Remove the unnecessary LTO patch
Resolves: rhbz#1951277
This commit is contained in:
parent
41024c12ac
commit
15f15a0efa
@ -1,15 +0,0 @@
|
||||
--- mod_auth_openidc-2.4.3/Makefile.in.nonlto
|
||||
+++ mod_auth_openidc-2.4.3/Makefile.in
|
||||
@@ -73,8 +73,11 @@
|
||||
@NAMEVER@.tar.gz: $(DISTFILES)
|
||||
tar -c --transform="s#^#@NAMEVER@/#" -vzf $@ $(DISTFILES)
|
||||
|
||||
+APXS_CFLAGS := $(shell @APXS2@ -q CFLAGS | sed 's/-f[^ ]*lto[^ ]* //g') $(CFLAGS) $(shell @APXS2@ -q EXTRA_CPPFLAGS)
|
||||
+APXS_CC := $(shell @APXS2@ -q CC) $(APXS_CFLAGS) $(shell @APXS2@ -q EXTRA_INCLUDES)
|
||||
+
|
||||
test/test test/test-cmd: test/test.c test/test-cmd.c test/stub.c src/mod_auth_openidc.la
|
||||
- @APXS2@ @APXS2_OPTS@ -Wc,"-DNAMEVER=\"@NAMEVER@\" $(CFLAGS)" -Wl,"$(LIBS)" -Isrc -Wc,-Wall -Wc,-g -c -o $@ $@.c test/stub.c $(SRC:.c=.lo) @APR_LIBS@
|
||||
+ $(APXS_CC) -DNAMEVER=\"@NAMEVER@\" $(CFLAGS) $(LIBS) -Isrc -Wall -g -o $@ $@.c test/stub.c $(SRC:.c=.o) @APR_LIBS@
|
||||
|
||||
test-compile: test/test test/test-cmd
|
||||
|
@ -1,4 +1,4 @@
|
||||
%{!?_httpd_mmn: %{expand: %%global _httpd_mmn %%(cat %{_includedir}/httpd/.mmn || echo 0-0)}}
|
||||
%{!?_httpd_mmn: %{expand: %%global _httpd_mmn %%(cat %{_includedir}/httpd/.mmn 2>/dev/null || echo 0-0)}}
|
||||
%{!?_httpd_moddir: %{expand: %%global _httpd_moddir %%{_libdir}/httpd/modules}}
|
||||
%{!?_httpd_confdir: %{expand: %%global _httpd_confdir %{_sysconfdir}/httpd/conf.d}}
|
||||
|
||||
@ -15,13 +15,12 @@
|
||||
|
||||
Name: mod_auth_openidc
|
||||
Version: 2.4.4.1
|
||||
Release: 2%{?dist}
|
||||
Release: 3%{?dist}
|
||||
Summary: OpenID Connect auth module for Apache HTTP Server
|
||||
|
||||
License: ASL 2.0
|
||||
URL: https://github.com/zmartzone/mod_auth_openidc
|
||||
Source0: https://github.com/zmartzone/mod_auth_openidc/archive/v%{version}.tar.gz
|
||||
Patch0: mod_auth_openidc-2.4.3-nonlto.patch
|
||||
|
||||
BuildRequires: gcc
|
||||
BuildRequires: httpd-devel
|
||||
@ -42,7 +41,6 @@ an OpenID Connect Relying Party and/or OAuth 2.0 Resource Server.
|
||||
|
||||
%prep
|
||||
%setup -q
|
||||
%patch0 -p1 -b .nonlto
|
||||
|
||||
%build
|
||||
# workaround rpm-buildroot-usage
|
||||
@ -96,6 +94,9 @@ install -m 700 -d $RPM_BUILD_ROOT%{httpd_pkg_cache_dir}/cache
|
||||
%dir %attr(0700, apache, apache) %{httpd_pkg_cache_dir}/cache
|
||||
|
||||
%changelog
|
||||
* Fri Apr 30 2021 Tomas Halman <thalman@redhat.com> - 2.4.4.1-3
|
||||
- Resolves: rhbz#1951277 - Remove unnecessary LTO patch
|
||||
|
||||
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 2.4.4.1-2
|
||||
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
|
||||
|
||||
|
@ -1,167 +0,0 @@
|
||||
commit fe7dfb14c45262df3b15bda374b2ee390b43cfb4
|
||||
Author: John Dennis <jdennis@redhat.com>
|
||||
Date: Tue Aug 14 18:08:56 2018 -0400
|
||||
|
||||
test_proto_authorization_request() segfault due to uninitialized value
|
||||
|
||||
Many thanks to Florian Weimer <fweimer@redhat.com> for his assistence
|
||||
in helping diagnose the problem.
|
||||
|
||||
In test_proto_authorization_request() it creates a provider object but
|
||||
fails to fully initialize it. In particular it fails to initialize
|
||||
auth_request_method to OIDC_AUTH_REQUEST_METHOD_GET.
|
||||
|
||||
The function oidc_proto_authorization_request() in the file
|
||||
src/proto.c has a weak test for provider->auth_request_method on line
|
||||
646.
|
||||
|
||||
if (provider->auth_request_method == OIDC_AUTH_REQUEST_METHOD_POST) {
|
||||
/* construct a HTML POST auto-submit page with the authorization request parameters */
|
||||
} else {
|
||||
/* construct the full authorization request URL */
|
||||
}
|
||||
|
||||
The assumption is provider->auth_request_method must be one of
|
||||
OIDC_AUTH_REQUEST_METHOD_GET or OIDC_AUTH_REQUEST_METHOD_POST but if
|
||||
the provider struct is not properly initialized it could be any random
|
||||
value. Therefore the fact provider->auth_request_method does not equal
|
||||
OIDC_AUTH_REQUEST_METHOD_POST does not imply it's
|
||||
OIDC_AUTH_REQUEST_METHOD_GET. The test would also be a problem if
|
||||
OIDC_AUTH_REQUEST_METHOD ever added a new enumerated value.
|
||||
|
||||
The defined values for OIDC_AUTH_REQUEST_METHOD are:
|
||||
define OIDC_AUTH_REQUEST_METHOD_GET 0
|
||||
define OIDC_AUTH_REQUEST_METHOD_POST 1
|
||||
|
||||
So what the test on line src/proto.c:646 is really saying is this:
|
||||
if provider->auth_request_method != 1 then use the GET method.
|
||||
|
||||
The unit test works most of the time because it's unlikely the
|
||||
unitialized auth_request_method member will be exactly 1. Except on
|
||||
some architectures it is (e.g. s390x). Of course what's on the stack
|
||||
is influenced by a variety of factors (all unknown).
|
||||
|
||||
The segfault occurs because oidc_proto_authorization_request() takes
|
||||
the OIDC_AUTH_REQUEST_METHOD_POST branch and calls
|
||||
oidc_proto_html_post() which then operates on more uninitialized
|
||||
data. Specfically request->connection->bucket_alloc is
|
||||
NULL. Fortunately the request object was intialized to zero via
|
||||
apr_pcalloc() so at least bucket_alloc will consistetnly be NULL.
|
||||
|
||||
Here is the stack trace:
|
||||
|
||||
Program received signal SIGSEGV, Segmentation fault.
|
||||
0x00007ffff6b9f67a in apr_bucket_alloc () from /lib64/libaprutil-1.so.0
|
||||
(gdb) bt
|
||||
from /lib64/libaprutil-1.so.0
|
||||
data=0x6adfe0 "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01//EN\" \"http://www.w3.org/TR/html4/strict.dtd\">\n<html>\n <head>\n <meta http-equiv=\"Content-Type\" content=\"text/html; charset=utf-8\">\n <title>Submitting"...,
|
||||
data_len=825, content_type=0x47311a "text/html", success_rvalue=-2)
|
||||
at src/util.c:1307
|
||||
title=0x46bf28 "Submitting...", html_head=0x0,
|
||||
on_load=0x46bf0d "document.forms[0].submit()",
|
||||
html_body=0x6add40 " <p>Submitting Authentication Request...</p>\n <form method=\"post\" action=\"https://idp.example.com/authorize\">\n <p>\n <input type=\"hidden\" name=\"response_type\" value=\"code\">\n <input"..., status_code=-2) at src/util.c:1349
|
||||
url=0x465758 "https://idp.example.com/authorize", params=0x6acf30)
|
||||
at src/proto.c:544
|
||||
provider=0x7fffffffd260, login_hint=0x0,
|
||||
redirect_uri=0x465790 "https://www.example.com/protected/",
|
||||
state=0x4657b3 "12345", proto_state=0x68e5f0, id_token_hint=0x0,
|
||||
nge=0x0, auth_request_params=0x0, path_scope=0x0) at src/proto.c:650
|
||||
|
||||
This patch does the following:
|
||||
|
||||
1) Initializes the provider struct created on the stack in
|
||||
test_proto_authorization_request to zero so it's at least
|
||||
initialized to known consistent values.
|
||||
|
||||
2) Initializes provider.auth_request_method to
|
||||
OIDC_AUTH_REQUEST_METHOD_GET.
|
||||
|
||||
3) Initializes request->connection->bucket_alloc via
|
||||
apr_bucket_alloc_create() so if one does enter that code it won't
|
||||
segfault.
|
||||
|
||||
It's easy to verify the above observations.
|
||||
|
||||
If you explicitly intialize provider.auth_request_method to
|
||||
OIDC_AUTH_REQUEST_METHOD_POST in test_proto_authorization_request()
|
||||
instead of allowing it to be a random stack value you will segfault
|
||||
every time. However if you initialize request->connection->bucket_alloc
|
||||
the segfault goes away and the unit test correctly reports the error,
|
||||
e.g.
|
||||
|
||||
Failed: # test_proto_authorization_request: error in oidc_proto_authorization_request (1): result "0" != expected "1"
|
||||
|
||||
WARNING: This patch does not address the test in proto.c:646. That
|
||||
test should be augmented to assure only valid enumerated values are
|
||||
operated on and if the enumerated value is not valid it should return
|
||||
an error.
|
||||
|
||||
Note: The above was fixed in the following commit.
|
||||
|
||||
Signed-off-by: John Dennis <jdennis@redhat.com>
|
||||
|
||||
diff --git a/test/test.c b/test/test.c
|
||||
index 16f09b5..87d3700 100755
|
||||
--- a/test/test.c
|
||||
+++ b/test/test.c
|
||||
@@ -1019,6 +1019,9 @@ static char *test_proto_validate_code(request_rec *r) {
|
||||
static char * test_proto_authorization_request(request_rec *r) {
|
||||
|
||||
oidc_provider_t provider;
|
||||
+
|
||||
+ memset(&provider, 0, sizeof(provider));
|
||||
+
|
||||
provider.issuer = "https://idp.example.com";
|
||||
provider.authorization_endpoint_url = "https://idp.example.com/authorize";
|
||||
provider.scope = "openid";
|
||||
@@ -1028,6 +1031,8 @@ static char * test_proto_authorization_request(request_rec *r) {
|
||||
provider.auth_request_params = NULL;
|
||||
provider.request_object = NULL;
|
||||
provider.token_binding_policy = OIDC_TOKEN_BINDING_POLICY_OPTIONAL;
|
||||
+ provider.auth_request_method = OIDC_AUTH_REQUEST_METHOD_GET;
|
||||
+
|
||||
const char *redirect_uri = "https://www.example.com/protected/";
|
||||
const char *state = "12345";
|
||||
|
||||
@@ -1260,6 +1265,7 @@ static request_rec * test_setup(apr_pool_t *pool) {
|
||||
sizeof(struct process_rec));
|
||||
request->server->process->pool = request->pool;
|
||||
request->connection = apr_pcalloc(request->pool, sizeof(struct conn_rec));
|
||||
+ request->connection->bucket_alloc = apr_bucket_alloc_create(request->pool);
|
||||
request->connection->local_addr = apr_pcalloc(request->pool,
|
||||
sizeof(apr_sockaddr_t));
|
||||
|
||||
commit aca77a82c1ce2f1ec8f363066ffbc480b3bd75c8
|
||||
Author: Hans Zandbelt <hans.zandbelt@zmartzone.eu>
|
||||
Date: Wed Aug 15 07:47:57 2018 +0200
|
||||
|
||||
add sanity check on provider->auth_request_method; closes #382
|
||||
|
||||
thanks @jdennis; bump to 2.3.8rc4
|
||||
|
||||
Signed-off-by: Hans Zandbelt <hans.zandbelt@zmartzone.eu>
|
||||
|
||||
diff --git a/src/proto.c b/src/proto.c
|
||||
index e9dbc99..ac7696a 100644
|
||||
--- a/src/proto.c
|
||||
+++ b/src/proto.c
|
||||
@@ -649,7 +649,7 @@ int oidc_proto_authorization_request(request_rec *r,
|
||||
rv = oidc_proto_html_post(r, provider->authorization_endpoint_url,
|
||||
params);
|
||||
|
||||
- } else {
|
||||
+ } else if (provider->auth_request_method == OIDC_AUTH_REQUEST_METHOD_GET) {
|
||||
|
||||
/* construct the full authorization request URL */
|
||||
authorization_request = oidc_util_http_query_encoded_url(r,
|
||||
@@ -666,6 +666,10 @@ int oidc_proto_authorization_request(request_rec *r,
|
||||
/* and tell Apache to return an HTTP Redirect (302) message */
|
||||
rv = HTTP_MOVED_TEMPORARILY;
|
||||
}
|
||||
+ } else {
|
||||
+ oidc_error(r, "provider->auth_request_method set to wrong value: %d",
|
||||
+ provider->auth_request_method);
|
||||
+ return HTTP_INTERNAL_SERVER_ERROR;
|
||||
}
|
||||
|
||||
/* add a referred token binding request for the provider if enabled */
|
Loading…
Reference in New Issue
Block a user