
|
|
||||||
--- mod_auth_mellon-0.14.0/auth_mellon_config.c.env_prefix 2018-03-16 08:14:54.000000000 +0100
|
|
||||||
+++ mod_auth_mellon-0.14.0/auth_mellon_config.c 2019-06-10 09:46:36.807014516 +0200
|
|
||||||
@@ -36,6 +36,11 @@ static const char *default_endpoint_path
|
|
||||||
*/
|
|
||||||
static const char *default_user_attribute = "NAME_ID";
|
|
||||||
|
|
||||||
+/* This is the default prefix to use for attributes received from the
|
|
||||||
+ * server. Customizable using the MellonEnvPrefix option
|
|
||||||
+ */
|
|
||||||
+static const char *default_env_prefix = "MELLON_";
|
|
||||||
+
|
|
||||||
/* This is the default name of the cookie which mod_auth_mellon will set.
|
|
||||||
* If you change this, then you should also update the description of the
|
|
||||||
* MellonVar configuration directive.
|
|
||||||
@@ -1372,8 +1377,10 @@ const command_rec auth_mellon_commands[]
|
|
||||||
am_set_setenv_slot,
|
|
||||||
NULL,
|
|
||||||
OR_AUTHCFG,
|
|
||||||
- "Renames attributes received from the server while retaining prefix MELLON_. The format is"
|
|
||||||
- " MellonSetEnv <old name> <new name>."
|
|
||||||
+ "Renames attributes received from the server while retaining the"
|
|
||||||
+ " prefix. The prefix defaults to MELLON_ but can be changed with"
|
|
||||||
+ " MellonEnvPrefix."
|
|
||||||
+ " The format is MellonSetEnv <old name> <new name>."
|
|
||||||
),
|
|
||||||
AP_INIT_TAKE2(
|
|
||||||
"MellonSetEnvNoPrefix",
|
|
||||||
@@ -1383,6 +1390,13 @@ const command_rec auth_mellon_commands[]
|
|
||||||
"Renames attributes received from the server without adding prefix. The format is"
|
|
||||||
" MellonSetEnvNoPrefix <old name> <new name>."
|
|
||||||
),
|
|
||||||
+ AP_INIT_TAKE1(
|
|
||||||
+ "MellonEnvPrefix",
|
|
||||||
+ ap_set_string_slot,
|
|
||||||
+ (void *)APR_OFFSETOF(am_dir_cfg_rec, env_prefix),
|
|
||||||
+ OR_AUTHCFG,
|
|
||||||
+ "The prefix to use for attributes received from the server."
|
|
||||||
+ ),
|
|
||||||
AP_INIT_FLAG(
|
|
||||||
"MellonSessionDump",
|
|
||||||
ap_set_flag_slot,
|
|
||||||
@@ -1714,6 +1728,7 @@ void *auth_mellon_dir_config(apr_pool_t
|
|
||||||
dir->cookie_path = NULL;
|
|
||||||
dir->cookie_samesite = am_samesite_default;
|
|
||||||
dir->envattr = apr_hash_make(p);
|
|
||||||
+ dir->env_prefix = default_env_prefix;
|
|
||||||
dir->userattr = default_user_attribute;
|
|
||||||
dir->idpattr = NULL;
|
|
||||||
dir->signature_method = inherit_signature_method;
|
|
||||||
@@ -1868,6 +1883,10 @@ void *auth_mellon_dir_merge(apr_pool_t *
|
|
||||||
add_cfg->envattr :
|
|
||||||
base_cfg->envattr);
|
|
||||||
|
|
||||||
+ new_cfg->env_prefix = (add_cfg->env_prefix != default_env_prefix ?
|
|
||||||
+ add_cfg->env_prefix :
|
|
||||||
+ base_cfg->env_prefix);
|
|
||||||
+
|
|
||||||
new_cfg->userattr = (add_cfg->userattr != default_user_attribute ?
|
|
||||||
add_cfg->userattr :
|
|
||||||
base_cfg->userattr);
|
|
||||||
diff -up mod_auth_mellon-0.14.0/auth_mellon_diagnostics.c.env_prefix mod_auth_mellon-0.14.0/auth_mellon_diagnostics.c
|
|
||||||
--- mod_auth_mellon-0.14.0/auth_mellon_diagnostics.c.env_prefix 2018-03-16 08:14:54.000000000 +0100
|
|
||||||
+++ mod_auth_mellon-0.14.0/auth_mellon_diagnostics.c 2019-06-10 09:46:36.808014518 +0200
|
|
||||||
@@ -442,6 +442,9 @@ am_diag_log_dir_cfg(request_rec *r, int
|
|
||||||
"%sMellonCookieSameSite (cookie_samesite): %s\n",
|
|
||||||
indent(level+1),
|
|
||||||
am_diag_samesite_str(r, cfg->cookie_samesite));
|
|
||||||
+ apr_file_printf(diag_cfg->fd,
|
|
||||||
+ "%sMellonEnvPrefix (env_prefix): %s\n",
|
|
||||||
+ indent(level+1), cfg->env_prefix);
|
|
||||||
|
|
||||||
apr_file_printf(diag_cfg->fd,
|
|
||||||
"%sMellonCond (cond): %d items\n",
|
|
||||||
@@ -466,7 +469,7 @@ am_diag_log_dir_cfg(request_rec *r, int
|
|
||||||
apr_hash_this(hash_item, (void *)&key, NULL, (void *)&envattr_conf);
|
|
||||||
|
|
||||||
if (envattr_conf->prefixed) {
|
|
||||||
- name = apr_pstrcat(r->pool, "MELLON_",
|
|
||||||
+ name = apr_pstrcat(r->pool, cfg->env_prefix,
|
|
||||||
envattr_conf->name, NULL);
|
|
||||||
} else {
|
|
||||||
name = envattr_conf->name;
|
|
||||||
diff -up mod_auth_mellon-0.14.0/auth_mellon.h.env_prefix mod_auth_mellon-0.14.0/auth_mellon.h
|
|
||||||
--- mod_auth_mellon-0.14.0/auth_mellon.h.env_prefix 2018-03-16 08:14:54.000000000 +0100
|
|
||||||
+++ mod_auth_mellon-0.14.0/auth_mellon.h 2019-06-10 09:46:36.805014510 +0200
|
|
||||||
@@ -237,6 +237,7 @@ typedef struct am_dir_cfg_rec {
|
|
||||||
am_samesite_t cookie_samesite;
|
|
||||||
apr_array_header_t *cond;
|
|
||||||
apr_hash_t *envattr;
|
|
||||||
+ const char *env_prefix;
|
|
||||||
const char *userattr;
|
|
||||||
const char *idpattr;
|
|
||||||
LassoSignatureMethod signature_method;
|
|
||||||
diff -up mod_auth_mellon-0.14.0/doc/user_guide/mellon_user_guide.adoc.env_prefix mod_auth_mellon-0.14.0/doc/user_guide/mellon_user_guide.adoc
|
|
||||||
--- mod_auth_mellon-0.14.0/doc/user_guide/mellon_user_guide.adoc.env_prefix 2018-03-16 08:14:54.000000000 +0100
|
|
||||||
+++ mod_auth_mellon-0.14.0/doc/user_guide/mellon_user_guide.adoc 2019-06-10 09:48:08.422237471 +0200
|
|
||||||
@@ -2007,11 +2007,13 @@ attributes.
|
|
||||||
assertion to a name of your choosing when it is placed in the Apache
|
|
||||||
environment. This is controlled by `MellonSetEnv` and
|
|
||||||
`MellonSetEnvNoPrefix` directives. The distinction
|
|
||||||
- is `MellonSetEnv` always prepends the `MELLON_` prefix to the
|
|
||||||
+ is `MellonSetEnv` always prepends a prefix to the
|
|
||||||
environment variable name to help to prevent name collisions. The
|
|
||||||
+ prefix defaults to `MELLON_` and can be configured using the
|
|
||||||
+ `MellonEnvPrefix` configuration option. The
|
|
||||||
`MellonSetEnvNoPrefix` directive also remaps the assertion name to a
|
|
||||||
name of your choosing but it omits prepending the environment
|
|
||||||
- variable name with `MELLON_`. See <<map_assertion_attr_name>>
|
|
||||||
+ variable name with the prefix. See <<map_assertion_attr_name>>
|
|
||||||
|
|
||||||
Using the <<assertion_response,assertion example>> Mellon places these
|
|
||||||
environment variables in the Apache environment. See
|
|
||||||
@@ -2096,10 +2098,12 @@ and `MellonSetEnvNoPrefix` directives. T
|
|
||||||
assertion attribute to a name of your choosing. The `MellonSetEnv`
|
|
||||||
directive follows the same convention as all other assertion
|
|
||||||
attributes added by Mellon in that it always prefixes the environment
|
|
||||||
-variable name with `MELLON_` to help avoid name collisions in the
|
|
||||||
+variable name with a configurable prefix, which defaults to `MELLON_` to help avoid name collisions in the
|
|
||||||
Apache environment. However sometimes you do not want the `MELLON_`
|
|
||||||
-prefix added and instead you want to use exactly the environment
|
|
||||||
-variable name as specified., `MellonSetEnvNoPrefix` serves this role.
|
|
||||||
+prefix added. In case you simply want the variables prefixed with
|
|
||||||
+a different string, use the `MellonEnvPrefix` configuration option. If,
|
|
||||||
+instead you want to use exactly the environment variable name as specified.,
|
|
||||||
+`MellonSetEnvNoPrefix` serves this role.
|
|
||||||
|
|
||||||
To illustrate let's look at an example. Suppose your web app is
|
|
||||||
expecting an attribute which is the user's last name, specifically it
|
|
||||||
@@ -2117,6 +2121,15 @@ MellonSetEnvNoPrefix REMOTE_USER_LASTNAM
|
|
||||||
Also see <<set_remote_user>> for an example of setting the `REMOTE_USER`
|
|
||||||
environment variable using `MellonSetEnvNoPrefix`.
|
|
||||||
|
|
||||||
+The `MellonEnvPrefix` variable might be useful e.g. if you
|
|
||||||
+are migrating from a different SP which used its own prefix
|
|
||||||
+for the variables passed by the IdP. For example, to prefix
|
|
||||||
+all variables with `NOLLEM_` you would use:
|
|
||||||
+
|
|
||||||
+----
|
|
||||||
+MellonEnvPrefix NOLLEM_
|
|
||||||
+----
|
|
||||||
+
|
|
||||||
=== Using Mellon to apply constraints [[assertion_constraints]]
|
|
||||||
|
|
||||||
SAML attributes can be used for more than exporting those values to a
|
|
||||||
diff -up mod_auth_mellon-0.14.0/README.md.env_prefix mod_auth_mellon-0.14.0/README.md
|
|
||||||
--- mod_auth_mellon-0.14.0/README.md.env_prefix 2018-03-16 08:14:54.000000000 +0100
|
|
||||||
+++ mod_auth_mellon-0.14.0/README.md 2019-06-10 09:46:36.805014510 +0200
|
|
||||||
@@ -253,6 +253,11 @@ MellonDiagnosticsEnable Off
|
|
||||||
# Default. None set.
|
|
||||||
MellonSetEnvNoPrefix "DISPLAY_NAME" "displayName"
|
|
||||||
|
|
||||||
+ # MellonEnvPrefix changes the string the variables passed from the
|
|
||||||
+ # IdP are prefixed with.
|
|
||||||
+ # Default: MELLON_
|
|
||||||
+ MellonEnvPrefix "NOLLEM_"
|
|
||||||
+
|
|
||||||
# MellonMergeEnvVars merges multiple values of environment variables
|
|
||||||
# set using MellonSetEnv into single variable:
|
|
||||||
# ie: MYENV_VAR => val1;val2;val3 instead of default behaviour of:
|
|
@ -1,49 +0,0 @@
|
|||||||
From 6358a5169762ef7b89d8b6d0f1a99b006f0fdd2f Mon Sep 17 00:00:00 2001
|
|
||||||
From: Olav Morken <olav.morken@uninett.no>
|
|
||||||
Date: Wed, 25 Jul 2018 12:19:39 +0200
|
|
||||||
Subject: [PATCH] Fix incorrect header used for detecting AJAX requests
|
|
||||||
|
|
||||||
The code was looking for "X-Request-With", but the header is actually
|
|
||||||
"X-Requested-With". As far as I can tell, it has always been the
|
|
||||||
latter, at least in the jQuery source code.
|
|
||||||
|
|
||||||
Fixes issue #174.
|
|
||||||
---
|
|
||||||
README.md | 2 +-
|
|
||||||
auth_mellon_handler.c | 4 ++--
|
|
||||||
2 files changed, 3 insertions(+), 3 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/README.md b/README.md
|
|
||||||
index 0a91dc5..8d85b43 100644
|
|
||||||
--- a/README.md
|
|
||||||
+++ b/README.md
|
|
||||||
@@ -180,7 +180,7 @@ MellonDiagnosticsEnable Off
|
|
||||||
# then we will redirect him to the login page of the IdP.
|
|
||||||
#
|
|
||||||
# There is a special handling of AJAX requests, that are
|
|
||||||
- # identified by the "X-Request-With: XMLHttpRequest" HTTP
|
|
||||||
+ # identified by the "X-Requested-With: XMLHttpRequest" HTTP
|
|
||||||
# header. Since no user interaction can happen there,
|
|
||||||
# we always fail unauthenticated (not logged in) requests
|
|
||||||
# with a 403 Forbidden error without redirecting to the IdP.
|
|
||||||
diff --git a/auth_mellon_handler.c b/auth_mellon_handler.c
|
|
||||||
index b16dc45..e33e6e9 100644
|
|
||||||
--- a/auth_mellon_handler.c
|
|
||||||
+++ b/auth_mellon_handler.c
|
|
||||||
@@ -3658,11 +3658,11 @@ int am_auth_mellon_user(request_rec *r)
|
|
||||||
* If this is an AJAX request, we cannot proceed to the IdP,
|
|
||||||
* Just fail early to save our resources
|
|
||||||
*/
|
|
||||||
- ajax_header = apr_table_get(r->headers_in, "X-Request-With");
|
|
||||||
+ ajax_header = apr_table_get(r->headers_in, "X-Requested-With");
|
|
||||||
if (ajax_header != NULL &&
|
|
||||||
strcmp(ajax_header, "XMLHttpRequest") == 0) {
|
|
||||||
AM_LOG_RERROR(APLOG_MARK, APLOG_INFO, 0, r,
|
|
||||||
- "Deny unauthenticated X-Request-With XMLHttpRequest "
|
|
||||||
+ "Deny unauthenticated X-Requested-With XMLHttpRequest "
|
|
||||||
"(AJAX) request");
|
|
||||||
return HTTP_FORBIDDEN;
|
|
||||||
}
|
|
||||||
--
|
|
||||||
2.20.1
|
|
||||||
|
|
@ -1,28 +0,0 @@
|
|||||||
From 297093e6a48a4c0fd307c2206c59a8c8eb84fb53 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Valentin <awakenine@users.noreply.github.com>
|
|
||||||
Date: Fri, 6 Sep 2019 13:30:36 +0300
|
|
||||||
Subject: [PATCH] Update auth_mellon_mode.c
|
|
||||||
|
|
||||||
Fix open redirect CVE-2019-13038
|
|
||||||
---
|
|
||||||
auth_mellon_util.c | 4 ++++
|
|
||||||
1 file changed, 4 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/auth_mellon_util.c b/auth_mellon_util.c
|
|
||||||
index fd442f9..7dff61e 100644
|
|
||||||
--- a/auth_mellon_util.c
|
|
||||||
+++ b/auth_mellon_util.c
|
|
||||||
@@ -116,6 +116,10 @@ int am_validate_redirect_url(request_rec *r, const char *url)
|
|
||||||
|
|
||||||
/* Sanity check of the scheme of the domain. We only allow http and https. */
|
|
||||||
if (uri.scheme) {
|
|
||||||
+ /* http and https schemes without hostname are invalid. */
|
|
||||||
+ if (!uri.hostname) {
|
|
||||||
+ return HTTP_BAD_REQUEST;
|
|
||||||
+ }
|
|
||||||
if (strcasecmp(uri.scheme, "http")
|
|
||||||
&& strcasecmp(uri.scheme, "https")) {
|
|
||||||
AM_LOG_RERROR(APLOG_MARK, APLOG_ERR, 0, r,
|
|
||||||
--
|
|
||||||
2.21.0
|
|
||||||
|
|
@ -1,95 +0,0 @@
|
|||||||
From fb5ad7bf997946df4472cb94d7875ee70281d59c Mon Sep 17 00:00:00 2001
|
|
||||||
From: Anthony Critelli <acritelli@datto.com>
|
|
||||||
Date: Tue, 7 Jan 2020 11:14:24 -0500
|
|
||||||
Subject: [PATCH] Add none option for samesite
|
|
||||||
|
|
||||||
---
|
|
||||||
README.md | 7 +++++--
|
|
||||||
auth_mellon.h | 3 ++-
|
|
||||||
auth_mellon_config.c | 2 ++
|
|
||||||
auth_mellon_cookie.c | 4 +++-
|
|
||||||
auth_mellon_diagnostics.c | 1 +
|
|
||||||
5 files changed, 13 insertions(+), 4 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/README.md b/README.md
|
|
||||||
index be374bc..82a88fc 100644
|
|
||||||
--- a/README.md
|
|
||||||
+++ b/README.md
|
|
||||||
@@ -218,8 +218,11 @@ MellonDiagnosticsEnable Off
|
|
||||||
|
|
||||||
# MellonCookieSameSite allows control over the SameSite value used
|
|
||||||
# for the authentication cookie.
|
|
||||||
- # The setting accepts values of "Strict" or "Lax"
|
|
||||||
- # If not set, the SameSite attribute is not set on the cookie.
|
|
||||||
+ # The setting accepts values of "Strict", "Lax", or "None".
|
|
||||||
+ # When using none, you should set "MellonSecureCookie On" to prevent
|
|
||||||
+ # compatibility issues with newer browsers.
|
|
||||||
+ # If not set, the SameSite attribute is not set on the cookie. In newer
|
|
||||||
+ # browsers, this may cause SameSite to default to "Lax"
|
|
||||||
# Default: not set
|
|
||||||
# MellonCookieSameSite lax
|
|
||||||
|
|
||||||
diff --git a/auth_mellon.h b/auth_mellon.h
|
|
||||||
index 9ef2d8a..5f5a20b 100644
|
|
||||||
--- a/auth_mellon.h
|
|
||||||
+++ b/auth_mellon.h
|
|
||||||
@@ -164,7 +164,8 @@ typedef enum {
|
|
||||||
typedef enum {
|
|
||||||
am_samesite_default,
|
|
||||||
am_samesite_lax,
|
|
||||||
- am_samesite_strict
|
|
||||||
+ am_samesite_strict,
|
|
||||||
+ am_samesite_none,
|
|
||||||
} am_samesite_t;
|
|
||||||
|
|
||||||
typedef enum {
|
|
||||||
diff --git a/auth_mellon_config.c b/auth_mellon_config.c
|
|
||||||
index 7932e2d..f1a9d12 100644
|
|
||||||
--- a/auth_mellon_config.c
|
|
||||||
+++ b/auth_mellon_config.c
|
|
||||||
@@ -583,6 +583,8 @@ static const char *am_set_samesite_slot(cmd_parms *cmd,
|
|
||||||
d->cookie_samesite = am_samesite_lax;
|
|
||||||
} else if(!strcasecmp(arg, "strict")) {
|
|
||||||
d->cookie_samesite = am_samesite_strict;
|
|
||||||
+ } else if(!strcasecmp(arg, "none")) {
|
|
||||||
+ d->cookie_samesite = am_samesite_none;
|
|
||||||
} else {
|
|
||||||
return "The MellonCookieSameSite parameter must be 'lax' or 'strict'";
|
|
||||||
}
|
|
||||||
diff --git a/auth_mellon_cookie.c b/auth_mellon_cookie.c
|
|
||||||
index 8394c18..b2c8535 100644
|
|
||||||
--- a/auth_mellon_cookie.c
|
|
||||||
+++ b/auth_mellon_cookie.c
|
|
||||||
@@ -1,7 +1,7 @@
|
|
||||||
/*
|
|
||||||
*
|
|
||||||
* auth_mellon_cookie.c: an authentication apache module
|
|
||||||
- * Copyright © 2003-2007 UNINETT (http://www.uninett.no/)
|
|
||||||
+ * Copyright © 2003-2007 UNINETT (http://www.uninett.no/)
|
|
||||||
*
|
|
||||||
* This program is free software; you can redistribute it and/or modify
|
|
||||||
* it under the terms of the GNU General Public License as published by
|
|
||||||
@@ -73,6 +73,8 @@ static const char *am_cookie_params(request_rec *r)
|
|
||||||
cookie_samesite = "; SameSite=Lax";
|
|
||||||
} else if (cfg->cookie_samesite == am_samesite_strict) {
|
|
||||||
cookie_samesite = "; SameSite=Strict";
|
|
||||||
+ } else if (cfg->cookie_samesite == am_samesite_none) {
|
|
||||||
+ cookie_samesite = "; SameSite=None";
|
|
||||||
}
|
|
||||||
|
|
||||||
secure_cookie = cfg->secure;
|
|
||||||
diff --git a/auth_mellon_diagnostics.c b/auth_mellon_diagnostics.c
|
|
||||||
index 792e894..912814b 100644
|
|
||||||
--- a/auth_mellon_diagnostics.c
|
|
||||||
+++ b/auth_mellon_diagnostics.c
|
|
||||||
@@ -214,6 +214,7 @@ am_diag_samesite_str(request_rec *r, am_samesite_t samesite)
|
|
||||||
case am_samesite_default: return "default";
|
|
||||||
case am_samesite_lax: return "lax";
|
|
||||||
case am_samesite_strict: return "strict";
|
|
||||||
+ case am_samesite_none: return "none";
|
|
||||||
default:
|
|
||||||
return apr_psprintf(r->pool, "unknown (%d)", samesite);
|
|
||||||
}
|
|
||||||
--
|
|
||||||
2.21.0
|
|
||||||
|
|
@ -1,69 +0,0 @@
|
|||||||
From b9d87e0deb528817689f1648999a95645b1b19ad Mon Sep 17 00:00:00 2001
|
|
||||||
From: Keita SUZUKI <keita@osstech.co.jp>
|
|
||||||
Date: Mon, 20 Jan 2020 11:03:14 +0900
|
|
||||||
Subject: [PATCH] avoid always set SameSite cookie
|
|
||||||
|
|
||||||
---
|
|
||||||
auth_mellon.h | 5 +++++
|
|
||||||
auth_mellon_cookie.c | 22 ++++++++++++++++------
|
|
||||||
2 files changed, 21 insertions(+), 6 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/auth_mellon.h b/auth_mellon.h
|
|
||||||
index 5f5a20b..8bb8023 100644
|
|
||||||
--- a/auth_mellon.h
|
|
||||||
+++ b/auth_mellon.h
|
|
||||||
@@ -96,6 +96,11 @@ typedef enum {
|
|
||||||
} am_diag_flags_t;
|
|
||||||
#endif
|
|
||||||
|
|
||||||
+
|
|
||||||
+/* Disable SameSite Environment Value */
|
|
||||||
+#define AM_DISABLE_SAMESITE_ENV_VAR "MELLON_DISABLE_SAMESITE"
|
|
||||||
+
|
|
||||||
+
|
|
||||||
/* This is the length of the id we use (for session IDs and
|
|
||||||
* replaying POST data).
|
|
||||||
*/
|
|
||||||
diff --git a/auth_mellon_cookie.c b/auth_mellon_cookie.c
|
|
||||||
index b2c8535..55f77a5 100644
|
|
||||||
--- a/auth_mellon_cookie.c
|
|
||||||
+++ b/auth_mellon_cookie.c
|
|
||||||
@@ -59,6 +59,7 @@ static const char *am_cookie_params(request_rec *r)
|
|
||||||
const char *cookie_domain = ap_get_server_name(r);
|
|
||||||
const char *cookie_path = "/";
|
|
||||||
const char *cookie_samesite = "";
|
|
||||||
+ const char *env_var_value = NULL;
|
|
||||||
am_dir_cfg_rec *cfg = am_get_dir_cfg(r);
|
|
||||||
|
|
||||||
if (cfg->cookie_domain) {
|
|
||||||
@@ -69,12 +70,21 @@ static const char *am_cookie_params(request_rec *r)
|
|
||||||
cookie_path = cfg->cookie_path;
|
|
||||||
}
|
|
||||||
|
|
||||||
- if (cfg->cookie_samesite == am_samesite_lax) {
|
|
||||||
- cookie_samesite = "; SameSite=Lax";
|
|
||||||
- } else if (cfg->cookie_samesite == am_samesite_strict) {
|
|
||||||
- cookie_samesite = "; SameSite=Strict";
|
|
||||||
- } else if (cfg->cookie_samesite == am_samesite_none) {
|
|
||||||
- cookie_samesite = "; SameSite=None";
|
|
||||||
+ if (r->subprocess_env != NULL){
|
|
||||||
+ env_var_value = apr_table_get(r->subprocess_env,
|
|
||||||
+ AM_DISABLE_SAMESITE_ENV_VAR);
|
|
||||||
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
|
|
||||||
+ "%s : %s", AM_DISABLE_SAMESITE_ENV_VAR, env_var_value);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (env_var_value == NULL){
|
|
||||||
+ if (cfg->cookie_samesite == am_samesite_lax) {
|
|
||||||
+ cookie_samesite = "; SameSite=Lax";
|
|
||||||
+ } else if (cfg->cookie_samesite == am_samesite_strict) {
|
|
||||||
+ cookie_samesite = "; SameSite=Strict";
|
|
||||||
+ } else if (cfg->cookie_samesite == am_samesite_none) {
|
|
||||||
+ cookie_samesite = "; SameSite=None";
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
|
|
||||||
secure_cookie = cfg->secure;
|
|
||||||
--
|
|
||||||
2.21.0
|
|
||||||
|
|
@ -1,78 +0,0 @@
|
|||||||
From 7ef4ae72a8578475064eb66e3ed5703ccf6ee078 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Ruediger Pluem <r.pluem@gmx.de>
|
|
||||||
Date: Thu, 30 Apr 2020 07:56:01 +0200
|
|
||||||
Subject: [PATCH] Set SameSite to None on test cookie
|
|
||||||
|
|
||||||
If the SameSite cookie attribute is to be set because
|
|
||||||
MellonCookieSameSite is configured and MELLON_DISABLE_SAMESITE not set
|
|
||||||
for this particular request set it to None for the test cookie.
|
|
||||||
This ensures that the test cookie with the static test content does not
|
|
||||||
get lost in the HTTP-POST binding request issued by the autosubmit form
|
|
||||||
returned by the IDP.
|
|
||||||
Addresses #20
|
|
||||||
|
|
||||||
* auth_mellon.h: Add AM_FORCE_SAMESITE_NONE_NOTE
|
|
||||||
|
|
||||||
* auth_mellon_handler.c (am_send_login_authn_request): Set request note
|
|
||||||
to set SameSite to None if appropriate.
|
|
||||||
|
|
||||||
* auth_mellon_cookie.c (am_cookie_params): Set SameSite to None if
|
|
||||||
requested via request note.
|
|
||||||
---
|
|
||||||
auth_mellon.h | 3 +++
|
|
||||||
auth_mellon_cookie.c | 6 +++++-
|
|
||||||
auth_mellon_handler.c | 5 +++++
|
|
||||||
3 files changed, 13 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/auth_mellon.h b/auth_mellon.h
|
|
||||||
index fd39b28..401ed9c 100644
|
|
||||||
--- a/auth_mellon.h
|
|
||||||
+++ b/auth_mellon.h
|
|
||||||
@@ -100,6 +100,9 @@ typedef enum {
|
|
||||||
/* Disable SameSite Environment Value */
|
|
||||||
#define AM_DISABLE_SAMESITE_ENV_VAR "MELLON_DISABLE_SAMESITE"
|
|
||||||
|
|
||||||
+/* Force setting SameSite to None */
|
|
||||||
+#define AM_FORCE_SAMESITE_NONE_NOTE "MELLON_FORCE_SAMESITE_NONE"
|
|
||||||
+
|
|
||||||
|
|
||||||
/* This is the length of the id we use (for session IDs and
|
|
||||||
* replaying POST data).
|
|
||||||
diff --git a/auth_mellon_cookie.c b/auth_mellon_cookie.c
|
|
||||||
index 55f77a5..6bff81e 100644
|
|
||||||
--- a/auth_mellon_cookie.c
|
|
||||||
+++ b/auth_mellon_cookie.c
|
|
||||||
@@ -78,7 +78,11 @@ static const char *am_cookie_params(request_rec *r)
|
|
||||||
}
|
|
||||||
|
|
||||||
if (env_var_value == NULL){
|
|
||||||
- if (cfg->cookie_samesite == am_samesite_lax) {
|
|
||||||
+ if ((cfg->cookie_samesite != am_samesite_default) &&
|
|
||||||
+ (apr_table_get(r->notes, AM_FORCE_SAMESITE_NONE_NOTE) != NULL)) {
|
|
||||||
+ cookie_samesite = "; SameSite=None";
|
|
||||||
+ }
|
|
||||||
+ else if (cfg->cookie_samesite == am_samesite_lax) {
|
|
||||||
cookie_samesite = "; SameSite=Lax";
|
|
||||||
} else if (cfg->cookie_samesite == am_samesite_strict) {
|
|
||||||
cookie_samesite = "; SameSite=Strict";
|
|
||||||
diff --git a/auth_mellon_handler.c b/auth_mellon_handler.c
|
|
||||||
index 395ee1d..40c9bcd 100644
|
|
||||||
--- a/auth_mellon_handler.c
|
|
||||||
+++ b/auth_mellon_handler.c
|
|
||||||
@@ -3261,8 +3261,13 @@ static int am_send_login_authn_request(request_rec *r, const char *idp,
|
|
||||||
/* Add cookie for cookie test. We know that we should have
|
|
||||||
* a valid cookie when we return from the IdP after SP-initiated
|
|
||||||
* login.
|
|
||||||
+ * Ensure that SameSite is set to None for this cookie if SameSite
|
|
||||||
+ * is allowed to be set as the cookie otherwise gets lost on
|
|
||||||
+ * HTTP-POST binding messages.
|
|
||||||
*/
|
|
||||||
+ apr_table_setn(r->notes, AM_FORCE_SAMESITE_NONE_NOTE, "1");
|
|
||||||
am_cookie_set(r, "cookietest");
|
|
||||||
+ apr_table_unset(r->notes, AM_FORCE_SAMESITE_NONE_NOTE);
|
|
||||||
|
|
||||||
server = am_get_lasso_server(r);
|
|
||||||
if(server == NULL) {
|
|
||||||
--
|
|
||||||
2.26.2
|
|
||||||
|
|
@ -1,47 +0,0 @@
|
|||||||
From 42a11261b9dad2e48d70bdff7c53dd57a12db6f5 Mon Sep 17 00:00:00 2001
|
|
||||||
From: AIMOTO Norihito <aimoto@osstech.co.jp>
|
|
||||||
Date: Tue, 6 Jul 2021 22:57:24 +0200
|
|
||||||
Subject: [PATCH] Prevent redirect to URLs that begin with '///'
|
|
||||||
|
|
||||||
Visiting a logout URL like this:
|
|
||||||
https://rp.example.co.jp/mellon/logout?ReturnTo=///fishing-site.example.com/logout.html
|
|
||||||
would have redirected the user to fishing-site.example.com
|
|
||||||
|
|
||||||
With the patch, this URL would be rejected.
|
|
||||||
|
|
||||||
Fixes: CVE-2021-3639
|
|
||||||
---
|
|
||||||
auth_mellon_util.c | 10 ++++++++++
|
|
||||||
1 file changed, 10 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/auth_mellon_util.c b/auth_mellon_util.c
|
|
||||||
index 2f8c9c3..6a686db 100644
|
|
||||||
--- a/auth_mellon_util.c
|
|
||||||
+++ b/auth_mellon_util.c
|
|
||||||
@@ -927,6 +927,10 @@ int am_check_url(request_rec *r, const char *url)
|
|
||||||
{
|
|
||||||
const char *i;
|
|
||||||
|
|
||||||
+ if (url == NULL) {
|
|
||||||
+ return HTTP_BAD_REQUEST;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
for (i = url; *i; i++) {
|
|
||||||
if (*i >= 0 && *i < ' ') {
|
|
||||||
/* Deny all control-characters. */
|
|
||||||
@@ -943,6 +947,12 @@ int am_check_url(request_rec *r, const char *url)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
+ if (strstr(url, "///") == url) {
|
|
||||||
+ AM_LOG_RERROR(APLOG_MARK, APLOG_ERR, HTTP_BAD_REQUEST, r,
|
|
||||||
+ "URL starts with '///'");
|
|
||||||
+ return HTTP_BAD_REQUEST;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
return OK;
|
|
||||||
}
|
|
||||||
|
|
||||||
--
|
|
||||||
2.26.3
|
|
||||||
|
|
@ -1 +0,0 @@
|
|||||||
LoadModule auth_mellon_module modules/mod_auth_mellon.so
|
|
@ -1,83 +0,0 @@
|
|||||||
Red Hat Specific mod_auth_mellon Information
|
|
||||||
============================================
|
|
||||||
|
|
||||||
This README contains information specific to Red Hat's distribution of
|
|
||||||
``mod_auth_mellon``.
|
|
||||||
|
|
||||||
Diagnostic Logging
|
|
||||||
------------------
|
|
||||||
|
|
||||||
Diagnostic logging can be used to collect run time information to help
|
|
||||||
diagnose problems with your ``mod_auth_mellon`` deployment. Please see
|
|
||||||
the "Mellon Diagnostics" section in the Mellon User Guide for more
|
|
||||||
details.
|
|
||||||
|
|
||||||
How to enable diagnostic logging on Red Hat systems
|
|
||||||
```````````````````````````````````````````````````
|
|
||||||
|
|
||||||
Diagnostic logging adds overhead to the execution of
|
|
||||||
``mod_auth_mellon``. The code to emit diagnostic logging must be
|
|
||||||
compiled into ``mod_auth_mellon`` at build time. In addition the
|
|
||||||
diagnostic log file may contain security sensitive information which
|
|
||||||
should not normally be written to a log file. If you have a
|
|
||||||
version of ``mod_auth_mellon`` which was built with diagnostics you
|
|
||||||
can disable diagnostic logging via the ``MellonDiagnosticsEnable``
|
|
||||||
configuration directive. However given human nature the potential to
|
|
||||||
enable diagnostic logging while resolving a problem and then forget to
|
|
||||||
disable it is not a situation that should exist by default. Therefore
|
|
||||||
given the overhead consideration and the desire to avoid enabling
|
|
||||||
diagnostic logging by mistake the Red Hat ``mod_auth_mellon`` RPM's
|
|
||||||
ship with two versions of the ``mod_auth_mellon`` Apache module.
|
|
||||||
|
|
||||||
1. The ``mod_auth_mellon`` RPM contains the normal Apache module
|
|
||||||
``/usr/lib*/httpd/modules/mod_auth_mellon.so``
|
|
||||||
|
|
||||||
2. The ``mod_auth_mellon-diagnostics`` RPM contains the diagnostic
|
|
||||||
version of the Apache module
|
|
||||||
``/usr/lib*/httpd/modules/mod_auth_mellon-diagnostics.so``
|
|
||||||
|
|
||||||
Because each version of the module has a different name both the
|
|
||||||
normal and diagnostic modules can be installed simultaneously without
|
|
||||||
conflict. But Apache will only load one of the two modules. Which
|
|
||||||
module is loaded is controlled by the
|
|
||||||
``/etc/httpd/conf.modules.d/10-auth_mellon.conf`` config file which
|
|
||||||
has a line in it which looks like this::
|
|
||||||
|
|
||||||
LoadModule auth_mellon_module modules/mod_auth_mellon.so
|
|
||||||
|
|
||||||
To load the diagnostics version of the module you need to change the
|
|
||||||
module name so it looks like this::
|
|
||||||
|
|
||||||
LoadModule auth_mellon_module modules/mod_auth_mellon-diagnostics.so
|
|
||||||
|
|
||||||
**Don't forget to change it back again when you're done debugging.**
|
|
||||||
|
|
||||||
You'll also need to enable the collection of diagnostic information,
|
|
||||||
do this by adding this directive at the top of your Mellon conf.d
|
|
||||||
config file or inside your virtual host config (diagnostics are per
|
|
||||||
server instance)::
|
|
||||||
|
|
||||||
MellonDiagnosticsEnable On
|
|
||||||
|
|
||||||
.. NOTE::
|
|
||||||
Some versions of the Mellon User Guide have a typo in the name of
|
|
||||||
this directive, it incorrectly uses ``MellonDiagnosticEnable``
|
|
||||||
instead of ``MellonDiagnosticsEnable``. The difference is
|
|
||||||
Diagnostics is plural.
|
|
||||||
|
|
||||||
The Apache ``error_log`` will contain a message indicating how it
|
|
||||||
processed the ``MellonDiagnosticsEnable`` directive. If you loaded the
|
|
||||||
standard module without diagnostics you'll see a message like this::
|
|
||||||
|
|
||||||
MellonDiagnosticsEnable has no effect because Mellon was not
|
|
||||||
compiled with diagnostics enabled, use
|
|
||||||
./configure --enable-diagnostics at build time to turn this
|
|
||||||
feature on.
|
|
||||||
|
|
||||||
If you've loaded the diagnostics version of the module you'll see a
|
|
||||||
message in the ``error_log`` like this::
|
|
||||||
|
|
||||||
mellon diagnostics enabled for virtual server *:443
|
|
||||||
(/etc/httpd/conf.d/my_server.conf:7)
|
|
||||||
ServerName=https://my_server.example.com:443, diagnostics
|
|
||||||
filename=logs/mellon_diagnostics
|
|
@ -1,2 +0,0 @@
|
|||||||
MellonCacheSize 100
|
|
||||||
MellonLockFile "/run/mod_auth_mellon/lock"
|
|
@ -1,126 +0,0 @@
|
|||||||
#!/usr/bin/env bash
|
|
||||||
set -e
|
|
||||||
|
|
||||||
PROG="$(basename "$0")"
|
|
||||||
|
|
||||||
printUsage() {
|
|
||||||
echo "Usage: $PROG ENTITY-ID ENDPOINT-URL"
|
|
||||||
echo ""
|
|
||||||
echo "Example:"
|
|
||||||
echo " $PROG urn:someservice https://sp.example.org/mellon"
|
|
||||||
echo ""
|
|
||||||
}
|
|
||||||
|
|
||||||
if [ "$#" -lt 2 ]; then
|
|
||||||
printUsage
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
|
|
||||||
ENTITYID="$1"
|
|
||||||
if [ -z "$ENTITYID" ]; then
|
|
||||||
echo "$PROG: An entity ID is required." >&2
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
|
|
||||||
BASEURL="$2"
|
|
||||||
if [ -z "$BASEURL" ]; then
|
|
||||||
echo "$PROG: The URL to the MellonEndpointPath is required." >&2
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
|
|
||||||
if ! echo "$BASEURL" | grep -q '^https\?://'; then
|
|
||||||
echo "$PROG: The URL must start with \"http://\" or \"https://\"." >&2
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
|
|
||||||
HOST="$(echo "$BASEURL" | sed 's#^[a-z]*://\([^/]*\).*#\1#')"
|
|
||||||
BASEURL="$(echo "$BASEURL" | sed 's#/$##')"
|
|
||||||
|
|
||||||
OUTFILE="$(echo "$ENTITYID" | sed 's/[^0-9A-Za-z.]/_/g' | sed 's/__*/_/g')"
|
|
||||||
echo "Output files:"
|
|
||||||
echo "Private key: $OUTFILE.key"
|
|
||||||
echo "Certificate: $OUTFILE.cert"
|
|
||||||
echo "Metadata: $OUTFILE.xml"
|
|
||||||
echo "Host: $HOST"
|
|
||||||
echo
|
|
||||||
echo "Endpoints:"
|
|
||||||
echo "SingleLogoutService (SOAP): $BASEURL/logout"
|
|
||||||
echo "SingleLogoutService (HTTP-Redirect): $BASEURL/logout"
|
|
||||||
echo "AssertionConsumerService (HTTP-POST): $BASEURL/postResponse"
|
|
||||||
echo "AssertionConsumerService (HTTP-Artifact): $BASEURL/artifactResponse"
|
|
||||||
echo "AssertionConsumerService (PAOS): $BASEURL/paosResponse"
|
|
||||||
echo
|
|
||||||
|
|
||||||
# No files should not be readable by the rest of the world.
|
|
||||||
umask 0077
|
|
||||||
|
|
||||||
TEMPLATEFILE="$(mktemp -t mellon_create_sp.XXXXXXXXXX)"
|
|
||||||
|
|
||||||
cat >"$TEMPLATEFILE" <<EOF
|
|
||||||
RANDFILE = /dev/urandom
|
|
||||||
[req]
|
|
||||||
default_bits = 2048
|
|
||||||
default_keyfile = privkey.pem
|
|
||||||
distinguished_name = req_distinguished_name
|
|
||||||
prompt = no
|
|
||||||
policy = policy_anything
|
|
||||||
[req_distinguished_name]
|
|
||||||
commonName = $HOST
|
|
||||||
EOF
|
|
||||||
|
|
||||||
openssl req -utf8 -batch -config "$TEMPLATEFILE" -new -x509 -days 3652 -nodes -out "$OUTFILE.cert" -keyout "$OUTFILE.key" 2>/dev/null
|
|
||||||
|
|
||||||
rm -f "$TEMPLATEFILE"
|
|
||||||
|
|
||||||
CERT="$(grep -v '^-----' "$OUTFILE.cert")"
|
|
||||||
|
|
||||||
cat >"$OUTFILE.xml" <<EOF
|
|
||||||
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
|
|
||||||
<EntityDescriptor
|
|
||||||
entityID="$ENTITYID"
|
|
||||||
xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
|
|
||||||
<SPSSODescriptor
|
|
||||||
AuthnRequestsSigned="true"
|
|
||||||
WantAssertionsSigned="true"
|
|
||||||
protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
|
|
||||||
<KeyDescriptor use="signing">
|
|
||||||
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
|
|
||||||
<ds:X509Data>
|
|
||||||
<ds:X509Certificate>$CERT</ds:X509Certificate>
|
|
||||||
</ds:X509Data>
|
|
||||||
</ds:KeyInfo>
|
|
||||||
</KeyDescriptor>
|
|
||||||
<KeyDescriptor use="encryption">
|
|
||||||
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
|
|
||||||
<ds:X509Data>
|
|
||||||
<ds:X509Certificate>$CERT</ds:X509Certificate>
|
|
||||||
</ds:X509Data>
|
|
||||||
</ds:KeyInfo>
|
|
||||||
</KeyDescriptor>
|
|
||||||
<SingleLogoutService
|
|
||||||
Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
|
|
||||||
Location="$BASEURL/logout" />
|
|
||||||
<SingleLogoutService
|
|
||||||
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
|
|
||||||
Location="$BASEURL/logout" />
|
|
||||||
<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
|
|
||||||
<AssertionConsumerService
|
|
||||||
index="0"
|
|
||||||
isDefault="true"
|
|
||||||
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
|
|
||||||
Location="$BASEURL/postResponse" />
|
|
||||||
<AssertionConsumerService
|
|
||||||
index="1"
|
|
||||||
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
|
|
||||||
Location="$BASEURL/artifactResponse" />
|
|
||||||
<AssertionConsumerService
|
|
||||||
index="2"
|
|
||||||
Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"
|
|
||||||
Location="$BASEURL/paosResponse" />
|
|
||||||
</SPSSODescriptor>
|
|
||||||
</EntityDescriptor>
|
|
||||||
EOF
|
|
||||||
|
|
||||||
umask 0777
|
|
||||||
chmod go+r "$OUTFILE.xml"
|
|
||||||
chmod go+r "$OUTFILE.cert"
|
|
File diff suppressed because one or more lines are too long
@ -1,2 +0,0 @@
|
|||||||
# mod_auth_mellon lock file is created in this directory
|
|
||||||
d /run/mod_auth_mellon 0755 apache apache
|
|
@ -1,275 +0,0 @@
|
|||||||
Summary: A SAML 2.0 authentication module for the Apache Httpd Server
|
|
||||||
Name: mod_auth_mellon
|
|
||||||
Version: 0.14.0
|
|
||||||
Release: 12%{?dist}.1
|
|
||||||
Group: System Environment/Daemons
|
|
||||||
Source0: https://github.com/UNINETT/mod_auth_mellon/releases/download/v%{version}/%{name}-%{version}.tar.gz
|
|
||||||
Source1: auth_mellon.conf
|
|
||||||
Source2: 10-auth_mellon.conf
|
|
||||||
Source3: mod_auth_mellon.conf
|
|
||||||
Source4: mellon_create_metadata.sh
|
|
||||||
Source5: README.redhat.rst
|
|
||||||
Source6: mellon_user_guide.html
|
|
||||||
License: GPLv2+
|
|
||||||
BuildRequires: gcc
|
|
||||||
BuildRequires: curl-devel
|
|
||||||
BuildRequires: glib2-devel
|
|
||||||
BuildRequires: httpd-devel
|
|
||||||
BuildRequires: lasso-devel >= 2.5.1
|
|
||||||
BuildRequires: openssl-devel
|
|
||||||
BuildRequires: xmlsec1-devel
|
|
||||||
Requires: httpd-mmn = %{_httpd_mmn}
|
|
||||||
Requires: lasso >= 2.5.1
|
|
||||||
Url: https://github.com/UNINETT/mod_auth_mellon
|
|
||||||
|
|
||||||
Patch0001: 0001-Modify-am_handler-setup-to-run-before-mod_proxy.patch
|
|
||||||
Patch0002: 0002-Fix-redirect-URL-validation-bypass.patch
|
|
||||||
Patch0003: 0003-backport-Make-the-environment-variable-prefix-configurable.patch
|
|
||||||
Patch0004: 0004-Fix-incorrect-header-used-for-detecting-AJAX-request.patch
|
|
||||||
Patch0005: 0005-CVE_2019_13038.patch
|
|
||||||
Patch0006: 0006-Add-none-option-for-samesite.patch
|
|
||||||
Patch0007: 0007-avoid-always-set-SameSite-cookie.patch
|
|
||||||
Patch0008: 0008-Set-SameSite-to-None-on-test-cookie.patch
|
|
||||||
Patch0009: 0009-Prevent-redirect-to-URLs-that-begin-with.patch
|
|
||||||
|
|
||||||
# FIXME: RHEL-7 does not have rubygem-asciidoctor, only asciidoc. However,
|
|
||||||
# I could not get asciidoc to render properly so instead I generated
|
|
||||||
# mellon_user_guide.html on Fedora using asciidoctor and included
|
|
||||||
# mellon_user_guide.html as a SOURCE. If the user guide source is updated
|
|
||||||
# the mellon_user_guide.html will need to be regenerated.
|
|
||||||
|
|
||||||
%description
|
|
||||||
The mod_auth_mellon module is an authentication service that implements the
|
|
||||||
SAML 2.0 federation protocol. It grants access based on the attributes
|
|
||||||
received in assertions generated by a IdP server.
|
|
||||||
|
|
||||||
%prep
|
|
||||||
%setup -q -n %{name}-%{version}
|
|
||||||
%patch1 -p1
|
|
||||||
%patch2 -p1
|
|
||||||
%patch3 -p1
|
|
||||||
%patch4 -p1
|
|
||||||
%patch5 -p1
|
|
||||||
%patch6 -p1
|
|
||||||
%patch7 -p1
|
|
||||||
%patch8 -p1
|
|
||||||
%patch9 -p1
|
|
||||||
|
|
||||||
%build
|
|
||||||
export APXS=%{_httpd_apxs}
|
|
||||||
%configure --enable-diagnostics
|
|
||||||
make clean
|
|
||||||
make %{?_smp_mflags}
|
|
||||||
cp .libs/%{name}.so %{name}-diagnostics.so
|
|
||||||
|
|
||||||
%configure
|
|
||||||
make clean
|
|
||||||
make %{?_smp_mflags}
|
|
||||||
|
|
||||||
%install
|
|
||||||
# install module
|
|
||||||
mkdir -p %{buildroot}%{_httpd_moddir}
|
|
||||||
install -m 755 .libs/%{name}.so %{buildroot}%{_httpd_moddir}
|
|
||||||
install -m 755 %{name}-diagnostics.so %{buildroot}%{_httpd_moddir}
|
|
||||||
|
|
||||||
# install module configuration
|
|
||||||
mkdir -p %{buildroot}%{_httpd_confdir}
|
|
||||||
install -m 644 %{SOURCE1} %{buildroot}%{_httpd_confdir}
|
|
||||||
mkdir -p %{buildroot}%{_httpd_modconfdir}
|
|
||||||
install -m 644 %{SOURCE2} %{buildroot}%{_httpd_modconfdir}
|
|
||||||
|
|
||||||
mkdir -p %{buildroot}%{_tmpfilesdir}
|
|
||||||
install -m 644 %{SOURCE3} %{buildroot}%{_tmpfilesdir}
|
|
||||||
mkdir -p %{buildroot}/run/%{name}
|
|
||||||
|
|
||||||
# install script to generate metadata
|
|
||||||
mkdir -p %{buildroot}/%{_libexecdir}/%{name}
|
|
||||||
install -m 755 %{SOURCE4} %{buildroot}/%{_libexecdir}/%{name}
|
|
||||||
|
|
||||||
#install documentation
|
|
||||||
mkdir -p %{buildroot}/%{_pkgdocdir}
|
|
||||||
|
|
||||||
# install Red Hat README
|
|
||||||
install -m 644 %{SOURCE5} %{buildroot}/%{_pkgdocdir}
|
|
||||||
|
|
||||||
# install user guide
|
|
||||||
cp -r doc/user_guide %{buildroot}/%{_pkgdocdir}
|
|
||||||
install -m 644 %{SOURCE6} %{buildroot}/%{_pkgdocdir}/user_guide
|
|
||||||
|
|
||||||
%package diagnostics
|
|
||||||
Summary: Build of mod_auth_mellon with diagnostic logging
|
|
||||||
Requires: %{name} = %{version}-%{release}
|
|
||||||
|
|
||||||
%description diagnostics
|
|
||||||
Build of mod_auth_mellon with diagnostic logging. See README.redhat.rst
|
|
||||||
in the doc directory for instructions on using the diagnostics build.
|
|
||||||
|
|
||||||
%files diagnostics
|
|
||||||
%{_httpd_moddir}/%{name}-diagnostics.so
|
|
||||||
|
|
||||||
%files
|
|
||||||
%if 0%{?rhel} && 0%{?rhel} < 7
|
|
||||||
%doc COPYING
|
|
||||||
%else
|
|
||||||
%license COPYING
|
|
||||||
%endif
|
|
||||||
%doc README.md NEWS ECP.rst
|
|
||||||
%doc %{_pkgdocdir}/README.redhat.rst
|
|
||||||
%doc %{_pkgdocdir}/user_guide
|
|
||||||
%config(noreplace) %{_httpd_modconfdir}/10-auth_mellon.conf
|
|
||||||
%config(noreplace) %{_httpd_confdir}/auth_mellon.conf
|
|
||||||
%{_httpd_moddir}/mod_auth_mellon.so
|
|
||||||
%{_tmpfilesdir}/mod_auth_mellon.conf
|
|
||||||
%{_libexecdir}/%{name}
|
|
||||||
%attr(0755,apache,apache) %dir /run/%{name}/
|
|
||||||
|
|
||||||
%changelog
|
|
||||||
* Wed Dec 15 2021 Jakub Hrozek <jhrozek@redhat.com> - 0.14.0-12.1
|
|
||||||
- Resolves: rhbz#1986805 - CVE-2021-3639 mod_auth_mellon: Open Redirect
|
|
||||||
vulnerability in logout URLs [rhel-8]
|
|
||||||
|
|
||||||
* Mon Jan 25 2021 Jakub Hrozek <jhrozek@redhat.com> - 0.14.0-12
|
|
||||||
- Resolves: rhbz#1791262 - Backport SameSite=None cookie from upstream to
|
|
||||||
support latest browsers
|
|
||||||
|
|
||||||
* Fri Oct 18 2019 Jakub Hrozek <jhrozek@redhat.com> - 0.14.0-11
|
|
||||||
- Resolves: rhbz#1731053 - CVE-2019-13038 mod_auth_mellon: an Open Redirect
|
|
||||||
via the login?ReturnTo= substring which could
|
|
||||||
facilitate information theft [rhel-8]
|
|
||||||
|
|
||||||
* Fri Oct 18 2019 Jakub Hrozek <jhrozek@redhat.com> - 0.14.0-10
|
|
||||||
- Resolves: rhbz#1761774 - mod_auth_mellon fix for AJAX header name
|
|
||||||
X-Requested-With
|
|
||||||
|
|
||||||
* Thu Jun 13 2019 Jakub Hrozek <jhrozek@redhat.com> - 0.14.0-9
|
|
||||||
- Just bump the release number
|
|
||||||
- Related: rhbz#1718238 - mod_auth_mellon-diagnostics RPM not in product
|
|
||||||
listings
|
|
||||||
|
|
||||||
* Fri Jun 7 2019 Jakub Hrozek <jhrozek@redhat.com> - 0.14.0-8
|
|
||||||
- Resolves: rhbz#1691894 - [RFE] Config option to change mod_auth_mellon prefix
|
|
||||||
|
|
||||||
* Fri Jun 7 2019 Jakub Hrozek <jhrozek@redhat.com> - 0.14.0-7
|
|
||||||
- Apply the patch from the previous commit
|
|
||||||
- Resolves: rhbz#1692471 - CVE-2019-3877 appstream/mod_auth_mellon: open
|
|
||||||
redirect in logout url when using URLs with
|
|
||||||
backslashes [rhel-8]
|
|
||||||
|
|
||||||
* Fri Jun 7 2019 Jakub Hrozek <jhrozek@redhat.com> - 0.14.0-6
|
|
||||||
- Resolves: rhbz#1692471 - CVE-2019-3877 appstream/mod_auth_mellon: open
|
|
||||||
redirect in logout url when using URLs with
|
|
||||||
backslashes [rhel-8]
|
|
||||||
|
|
||||||
* Fri Jun 7 2019 Jakub Hrozek <jhrozek@redhat.com> - 0.14.0-5
|
|
||||||
- Resolves: rhbz#1692457 - CVE-2019-3878 mod_auth_mellon: authentication
|
|
||||||
bypass in ECP flow [rhel-8.1.0]
|
|
||||||
|
|
||||||
* Wed Apr 24 2019 Jakub Hrozek <jhrozek@redhat.com> - 0.14.0-4
|
|
||||||
- Resolves: rhbz#1702695 - fresh install of mod_auth_mellon shows rpm
|
|
||||||
verification warnings
|
|
||||||
|
|
||||||
* Mon Jul 30 2018 Florian Weimer <fweimer@redhat.com> - 0.14.0-3
|
|
||||||
- Rebuild with fixed binutils
|
|
||||||
|
|
||||||
* Fri Jun 1 2018 <jdennis@redhat.com> - 0.14.0-2
|
|
||||||
- Resolves: rhbz#1553885
|
|
||||||
- fix file permissions on doc files
|
|
||||||
|
|
||||||
* Fri Jun 1 2018 <jdennis@redhat.com> - 0.14.0-1
|
|
||||||
- Resolves: rhbz#1553885
|
|
||||||
- Rebase to current upstream release
|
|
||||||
|
|
||||||
* Thu Mar 29 2018 John Dennis <jdennis@redhat.com> - 0.13.1-2
|
|
||||||
- Resolves: rhbz#1481330 Add diagnostic logging
|
|
||||||
- Resolves: rhbz#1295472 Add MellonSignatureMethod config option to set
|
|
||||||
signature method used to sign SAML messages sent by Mellon.
|
|
||||||
Defaults to original sha1.
|
|
||||||
|
|
||||||
* Sun Oct 1 2017 John Dennis <jdennis@redhat.com> - 0.13.1-1
|
|
||||||
- upgrade to new upstream release
|
|
||||||
|
|
||||||
* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.12.0-7
|
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
|
|
||||||
|
|
||||||
* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.12.0-6
|
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
|
|
||||||
|
|
||||||
* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.12.0-5
|
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
|
|
||||||
|
|
||||||
* Tue Jan 17 2017 John Dennis <jdennis@redhat.com> - 0.12.0-4
|
|
||||||
- Resolves: bug #1414019 Incorrect PAOS Content-Type header
|
|
||||||
|
|
||||||
* Mon Jan 9 2017 John Dennis <jdennis@redhat.com> - 0.12.0-3
|
|
||||||
- bump release for rebuild
|
|
||||||
|
|
||||||
* Tue May 3 2016 John Dennis <jdennis@redhat.com> - 0.12.0-2
|
|
||||||
- Resolves: bug #1332729, mellon conflicts with mod_auth_openidc
|
|
||||||
- am_check_uid() should be no-op if mellon not enabled
|
|
||||||
|
|
||||||
* Wed Mar 9 2016 John Dennis <jdennis@redhat.com> - 0.12.0-1
|
|
||||||
- Update to new upstream 0.12.0
|
|
||||||
- [CVE-2016-2145] Fix DOS attack (Apache worker process crash) due to
|
|
||||||
incorrect error handling when reading POST data from client.
|
|
||||||
|
|
||||||
- [CVE-2016-2146] Fix DOS attack (Apache worker process crash /
|
|
||||||
resource exhaustion) due to missing size checks when reading
|
|
||||||
POST data.
|
|
||||||
|
|
||||||
In addition this release contains the following new features and fixes:
|
|
||||||
|
|
||||||
- Add MellonRedirectDomains option to limit the sites that
|
|
||||||
mod_auth_mellon can redirect to. This option is enabled by default.
|
|
||||||
|
|
||||||
- Add support for ECP service options in PAOS requests.
|
|
||||||
|
|
||||||
- Fix AssertionConsumerService lookup for PAOS requests.
|
|
||||||
|
|
||||||
* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 0.11.0-4
|
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
|
|
||||||
|
|
||||||
* Wed Dec 23 2015 John Dennis <jdennis@redhat.com> - 0.11.0-3
|
|
||||||
- Fix the following warning that appears in the Apache log
|
|
||||||
lasso-CRITICAL **: lasso_provider_get_metadata_list_for_role: assertion '_lasso_provider_get_role_index(role)' failed
|
|
||||||
|
|
||||||
* Fri Sep 18 2015 John Dennis <jdennis@redhat.com> - 0.11.0-2
|
|
||||||
- Add lasso 2.5.0 version dependency
|
|
||||||
|
|
||||||
* Fri Sep 18 2015 John Dennis <jdennis@redhat.com> - 0.11.0-1
|
|
||||||
- Upgrade to upstream 0.11.0 release.
|
|
||||||
- Includes ECP support, see NEWS for all changes.
|
|
||||||
- Update mellon_create_metadata.sh to match internally generated metadata,
|
|
||||||
includes AssertionConsumerService for postResponse, artifactResponse &
|
|
||||||
paosResponse.
|
|
||||||
|
|
||||||
* Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.10.0-2
|
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
|
|
||||||
|
|
||||||
* Wed Jan 7 2015 Simo Sorce <simo@redhat.com> 0.10.0-1
|
|
||||||
- New upstream release
|
|
||||||
|
|
||||||
* Tue Sep 2 2014 Simo Sorce <simo@redhat.com> 0.9.1-1
|
|
||||||
- New upstream release
|
|
||||||
|
|
||||||
* Sun Aug 17 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.8.0-2
|
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
|
|
||||||
|
|
||||||
* Tue Jun 24 2014 Simo Sorce <simo@redhat.com> 0.8.0-1
|
|
||||||
- New upstream realease version 0.8.0
|
|
||||||
- Upstream moved to github
|
|
||||||
- Drops patches as they have been all included upstream
|
|
||||||
|
|
||||||
* Fri Jun 20 2014 Simo Sorce <simo@redhat.com> 0.7.0-3
|
|
||||||
- Backport of useful patches from upstream
|
|
||||||
- Better handling of IDP reported errors
|
|
||||||
- Better handling of session data storage size
|
|
||||||
|
|
||||||
* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.7.0-2
|
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
|
|
||||||
|
|
||||||
* Tue Dec 10 2013 Simo Sorce <simo@redhat.com> 0.7.0-1
|
|
||||||
- Fix ownership of /run files
|
|
||||||
|
|
||||||
* Wed Nov 27 2013 Simo Sorce <simo@redhat.com> 0.7.0-0
|
|
||||||
- Initial Fedora release based on version 0.7.0
|
|
||||||
- Based on an old spec file by Jean-Marc Liger <jmliger@siris.sorbonne.fr>
|
|
1
dead.package
Normal file
1
dead.package
Normal file
@ -0,0 +1 @@
|
|||||||
|
mod_auth_mellon was removed due to minimization efforts prior to public launch
|
Loading…
Reference in New Issue
Block a user