rpms / mod_auth_mellon

Clone
Source Code
GIT

Blame SOURCES/0009-Prevent-redirect-to-URLs-that-begin-with.patch

c7 c7-alt c7-beta c8 c8-beta c8s c9 c9-beta
  1.   cecfde2870b15c6230874bd9fd9f535e5a5a5009
  2.   SOURCES
  3.   0009-Prevent-redirect-to-URLs-that-begin-with.patch
Blob History Raw
cecfde 
From 42a11261b9dad2e48d70bdff7c53dd57a12db6f5 Mon Sep 17 00:00:00 2001
cecfde 
From: AIMOTO Norihito <aimoto@osstech.co.jp>
cecfde 
Date: Tue, 6 Jul 2021 22:57:24 +0200
cecfde 
Subject: [PATCH] Prevent redirect to URLs that begin with '///'
cecfde
cecfde 
Visiting a logout URL like this:
cecfde 
    https://rp.example.co.jp/mellon/logout?ReturnTo=///fishing-site.example.com/logout.html
cecfde 
would have redirected the user to fishing-site.example.com
cecfde
cecfde 
With the patch, this URL would be rejected.
cecfde
cecfde 
Fixes: CVE-2021-3639
cecfde 
---
cecfde 
 auth_mellon_util.c | 10 ++++++++++
cecfde 
 1 file changed, 10 insertions(+)
cecfde
cecfde 
diff --git a/auth_mellon_util.c b/auth_mellon_util.c
cecfde 
index 2f8c9c3..6a686db 100644
cecfde 
--- a/auth_mellon_util.c
cecfde 
+++ b/auth_mellon_util.c
cecfde 
@@ -927,6 +927,10 @@ int am_check_url(request_rec *r, const char *url)
cecfde 
 {
cecfde 
     const char *i;
cecfde
cecfde 
+    if (url == NULL) {
cecfde 
+        return HTTP_BAD_REQUEST;
cecfde 
+    }
cecfde 
+
cecfde 
     for (i = url; *i; i++) {
cecfde 
         if (*i >= 0 && *i < ' ') {
cecfde 
             /* Deny all control-characters. */
cecfde 
@@ -943,6 +947,12 @@ int am_check_url(request_rec *r, const char *url)
cecfde 
         }
cecfde 
     }
cecfde
cecfde 
+    if (strstr(url, "///") == url) {
cecfde 
+        AM_LOG_RERROR(APLOG_MARK, APLOG_ERR, HTTP_BAD_REQUEST, r,
cecfde 
+                          "URL starts with '///'");
cecfde 
+        return HTTP_BAD_REQUEST;
cecfde 
+    }
cecfde 
+
cecfde 
     return OK;
cecfde 
 }
cecfde
cecfde 
--
cecfde 
2.26.3
cecfde

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation