diff --git a/SOURCES/0002-Fix-redirect-URL-validation-bypass.patch b/SOURCES/0002-Fix-redirect-URL-validation-bypass.patch
new file mode 100644
index 0000000..b3f18c5
--- /dev/null
+++ b/SOURCES/0002-Fix-redirect-URL-validation-bypass.patch
@@ -0,0 +1,44 @@
+From 62041428a32de402e0be6ba45fe12df6a83bedb8 Mon Sep 17 00:00:00 2001
+From: Olav Morken <olav.morken@uninett.no>
+Date: Tue, 19 Mar 2019 13:42:22 +0100
+Subject: [PATCH] Fix redirect URL validation bypass
+
+It turns out that browsers silently convert backslash characters into
+forward slashes, while apr_uri_parse() does not.
+
+This mismatch allows an attacker to bypass the redirect URL validation
+by using an URL like:
+
+ https://sp.example.org/mellon/logout?ReturnTo=https:%5c%5cmalicious.example.org/
+
+mod_auth_mellon will assume that it is a relative URL and allow the
+request to pass through, while the browsers will use it as an absolute
+url and redirect to https://malicious.example.org/ .
+
+This patch fixes this issue by rejecting all redirect URLs with
+backslashes.
+---
+ auth_mellon_util.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/auth_mellon_util.c b/auth_mellon_util.c
+index 0fab309..fd442f9 100644
+--- a/auth_mellon_util.c
++++ b/auth_mellon_util.c
+@@ -927,6 +927,13 @@ int am_check_url(request_rec *r, const char *url)
+ "Control character detected in URL.");
+ return HTTP_BAD_REQUEST;
+ }
++ if (*i == '\\') {
++ /* Reject backslash character, as it can be used to bypass
++ * redirect URL validation. */
++ AM_LOG_RERROR(APLOG_MARK, APLOG_ERR, HTTP_BAD_REQUEST, r,
++ "Backslash character detected in URL.");
++ return HTTP_BAD_REQUEST;
++ }
+ }
+
+ return OK;
+--
+2.19.2
+
diff --git a/SOURCES/0003-backport-Make-the-environment-variable-prefix-configurable.patch b/SOURCES/0003-backport-Make-the-environment-variable-prefix-configurable.patch
new file mode 100644
index 0000000..48f6203
--- /dev/null
+++ b/SOURCES/0003-backport-Make-the-environment-variable-prefix-configurable.patch
@@ -0,0 +1,172 @@
+diff -up mod_auth_mellon-0.14.0/auth_mellon_cache.c.env_prefix mod_auth_mellon-0.14.0/auth_mellon_cache.c
+--- mod_auth_mellon-0.14.0/auth_mellon_cache.c.env_prefix 2017-10-02 11:44:08.000000000 +0200
++++ mod_auth_mellon-0.14.0/auth_mellon_cache.c 2019-06-10 09:46:36.806014513 +0200
+@@ -589,7 +589,7 @@ void am_cache_env_populate(request_rec *
+ */
+ for(i = 0; i < t->size; ++i) {
+ varname = am_cache_entry_get_string(t, &t->env[i].varname);
+- varname_prefix = "MELLON_";
++ varname_prefix = d->env_prefix;
+
+ /* Check if we should map this name into another name. */
+ env_varname_conf = (am_envattr_conf_t *)apr_hash_get(
+diff -up mod_auth_mellon-0.14.0/auth_mellon_config.c.env_prefix mod_auth_mellon-0.14.0/auth_mellon_config.c
+--- mod_auth_mellon-0.14.0/auth_mellon_config.c.env_prefix 2018-03-16 08:14:54.000000000 +0100
++++ mod_auth_mellon-0.14.0/auth_mellon_config.c 2019-06-10 09:46:36.807014516 +0200
+@@ -36,6 +36,11 @@ static const char *default_endpoint_path
+ */
+ static const char *default_user_attribute = "NAME_ID";
+
++/* This is the default prefix to use for attributes received from the
++ * server. Customizable using the MellonEnvPrefix option
++ */
++static const char *default_env_prefix = "MELLON_";
++
+ /* This is the default name of the cookie which mod_auth_mellon will set.
+ * If you change this, then you should also update the description of the
+ * MellonVar configuration directive.
+@@ -1372,8 +1377,10 @@ const command_rec auth_mellon_commands[]
+ am_set_setenv_slot,
+ NULL,
+ OR_AUTHCFG,
+- "Renames attributes received from the server while retaining prefix MELLON_. The format is"
+- " MellonSetEnv <old name> <new name>."
++ "Renames attributes received from the server while retaining the"
++ " prefix. The prefix defaults to MELLON_ but can be changed with"
++ " MellonEnvPrefix."
++ " The format is MellonSetEnv <old name> <new name>."
+ ),
+ AP_INIT_TAKE2(
+ "MellonSetEnvNoPrefix",
+@@ -1383,6 +1390,13 @@ const command_rec auth_mellon_commands[]
+ "Renames attributes received from the server without adding prefix. The format is"
+ " MellonSetEnvNoPrefix <old name> <new name>."
+ ),
++ AP_INIT_TAKE1(
++ "MellonEnvPrefix",
++ ap_set_string_slot,
++ (void *)APR_OFFSETOF(am_dir_cfg_rec, env_prefix),
++ OR_AUTHCFG,
++ "The prefix to use for attributes received from the server."
++ ),
+ AP_INIT_FLAG(
+ "MellonSessionDump",
+ ap_set_flag_slot,
+@@ -1714,6 +1728,7 @@ void *auth_mellon_dir_config(apr_pool_t
+ dir->cookie_path = NULL;
+ dir->cookie_samesite = am_samesite_default;
+ dir->envattr = apr_hash_make(p);
++ dir->env_prefix = default_env_prefix;
+ dir->userattr = default_user_attribute;
+ dir->idpattr = NULL;
+ dir->signature_method = inherit_signature_method;
+@@ -1868,6 +1883,10 @@ void *auth_mellon_dir_merge(apr_pool_t *
+ add_cfg->envattr :
+ base_cfg->envattr);
+
++ new_cfg->env_prefix = (add_cfg->env_prefix != default_env_prefix ?
++ add_cfg->env_prefix :
++ base_cfg->env_prefix);
++
+ new_cfg->userattr = (add_cfg->userattr != default_user_attribute ?
+ add_cfg->userattr :
+ base_cfg->userattr);
+diff -up mod_auth_mellon-0.14.0/auth_mellon_diagnostics.c.env_prefix mod_auth_mellon-0.14.0/auth_mellon_diagnostics.c
+--- mod_auth_mellon-0.14.0/auth_mellon_diagnostics.c.env_prefix 2018-03-16 08:14:54.000000000 +0100
++++ mod_auth_mellon-0.14.0/auth_mellon_diagnostics.c 2019-06-10 09:46:36.808014518 +0200
+@@ -442,6 +442,9 @@ am_diag_log_dir_cfg(request_rec *r, int
+ "%sMellonCookieSameSite (cookie_samesite): %s\n",
+ indent(level+1),
+ am_diag_samesite_str(r, cfg->cookie_samesite));
++ apr_file_printf(diag_cfg->fd,
++ "%sMellonEnvPrefix (env_prefix): %s\n",
++ indent(level+1), cfg->env_prefix);
+
+ apr_file_printf(diag_cfg->fd,
+ "%sMellonCond (cond): %d items\n",
+@@ -466,7 +469,7 @@ am_diag_log_dir_cfg(request_rec *r, int
+ apr_hash_this(hash_item, (void *)&key, NULL, (void *)&envattr_conf);
+
+ if (envattr_conf->prefixed) {
+- name = apr_pstrcat(r->pool, "MELLON_",
++ name = apr_pstrcat(r->pool, cfg->env_prefix,
+ envattr_conf->name, NULL);
+ } else {
+ name = envattr_conf->name;
+diff -up mod_auth_mellon-0.14.0/auth_mellon.h.env_prefix mod_auth_mellon-0.14.0/auth_mellon.h
+--- mod_auth_mellon-0.14.0/auth_mellon.h.env_prefix 2018-03-16 08:14:54.000000000 +0100
++++ mod_auth_mellon-0.14.0/auth_mellon.h 2019-06-10 09:46:36.805014510 +0200
+@@ -237,6 +237,7 @@ typedef struct am_dir_cfg_rec {
+ am_samesite_t cookie_samesite;
+ apr_array_header_t *cond;
+ apr_hash_t *envattr;
++ const char *env_prefix;
+ const char *userattr;
+ const char *idpattr;
+ LassoSignatureMethod signature_method;
+diff -up mod_auth_mellon-0.14.0/doc/user_guide/mellon_user_guide.adoc.env_prefix mod_auth_mellon-0.14.0/doc/user_guide/mellon_user_guide.adoc
+--- mod_auth_mellon-0.14.0/doc/user_guide/mellon_user_guide.adoc.env_prefix 2018-03-16 08:14:54.000000000 +0100
++++ mod_auth_mellon-0.14.0/doc/user_guide/mellon_user_guide.adoc 2019-06-10 09:48:08.422237471 +0200
+@@ -2007,11 +2007,13 @@ attributes.
+ assertion to a name of your choosing when it is placed in the Apache
+ environment. This is controlled by `MellonSetEnv` and
+ `MellonSetEnvNoPrefix` directives. The distinction
+- is `MellonSetEnv` always prepends the `MELLON_` prefix to the
++ is `MellonSetEnv` always prepends a prefix to the
+ environment variable name to help to prevent name collisions. The
++ prefix defaults to `MELLON_` and can be configured using the
++ `MellonEnvPrefix` configuration option. The
+ `MellonSetEnvNoPrefix` directive also remaps the assertion name to a
+ name of your choosing but it omits prepending the environment
+- variable name with `MELLON_`. See <<map_assertion_attr_name>>
++ variable name with the prefix. See <<map_assertion_attr_name>>
+
+ Using the <<assertion_response,assertion example>> Mellon places these
+ environment variables in the Apache environment. See
+@@ -2096,10 +2098,12 @@ and `MellonSetEnvNoPrefix` directives. T
+ assertion attribute to a name of your choosing. The `MellonSetEnv`
+ directive follows the same convention as all other assertion
+ attributes added by Mellon in that it always prefixes the environment
+-variable name with `MELLON_` to help avoid name collisions in the
++variable name with a configurable prefix, which defaults to `MELLON_` to help avoid name collisions in the
+ Apache environment. However sometimes you do not want the `MELLON_`
+-prefix added and instead you want to use exactly the environment
+-variable name as specified., `MellonSetEnvNoPrefix` serves this role.
++prefix added. In case you simply want the variables prefixed with
++a different string, use the `MellonEnvPrefix` configuration option. If,
++instead you want to use exactly the environment variable name as specified.,
++`MellonSetEnvNoPrefix` serves this role.
+
+ To illustrate let's look at an example. Suppose your web app is
+ expecting an attribute which is the user's last name, specifically it
+@@ -2117,6 +2121,15 @@ MellonSetEnvNoPrefix REMOTE_USER_LASTNAM
+ Also see <<set_remote_user>> for an example of setting the `REMOTE_USER`
+ environment variable using `MellonSetEnvNoPrefix`.
+
++The `MellonEnvPrefix` variable might be useful e.g. if you
++are migrating from a different SP which used its own prefix
++for the variables passed by the IdP. For example, to prefix
++all variables with `NOLLEM_` you would use:
++
++----
++MellonEnvPrefix NOLLEM_
++----
++
+ === Using Mellon to apply constraints [[assertion_constraints]]
+
+ SAML attributes can be used for more than exporting those values to a
+diff -up mod_auth_mellon-0.14.0/README.md.env_prefix mod_auth_mellon-0.14.0/README.md
+--- mod_auth_mellon-0.14.0/README.md.env_prefix 2018-03-16 08:14:54.000000000 +0100
++++ mod_auth_mellon-0.14.0/README.md 2019-06-10 09:46:36.805014510 +0200
+@@ -253,6 +253,11 @@ MellonDiagnosticsEnable Off
+ # Default. None set.
+ MellonSetEnvNoPrefix "DISPLAY_NAME" "displayName"
+
++ # MellonEnvPrefix changes the string the variables passed from the
++ # IdP are prefixed with.
++ # Default: MELLON_
++ MellonEnvPrefix "NOLLEM_"
++
+ # MellonMergeEnvVars merges multiple values of environment variables
+ # set using MellonSetEnv into single variable:
+ # ie: MYENV_VAR => val1;val2;val3 instead of default behaviour of:
diff --git a/SPECS/mod_auth_mellon.spec b/SPECS/mod_auth_mellon.spec
index a8de5b0..d1ad732 100644
--- a/SPECS/mod_auth_mellon.spec
+++ b/SPECS/mod_auth_mellon.spec
@@ -1,7 +1,7 @@
Summary: A SAML 2.0 authentication module for the Apache Httpd Server
Name: mod_auth_mellon
Version: 0.14.0
-Release: 3%{?dist}.2
+Release: 9%{?dist}
Group: System Environment/Daemons
Source0: https://github.com/UNINETT/mod_auth_mellon/releases/download/v%{version}/%{name}-%{version}.tar.gz
Source1: auth_mellon.conf
@@ -23,6 +23,8 @@ Requires: lasso >= 2.5.1
Url: https://github.com/UNINETT/mod_auth_mellon
Patch0001: 0001-Modify-am_handler-setup-to-run-before-mod_proxy.patch
+Patch0002: 0002-Fix-redirect-URL-validation-bypass.patch
+Patch0003: 0003-backport-Make-the-environment-variable-prefix-configurable.patch
# FIXME: RHEL-7 does not have rubygem-asciidoctor, only asciidoc. However,
# I could not get asciidoc to render properly so instead I generated
@@ -38,6 +40,8 @@ received in assertions generated by a IdP server.
%prep
%setup -q -n %{name}-%{version}
%patch1 -p1
+%patch2 -p1
+%patch3 -p1
%build
export APXS=%{_httpd_apxs}
@@ -105,12 +109,35 @@ in the doc directory for instructions on using the diagnostics build.
%{_httpd_moddir}/mod_auth_mellon.so
%{_tmpfilesdir}/mod_auth_mellon.conf
%{_libexecdir}/%{name}
-%dir /run/%{name}/
+%attr(0755,apache,apache) %dir /run/%{name}/
%changelog
-* Tue Apr 16 2019 Jakub Hrozek <jhrozek@redhat.com> - 0.14.0-3.2
-- Resolves: rhbz#1696197 - CVE-2019-3878 mod_auth_mellon: authentication
- bypass in ECP flow [rhel-8.0.0.z]
+* Thu Jun 13 2019 Jakub Hrozek <jhrozek@redhat.com> - 0.14.0-9
+- Just bump the release number
+- Related: rhbz#1718238 - mod_auth_mellon-diagnostics RPM not in product
+ listings
+
+* Fri Jun 7 2019 Jakub Hrozek <jhrozek@redhat.com> - 0.14.0-8
+- Resolves: rhbz#1691894 - [RFE] Config option to change mod_auth_mellon prefix
+
+* Fri Jun 7 2019 Jakub Hrozek <jhrozek@redhat.com> - 0.14.0-7
+- Apply the patch from the previous commit
+- Resolves: rhbz#1692471 - CVE-2019-3877 appstream/mod_auth_mellon: open
+ redirect in logout url when using URLs with
+ backslashes [rhel-8]
+
+* Fri Jun 7 2019 Jakub Hrozek <jhrozek@redhat.com> - 0.14.0-6
+- Resolves: rhbz#1692471 - CVE-2019-3877 appstream/mod_auth_mellon: open
+ redirect in logout url when using URLs with
+ backslashes [rhel-8]
+
+* Fri Jun 7 2019 Jakub Hrozek <jhrozek@redhat.com> - 0.14.0-5
+- Resolves: rhbz#1692457 - CVE-2019-3878 mod_auth_mellon: authentication
+ bypass in ECP flow [rhel-8.1.0]
+
+* Wed Apr 24 2019 Jakub Hrozek <jhrozek@redhat.com> - 0.14.0-4
+- Resolves: rhbz#1702695 - fresh install of mod_auth_mellon shows rpm
+ verification warnings
* Mon Jul 30 2018 Florian Weimer <fweimer@redhat.com> - 0.14.0-3
- Rebuild with fixed binutils