rpms/mod_auth_openidc
7
0
Fork 0
Code Issues Pull Requests Releases Activity
c8-stream-2.3
mod_auth_openidc/SOURCES/0001-CVE-2022-23527.patch

78 lines
2.7 KiB
Diff
Raw Permalink Blame History

commit 4c494e4a59a15580e3226dcd6c02b24076b73421
Author: Tomas Halman <thalman@redhat.com>
Date: Mon Feb 27 13:18:55 2023 +0100
Backport of fixes for CVE-2022-23527
CVE-2022-23527 prevent open redirect in default setup
This patch is based on 87119f44, f38af0e2, 1a394a86 and
1c808c58 updates.
diff --git a/src/mod_auth_openidc.c b/src/mod_auth_openidc.c
index b36f6c1..099c716 100644
--- a/src/mod_auth_openidc.c
+++ b/src/mod_auth_openidc.c
@@ -2543,6 +2543,20 @@ static apr_byte_t oidc_validate_redirect_url(request_rec *r, oidc_cfg *c,
oidc_error(r, "%s: %s", *err_str, *err_desc);
return FALSE;
}
+ if ( (strstr(url, "/%09") != NULL) || (oidc_util_strcasestr(url, "/%2f") != NULL)
+ || (strstr(url, "/\t") != NULL)
+ || (strstr(url, "/%68") != NULL) || (oidc_util_strcasestr(url, "/http:") != NULL)
+ || (oidc_util_strcasestr(url, "/https:") != NULL) || (oidc_util_strcasestr(url, "/javascript:") != NULL)
+ || (strstr(url, "/〱") != NULL) || (strstr(url, "/〵") != NULL)
+ || (strstr(url, "/ゝ") != NULL) || (strstr(url, "/ー") != NULL)
+ || (strstr(url, "/〱") != NULL) || (strstr(url, "/ー") != NULL)
+ || (strstr(url, "/<") != NULL) || (oidc_util_strcasestr(url, "%01javascript:") != NULL)
+ || (strstr(url, "/%5c") != NULL) || (strstr(url, "/\\") != NULL)) {
+ *err_str = apr_pstrdup(r->pool, "Invalid URL");
+ *err_desc = apr_psprintf(r->pool, "URL value \"%s\" contains illegal character(s)", url);
+ oidc_error(r, "%s: %s", *err_str, *err_desc);
+ return FALSE;
+ }
return TRUE;
}
diff --git a/src/mod_auth_openidc.h b/src/mod_auth_openidc.h
index 2218d76..8757411 100644
--- a/src/mod_auth_openidc.h
+++ b/src/mod_auth_openidc.h
@@ -800,6 +800,7 @@ char *oidc_util_http_query_encoded_url(request_rec *r, const char *url, const ap
char *oidc_util_get_full_path(apr_pool_t *pool, const char *abs_or_rel_filename);
apr_byte_t oidc_enabled(request_rec *r);
char *oidc_util_http_form_encoded_data(request_rec *r, const apr_table_t *params);
+char* oidc_util_strcasestr(const char *s1, const char *s2);
/* HTTP header constants */
#define OIDC_HTTP_HDR_COOKIE "Cookie"
diff --git a/src/util.c b/src/util.c
index 4c46156..c6453d0 100644
--- a/src/util.c
+++ b/src/util.c
@@ -446,6 +446,24 @@ char* oidc_util_javascript_escape(apr_pool_t *pool, const char *s) {
return output;
}
+char* oidc_util_strcasestr(const char *s1, const char *s2) {
+ const char *s = s1;
+ const char *p = s2;
+ do {
+ if (!*p)
+ return (char*) s1;
+ if ((*p == *s) || (tolower(*p) == tolower(*s))) {
+ ++p;
+ ++s;
+ } else {
+ p = s2;
+ if (!*s)
+ return NULL;
+ s = ++s1;
+ }
+ } while (1);
+ return *p ? NULL : (char*) s1;
+}
/*
* get the URL scheme that is currently being accessed
Reference in New Issue View Git Blame Copy Permalink