Compare commits


No commits in common. "c9-beta" and "c8" have entirely different histories.
c9-beta ... c8

13 changed files with 7737 additions and 80 deletions

.gitignore

@ -1 +1 @@
SOURCES/mod_auth_mellon-0.17.0.tar.gz
SOURCES/mod_auth_mellon-0.14.0.tar.gz


@ -1 +1 @@
df4039cca9d706b10c49ea3435af0382da2b959a SOURCES/mod_auth_mellon-0.17.0.tar.gz
4a93f8b093e1dea20e8a286931693c614903f2d9 SOURCES/mod_auth_mellon-0.14.0.tar.gz


@ -0,0 +1,80 @@
From e09a28a30e13e5c22b481010f26b4a7743a09280 Mon Sep 17 00:00:00 2001
From: John Dennis <jdennis@redhat.com>
Date: Tue, 5 Mar 2019 10:15:48 +0100
Subject: [PATCH] Modify am_handler setup to run before mod_proxy
The way the ECP flow works is that when a client initiates the flow, the
SP's response is HTTP 200, but not the requested content, but a signed XML
document that contains the "samlp:AuthnRequest" element. The idea is that
the ECP client would then determine the IDP and send the document to the
IDP, get a samlp:Response and convey that to the SP to get access to the
protected resource.
Internally, the auth check which is normally done with am_check_uid() set to
apache's ap_hook_check_user_id() hook, just responds with OK, so it pretends
to authenticate the user. Then in the usual flow, the request reaches the
ap_hook_handler which handles the request. There in the pipeline, mellon
registers functions am_handler() which should run first (APR_HOOK_FIRST),
determine that this request is an ECP one and return the ECP AuthnRequest
document. But in case the proxy module is also in the picture, the proxy
module "races" for who gets to be the first to handle the request in the
pipeline and wins. Therefore, the request reaches the protected resource
via mod_proxy and returns it.
This fix modifies the ap_hook_handler() call to explicitly run before
handlers from mod_proxy.c
To reproduce the bug:
0) Have a SP with mellon connected to a Keycloak IDP (or any other IDP I
guess). In the example below, my SAML SP is saml.federation.test
1) Set a Location protected by mellon that proxies requests to another
URL. For example:
ProxyPass /sp-proxy http://app.federation.test/example_app/
<Location /sp-proxy>
AuthType Mellon
MellonEnable auth
Require valid-user
</Location>
2) call:
curl -L -H "Accept: application/vnd.paos+xml" \
-H 'PAOS: ver="urn:liberty:paos:2003-08";"urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"' \
http://saml.federation.test/sp-proxy
Before the patch, you would see whatever is served from the proxied
page. With the patch, you should get back an XML document with a
samlp:AuthnRequest.
---
mod_auth_mellon.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/mod_auth_mellon.c b/mod_auth_mellon.c
index 74bd328..5330f48 100644
--- a/mod_auth_mellon.c
+++ b/mod_auth_mellon.c
@@ -207,6 +207,12 @@ static int am_create_request(request_rec *r)
static void register_hooks(apr_pool_t *p)
{
+ /* Our handler needs to run before mod_proxy so that it can properly
+ * return ECP AuthnRequest messages when running as a reverse proxy.
+ * See: https://github.com/Uninett/mod_auth_mellon/pull/196
+ */
+ static const char * const run_handler_before[]={ "mod_proxy.c", NULL };
+
ap_hook_access_checker(am_auth_mellon_user, NULL, NULL, APR_HOOK_MIDDLE);
ap_hook_check_user_id(am_check_uid, NULL, NULL, APR_HOOK_MIDDLE);
ap_hook_post_config(am_global_init, NULL, NULL, APR_HOOK_MIDDLE);
@@ -222,7 +228,7 @@ static void register_hooks(apr_pool_t *p)
* Therefore this hook must run before any handler that may check
* r->handler and decide that it is the only handler for this URL.
*/
- ap_hook_handler(am_handler, NULL, NULL, APR_HOOK_FIRST);
+ ap_hook_handler(am_handler, NULL, run_handler_before, APR_HOOK_FIRST);
#ifdef ENABLE_DIAGNOSTICS
ap_hook_open_logs(am_diag_log_init,NULL,NULL,APR_HOOK_MIDDLE);
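Review bot: the comment block directly above the changed call ("Therefore this hook must run before any handler that may check r->handler and decide that it is the only handler for this URL.") still attributes the ordering to APR_HOOK_FIRST alone; extend it to say that the `run_handler_before` successor list is what now guarantees am_handler runs ahead of mod_proxy, since the commit message shows APR_HOOK_FIRST by itself lost that race. Also worth stating there: the list names only mod_proxy.c, so any other module that registers its handler at APR_HOOK_FIRST and claims the request is still not ordered against.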
--
2.19.2


@ -0,0 +1,44 @@
From 62041428a32de402e0be6ba45fe12df6a83bedb8 Mon Sep 17 00:00:00 2001
From: Olav Morken <olav.morken@uninett.no>
Date: Tue, 19 Mar 2019 13:42:22 +0100
Subject: [PATCH] Fix redirect URL validation bypass
It turns out that browsers silently convert backslash characters into
forward slashes, while apr_uri_parse() does not.
This mismatch allows an attacker to bypass the redirect URL validation
by using a URL like:
https://sp.example.org/mellon/logout?ReturnTo=https:%5c%5cmalicious.example.org/
mod_auth_mellon will assume that it is a relative URL and allow the
request to pass through, while the browsers will use it as an absolute
url and redirect to https://malicious.example.org/ .
This patch fixes this issue by rejecting all redirect URLs with
backslashes.
---
auth_mellon_util.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/auth_mellon_util.c b/auth_mellon_util.c
index 0fab309..fd442f9 100644
--- a/auth_mellon_util.c
+++ b/auth_mellon_util.c
@@ -927,6 +927,13 @@ int am_check_url(request_rec *r, const char *url)
"Control character detected in URL.");
return HTTP_BAD_REQUEST;
}
+ if (*i == '\\') {
+ /* Reject backslash character, as it can be used to bypass
+ * redirect URL validation. */
+ AM_LOG_RERROR(APLOG_MARK, APLOG_ERR, HTTP_BAD_REQUEST, r,
+ "Backslash character detected in URL.");
+ return HTTP_BAD_REQUEST;
+ }
}
return OK;
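Review bot: the new branch rejects only a literal `'\\'` in the string handed to am_check_url, while the bypass described in the commit message arrives percent-encoded (`%5c%5c`). The hunk does not show where the ReturnTo value is percent-decoded, so please confirm that every caller decodes before reaching this check (or run the check on the decoded form); otherwise the encoded form is never seen by this loop. The log message mirrors the control-character branch above it, which is good.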
--
2.19.2


@ -0,0 +1,172 @@
diff -up mod_auth_mellon-0.14.0/auth_mellon_cache.c.env_prefix mod_auth_mellon-0.14.0/auth_mellon_cache.c
--- mod_auth_mellon-0.14.0/auth_mellon_cache.c.env_prefix 2017-10-02 11:44:08.000000000 +0200
+++ mod_auth_mellon-0.14.0/auth_mellon_cache.c 2019-06-10 09:46:36.806014513 +0200
@@ -589,7 +589,7 @@ void am_cache_env_populate(request_rec *
*/
for(i = 0; i < t->size; ++i) {
varname = am_cache_entry_get_string(t, &t->env[i].varname);
- varname_prefix = "MELLON_";
+ varname_prefix = d->env_prefix;
/* Check if we should map this name into another name. */
env_varname_conf = (am_envattr_conf_t *)apr_hash_get(
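Review bot: `d->env_prefix` is introduced here, but nothing in this hunk shows `d` being declared or fetched in am_cache_env_populate; the replaced line used the literal "MELLON_", so the 0.14.0 function may not previously have needed the directory config at all. Confirm the backport has (or the function already contains) an `am_dir_cfg_rec *d = am_get_dir_cfg(r);` in scope, otherwise this will not compile.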
diff -up mod_auth_mellon-0.14.0/auth_mellon_config.c.env_prefix mod_auth_mellon-0.14.0/auth_mellon_config.c
--- mod_auth_mellon-0.14.0/auth_mellon_config.c.env_prefix 2018-03-16 08:14:54.000000000 +0100
+++ mod_auth_mellon-0.14.0/auth_mellon_config.c 2019-06-10 09:46:36.807014516 +0200
@@ -36,6 +36,11 @@ static const char *default_endpoint_path
*/
static const char *default_user_attribute = "NAME_ID";
+/* This is the default prefix to use for attributes received from the
+ * server. Customizable using the MellonEnvPrefix option
+ */
+static const char *default_env_prefix = "MELLON_";
+
/* This is the default name of the cookie which mod_auth_mellon will set.
* If you change this, then you should also update the description of the
* MellonVar configuration directive.
@@ -1372,8 +1377,10 @@ const command_rec auth_mellon_commands[]
am_set_setenv_slot,
NULL,
OR_AUTHCFG,
- "Renames attributes received from the server while retaining prefix MELLON_. The format is"
- " MellonSetEnv <old name> <new name>."
+ "Renames attributes received from the server while retaining the"
+ " prefix. The prefix defaults to MELLON_ but can be changed with"
+ " MellonEnvPrefix."
+ " The format is MellonSetEnv <old name> <new name>."
),
AP_INIT_TAKE2(
"MellonSetEnvNoPrefix",
@@ -1383,6 +1390,13 @@ const command_rec auth_mellon_commands[]
"Renames attributes received from the server without adding prefix. The format is"
" MellonSetEnvNoPrefix <old name> <new name>."
),
+ AP_INIT_TAKE1(
+ "MellonEnvPrefix",
+ ap_set_string_slot,
+ (void *)APR_OFFSETOF(am_dir_cfg_rec, env_prefix),
+ OR_AUTHCFG,
+ "The prefix to use for attributes received from the server."
+ ),
AP_INIT_FLAG(
"MellonSessionDump",
ap_set_flag_slot,
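Review bot: MellonEnvPrefix is wired through ap_set_string_slot, which accepts any string, including an empty one or characters that are not valid in environment variable names. Consider a dedicated setter that rejects an empty value (or documents that it makes MellonSetEnv behave like MellonSetEnvNoPrefix) and restricts the prefix to `[A-Za-z0-9_]`; the help text should also state the MELLON_ default, as the updated MellonSetEnv text two hunks above already does.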
@@ -1714,6 +1728,7 @@ void *auth_mellon_dir_config(apr_pool_t
dir->cookie_path = NULL;
dir->cookie_samesite = am_samesite_default;
dir->envattr = apr_hash_make(p);
+ dir->env_prefix = default_env_prefix;
dir->userattr = default_user_attribute;
dir->idpattr = NULL;
dir->signature_method = inherit_signature_method;
@@ -1868,6 +1883,10 @@ void *auth_mellon_dir_merge(apr_pool_t *
add_cfg->envattr :
base_cfg->envattr);
+ new_cfg->env_prefix = (add_cfg->env_prefix != default_env_prefix ?
+ add_cfg->env_prefix :
+ base_cfg->env_prefix);
+
new_cfg->userattr = (add_cfg->userattr != default_user_attribute ?
add_cfg->userattr :
base_cfg->userattr);
diff -up mod_auth_mellon-0.14.0/auth_mellon_diagnostics.c.env_prefix mod_auth_mellon-0.14.0/auth_mellon_diagnostics.c
--- mod_auth_mellon-0.14.0/auth_mellon_diagnostics.c.env_prefix 2018-03-16 08:14:54.000000000 +0100
+++ mod_auth_mellon-0.14.0/auth_mellon_diagnostics.c 2019-06-10 09:46:36.808014518 +0200
@@ -442,6 +442,9 @@ am_diag_log_dir_cfg(request_rec *r, int
"%sMellonCookieSameSite (cookie_samesite): %s\n",
indent(level+1),
am_diag_samesite_str(r, cfg->cookie_samesite));
+ apr_file_printf(diag_cfg->fd,
+ "%sMellonEnvPrefix (env_prefix): %s\n",
+ indent(level+1), cfg->env_prefix);
apr_file_printf(diag_cfg->fd,
"%sMellonCond (cond): %d items\n",
@@ -466,7 +469,7 @@ am_diag_log_dir_cfg(request_rec *r, int
apr_hash_this(hash_item, (void *)&key, NULL, (void *)&envattr_conf);
if (envattr_conf->prefixed) {
- name = apr_pstrcat(r->pool, "MELLON_",
+ name = apr_pstrcat(r->pool, cfg->env_prefix,
envattr_conf->name, NULL);
} else {
name = envattr_conf->name;
diff -up mod_auth_mellon-0.14.0/auth_mellon.h.env_prefix mod_auth_mellon-0.14.0/auth_mellon.h
--- mod_auth_mellon-0.14.0/auth_mellon.h.env_prefix 2018-03-16 08:14:54.000000000 +0100
+++ mod_auth_mellon-0.14.0/auth_mellon.h 2019-06-10 09:46:36.805014510 +0200
@@ -237,6 +237,7 @@ typedef struct am_dir_cfg_rec {
am_samesite_t cookie_samesite;
apr_array_header_t *cond;
apr_hash_t *envattr;
+ const char *env_prefix;
const char *userattr;
const char *idpattr;
LassoSignatureMethod signature_method;
diff -up mod_auth_mellon-0.14.0/doc/user_guide/mellon_user_guide.adoc.env_prefix mod_auth_mellon-0.14.0/doc/user_guide/mellon_user_guide.adoc
--- mod_auth_mellon-0.14.0/doc/user_guide/mellon_user_guide.adoc.env_prefix 2018-03-16 08:14:54.000000000 +0100
+++ mod_auth_mellon-0.14.0/doc/user_guide/mellon_user_guide.adoc 2019-06-10 09:48:08.422237471 +0200
@@ -2007,11 +2007,13 @@ attributes.
assertion to a name of your choosing when it is placed in the Apache
environment. This is controlled by `MellonSetEnv` and
`MellonSetEnvNoPrefix` directives. The distinction
- is `MellonSetEnv` always prepends the `MELLON_` prefix to the
+ is `MellonSetEnv` always prepends a prefix to the
environment variable name to help to prevent name collisions. The
+ prefix defaults to `MELLON_` and can be configured using the
+ `MellonEnvPrefix` configuration option. The
`MellonSetEnvNoPrefix` directive also remaps the assertion name to a
name of your choosing but it omits prepending the environment
- variable name with `MELLON_`. See <<map_assertion_attr_name>>
+ variable name with the prefix. See <<map_assertion_attr_name>>
Using the <<assertion_response,assertion example>> Mellon places these
environment variables in the Apache environment. See
@@ -2096,10 +2098,12 @@ and `MellonSetEnvNoPrefix` directives. T
assertion attribute to a name of your choosing. The `MellonSetEnv`
directive follows the same convention as all other assertion
attributes added by Mellon in that it always prefixes the environment
-variable name with `MELLON_` to help avoid name collisions in the
+variable name with a configurable prefix, which defaults to `MELLON_` to help avoid name collisions in the
Apache environment. However sometimes you do not want the `MELLON_`
-prefix added and instead you want to use exactly the environment
-variable name as specified., `MellonSetEnvNoPrefix` serves this role.
+prefix added. In case you simply want the variables prefixed with
+a different string, use the `MellonEnvPrefix` configuration option. If,
+instead you want to use exactly the environment variable name as specified.,
+`MellonSetEnvNoPrefix` serves this role.
To illustrate let's look at an example. Suppose your web app is
expecting an attribute which is the user's last name, specifically it
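Review bot: the stray `.,` in "exactly the environment variable name as specified.," is carried over from the removed line into the new `+` line; since the sentence is being rewritten anyway, drop the period. The `+` line "variable name with a configurable prefix, which defaults to `MELLON_` to help avoid name collisions in the" also runs well past the wrap width of the surrounding AsciiDoc and should be rewrapped.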
@@ -2117,6 +2121,15 @@ MellonSetEnvNoPrefix REMOTE_USER_LASTNAM
Also see <<set_remote_user>> for an example of setting the `REMOTE_USER`
environment variable using `MellonSetEnvNoPrefix`.
+The `MellonEnvPrefix` variable might be useful e.g. if you
+are migrating from a different SP which used its own prefix
+for the variables passed by the IdP. For example, to prefix
+all variables with `NOLLEM_` you would use:
+
+----
+MellonEnvPrefix NOLLEM_
+----
+
=== Using Mellon to apply constraints [[assertion_constraints]]
SAML attributes can be used for more than exporting those values to a
diff -up mod_auth_mellon-0.14.0/README.md.env_prefix mod_auth_mellon-0.14.0/README.md
--- mod_auth_mellon-0.14.0/README.md.env_prefix 2018-03-16 08:14:54.000000000 +0100
+++ mod_auth_mellon-0.14.0/README.md 2019-06-10 09:46:36.805014510 +0200
@@ -253,6 +253,11 @@ MellonDiagnosticsEnable Off
# Default. None set.
MellonSetEnvNoPrefix "DISPLAY_NAME" "displayName"
+ # MellonEnvPrefix changes the string the variables passed from the
+ # IdP are prefixed with.
+ # Default: MELLON_
+ MellonEnvPrefix "NOLLEM_"
+
# MellonMergeEnvVars merges multiple values of environment variables
# set using MellonSetEnv into single variable:
# ie: MYENV_VAR => val1;val2;val3 instead of default behaviour of:


@ -0,0 +1,49 @@
From 6358a5169762ef7b89d8b6d0f1a99b006f0fdd2f Mon Sep 17 00:00:00 2001
From: Olav Morken <olav.morken@uninett.no>
Date: Wed, 25 Jul 2018 12:19:39 +0200
Subject: [PATCH] Fix incorrect header used for detecting AJAX requests
The code was looking for "X-Request-With", but the header is actually
"X-Requested-With". As far as I can tell, it has always been the
latter, at least in the jQuery source code.
Fixes issue #174.
---
README.md | 2 +-
auth_mellon_handler.c | 4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index 0a91dc5..8d85b43 100644
--- a/README.md
+++ b/README.md
@@ -180,7 +180,7 @@ MellonDiagnosticsEnable Off
# then we will redirect him to the login page of the IdP.
#
# There is a special handling of AJAX requests, that are
- # identified by the "X-Request-With: XMLHttpRequest" HTTP
+ # identified by the "X-Requested-With: XMLHttpRequest" HTTP
# header. Since no user interaction can happen there,
# we always fail unauthenticated (not logged in) requests
# with a 403 Forbidden error without redirecting to the IdP.
diff --git a/auth_mellon_handler.c b/auth_mellon_handler.c
index b16dc45..e33e6e9 100644
--- a/auth_mellon_handler.c
+++ b/auth_mellon_handler.c
@@ -3658,11 +3658,11 @@ int am_auth_mellon_user(request_rec *r)
* If this is an AJAX request, we cannot proceed to the IdP,
* Just fail early to save our resources
*/
- ajax_header = apr_table_get(r->headers_in, "X-Request-With");
+ ajax_header = apr_table_get(r->headers_in, "X-Requested-With");
if (ajax_header != NULL &&
strcmp(ajax_header, "XMLHttpRequest") == 0) {
AM_LOG_RERROR(APLOG_MARK, APLOG_INFO, 0, r,
- "Deny unauthenticated X-Request-With XMLHttpRequest "
+ "Deny unauthenticated X-Requested-With XMLHttpRequest "
"(AJAX) request");
return HTTP_FORBIDDEN;
}
--
2.20.1


@ -0,0 +1,28 @@
From 297093e6a48a4c0fd307c2206c59a8c8eb84fb53 Mon Sep 17 00:00:00 2001
From: Valentin <awakenine@users.noreply.github.com>
Date: Fri, 6 Sep 2019 13:30:36 +0300
Subject: [PATCH] Update auth_mellon_mode.c
Fix open redirect CVE-2019-13038
---
auth_mellon_util.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/auth_mellon_util.c b/auth_mellon_util.c
index fd442f9..7dff61e 100644
--- a/auth_mellon_util.c
+++ b/auth_mellon_util.c
@@ -116,6 +116,10 @@ int am_validate_redirect_url(request_rec *r, const char *url)
/* Sanity check of the scheme of the domain. We only allow http and https. */
if (uri.scheme) {
+ /* http and https schemes without hostname are invalid. */
+ if (!uri.hostname) {
+ return HTTP_BAD_REQUEST;
+ }
if (strcasecmp(uri.scheme, "http")
&& strcasecmp(uri.scheme, "https")) {
AM_LOG_RERROR(APLOG_MARK, APLOG_ERR, 0, r,
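Review bot: the new `if (!uri.hostname)` rejection returns HTTP_BAD_REQUEST silently, whereas the scheme check immediately below logs via AM_LOG_RERROR before rejecting; add the same log call so operators can see which ReturnTo values were refused. Also, the subject line "Update auth_mellon_mode.c" names a file this patch does not touch (the diff is against auth_mellon_util.c); the "Fix open redirect CVE-2019-13038" line in the body is the useful description and belongs in the subject.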
--
2.21.0


@ -0,0 +1,95 @@
From fb5ad7bf997946df4472cb94d7875ee70281d59c Mon Sep 17 00:00:00 2001
From: Anthony Critelli <acritelli@datto.com>
Date: Tue, 7 Jan 2020 11:14:24 -0500
Subject: [PATCH] Add none option for samesite
---
README.md | 7 +++++--
auth_mellon.h | 3 ++-
auth_mellon_config.c | 2 ++
auth_mellon_cookie.c | 4 +++-
auth_mellon_diagnostics.c | 1 +
5 files changed, 13 insertions(+), 4 deletions(-)
diff --git a/README.md b/README.md
index be374bc..82a88fc 100644
--- a/README.md
+++ b/README.md
@@ -218,8 +218,11 @@ MellonDiagnosticsEnable Off
# MellonCookieSameSite allows control over the SameSite value used
# for the authentication cookie.
- # The setting accepts values of "Strict" or "Lax"
- # If not set, the SameSite attribute is not set on the cookie.
+ # The setting accepts values of "Strict", "Lax", or "None".
+ # When using none, you should set "MellonSecureCookie On" to prevent
+ # compatibility issues with newer browsers.
+ # If not set, the SameSite attribute is not set on the cookie. In newer
+ # browsers, this may cause SameSite to default to "Lax"
# Default: not set
# MellonCookieSameSite lax
diff --git a/auth_mellon.h b/auth_mellon.h
index 9ef2d8a..5f5a20b 100644
--- a/auth_mellon.h
+++ b/auth_mellon.h
@@ -164,7 +164,8 @@ typedef enum {
typedef enum {
am_samesite_default,
am_samesite_lax,
- am_samesite_strict
+ am_samesite_strict,
+ am_samesite_none,
} am_samesite_t;
typedef enum {
diff --git a/auth_mellon_config.c b/auth_mellon_config.c
index 7932e2d..f1a9d12 100644
--- a/auth_mellon_config.c
+++ b/auth_mellon_config.c
@@ -583,6 +583,8 @@ static const char *am_set_samesite_slot(cmd_parms *cmd,
d->cookie_samesite = am_samesite_lax;
} else if(!strcasecmp(arg, "strict")) {
d->cookie_samesite = am_samesite_strict;
+ } else if(!strcasecmp(arg, "none")) {
+ d->cookie_samesite = am_samesite_none;
} else {
return "The MellonCookieSameSite parameter must be 'lax' or 'strict'";
}
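Review bot: the error string in the else branch still reads "The MellonCookieSameSite parameter must be 'lax' or 'strict'" although "none" is now accepted two lines above; update it to list all three values.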
diff --git a/auth_mellon_cookie.c b/auth_mellon_cookie.c
index 8394c18..b2c8535 100644
--- a/auth_mellon_cookie.c
+++ b/auth_mellon_cookie.c
@@ -1,7 +1,7 @@
/*
*
* auth_mellon_cookie.c: an authentication apache module
- * Copyright © 2003-2007 UNINETT (http://www.uninett.no/)
+ * Copyright © 2003-2007 UNINETT (http://www.uninett.no/)
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
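Review bot: this hunk changes only the `Copyright © 2003-2007 UNINETT` line, and both sides render identically, so it is a byte-level (encoding) change to the © character that has nothing to do with the SameSite feature; drop it from this patch, or if the file's encoding is being normalised, do that in a separate commit.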
@@ -73,6 +73,8 @@ static const char *am_cookie_params(request_rec *r)
cookie_samesite = "; SameSite=Lax";
} else if (cfg->cookie_samesite == am_samesite_strict) {
cookie_samesite = "; SameSite=Strict";
+ } else if (cfg->cookie_samesite == am_samesite_none) {
+ cookie_samesite = "; SameSite=None";
}
secure_cookie = cfg->secure;
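Review bot: `SameSite=None` is only honoured by current browsers when the cookie also carries `Secure`, and the very next line reads `secure_cookie = cfg->secure;`, so a deployment that sets MellonCookieSameSite none without MellonSecureCookie On produces a session cookie the browser discards. The README change in this patch leaves that to the administrator; at minimum log a warning here when am_samesite_none is combined with secure off, or reject that combination at configuration time.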
diff --git a/auth_mellon_diagnostics.c b/auth_mellon_diagnostics.c
index 792e894..912814b 100644
--- a/auth_mellon_diagnostics.c
+++ b/auth_mellon_diagnostics.c
@@ -214,6 +214,7 @@ am_diag_samesite_str(request_rec *r, am_samesite_t samesite)
case am_samesite_default: return "default";
case am_samesite_lax: return "lax";
case am_samesite_strict: return "strict";
+ case am_samesite_none: return "none";
default:
return apr_psprintf(r->pool, "unknown (%d)", samesite);
}
--
2.21.0


@ -0,0 +1,69 @@
From b9d87e0deb528817689f1648999a95645b1b19ad Mon Sep 17 00:00:00 2001
From: Keita SUZUKI <keita@osstech.co.jp>
Date: Mon, 20 Jan 2020 11:03:14 +0900
Subject: [PATCH] avoid always set SameSite cookie
---
auth_mellon.h | 5 +++++
auth_mellon_cookie.c | 22 ++++++++++++++++------
2 files changed, 21 insertions(+), 6 deletions(-)
diff --git a/auth_mellon.h b/auth_mellon.h
index 5f5a20b..8bb8023 100644
--- a/auth_mellon.h
+++ b/auth_mellon.h
@@ -96,6 +96,11 @@ typedef enum {
} am_diag_flags_t;
#endif
+
+/* Disable SameSite Environment Value */
+#define AM_DISABLE_SAMESITE_ENV_VAR "MELLON_DISABLE_SAMESITE"
+
+
/* This is the length of the id we use (for session IDs and
* replaying POST data).
*/
diff --git a/auth_mellon_cookie.c b/auth_mellon_cookie.c
index b2c8535..55f77a5 100644
--- a/auth_mellon_cookie.c
+++ b/auth_mellon_cookie.c
@@ -59,6 +59,7 @@ static const char *am_cookie_params(request_rec *r)
const char *cookie_domain = ap_get_server_name(r);
const char *cookie_path = "/";
const char *cookie_samesite = "";
+ const char *env_var_value = NULL;
am_dir_cfg_rec *cfg = am_get_dir_cfg(r);
if (cfg->cookie_domain) {
@@ -69,12 +70,21 @@ static const char *am_cookie_params(request_rec *r)
cookie_path = cfg->cookie_path;
}
- if (cfg->cookie_samesite == am_samesite_lax) {
- cookie_samesite = "; SameSite=Lax";
- } else if (cfg->cookie_samesite == am_samesite_strict) {
- cookie_samesite = "; SameSite=Strict";
- } else if (cfg->cookie_samesite == am_samesite_none) {
- cookie_samesite = "; SameSite=None";
+ if (r->subprocess_env != NULL){
+ env_var_value = apr_table_get(r->subprocess_env,
+ AM_DISABLE_SAMESITE_ENV_VAR);
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
+ "%s : %s", AM_DISABLE_SAMESITE_ENV_VAR, env_var_value);
+ }
+
+ if (env_var_value == NULL){
+ if (cfg->cookie_samesite == am_samesite_lax) {
+ cookie_samesite = "; SameSite=Lax";
+ } else if (cfg->cookie_samesite == am_samesite_strict) {
+ cookie_samesite = "; SameSite=Strict";
+ } else if (cfg->cookie_samesite == am_samesite_none) {
+ cookie_samesite = "; SameSite=None";
+ }
}
secure_cookie = cfg->secure;
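Review bot: the presence test `env_var_value == NULL` means any value of MELLON_DISABLE_SAMESITE, including "0" or "off", disables the attribute; either document that or compare the value so SetEnvIf rules behave as administrators expect. The debug line calls ap_log_error with r->server and formats env_var_value even in the common case where it is NULL (relying on apr_vformatter's "(null)" substitution); prefer `ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, ...)` so the entry is tied to the request, and log only when the variable is actually set. Style: `if (r->subprocess_env != NULL){` and `if (env_var_value == NULL){` lack the space before the brace used throughout the surrounding code.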
--
2.21.0


@ -0,0 +1,78 @@
From 7ef4ae72a8578475064eb66e3ed5703ccf6ee078 Mon Sep 17 00:00:00 2001
From: Ruediger Pluem <r.pluem@gmx.de>
Date: Thu, 30 Apr 2020 07:56:01 +0200
Subject: [PATCH] Set SameSite to None on test cookie
If the SameSite cookie attribute is to be set because
MellonCookieSameSite is configured and MELLON_DISABLE_SAMESITE is not set
for this particular request, set it to None for the test cookie.
This ensures that the test cookie with the static test content does not
get lost in the HTTP-POST binding request issued by the autosubmit form
returned by the IDP.
Addresses #20
* auth_mellon.h: Add AM_FORCE_SAMESITE_NONE_NOTE
* auth_mellon_handler.c (am_send_login_authn_request): Set request note
to set SameSite to None if appropriate.
* auth_mellon_cookie.c (am_cookie_params): Set SameSite to None if
requested via request note.
---
auth_mellon.h | 3 +++
auth_mellon_cookie.c | 6 +++++-
auth_mellon_handler.c | 5 +++++
3 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/auth_mellon.h b/auth_mellon.h
index fd39b28..401ed9c 100644
--- a/auth_mellon.h
+++ b/auth_mellon.h
@@ -100,6 +100,9 @@ typedef enum {
/* Disable SameSite Environment Value */
#define AM_DISABLE_SAMESITE_ENV_VAR "MELLON_DISABLE_SAMESITE"
+/* Force setting SameSite to None */
+#define AM_FORCE_SAMESITE_NONE_NOTE "MELLON_FORCE_SAMESITE_NONE"
+
/* This is the length of the id we use (for session IDs and
* replaying POST data).
diff --git a/auth_mellon_cookie.c b/auth_mellon_cookie.c
index 55f77a5..6bff81e 100644
--- a/auth_mellon_cookie.c
+++ b/auth_mellon_cookie.c
@@ -78,7 +78,11 @@ static const char *am_cookie_params(request_rec *r)
}
if (env_var_value == NULL){
- if (cfg->cookie_samesite == am_samesite_lax) {
+ if ((cfg->cookie_samesite != am_samesite_default) &&
+ (apr_table_get(r->notes, AM_FORCE_SAMESITE_NONE_NOTE) != NULL)) {
+ cookie_samesite = "; SameSite=None";
+ }
+ else if (cfg->cookie_samesite == am_samesite_lax) {
cookie_samesite = "; SameSite=Lax";
} else if (cfg->cookie_samesite == am_samesite_strict) {
cookie_samesite = "; SameSite=Strict";
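Review bot: forcing `SameSite=None` on the test cookie has the same Secure dependency as the MellonCookieSameSite none option: browsers drop a `SameSite=None` cookie that lacks `Secure`, so over plain HTTP the test cookie is lost in exactly the POST-binding round trip this patch is trying to protect. Since the override is conditioned only on `cfg->cookie_samesite != am_samesite_default`, consider also requiring `cfg->secure` (or logging when it is off). Style: the `}` / `else if` split across two lines differs from the `} else if` form used on the lines that follow.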
diff --git a/auth_mellon_handler.c b/auth_mellon_handler.c
index 395ee1d..40c9bcd 100644
--- a/auth_mellon_handler.c
+++ b/auth_mellon_handler.c
@@ -3261,8 +3261,13 @@ static int am_send_login_authn_request(request_rec *r, const char *idp,
/* Add cookie for cookie test. We know that we should have
* a valid cookie when we return from the IdP after SP-initiated
* login.
+ * Ensure that SameSite is set to None for this cookie if SameSite
+ * is allowed to be set as the cookie otherwise gets lost on
+ * HTTP-POST binding messages.
*/
+ apr_table_setn(r->notes, AM_FORCE_SAMESITE_NONE_NOTE, "1");
am_cookie_set(r, "cookietest");
+ apr_table_unset(r->notes, AM_FORCE_SAMESITE_NONE_NOTE);
server = am_get_lasso_server(r);
if(server == NULL) {
--
2.26.2

File diff suppressed because one or more lines are too long


@ -1,28 +1,42 @@
Summary: A SAML 2.0 authentication module for the Apache Httpd Server
Name: mod_auth_mellon
Version: 0.17.0
Release: 7%{?dist}
Source0: https://github.com/latchset/mod_auth_mellon/releases/download/v0.17.0/mod_auth_mellon-0.17.0.tar.gz
Version: 0.14.0
Release: 12%{?dist}.1
Group: System Environment/Daemons
Source0: https://github.com/UNINETT/mod_auth_mellon/releases/download/v%{version}/%{name}-%{version}.tar.gz
Source1: auth_mellon.conf
Source2: 10-auth_mellon.conf
Source3: mod_auth_mellon.conf
Source4: mellon_create_metadata.sh
Source5: README.redhat.rst
Source6: mellon_user_guide.html
License: GPLv2+
BuildRequires: make
BuildRequires: gcc
BuildRequires: curl-devel
BuildRequires: glib2-devel
BuildRequires: httpd-devel
BuildRequires: lasso-devel >= 2.5.1-13
BuildRequires: lasso-devel >= 2.5.1
BuildRequires: openssl-devel
BuildRequires: xmlsec1-devel
BuildRequires: rubygem-asciidoctor
Requires: httpd-mmn = %{_httpd_mmn}
Requires: lasso >= 2.5.1-13
Url: https://github.com/latchset/mod_auth_mellon
Requires: lasso >= 2.5.1
Url: https://github.com/UNINETT/mod_auth_mellon
Patch0001: 0001-Prevent-redirect-to-URLs-that-begin-with.patch
Patch0001: 0001-Modify-am_handler-setup-to-run-before-mod_proxy.patch
Patch0002: 0002-Fix-redirect-URL-validation-bypass.patch
Patch0003: 0003-backport-Make-the-environment-variable-prefix-configurable.patch
Patch0004: 0004-Fix-incorrect-header-used-for-detecting-AJAX-request.patch
Patch0005: 0005-CVE_2019_13038.patch
Patch0006: 0006-Add-none-option-for-samesite.patch
Patch0007: 0007-avoid-always-set-SameSite-cookie.patch
Patch0008: 0008-Set-SameSite-to-None-on-test-cookie.patch
Patch0009: 0009-Prevent-redirect-to-URLs-that-begin-with.patch
# FIXME: RHEL-7 does not have rubygem-asciidoctor, only asciidoc. However,
# I could not get asciidoc to render properly so instead I generated
# mellon_user_guide.html on Fedora using asciidoctor and included
# mellon_user_guide.html as a SOURCE. If the user guide source is updated
# the mellon_user_guide.html will need to be regenerated.
%description
The mod_auth_mellon module is an authentication service that implements the
@ -30,21 +44,27 @@ SAML 2.0 federation protocol. It grants access based on the attributes
received in assertions generated by a IdP server.
%prep
%autosetup -n %{name}-%{version}
%setup -q -n %{name}-%{version}
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1
%patch9 -p1
%build
export APXS=%{_httpd_apxs}
%configure --enable-diagnostics
make clean
%{make_build}
make %{?_smp_mflags}
cp .libs/%{name}.so %{name}-diagnostics.so
%configure
make clean
%{make_build}
pushd doc/user_guide
asciidoctor -a data-uri mellon_user_guide.adoc
popd
make %{?_smp_mflags}
%install
# install module
@ -70,10 +90,11 @@ install -m 755 %{SOURCE4} %{buildroot}/%{_libexecdir}/%{name}
mkdir -p %{buildroot}/%{_pkgdocdir}
# install Red Hat README
install %{SOURCE5} %{buildroot}/%{_pkgdocdir}
install -m 644 %{SOURCE5} %{buildroot}/%{_pkgdocdir}
# install user guide
cp -r doc/user_guide %{buildroot}/%{_pkgdocdir}
install -m 644 %{SOURCE6} %{buildroot}/%{_pkgdocdir}/user_guide
%package diagnostics
Summary: Build of mod_auth_mellon with diagnostic logging
@ -100,81 +121,69 @@ in the doc directory for instructions on using the diagnostics build.
%{_httpd_moddir}/mod_auth_mellon.so
%{_tmpfilesdir}/mod_auth_mellon.conf
%{_libexecdir}/%{name}
%dir %attr(-, apache, apache) /run/%{name}/
%attr(0755,apache,apache) %dir /run/%{name}/
%changelog
* Tue Jul 26 2022 Tomas Halman <thalman@redhat.com> - 0.17.0-7
- bad user/group ownership for /run/mod_auth_mellon
Resolves: rhbz#2047948
* Wed Dec 15 2021 Jakub Hrozek <jhrozek@redhat.com> - 0.14.0-12.1
- Resolves: rhbz#1986805 - CVE-2021-3639 mod_auth_mellon: Open Redirect
vulnerability in logout URLs [rhel-8]
* Fri Jul 30 2021 Jakub Hrozek <jhrozek@redhat.com> - 0.17.0-6
- Related: rhbz#1986806 - CVE-2021-3639 mod_auth_mellon: Open Redirect
vulnerability in logout URLs
* Mon Jan 25 2021 Jakub Hrozek <jhrozek@redhat.com> - 0.14.0-12
- Resolves: rhbz#1791262 - Backport SameSite=None cookie from upstream to
support latest browsers
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 0.17.0-5
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
* Wed Jun 16 2021 Mohan Boddu <mboddu@redhat.com> - 0.17.0-4
- Rebuilt for RHEL 9 BETA for openssl 3.0
Related: rhbz#1971065
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 0.17.0-3
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.17.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Wed Sep 16 2020 Jakub Hrozek <jhrozek@redhat.com> - 0.17.0-1
- New upstream version 0.17.0
* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.16.0-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Thu Feb 13 2020 Tom Stellard <tstellar@redhat.com> - 0.16.0-2
- Use make_build macro instead of just make
- https://docs.fedoraproject.org/en-US/packaging-guidelines/#_parallel_make
* Mon Feb 3 2020 Jakub Hrozek <jhrozek@redhat.com> - 0.16.0-1
- New upstream version 0.16.0
* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.15.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Tue Nov 19 2019 Jakub Hrozek <jhrozek@redhat.com> - 0.15.0-1
- New upstream version 0.15.0
- Resolves: rhbz#1725742 - CVE-2019-13038 mod_auth_mellon: an Open Redirect
* Fri Oct 18 2019 Jakub Hrozek <jhrozek@redhat.com> - 0.14.0-11
- Resolves: rhbz#1731053 - CVE-2019-13038 mod_auth_mellon: an Open Redirect
via the login?ReturnTo= substring which could
facilitate information theft [fedora-all]
facilitate information theft [rhel-8]
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.14.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Fri Oct 18 2019 Jakub Hrozek <jhrozek@redhat.com> - 0.14.0-10
- Resolves: rhbz#1761774 - mod_auth_mellon fix for AJAX header name
X-Requested-With
* Fri Mar 22 2019 Jakub Hrozek <jhrozek@redhat.com> - 0.14.2-1
- Upgrade to 0.14.2
- Related: rhbz#1691771 - CVE-2019-3877 mod_auth_mellon: open redirect in
logout url when using URLs with backslashes
- Related: rhbz#1691136 - CVE-2019-3878 mod_auth_mellon: authentication
bypass in ECP flow
* Thu Jun 13 2019 Jakub Hrozek <jhrozek@redhat.com> - 0.14.0-9
- Just bump the release number
- Related: rhbz#1718238 - mod_auth_mellon-diagnostics RPM not in product
listings
* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.14.0-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Fri Jun 7 2019 Jakub Hrozek <jhrozek@redhat.com> - 0.14.0-8
- Resolves: rhbz#1691894 - [RFE] Config option to change mod_auth_mellon prefix
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.14.0-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Fri Jun 7 2019 Jakub Hrozek <jhrozek@redhat.com> - 0.14.0-7
- Apply the patch from the previous commit
- Resolves: rhbz#1692471 - CVE-2019-3877 appstream/mod_auth_mellon: open
redirect in logout url when using URLs with
backslashes [rhel-8]
* Wed May 2 2018 John Dennis <jdennis@redhat.com> - 0.14.0-3
- update lasso version dependency
* Fri Jun 7 2019 Jakub Hrozek <jhrozek@redhat.com> - 0.14.0-6
- Resolves: rhbz#1692471 - CVE-2019-3877 appstream/mod_auth_mellon: open
redirect in logout url when using URLs with
backslashes [rhel-8]
* Tue May 1 2018 John Dennis <jdennis@redhat.com> - 0.14.0-2
- clean diagnostics build prior to normal build
* Fri Jun 7 2019 Jakub Hrozek <jhrozek@redhat.com> - 0.14.0-5
- Resolves: rhbz#1692457 - CVE-2019-3878 mod_auth_mellon: authentication
bypass in ECP flow [rhel-8.1.0]
* Thu Apr 19 2018 John Dennis <jdennis@redhat.com> - 0.14.0-1
- Upgrade to new upstream release
- Add README.redhat.rst doc explaining packaging of this module.
* Wed Apr 24 2019 Jakub Hrozek <jhrozek@redhat.com> - 0.14.0-4
- Resolves: rhbz#1702695 - fresh install of mod_auth_mellon shows rpm
verification warnings
* Thu Feb 08 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.13.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
* Mon Jul 30 2018 Florian Weimer <fweimer@redhat.com> - 0.14.0-3
- Rebuild with fixed binutils
* Fri Jun 1 2018 <jdennis@redhat.com> - 0.14.0-2
- Resolves: rhbz#1553885
- fix file permissions on doc files
* Fri Jun 1 2018 <jdennis@redhat.com> - 0.14.0-1
- Resolves: rhbz#1553885
- Rebase to current upstream release
* Thu Mar 29 2018 John Dennis <jdennis@redhat.com> - 0.13.1-2
- Resolves: rhbz#1481330 Add diagnostic logging
- Resolves: rhbz#1295472 Add MellonSignatureMethod config option to set
signature method used to sign SAML messages sent by Mellon.
Defaults to original sha1.
* Sun Oct 1 2017 John Dennis <jdennis@redhat.com> - 0.13.1-1
- upgrade to new upstream release