rpms / mod_auth_openidc

Clone
Source Code
GIT

Files

  1.   569f44ed8db0bf846e24f0f9b739743e22a6af39
  2.   SOURCES
  3.   0023-apply-OIDCRedirectURLsAllowed-setting-to-target_link.patch
Blob Blame History Raw 
From eac10ec54971ff021113f96c80deab9991faafc4 Mon Sep 17 00:00:00 2001
From: Hans Zandbelt <hans.zandbelt@zmartzone.eu>
Date: Fri, 3 Sep 2021 10:41:21 +0200
Subject: [PATCH 4/4] apply OIDCRedirectURLsAllowed setting to target_link_uri

closes #672; thanks @Meheni
release 2.4.9.4

Signed-off-by: Hans Zandbelt <hans.zandbelt@zmartzone.eu>
(cherry picked from commit 03e6bfb446f4e3f27c003d30d6a433e5dd8e2b3d)
---
 AUTHORS                |  31 +++++++
 auth_openidc.conf      |   5 +-
 src/mod_auth_openidc.c | 193 +++++++++++++++++++++--------------------
 3 files changed, 135 insertions(+), 94 deletions(-)

diff --git a/AUTHORS b/AUTHORS
index 1d91449..4f77eab 100644
--- a/AUTHORS
+++ b/AUTHORS
@@ -46,3 +46,34 @@ reporting bugs, providing fixes, suggesting useful features or other:
 	timpuri <https://github.com/timpuri>
 	Eldar Zaitov <https://github.com/kyprizel>
 	Gergan Penkov <https://github.com/gergan>
+	Florian Weimer <https://github.com/fweimer>
+	Aaron Donovan <https://github.com/amdonov>
+	Hans Petter Bieker <https://github.com/hpbieker>
+	archzone <https://github.com/archzone>
+	Petteri Stenius <https://github.com/psteniusubi>
+	Lance Fannin <lancekf08@gmail.com>
+	Ricardo Martin Camarero <https://github.com/rickyepoderi>
+	Filip Vujicic <https://github.com/FilipVujicic>
+	Janusz Ulanowski <https://github.com/janul>
+	Aimoto Norihito <https://github.com/oss-aimoto>
+	Andy Lindeman <https://github.com/alindeman>
+	Stefan Wachter <https://github.com/swachter>
+	Paolo Battino
+	absynth76 <https://github.com/absynth76>
+	Aaron Jones <https://github.com/wwaaron>
+	Bryan Ingram <https://github/bcingram>
+	Tim Deisser <https://github.com/deisser>
+	Peter Hurtenbach <https://github.com/Peter0x48>
+	Paul Spangler <https://github.com/spanglerco>
+	Chris Pawling <https://github.com/chris468>
+	Matthias Fleschütz <https://github.com/blindzero>
+	Harri Rautila <https://github.com/hrautila>
+	Tatsuhiko Yasumatsu <https://github.com/ty60>
+	Adam Stadler <https://github.com/tzfx>
+	Steffen Greber <https://github.com/codemaker219>
+	Iain Heggie <https://github.com/iainh>
+	Dirk Kok <https://github.com/Foxite>
+	Meheni https://github.com/Meheni
+
+
+
diff --git a/auth_openidc.conf b/auth_openidc.conf
index 75cdb8e..55febe5 100644
--- a/auth_openidc.conf
+++ b/auth_openidc.conf
@@ -786,8 +786,9 @@
 #OIDCStateInputHeaders [none|user-agent|x-forwarded-for|both]
 
 # Define one or more regular expressions that specify URLs (or domains) allowed for post logout and
-# other redirects such as the "return_to" value on refresh token requests, and the "login_uri" value
-# on session management based logins through the OP iframe, e.g.:
+# other redirects such as the "return_to" value on refresh token requests, the "login_uri" value
+# on session management based logins through the OP iframe, and the "target_link_uri" parameter in
+# 3rd-party initiated logins, e.g.:
 #   OIDCRedirectURLsAllowed ^https://www.example.com ^https://(\w+).example.org ^https://example.net/app
 # or:
 #   OIDCRedirectURLsAllowed ^https://www.example.com/logout$ ^https://www.example.com/app/return_to$ 
diff --git a/src/mod_auth_openidc.c b/src/mod_auth_openidc.c
index c96af75..4cc7976 100644
--- a/src/mod_auth_openidc.c
+++ b/src/mod_auth_openidc.c
@@ -2476,6 +2476,96 @@ static int oidc_target_link_uri_matches_configuration(request_rec *r,
 	return TRUE;
 }
 
+#define OIDC_MAX_URL_LENGTH 8192 * 2
+
+static apr_byte_t oidc_validate_redirect_url(request_rec *r, oidc_cfg *c,
+		const char *redirect_to_url, apr_byte_t restrict_to_host, char **err_str,
+		char **err_desc) {
+	apr_uri_t uri;
+	const char *c_host = NULL;
+	apr_hash_index_t *hi = NULL;
+	size_t i = 0;
+	char *url = apr_pstrndup(r->pool, redirect_to_url, OIDC_MAX_URL_LENGTH);
+
+	// replace potentially harmful backslashes with forward slashes
+	for (i = 0; i < strlen(url); i++)
+		if (url[i] == '\\')
+			url[i] = '/';
+
+	if (apr_uri_parse(r->pool, url, &uri) != APR_SUCCESS) {
+		*err_str = apr_pstrdup(r->pool, "Malformed URL");
+		*err_desc = apr_psprintf(r->pool, "not a valid URL value: %s", url);
+		oidc_error(r, "%s: %s", *err_str, *err_desc);
+		return FALSE;
+	}
+
+	if (c->redirect_urls_allowed != NULL) {
+		for (hi = apr_hash_first(NULL, c->redirect_urls_allowed); hi; hi =
+				apr_hash_next(hi)) {
+			apr_hash_this(hi, (const void**) &c_host, NULL, NULL);
+			if (oidc_util_regexp_first_match(r->pool, url, c_host,
+					NULL, err_str) == TRUE)
+				break;
+		}
+		if (hi == NULL) {
+			*err_str = apr_pstrdup(r->pool, "URL not allowed");
+			*err_desc =
+					apr_psprintf(r->pool,
+							"value does not match the list of allowed redirect URLs: %s",
+							url);
+			oidc_error(r, "%s: %s", *err_str, *err_desc);
+			return FALSE;
+		}
+	} else if ((uri.hostname != NULL) && (restrict_to_host == TRUE)) {
+		c_host = oidc_get_current_url_host(r);
+		if ((strstr(c_host, uri.hostname) == NULL)
+				|| (strstr(uri.hostname, c_host) == NULL)) {
+			*err_str = apr_pstrdup(r->pool, "Invalid Request");
+			*err_desc =
+					apr_psprintf(r->pool,
+							"URL value \"%s\" does not match the hostname of the current request \"%s\"",
+							apr_uri_unparse(r->pool, &uri, 0), c_host);
+			oidc_error(r, "%s: %s", *err_str, *err_desc);
+			return FALSE;
+		}
+	}
+
+	if ((uri.hostname == NULL) && (strstr(url, "/") != url)) {
+		*err_str = apr_pstrdup(r->pool, "Malformed URL");
+		*err_desc =
+				apr_psprintf(r->pool,
+						"No hostname was parsed and it does not seem to be relative, i.e starting with '/': %s",
+						url);
+		oidc_error(r, "%s: %s", *err_str, *err_desc);
+		return FALSE;
+	} else if ((uri.hostname == NULL) && (strstr(url, "//") == url)) {
+		*err_str = apr_pstrdup(r->pool, "Malformed URL");
+		*err_desc = apr_psprintf(r->pool,
+				"No hostname was parsed and starting with '//': %s", url);
+		oidc_error(r, "%s: %s", *err_str, *err_desc);
+		return FALSE;
+	} else if ((uri.hostname == NULL) && (strstr(url, "/\\") == url)) {
+		*err_str = apr_pstrdup(r->pool, "Malformed URL");
+		*err_desc = apr_psprintf(r->pool,
+				"No hostname was parsed and starting with '/\\': %s", url);
+		oidc_error(r, "%s: %s", *err_str, *err_desc);
+		return FALSE;
+	}
+
+	/* validate the URL to prevent HTTP header splitting */
+	if (((strstr(url, "\n") != NULL) || strstr(url, "\r") != NULL)) {
+		*err_str = apr_pstrdup(r->pool, "Invalid URL");
+		*err_desc =
+				apr_psprintf(r->pool,
+						"URL value \"%s\" contains illegal \"\n\" or \"\r\" character(s)",
+						url);
+		oidc_error(r, "%s: %s", *err_str, *err_desc);
+		return FALSE;
+	}
+
+	return TRUE;
+}
+
 /*
  * handle a response from an IDP discovery page and/or handle 3rd-party initiated SSO
  */
@@ -2486,6 +2576,8 @@ static int oidc_handle_discovery_response(request_rec *r, oidc_cfg *c) {
 			*auth_request_params = NULL, *csrf_cookie, *csrf_query = NULL,
 			*user = NULL, *path_scopes;
 	oidc_provider_t *provider = NULL;
+	char *error_str = NULL;
+	char *error_description = NULL;
 
 	oidc_util_get_request_parameter(r, OIDC_DISC_OP_PARAM, &issuer);
 	oidc_util_get_request_parameter(r, OIDC_DISC_USER_PARAM, &user);
@@ -2529,7 +2621,7 @@ static int oidc_handle_discovery_response(request_rec *r, oidc_cfg *c) {
 		target_link_uri = c->default_sso_url;
 	}
 
-	/* do open redirect prevention */
+	/* do open redirect prevention, step 1 */
 	if (oidc_target_link_uri_matches_configuration(r, c, target_link_uri)
 			== FALSE) {
 		return oidc_util_html_send_error(r, c->error_template,
@@ -2538,6 +2630,14 @@ static int oidc_handle_discovery_response(request_rec *r, oidc_cfg *c) {
 				HTTP_UNAUTHORIZED);
 	}
 
+	/* do input validation on the target_link_uri parameter value, step 2 */
+	if (oidc_validate_redirect_url(r, c, target_link_uri, TRUE, &error_str,
+			&error_description) == FALSE) {
+		return oidc_util_html_send_error(r, c->error_template, error_str,
+				error_description,
+				HTTP_UNAUTHORIZED);
+	}
+
 	/* see if this is a static setup */
 	if (c->metadata_dir == NULL) {
 		if ((oidc_provider_static_config(r, c, &provider) == TRUE)
@@ -2687,97 +2787,6 @@ static int oidc_handle_logout_request(request_rec *r, oidc_cfg *c,
 	return HTTP_MOVED_TEMPORARILY;
 }
 
-
-#define OIDC_MAX_URL_LENGTH DEFAULT_LIMIT_REQUEST_LINE * 2
-
-static apr_byte_t oidc_validate_redirect_url(request_rec *r, oidc_cfg *c,
-		const char *redirect_to_url, apr_byte_t restrict_to_host, char **err_str,
-		char **err_desc) {
-	apr_uri_t uri;
-	const char *c_host = NULL;
-	apr_hash_index_t *hi = NULL;
-	size_t i = 0;
-	char *url = apr_pstrndup(r->pool, redirect_to_url, OIDC_MAX_URL_LENGTH);
-
-	// replace potentially harmful backslashes with forward slashes
-	for (i = 0; i < strlen(url); i++)
-		if (url[i] == '\\')
-			url[i] = '/';
-
-	if (apr_uri_parse(r->pool, url, &uri) != APR_SUCCESS) {
-		*err_str = apr_pstrdup(r->pool, "Malformed URL");
-		*err_desc = apr_psprintf(r->pool, "not a valid URL value: %s", url);
-		oidc_error(r, "%s: %s", *err_str, *err_desc);
-		return FALSE;
-	}
-
-	if (c->redirect_urls_allowed != NULL) {
-		for (hi = apr_hash_first(NULL, c->redirect_urls_allowed); hi; hi =
-				apr_hash_next(hi)) {
-			apr_hash_this(hi, (const void**) &c_host, NULL, NULL);
-			if (oidc_util_regexp_first_match(r->pool, url, c_host,
-					NULL, err_str) == TRUE)
-				break;
-		}
-		if (hi == NULL) {
-			*err_str = apr_pstrdup(r->pool, "URL not allowed");
-			*err_desc =
-					apr_psprintf(r->pool,
-							"value does not match the list of allowed redirect URLs: %s",
-							url);
-			oidc_error(r, "%s: %s", *err_str, *err_desc);
-			return FALSE;
-		}
-	} else if ((uri.hostname != NULL) && (restrict_to_host == TRUE)) {
-		c_host = oidc_get_current_url_host(r);
-		if ((strstr(c_host, uri.hostname) == NULL)
-				|| (strstr(uri.hostname, c_host) == NULL)) {
-			*err_str = apr_pstrdup(r->pool, "Invalid Request");
-			*err_desc =
-					apr_psprintf(r->pool,
-							"URL value \"%s\" does not match the hostname of the current request \"%s\"",
-							apr_uri_unparse(r->pool, &uri, 0), c_host);
-			oidc_error(r, "%s: %s", *err_str, *err_desc);
-			return FALSE;
-		}
-	}
-
-	if ((uri.hostname == NULL) && (strstr(url, "/") != url)) {
-		*err_str = apr_pstrdup(r->pool, "Malformed URL");
-		*err_desc =
-				apr_psprintf(r->pool,
-						"No hostname was parsed and it does not seem to be relative, i.e starting with '/': %s",
-						url);
-		oidc_error(r, "%s: %s", *err_str, *err_desc);
-		return FALSE;
-	} else if ((uri.hostname == NULL) && (strstr(url, "//") == url)) {
-		*err_str = apr_pstrdup(r->pool, "Malformed URL");
-		*err_desc = apr_psprintf(r->pool,
-				"No hostname was parsed and starting with '//': %s", url);
-		oidc_error(r, "%s: %s", *err_str, *err_desc);
-		return FALSE;
-	} else if ((uri.hostname == NULL) && (strstr(url, "/\\") == url)) {
-		*err_str = apr_pstrdup(r->pool, "Malformed URL");
-		*err_desc = apr_psprintf(r->pool,
-				"No hostname was parsed and starting with '/\\': %s", url);
-		oidc_error(r, "%s: %s", *err_str, *err_desc);
-		return FALSE;
-	}
-
-	/* validate the URL to prevent HTTP header splitting */
-	if (((strstr(url, "\n") != NULL) || strstr(url, "\r") != NULL)) {
-		*err_str = apr_pstrdup(r->pool, "Invalid URL");
-		*err_desc =
-				apr_psprintf(r->pool,
-						"URL value \"%s\" contains illegal \"\n\" or \"\r\" character(s)",
-						url);
-		oidc_error(r, "%s: %s", *err_str, *err_desc);
-		return FALSE;
-	}
-
-    return TRUE;
-}
-
 /*
  * perform (single) logout
  */
-- 
2.31.1

Powered by Pagure 5.13.3

SSH Hostkey/Fingerprint | Documentation