From f1e8dec3e749eea3a54553e07b7a1994a4aaf5b9 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jakub.hrozek@posteo.se>
Date: Fri, 23 Nov 2018 15:38:42 +0100
Subject: [PATCH 1001/1002] Backport security fix: scrub headers on
OIDCUnAuthAction pass; closes #222
|
---
src/mod_auth_openidc.c | 46 ++++++++++++++++++++++++++++--------------
1 file changed, 31 insertions(+), 15 deletions(-)
|
diff --git a/src/mod_auth_openidc.c b/src/mod_auth_openidc.c
|
|
|
0462b3 |
index a494238..f00280f 100644
|
|
|
0462b3 |
--- a/src/mod_auth_openidc.c
|
|
|
0462b3 |
+++ b/src/mod_auth_openidc.c
|
|
|
0462b3 |
@@ -133,6 +133,29 @@ static void oidc_scrub_request_headers(request_rec *r, const char *claim_prefix,
|
|
|
0462b3 |
r->headers_in = clean_headers;
|
|
|
0462b3 |
}
|
|
|
0462b3 |
|
|
|
0462b3 |
+static void oidc_scrub_headers(request_rec *r) {
|
|
|
0462b3 |
+ oidc_cfg *cfg = ap_get_module_config(r->server->module_config,
|
|
|
0462b3 |
+ &auth_openidc_module);
|
|
|
0462b3 |
+
|
|
|
0462b3 |
+ /* get a handle to the directory config */
|
|
|
0462b3 |
+ oidc_dir_cfg *dir_cfg = ap_get_module_config(r->per_dir_config,
|
|
|
0462b3 |
+ &auth_openidc_module);
|
|
|
0462b3 |
+
|
|
|
0462b3 |
+ if (cfg->scrub_request_headers != 0) {
|
|
|
0462b3 |
+ /* scrub all headers starting with OIDC_ first */
|
|
|
0462b3 |
+ oidc_scrub_request_headers(r, OIDC_DEFAULT_HEADER_PREFIX,
|
|
|
0462b3 |
+ dir_cfg->authn_header);
|
|
|
0462b3 |
+ /*
|
|
|
0462b3 |
+ * then see if the claim headers need to be removed on top of that
|
|
|
0462b3 |
+ * (i.e. the prefix does not start with the default OIDC_)
|
|
|
0462b3 |
+ */
|
|
|
0462b3 |
+ if ((strstr(cfg->claim_prefix, OIDC_DEFAULT_HEADER_PREFIX)
|
|
|
0462b3 |
+ != cfg->claim_prefix)) {
|
|
|
0462b3 |
+ oidc_scrub_request_headers(r, cfg->claim_prefix, NULL);
|
|
|
0462b3 |
+ }
|
|
|
0462b3 |
+ }
|
|
|
0462b3 |
+}
|
|
|
0462b3 |
+
|
|
|
0462b3 |
#define OIDC_SHA1_LEN 20
|
|
|
0462b3 |
|
|
|
0462b3 |
/*
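Review bot: The new `oidc_scrub_headers` has no header comment stating what it removes and why, which matters because the second and third hunks make it the single place that strips client-supplied claim headers; suggest above the definition: `/* Drop incoming headers with the OIDC_ prefix, the configured authn header and, when it is not OIDC_-prefixed, the claim prefix, so a client cannot inject claim headers; no-op when cfg->scrub_request_headers is 0. */`. The prefix test `strstr(cfg->claim_prefix, OIDC_DEFAULT_HEADER_PREFIX) != cfg->claim_prefix` scans the whole string to express "starts with"; `strncmp(cfg->claim_prefix, OIDC_DEFAULT_HEADER_PREFIX, strlen(OIDC_DEFAULT_HEADER_PREFIX)) != 0` says it directly and makes the same decision for non-NULL input. If `cfg->claim_prefix` can be unset, both forms dereference NULL, so a guard may be warranted, but that is not determinable from this hunk. `oidc_scrub_request_headers`, whose tail opens the hunk, begins outside it.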
|
|
|
0462b3 |
@@ -988,21 +1011,7 @@ static int oidc_handle_existing_session(request_rec *r, oidc_cfg *cfg,
|
|
|
0462b3 |
* we're going to pass the information that we have to the application,
|
|
|
0462b3 |
* but first we need to scrub the headers that we're going to use for security reasons
|
|
|
0462b3 |
*/
|
|
|
0462b3 |
- if (cfg->scrub_request_headers != 0) {
|
|
|
0462b3 |
-
|
|
|
0462b3 |
- /* scrub all headers starting with OIDC_ first */
|
|
|
0462b3 |
- oidc_scrub_request_headers(r, OIDC_DEFAULT_HEADER_PREFIX,
|
|
|
0462b3 |
- dir_cfg->authn_header);
|
|
|
0462b3 |
-
|
|
|
0462b3 |
- /*
|
|
|
0462b3 |
- * then see if the claim headers need to be removed on top of that
|
|
|
0462b3 |
- * (i.e. the prefix does not start with the default OIDC_)
|
|
|
0462b3 |
- */
|
|
|
0462b3 |
- if ((strstr(cfg->claim_prefix, OIDC_DEFAULT_HEADER_PREFIX)
|
|
|
0462b3 |
- != cfg->claim_prefix)) {
|
|
|
0462b3 |
- oidc_scrub_request_headers(r, cfg->claim_prefix, NULL);
|
|
|
0462b3 |
- }
|
|
|
0462b3 |
- }
|
|
|
0462b3 |
+ oidc_scrub_headers(r);
|
|
|
0462b3 |
|
|
|
0462b3 |
/* set the user authentication HTTP header if set and required */
|
|
|
0462b3 |
if ((r->user != NULL) && (dir_cfg->authn_header != NULL))
|
|
|
0462b3 |
@@ -2560,6 +2569,13 @@ static int oidc_check_userid_openidc(request_rec *r, oidc_cfg *c) {
|
|
|
0462b3 |
case RETURN401:
|
|
|
0462b3 |
return HTTP_UNAUTHORIZED;
|
|
|
0462b3 |
case PASS:
|
|
|
0462b3 |
+ /*
|
|
|
0462b3 |
+ * we're not going to pass information about
|
|
|
0462b3 |
+ * an authenticated user to the application, *
|
|
|
0462b3 |
+ * but we do need to scrub the headers that
|
|
|
0462b3 |
+ * mod_auth_openidc would set for security reasons
|
|
|
0462b3 |
+ */
|
|
|
0462b3 |
+ oidc_scrub_headers(r);
|
|
|
0462b3 |
return OK;
|
|
|
0462b3 |
case AUTHENTICATE:
|
|
|
0462b3 |
/* if this is a Javascript path we won't redirect the user and create a state cookie */
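Review bot: The comment added above `oidc_scrub_headers(r)` in the `PASS` case has a stray trailing `*` on the line `* an authenticated user to the application, *`, which should be dropped. It would also help to say there that the scrub is still conditional: per the first hunk, `oidc_scrub_headers` leaves the headers untouched when `cfg->scrub_request_headers` is 0, so with that setting off a client's own OIDC_-prefixed or claim-prefixed headers still reach the application on the unauthenticated pass path; e.g. add `* (still subject to cfg->scrub_request_headers)`. The enclosing switch and `oidc_check_userid_openidc` continue outside the hunk.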
--
2.19.2