Blame SOURCES/0002-Fix-redirect-URL-validation-bypass.patch

8f4470
From 62041428a32de402e0be6ba45fe12df6a83bedb8 Mon Sep 17 00:00:00 2001
8f4470
From: Olav Morken <olav.morken@uninett.no>
8f4470
Date: Tue, 19 Mar 2019 13:42:22 +0100
8f4470
Subject: [PATCH] Fix redirect URL validation bypass
8f4470
8f4470
It turns out that browsers silently convert backslash characters into
8f4470
forward slashes, while apr_uri_parse() does not.
8f4470
8f4470
This mismatch allows an attacker to bypass the redirect URL validation
8f4470
by using an URL like:
8f4470
8f4470
  https://sp.example.org/mellon/logout?ReturnTo=https:%5c%5cmalicious.example.org/
8f4470
8f4470
mod_auth_mellon will assume that it is a relative URL and allow the
8f4470
request to pass through, while the browsers will use it as an absolute
8f4470
url and redirect to https://malicious.example.org/ .
8f4470
8f4470
This patch fixes this issue by rejecting all redirect URLs with
8f4470
backslashes.
8f4470
---
8f4470
 auth_mellon_util.c | 7 +++++++
8f4470
 1 file changed, 7 insertions(+)
8f4470
8f4470
diff --git a/auth_mellon_util.c b/auth_mellon_util.c
8f4470
index 0fab309..fd442f9 100644
8f4470
--- a/auth_mellon_util.c
8f4470
+++ b/auth_mellon_util.c
8f4470
@@ -927,6 +927,13 @@ int am_check_url(request_rec *r, const char *url)
8f4470
                           "Control character detected in URL.");
8f4470
             return HTTP_BAD_REQUEST;
8f4470
         }
8f4470
+        if (*i == '\\') {
8f4470
+            /* Reject backslash character, as it can be used to bypass
8f4470
+             * redirect URL validation. */
8f4470
+            AM_LOG_RERROR(APLOG_MARK, APLOG_ERR, HTTP_BAD_REQUEST, r,
8f4470
+                          "Backslash character detected in URL.");
8f4470
+            return HTTP_BAD_REQUEST;
8f4470
+        }
8f4470
     }
8f4470
 
8f4470
     return OK;
8f4470
-- 
8f4470
2.19.2
8f4470