From 42a11261b9dad2e48d70bdff7c53dd57a12db6f5 Mon Sep 17 00:00:00 2001
From: AIMOTO Norihito
Date: Tue, 6 Jul 2021 22:57:24 +0200
Subject: [PATCH] Prevent redirect to URLs that begin with '///'

Visiting a logout URL like this: https://rp.example.co.jp/mellon/logout?ReturnTo=///fishing-site.example.com/logout.html would have redirected the user to fishing-site.example.com With the patch, this URL would be rejected.
Fixes: CVE-2021-3639
---
 auth_mellon_util.c | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/auth_mellon_util.c b/auth_mellon_util.c
index 2f8c9c3..6a686db 100644
--- a/auth_mellon_util.c
+++ b/auth_mellon_util.c
@@ -927,6 +927,10 @@ int am_check_url(request_rec *r, const char *url)
 {
 const char *i;
+ if (url == NULL) {
+ return HTTP_BAD_REQUEST;
+ }
+
 for (i = url; *i; i++) {
 if (*i >= 0 && *i < ' ') {
 /* Deny all control-characters. */
@@ -943,6 +947,12 @@ int am_check_url(request_rec *r, const char *url)
 }
 }
+ if (strstr(url, "///") == url) {
+ AM_LOG_RERROR(APLOG_MARK, APLOG_ERR, HTTP_BAD_REQUEST, r,
+ "URL starts with '///'");
+ return HTTP_BAD_REQUEST;
+ }
+
 return OK;
 }
--
2.26.3
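Review bot: The new `url == NULL` branch at the top of am_check_url returns HTTP_BAD_REQUEST without writing anything to the error log, whereas the `///` rejection added in the second hunk of the same function logs through AM_LOG_RERROR. A silent 400 makes a rejected request hard to tell apart from any other failure when reading the logs. Consider logging before the return, for example `AM_LOG_RERROR(APLOG_MARK, APLOG_ERR, HTTP_BAD_REQUEST, r, "URL is NULL");`. The commit message does not mention the NULL guard, so a line about it there, or a comment saying which caller can pass NULL, would help; the callers are outside this hunk.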
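Review bot: The prefix test `strstr(url, "///") == url` searches the string for the first `///` anywhere and only then compares its position, which obscures the intent of rejecting a leading `///`. `if (strncmp(url, "///", 3) == 0) {` states that directly and never reads past the third byte. The block also has no comment explaining why three slashes are refused; something like `/* A leading "///" is followed by browsers to another host (CVE-2021-3639). */` would keep the reason next to the code. The check sees the string exactly as it is passed in, so it is worth confirming that every caller hands over the decoded ReturnTo value. Those call sites, and the middle of the loop between the two hunks, are not visible here.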