From a0f8fc7af11311e8e50637ae17751561d9a06231 Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: Mar 31 2020 09:32:34 +0000
Subject: import mod_auth_mellon-0.14.0-8.el7


---

diff --git a/SOURCES/0003-Fix-incorrect-header-used-for-detecting-AJAX-request.patch b/SOURCES/0003-Fix-incorrect-header-used-for-detecting-AJAX-request.patch
new file mode 100644
index 0000000..7f5971a
--- /dev/null
+++ b/SOURCES/0003-Fix-incorrect-header-used-for-detecting-AJAX-request.patch
@@ -0,0 +1,49 @@
+From 6358a5169762ef7b89d8b6d0f1a99b006f0fdd2f Mon Sep 17 00:00:00 2001
+From: Olav Morken <olav.morken@uninett.no>
+Date: Wed, 25 Jul 2018 12:19:39 +0200
+Subject: [PATCH] Fix incorrect header used for detecting AJAX requests
+
+The code was looking for "X-Request-With", but the header is actually
+"X-Requested-With". As far as I can tell, it has always been the
+latter, at least in the jQuery source code.
+
+Fixes issue #174.
+---
+ README.md             | 2 +-
+ auth_mellon_handler.c | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/README.md b/README.md
+index 0a91dc5..8d85b43 100644
+--- a/README.md
++++ b/README.md
+@@ -180,7 +180,7 @@ MellonDiagnosticsEnable Off
+         #           then we will redirect him to the login page of the IdP.
+         #
+         #           There is a special handling of AJAX requests, that are
+-        #           identified by the "X-Request-With: XMLHttpRequest" HTTP
++        #           identified by the "X-Requested-With: XMLHttpRequest" HTTP
+         #           header. Since no user interaction can happen there,
+         #           we always fail unauthenticated (not logged in) requests
+         #           with a 403 Forbidden error without redirecting to the IdP.
+diff --git a/auth_mellon_handler.c b/auth_mellon_handler.c
+index b16dc45..e33e6e9 100644
+--- a/auth_mellon_handler.c
++++ b/auth_mellon_handler.c
+@@ -3658,11 +3658,11 @@ int am_auth_mellon_user(request_rec *r)
+              * If this is an AJAX request, we cannot proceed to the IdP,
+              * Just fail early to save our resources
+              */
+-            ajax_header = apr_table_get(r->headers_in, "X-Request-With");
++            ajax_header = apr_table_get(r->headers_in, "X-Requested-With");
+             if (ajax_header != NULL &&
+                 strcmp(ajax_header, "XMLHttpRequest") == 0) {
+                     AM_LOG_RERROR(APLOG_MARK, APLOG_INFO, 0, r,
+-                      "Deny unauthenticated X-Request-With XMLHttpRequest "
++                      "Deny unauthenticated X-Requested-With XMLHttpRequest "
+                       "(AJAX) request");
+                     return HTTP_FORBIDDEN;
+             }
+-- 
+2.20.1
+
diff --git a/SOURCES/0004-CVE_2019_13038.patch b/SOURCES/0004-CVE_2019_13038.patch
new file mode 100644
index 0000000..f04a4e4
--- /dev/null
+++ b/SOURCES/0004-CVE_2019_13038.patch
@@ -0,0 +1,28 @@
+From 297093e6a48a4c0fd307c2206c59a8c8eb84fb53 Mon Sep 17 00:00:00 2001
+From: Valentin <awakenine@users.noreply.github.com>
+Date: Fri, 6 Sep 2019 13:30:36 +0300
+Subject: [PATCH] Update auth_mellon_mode.c
+
+Fix open redirect CVE-2019-13038
+---
+ auth_mellon_util.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/auth_mellon_util.c b/auth_mellon_util.c
+index fd442f9..7dff61e 100644
+--- a/auth_mellon_util.c
++++ b/auth_mellon_util.c
+@@ -116,6 +116,10 @@ int am_validate_redirect_url(request_rec *r, const char *url)
+ 
+     /* Sanity check of the scheme of the domain. We only allow http and https. */
+     if (uri.scheme) {
++	/* http and https schemes without hostname are invalid. */
++        if (!uri.hostname) {
++            return HTTP_BAD_REQUEST;
++	}
+         if (strcasecmp(uri.scheme, "http")
+             && strcasecmp(uri.scheme, "https")) {
+             AM_LOG_RERROR(APLOG_MARK, APLOG_ERR, 0, r,
+-- 
+2.21.0
+
diff --git a/SPECS/mod_auth_mellon.spec b/SPECS/mod_auth_mellon.spec
index 61ae66c..d368414 100644
--- a/SPECS/mod_auth_mellon.spec
+++ b/SPECS/mod_auth_mellon.spec
@@ -1,7 +1,7 @@
 Summary: A SAML 2.0 authentication module for the Apache Httpd Server
 Name: mod_auth_mellon
 Version: 0.14.0
-Release: 2%{?dist}.4
+Release: 8%{?dist}
 Group: System Environment/Daemons
 Source0: https://github.com/UNINETT/mod_auth_mellon/releases/download/v%{version}/%{name}-%{version}.tar.gz
 Source1: auth_mellon.conf
@@ -23,6 +23,8 @@ Url: https://github.com/UNINETT/mod_auth_mellon
 
 Patch0001: 0001-Modify-am_handler-setup-to-run-before-mod_proxy.patch
 Patch0002: 0002-Fix-redirect-URL-validation-bypass.patch
+Patch0003: 0003-Fix-incorrect-header-used-for-detecting-AJAX-request.patch
+Patch0004: 0004-CVE_2019_13038.patch
 
 # FIXME: RHEL-7 does not have rubygem-asciidoctor, only asciidoc. However,
 # I could not get asciidoc to render properly so instead I generated
@@ -39,6 +41,8 @@ received in assertions generated by a IdP server.
 %setup -q -n %{name}-%{version}
 %patch1 -p1
 %patch2 -p1
+%patch3 -p1
+%patch4 -p1
 
 %build
 export APXS=%{_httpd_apxs}
@@ -110,23 +114,33 @@ in the doc directory for instructions on using the diagnostics build.
 %dir /run/%{name}/
 
 %changelog
-* Mon Apr  8 2019 Jakub Hrozek <jhrozek@redhat.com> - 0.14.0-2.4
-- Actually apply the patch in the previous build
-- Resolves: rhbz#1697488 - CVE-2019-3877 mod_auth_mellon: open redirect
+* Wed Oct  9 2019 Jakub Hrozek <jhrozek@redhat.com> - 0.14.0-8
+- Resolves: rhbz#1731052 - CVE-2019-13038 mod_auth_mellon: an Open Redirect via
+                           the login?ReturnTo= substring which could facilitate
+                           information theft [rhel-7]
+
+* Tue Aug  6 2019 Jakub Hrozek <jhrozek@redhat.com> - 0.14.0-7
+- Resolves: rhbz#1727789 - mod_auth_mellon fix for AJAX header name
+                           X-Requested-With
+
+* Tue Apr  2 2019 Jakub Hrozek <jhrozek@redhat.com> - 0.14.0-6
+- Apply the patch from the previous commit
+- Resolves: rhbz#1692470 - CVE-2019-3877 mod_auth_mellon: open redirect
                            in logout url when using URLs with backslashes
+                           [rhel-7]
 
-* Mon Apr  8 2019 Jakub Hrozek <jhrozek@redhat.com> - 0.14.0-2.3
-- Resolves: rhbz#1697488 - CVE-2019-3877 mod_auth_mellon: open redirect
+* Tue Apr  2 2019 Jakub Hrozek <jhrozek@redhat.com> - 0.14.0-5
+- Resolves: rhbz#1692470 - CVE-2019-3877 mod_auth_mellon: open redirect
                            in logout url when using URLs with backslashes
-                           [rhel-7] [rhel-7.6.z]
+                           [rhel-7]
 
-* Mon Apr  8 2019 Jakub Hrozek <jhrozek@redhat.com> - 0.14.0-2.2
-- Resolves: rhbz#1697487 - mod_auth_mellon Cert files name wrong when
-                           hostname contains a number
+* Fri Mar 22 2019 Jakub Hrozek <jhrozek@redhat.com> - 0.14.0-4
+- Resolves: rhbz#1576719 - ECP flow not triggering, instead client access
+                           secured resources without ECP authentication
 
-* Fri Mar 22 2019 Jakub Hrozek <jhrozek@redhat.com> - 0.14.0-2.1
-- Resolves: rhbz#1692455 - CVE-2019-3878 mod_auth_mellon: authentication
-                           bypass in ECP flow [rhel-7.6.z]
+* Tue Mar  5 2019 Jakub Hrozek <jhrozek@redhat.com> - 0.14.0-3
+- Resolves: rhbz#1652980 - mod_auth_mellon Cert files name wrong when
+                           hostname contains a number
 
 * Fri Jun  1 2018  <jdennis@redhat.com> - 0.14.0-2
 - Resolves: rhbz#1553885