From eac10ec54971ff021113f96c80deab9991faafc4 Mon Sep 17 00:00:00 2001
From: Hans Zandbelt <hans.zandbelt@zmartzone.eu>
Date: Fri, 3 Sep 2021 10:41:21 +0200
Subject: [PATCH 4/4] apply OIDCRedirectURLsAllowed setting to target_link_uri
closes #672; thanks @Meheni
release 2.4.9.4
Signed-off-by: Hans Zandbelt <hans.zandbelt@zmartzone.eu>
(cherry picked from commit 03e6bfb446f4e3f27c003d30d6a433e5dd8e2b3d)
---
AUTHORS | 31 +++++++
auth_openidc.conf | 5 +-
src/mod_auth_openidc.c | 193 +++++++++++++++++++++--------------------
3 files changed, 135 insertions(+), 94 deletions(-)
diff --git a/AUTHORS b/AUTHORS
index 1d91449..4f77eab 100644
--- a/AUTHORS
+++ b/AUTHORS
@@ -46,3 +46,34 @@ reporting bugs, providing fixes, suggesting useful features or other:
timpuri <https://github.com/timpuri>
Eldar Zaitov <https://github.com/kyprizel>
Gergan Penkov <https://github.com/gergan>
+ Florian Weimer <https://github.com/fweimer>
+ Aaron Donovan <https://github.com/amdonov>
+ Hans Petter Bieker <https://github.com/hpbieker>
+ archzone <https://github.com/archzone>
+ Petteri Stenius <https://github.com/psteniusubi>
+ Lance Fannin <lancekf08@gmail.com>
+ Ricardo Martin Camarero <https://github.com/rickyepoderi>
+ Filip Vujicic <https://github.com/FilipVujicic>
+ Janusz Ulanowski <https://github.com/janul>
+ Aimoto Norihito <https://github.com/oss-aimoto>
+ Andy Lindeman <https://github.com/alindeman>
+ Stefan Wachter <https://github.com/swachter>
+ Paolo Battino
+ absynth76 <https://github.com/absynth76>
+ Aaron Jones <https://github.com/wwaaron>
+ Bryan Ingram <https://github/bcingram>
+ Tim Deisser <https://github.com/deisser>
+ Peter Hurtenbach <https://github.com/Peter0x48>
+ Paul Spangler <https://github.com/spanglerco>
+ Chris Pawling <https://github.com/chris468>
+ Matthias Fleschütz <https://github.com/blindzero>
+ Harri Rautila <https://github.com/hrautila>
+ Tatsuhiko Yasumatsu <https://github.com/ty60>
+ Adam Stadler <https://github.com/tzfx>
+ Steffen Greber <https://github.com/codemaker219>
+ Iain Heggie <https://github.com/iainh>
+ Dirk Kok <https://github.com/Foxite>
+ Meheni https://github.com/Meheni
+
+
+
diff --git a/auth_openidc.conf b/auth_openidc.conf
index 75cdb8e..55febe5 100644
--- a/auth_openidc.conf
+++ b/auth_openidc.conf
@@ -786,8 +786,9 @@
#OIDCStateInputHeaders [none|user-agent|x-forwarded-for|both]
# Define one or more regular expressions that specify URLs (or domains) allowed for post logout and
-# other redirects such as the "return_to" value on refresh token requests, and the "login_uri" value
-# on session management based logins through the OP iframe, e.g.:
+# other redirects such as the "return_to" value on refresh token requests, the "login_uri" value
+# on session management based logins through the OP iframe, and the "target_link_uri" parameter in
+# 3rd-party initiated logins, e.g.:
# OIDCRedirectURLsAllowed ^https://www.example.com ^https://(\w+).example.org ^https://example.net/app
# or:
# OIDCRedirectURLsAllowed ^https://www.example.com/logout$ ^https://www.example.com/app/return_to$
diff --git a/src/mod_auth_openidc.c b/src/mod_auth_openidc.c
index c96af75..4cc7976 100644
--- a/src/mod_auth_openidc.c
+++ b/src/mod_auth_openidc.c
@@ -2476,6 +2476,96 @@ static int oidc_target_link_uri_matches_configuration(request_rec *r,
return TRUE;
}
+#define OIDC_MAX_URL_LENGTH 8192 * 2
+
+static apr_byte_t oidc_validate_redirect_url(request_rec *r, oidc_cfg *c,
+ const char *redirect_to_url, apr_byte_t restrict_to_host, char **err_str,
+ char **err_desc) {
+ apr_uri_t uri;
+ const char *c_host = NULL;
+ apr_hash_index_t *hi = NULL;
+ size_t i = 0;
+ char *url = apr_pstrndup(r->pool, redirect_to_url, OIDC_MAX_URL_LENGTH);
+
+ // replace potentially harmful backslashes with forward slashes
+ for (i = 0; i < strlen(url); i++)
+ if (url[i] == '\\')
+ url[i] = '/';
+
+ if (apr_uri_parse(r->pool, url, &uri) != APR_SUCCESS) {
+ *err_str = apr_pstrdup(r->pool, "Malformed URL");
+ *err_desc = apr_psprintf(r->pool, "not a valid URL value: %s", url);
+ oidc_error(r, "%s: %s", *err_str, *err_desc);
+ return FALSE;
+ }
+
+ if (c->redirect_urls_allowed != NULL) {
+ for (hi = apr_hash_first(NULL, c->redirect_urls_allowed); hi; hi =
+ apr_hash_next(hi)) {
+ apr_hash_this(hi, (const void**) &c_host, NULL, NULL);
+ if (oidc_util_regexp_first_match(r->pool, url, c_host,
+ NULL, err_str) == TRUE)
+ break;
+ }
+ if (hi == NULL) {
+ *err_str = apr_pstrdup(r->pool, "URL not allowed");
+ *err_desc =
+ apr_psprintf(r->pool,
+ "value does not match the list of allowed redirect URLs: %s",
+ url);
+ oidc_error(r, "%s: %s", *err_str, *err_desc);
+ return FALSE;
+ }
+ } else if ((uri.hostname != NULL) && (restrict_to_host == TRUE)) {
+ c_host = oidc_get_current_url_host(r);
+ if ((strstr(c_host, uri.hostname) == NULL)
+ || (strstr(uri.hostname, c_host) == NULL)) {
+ *err_str = apr_pstrdup(r->pool, "Invalid Request");
+ *err_desc =
+ apr_psprintf(r->pool,
+ "URL value \"%s\" does not match the hostname of the current request \"%s\"",
+ apr_uri_unparse(r->pool, &uri, 0), c_host);
+ oidc_error(r, "%s: %s", *err_str, *err_desc);
+ return FALSE;
+ }
+ }
+
+ if ((uri.hostname == NULL) && (strstr(url, "/") != url)) {
+ *err_str = apr_pstrdup(r->pool, "Malformed URL");
+ *err_desc =
+ apr_psprintf(r->pool,
+ "No hostname was parsed and it does not seem to be relative, i.e starting with '/': %s",
+ url);
+ oidc_error(r, "%s: %s", *err_str, *err_desc);
+ return FALSE;
+ } else if ((uri.hostname == NULL) && (strstr(url, "//") == url)) {
+ *err_str = apr_pstrdup(r->pool, "Malformed URL");
+ *err_desc = apr_psprintf(r->pool,
+ "No hostname was parsed and starting with '//': %s", url);
+ oidc_error(r, "%s: %s", *err_str, *err_desc);
+ return FALSE;
+ } else if ((uri.hostname == NULL) && (strstr(url, "/\\") == url)) {
+ *err_str = apr_pstrdup(r->pool, "Malformed URL");
+ *err_desc = apr_psprintf(r->pool,
+ "No hostname was parsed and starting with '/\\': %s", url);
+ oidc_error(r, "%s: %s", *err_str, *err_desc);
+ return FALSE;
+ }
+
+ /* validate the URL to prevent HTTP header splitting */
+ if (((strstr(url, "\n") != NULL) || strstr(url, "\r") != NULL)) {
+ *err_str = apr_pstrdup(r->pool, "Invalid URL");
+ *err_desc =
+ apr_psprintf(r->pool,
+ "URL value \"%s\" contains illegal \"\n\" or \"\r\" character(s)",
+ url);
+ oidc_error(r, "%s: %s", *err_str, *err_desc);
+ return FALSE;
+ }
+
+ return TRUE;
+}
+
/*
* handle a response from an IDP discovery page and/or handle 3rd-party initiated SSO
*/
@@ -2486,6 +2576,8 @@ static int oidc_handle_discovery_response(request_rec *r, oidc_cfg *c) {
*auth_request_params = NULL, *csrf_cookie, *csrf_query = NULL,
*user = NULL, *path_scopes;
oidc_provider_t *provider = NULL;
+ char *error_str = NULL;
+ char *error_description = NULL;
oidc_util_get_request_parameter(r, OIDC_DISC_OP_PARAM, &issuer);
oidc_util_get_request_parameter(r, OIDC_DISC_USER_PARAM, &user);
@@ -2529,7 +2621,7 @@ static int oidc_handle_discovery_response(request_rec *r, oidc_cfg *c) {
target_link_uri = c->default_sso_url;
}
- /* do open redirect prevention */
+ /* do open redirect prevention, step 1 */
if (oidc_target_link_uri_matches_configuration(r, c, target_link_uri)
== FALSE) {
return oidc_util_html_send_error(r, c->error_template,
@@ -2538,6 +2630,14 @@ static int oidc_handle_discovery_response(request_rec *r, oidc_cfg *c) {
HTTP_UNAUTHORIZED);
}
+ /* do input validation on the target_link_uri parameter value, step 2 */
+ if (oidc_validate_redirect_url(r, c, target_link_uri, TRUE, &error_str,
+ &error_description) == FALSE) {
+ return oidc_util_html_send_error(r, c->error_template, error_str,
+ error_description,
+ HTTP_UNAUTHORIZED);
+ }
+
/* see if this is a static setup */
if (c->metadata_dir == NULL) {
if ((oidc_provider_static_config(r, c, &provider) == TRUE)
@@ -2687,97 +2787,6 @@ static int oidc_handle_logout_request(request_rec *r, oidc_cfg *c,
return HTTP_MOVED_TEMPORARILY;
}
-
-#define OIDC_MAX_URL_LENGTH DEFAULT_LIMIT_REQUEST_LINE * 2
-
-static apr_byte_t oidc_validate_redirect_url(request_rec *r, oidc_cfg *c,
- const char *redirect_to_url, apr_byte_t restrict_to_host, char **err_str,
- char **err_desc) {
- apr_uri_t uri;
- const char *c_host = NULL;
- apr_hash_index_t *hi = NULL;
- size_t i = 0;
- char *url = apr_pstrndup(r->pool, redirect_to_url, OIDC_MAX_URL_LENGTH);
-
- // replace potentially harmful backslashes with forward slashes
- for (i = 0; i < strlen(url); i++)
- if (url[i] == '\\')
- url[i] = '/';
-
- if (apr_uri_parse(r->pool, url, &uri) != APR_SUCCESS) {
- *err_str = apr_pstrdup(r->pool, "Malformed URL");
- *err_desc = apr_psprintf(r->pool, "not a valid URL value: %s", url);
- oidc_error(r, "%s: %s", *err_str, *err_desc);
- return FALSE;
- }
-
- if (c->redirect_urls_allowed != NULL) {
- for (hi = apr_hash_first(NULL, c->redirect_urls_allowed); hi; hi =
- apr_hash_next(hi)) {
- apr_hash_this(hi, (const void**) &c_host, NULL, NULL);
- if (oidc_util_regexp_first_match(r->pool, url, c_host,
- NULL, err_str) == TRUE)
- break;
- }
- if (hi == NULL) {
- *err_str = apr_pstrdup(r->pool, "URL not allowed");
- *err_desc =
- apr_psprintf(r->pool,
- "value does not match the list of allowed redirect URLs: %s",
- url);
- oidc_error(r, "%s: %s", *err_str, *err_desc);
- return FALSE;
- }
- } else if ((uri.hostname != NULL) && (restrict_to_host == TRUE)) {
- c_host = oidc_get_current_url_host(r);
- if ((strstr(c_host, uri.hostname) == NULL)
- || (strstr(uri.hostname, c_host) == NULL)) {
- *err_str = apr_pstrdup(r->pool, "Invalid Request");
- *err_desc =
- apr_psprintf(r->pool,
- "URL value \"%s\" does not match the hostname of the current request \"%s\"",
- apr_uri_unparse(r->pool, &uri, 0), c_host);
- oidc_error(r, "%s: %s", *err_str, *err_desc);
- return FALSE;
- }
- }
-
- if ((uri.hostname == NULL) && (strstr(url, "/") != url)) {
- *err_str = apr_pstrdup(r->pool, "Malformed URL");
- *err_desc =
- apr_psprintf(r->pool,
- "No hostname was parsed and it does not seem to be relative, i.e starting with '/': %s",
- url);
- oidc_error(r, "%s: %s", *err_str, *err_desc);
- return FALSE;
- } else if ((uri.hostname == NULL) && (strstr(url, "//") == url)) {
- *err_str = apr_pstrdup(r->pool, "Malformed URL");
- *err_desc = apr_psprintf(r->pool,
- "No hostname was parsed and starting with '//': %s", url);
- oidc_error(r, "%s: %s", *err_str, *err_desc);
- return FALSE;
- } else if ((uri.hostname == NULL) && (strstr(url, "/\\") == url)) {
- *err_str = apr_pstrdup(r->pool, "Malformed URL");
- *err_desc = apr_psprintf(r->pool,
- "No hostname was parsed and starting with '/\\': %s", url);
- oidc_error(r, "%s: %s", *err_str, *err_desc);
- return FALSE;
- }
-
- /* validate the URL to prevent HTTP header splitting */
- if (((strstr(url, "\n") != NULL) || strstr(url, "\r") != NULL)) {
- *err_str = apr_pstrdup(r->pool, "Invalid URL");
- *err_desc =
- apr_psprintf(r->pool,
- "URL value \"%s\" contains illegal \"\n\" or \"\r\" character(s)",
- url);
- oidc_error(r, "%s: %s", *err_str, *err_desc);
- return FALSE;
- }
-
- return TRUE;
-}
-
/*
* perform (single) logout
*/
--
2.31.1