|
 |
a860d0 |
From 62041428a32de402e0be6ba45fe12df6a83bedb8 Mon Sep 17 00:00:00 2001
|
|
|
a860d0 |
From: Olav Morken <olav.morken@uninett.no>
|
|
|
a860d0 |
Date: Tue, 19 Mar 2019 13:42:22 +0100
|
|
|
a860d0 |
Subject: [PATCH] Fix redirect URL validation bypass
|
|
|
a860d0 |
|
|
|
a860d0 |
It turns out that browsers silently convert backslash characters into
|
|
|
a860d0 |
forward slashes, while apr_uri_parse() does not.
|
|
|
a860d0 |
|
|
|
a860d0 |
This mismatch allows an attacker to bypass the redirect URL validation
|
|
|
a860d0 |
by using an URL like:
|
|
|
a860d0 |
|
|
|
a860d0 |
https://sp.example.org/mellon/logout?ReturnTo=https:%5c%5cmalicious.example.org/
|
|
|
a860d0 |
|
|
|
a860d0 |
mod_auth_mellon will assume that it is a relative URL and allow the
|
|
|
a860d0 |
request to pass through, while the browsers will use it as an absolute
|
|
|
a860d0 |
url and redirect to https://malicious.example.org/ .
|
|
|
a860d0 |
|
|
|
a860d0 |
This patch fixes this issue by rejecting all redirect URLs with
|
|
|
a860d0 |
backslashes.
|
|
|
a860d0 |
---
|
|
|
a860d0 |
auth_mellon_util.c | 7 +++++++
|
|
|
a860d0 |
1 file changed, 7 insertions(+)
|
|
|
a860d0 |
|
|
|
a860d0 |
diff --git a/auth_mellon_util.c b/auth_mellon_util.c
|
|
|
a860d0 |
index 0fab309..fd442f9 100644
|
|
|
a860d0 |
--- a/auth_mellon_util.c
|
|
|
a860d0 |
+++ b/auth_mellon_util.c
|
|
|
a860d0 |
@@ -927,6 +927,13 @@ int am_check_url(request_rec *r, const char *url)
|
|
|
a860d0 |
"Control character detected in URL.");
|
|
|
a860d0 |
return HTTP_BAD_REQUEST;
|
|
|
a860d0 |
}
|
|
|
a860d0 |
+ if (*i == '\\') {
|
|
|
a860d0 |
+ /* Reject backslash character, as it can be used to bypass
|
|
|
a860d0 |
+ * redirect URL validation. */
|
|
|
a860d0 |
+ AM_LOG_RERROR(APLOG_MARK, APLOG_ERR, HTTP_BAD_REQUEST, r,
|
|
|
a860d0 |
+ "Backslash character detected in URL.");
|
|
|
a860d0 |
+ return HTTP_BAD_REQUEST;
|
|
|
a860d0 |
+ }
|
|
|
a860d0 |
}
|
|
|
a860d0 |
|
|
|
a860d0 |
return OK;
|
|
|
a860d0 |
--
|
|
|
a860d0 |
2.19.2
|
|
|
a860d0 |
|