64 lines
2.7 KiB
Diff
64 lines
2.7 KiB
Diff
diff -up mod_auth_openidc-2.4.10/src/mod_auth_openidc.c.orig mod_auth_openidc-2.4.10/src/mod_auth_openidc.c
|
|
--- mod_auth_openidc-2.4.10/src/mod_auth_openidc.c.orig 2021-11-05 11:55:03.000000000 +0100
|
|
+++ mod_auth_openidc-2.4.10/src/mod_auth_openidc.c 2024-04-15 17:53:49.601539683 +0200
|
|
@@ -2537,6 +2537,20 @@ static apr_byte_t oidc_validate_redirect
|
|
oidc_error(r, "%s: %s", *err_str, *err_desc);
|
|
return FALSE;
|
|
}
|
|
+ if ( (strstr(url, "/%09") != NULL) || (oidc_util_strcasestr(url, "/%2f") != NULL)
|
|
+ || (strstr(url, "/\t") != NULL)
|
|
+ || (strstr(url, "/%68") != NULL) || (oidc_util_strcasestr(url, "/http:") != NULL)
|
|
+ || (oidc_util_strcasestr(url, "/https:") != NULL) || (oidc_util_strcasestr(url, "/javascript:") != NULL)
|
|
+ || (strstr(url, "/〱") != NULL) || (strstr(url, "/〵") != NULL)
|
|
+ || (strstr(url, "/ゝ") != NULL) || (strstr(url, "/ー") != NULL)
|
|
+ || (strstr(url, "/〱") != NULL) || (strstr(url, "/ー") != NULL)
|
|
+ || (strstr(url, "/<") != NULL) || (oidc_util_strcasestr(url, "%01javascript:") != NULL)
|
|
+ || (strstr(url, "/%5c") != NULL) || (strstr(url, "/\\") != NULL)) {
|
|
+ *err_str = apr_pstrdup(r->pool, "Invalid URL");
|
|
+ *err_desc = apr_psprintf(r->pool, "URL value \"%s\" contains illegal character(s)", url);
|
|
+ oidc_error(r, "%s: %s", *err_str, *err_desc);
|
|
+ return FALSE;
|
|
+ }
|
|
|
|
return TRUE;
|
|
}
|
|
diff -up mod_auth_openidc-2.4.10/src/mod_auth_openidc.h.orig mod_auth_openidc-2.4.10/src/mod_auth_openidc.h
|
|
--- mod_auth_openidc-2.4.10/src/mod_auth_openidc.h.orig 2021-11-09 10:00:40.000000000 +0100
|
|
+++ mod_auth_openidc-2.4.10/src/mod_auth_openidc.h 2024-04-15 17:53:49.601539683 +0200
|
|
@@ -819,6 +819,7 @@ char *oidc_util_http_query_encoded_url(r
|
|
char *oidc_util_get_full_path(apr_pool_t *pool, const char *abs_or_rel_filename);
|
|
apr_byte_t oidc_enabled(request_rec *r);
|
|
char *oidc_util_http_form_encoded_data(request_rec *r, const apr_table_t *params);
|
|
+char* oidc_util_strcasestr(const char *s1, const char *s2);
|
|
|
|
/* HTTP header constants */
|
|
#define OIDC_HTTP_HDR_COOKIE "Cookie"
|
|
diff -up mod_auth_openidc-2.4.10/src/util.c.orig mod_auth_openidc-2.4.10/src/util.c
|
|
--- mod_auth_openidc-2.4.10/src/util.c.orig 2021-11-05 11:55:03.000000000 +0100
|
|
+++ mod_auth_openidc-2.4.10/src/util.c 2024-04-15 17:53:49.602539684 +0200
|
|
@@ -435,6 +435,24 @@ char* oidc_util_javascript_escape(apr_po
|
|
return output;
|
|
}
|
|
|
|
+char* oidc_util_strcasestr(const char *s1, const char *s2) {
|
|
+ const char *s = s1;
|
|
+ const char *p = s2;
|
|
+ do {
|
|
+ if (!*p)
|
|
+ return (char*) s1;
|
|
+ if ((*p == *s) || (tolower(*p) == tolower(*s))) {
|
|
+ ++p;
|
|
+ ++s;
|
|
+ } else {
|
|
+ p = s2;
|
|
+ if (!*s)
|
|
+ return NULL;
|
|
+ s = ++s1;
|
|
+ }
|
|
+ } while (1);
|
|
+ return *p ? NULL : (char*) s1;
|
|
+}
|
|
|
|
/*
|
|
* get the URL scheme that is currently being accessed
|