Blame SOURCES/0004-CVE_2019_13038.patch
|
 |
a0f8fc |
From 297093e6a48a4c0fd307c2206c59a8c8eb84fb53 Mon Sep 17 00:00:00 2001
|
|
|
a0f8fc |
From: Valentin <awakenine@users.noreply.github.com>
|
|
|
a0f8fc |
Date: Fri, 6 Sep 2019 13:30:36 +0300
|
|
|
a0f8fc |
Subject: [PATCH] Update auth_mellon_mode.c
|
|
|
a0f8fc |
|
|
|
a0f8fc |
Fix open redirect CVE-2019-13038
|
|
|
a0f8fc |
---
|
|
|
a0f8fc |
auth_mellon_util.c | 4 ++++
|
|
|
a0f8fc |
1 file changed, 4 insertions(+)
|
|
|
a0f8fc |
|
|
|
a0f8fc |
diff --git a/auth_mellon_util.c b/auth_mellon_util.c
|
|
|
a0f8fc |
index fd442f9..7dff61e 100644
|
|
|
a0f8fc |
--- a/auth_mellon_util.c
|
|
|
a0f8fc |
+++ b/auth_mellon_util.c
|
|
|
a0f8fc |
@@ -116,6 +116,10 @@ int am_validate_redirect_url(request_rec *r, const char *url)
|
|
|
a0f8fc |
|
|
|
a0f8fc |
/* Sanity check of the scheme of the domain. We only allow http and https. */
|
|
|
a0f8fc |
if (uri.scheme) {
|
|
|
a0f8fc |
+ /* http and https schemes without hostname are invalid. */
|
|
|
a0f8fc |
+ if (!uri.hostname) {
|
|
|
a0f8fc |
+ return HTTP_BAD_REQUEST;
|
|
|
a0f8fc |
+ }
|
|
|
a0f8fc |
if (strcasecmp(uri.scheme, "http")
|
|
|
a0f8fc |
&& strcasecmp(uri.scheme, "https")) {
|
|
|
a0f8fc |
AM_LOG_RERROR(APLOG_MARK, APLOG_ERR, 0, r,
|
|
|
a0f8fc |
--
|
|
|
a0f8fc |
2.21.0
|
|
|
a0f8fc |
|