rpms / mod_auth_mellon

Clone
Source Code
GIT

Blame SOURCES/0001-Prevent-redirect-to-URLs-that-begin-with.patch

c7 c7-alt c7-beta c8 c8-beta c8s c9 c9-beta
  1.   c9
  2.   SOURCES
  3.   0001-Prevent-redirect-to-URLs-that-begin-with.patch
Blob History Raw
cd021e 
From 42a11261b9dad2e48d70bdff7c53dd57a12db6f5 Mon Sep 17 00:00:00 2001
cd021e 
From: AIMOTO Norihito <aimoto@osstech.co.jp>
cd021e 
Date: Tue, 6 Jul 2021 22:57:24 +0200
cd021e 
Subject: [PATCH] Prevent redirect to URLs that begin with '///'
cd021e
cd021e 
Visiting a logout URL like this:
cd021e 
    https://rp.example.co.jp/mellon/logout?ReturnTo=///fishing-site.example.com/logout.html
cd021e 
would have redirected the user to fishing-site.example.com
cd021e
cd021e 
With the patch, this URL would be rejected.
cd021e
cd021e 
Fixes: CVE-2021-3639
cd021e 
---
cd021e 
 auth_mellon_util.c | 10 ++++++++++
cd021e 
 1 file changed, 10 insertions(+)
cd021e
cd021e 
diff --git a/auth_mellon_util.c b/auth_mellon_util.c
cd021e 
index 2f8c9c3..6a686db 100644
cd021e 
--- a/auth_mellon_util.c
cd021e 
+++ b/auth_mellon_util.c
cd021e 
@@ -927,6 +927,10 @@ int am_check_url(request_rec *r, const char *url)
cd021e 
 {
cd021e 
     const char *i;
cd021e
cd021e 
+    if (url == NULL) {
cd021e 
+        return HTTP_BAD_REQUEST;
cd021e 
+    }
cd021e 
+
cd021e 
     for (i = url; *i; i++) {
cd021e 
         if (*i >= 0 && *i < ' ') {
cd021e 
             /* Deny all control-characters. */
cd021e 
@@ -943,6 +947,12 @@ int am_check_url(request_rec *r, const char *url)
cd021e 
         }
cd021e 
     }
cd021e
cd021e 
+    if (strstr(url, "///") == url) {
cd021e 
+        AM_LOG_RERROR(APLOG_MARK, APLOG_ERR, HTTP_BAD_REQUEST, r,
cd021e 
+                          "URL starts with '///'");
cd021e 
+        return HTTP_BAD_REQUEST;
cd021e 
+    }
cd021e 
+
cd021e 
     return OK;
cd021e 
 }
cd021e
cd021e 
--
cd021e 
2.26.3
cd021e

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation