From 91153f7eeff3c9626863c2e4f581621e88038430 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Sep 29 2020 07:01:35 +0000
Subject: import mod_auth_openidc-1.8.8-7.el7
---
diff --git a/SOURCES/0004-Backport-of-improve-validation-of-the-post-logout-UR.patch b/SOURCES/0004-Backport-of-improve-validation-of-the-post-logout-UR.patch
new file mode 100644
index 0000000..d3bdaba
--- /dev/null
+++ b/SOURCES/0004-Backport-of-improve-validation-of-the-post-logout-UR.patch
@@ -0,0 +1,129 @@
+From 0486590c2944b39b480ab1713026ea402420863e Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek
+Date: Mon, 16 Mar 2020 21:09:37 +0100
+Subject: [PATCH 4/6] Backport of improve validation of the post-logout URL;
+ closes #449
+
+---
+ src/mod_auth_openidc.c | 90 +++++++++++++++++++++++++-----------------
+ 1 file changed, 53 insertions(+), 37 deletions(-)
+
+diff --git a/src/mod_auth_openidc.c b/src/mod_auth_openidc.c
+index b504ecbf62f839a82ad205fa5f825f9a8428dfdb..431e89e086fbb72f56ea2a212e63c6ac693f62a2 100644
+--- a/src/mod_auth_openidc.c
++++ b/src/mod_auth_openidc.c
+@@ -2083,6 +2083,52 @@ static int oidc_handle_logout_request(request_rec *r, oidc_cfg *c,
+ return HTTP_MOVED_TEMPORARILY;
+ }
+
++static apr_byte_t oidc_validate_post_logout_url(request_rec *r, const char *url, char **err_str, char **err_desc) {
++ apr_uri_t uri;
++ const char *c_host = NULL;
++
++ if (apr_uri_parse(r->pool, url, &uri) != APR_SUCCESS) {
++ *err_str = apr_pstrdup(r->pool, "Malformed URL");
++ *err_desc = apr_psprintf(r->pool, "Logout URL malformed: %s", url);
++ oidc_error(r, "%s: %s", *err_str, *err_desc);
++ return FALSE;
++ }
++
++ c_host = oidc_get_current_url_host(r);
++ if ((uri.hostname != NULL)
++ && ((strstr(c_host, uri.hostname) == NULL)
++ || (strstr(uri.hostname, c_host) == NULL))) {
++ *err_str = apr_pstrdup(r->pool, "Invalid Request");
++ *err_desc =
++ apr_psprintf(r->pool,
++ "logout value \"%s\" does not match the hostname of the current request \"%s\"",
++ apr_uri_unparse(r->pool, &uri, 0), c_host);
++ oidc_error(r, "%s: %s", *err_str, *err_desc);
++ return FALSE;
++ } else if (strstr(url, "/") != url) {
++ *err_str = apr_pstrdup(r->pool, "Malformed URL");
++ *err_desc =
++ apr_psprintf(r->pool,
++ "No hostname was parsed and it does not seem to be relative, i.e starting with '/': %s",
++ url);
++ oidc_error(r, "%s: %s", *err_str, *err_desc);
++ return FALSE;
++ }
++
++ /* validate the URL to prevent HTTP header splitting */
++ if (((strstr(url, 
"\n") != NULL) || strstr(url, "\r") != NULL)) { ++ *err_str = apr_pstrdup(r->pool, "Invalid Request"); ++ *err_desc = ++ apr_psprintf(r->pool, ++ "logout value \"%s\" contains illegal \"\n\" or \"\r\" character(s)", ++ url); ++ oidc_error(r, "%s: %s", *err_str, *err_desc); ++ return FALSE; ++ } ++ ++ return TRUE; ++} ++ + /* + * perform (single) logout + */ +@@ -2090,6 +2136,8 @@ static int oidc_handle_logout(request_rec *r, oidc_cfg *c, session_rec *session) + + /* pickup the command or URL where the user wants to go after logout */ + char *url = NULL; ++ char *error_str = NULL; ++ char *error_description = NULL; + oidc_util_get_request_parameter(r, "logout", &url); + + oidc_debug(r, "enter (url=%s)", url); +@@ -2103,44 +2151,12 @@ static int oidc_handle_logout(request_rec *r, oidc_cfg *c, session_rec *session) + url = c->default_slo_url; + + } else { +- + /* do input validation on the logout parameter value */ +- +- const char *error_description = NULL; +- apr_uri_t uri; +- +- if (apr_uri_parse(r->pool, url, &uri) != APR_SUCCESS) { +- const char *error_description = apr_psprintf(r->pool, +- "Logout URL malformed: %s", url); +- oidc_error(r, "%s", error_description); +- return oidc_util_html_send_error(r, c->error_template, +- "Malformed URL", error_description, +- HTTP_INTERNAL_SERVER_ERROR); +- +- } +- +- if ((strstr(r->hostname, uri.hostname) == NULL) +- || (strstr(uri.hostname, r->hostname) == NULL)) { +- error_description = +- apr_psprintf(r->pool, +- "logout value \"%s\" does not match the hostname of the current request \"%s\"", +- apr_uri_unparse(r->pool, &uri, 0), r->hostname); +- oidc_error(r, "%s", error_description); +- return oidc_util_html_send_error(r, c->error_template, +- "Invalid Request", error_description, +- HTTP_INTERNAL_SERVER_ERROR); +- } +- +- /* validate the URL to prevent HTTP header splitting */ +- if (((strstr(url, "\n") != NULL) || strstr(url, "\r") != NULL)) { +- error_description = +- apr_psprintf(r->pool, +- "logout value \"%s\" 
contains illegal \"\n\" or \"\r\" character(s)",
+- url);
+- oidc_error(r, "%s", error_description);
+- return oidc_util_html_send_error(r, c->error_template,
+- "Invalid Request", error_description,
+- HTTP_INTERNAL_SERVER_ERROR);
++ if (oidc_validate_post_logout_url(r, url, &error_str,
++ &error_description) == FALSE) {
++ return oidc_util_html_send_error(r, c->error_template, error_str,
++ error_description,
++ HTTP_BAD_REQUEST);
+ }
+ }
+
+--
+2.21.1
+
diff --git a/SOURCES/0005-Backport-of-Fix-open-redirect-starting-with-a-slash.patch b/SOURCES/0005-Backport-of-Fix-open-redirect-starting-with-a-slash.patch
new file mode 100644
index 0000000..f9ffe8a
--- /dev/null
+++ b/SOURCES/0005-Backport-of-Fix-open-redirect-starting-with-a-slash.patch
@@ -0,0 +1,31 @@
+From e14beee7d9a3e23a7f5d44413ffd15b89497326f Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek
+Date: Mon, 16 Mar 2020 21:16:26 +0100
+Subject: [PATCH 5/6] Backport of Fix open redirect starting with a slash
+
+---
+ src/mod_auth_openidc.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/src/mod_auth_openidc.c b/src/mod_auth_openidc.c
+index 431e89e086fbb72f56ea2a212e63c6ac693f62a2..4b1177050ec34976c954b133c6b1499232c3b0ba 100644
+--- a/src/mod_auth_openidc.c
++++ b/src/mod_auth_openidc.c
+@@ -2124,6 +2124,14 @@ static apr_byte_t oidc_validate_post_logout_url(request_rec *r, const char *url,
+ url);
+ oidc_error(r, "%s: %s", *err_str, *err_desc);
+ return FALSE;
++ } else if ((uri.hostname == NULL) && (strstr(url, "//") == url)) {
++ *err_str = apr_pstrdup(r->pool, "Malformed URL");
++ *err_desc =
++ apr_psprintf(r->pool,
++ "No hostname was parsed and starting with '//': %s",
++ url);
++ oidc_error(r, "%s: %s", *err_str, *err_desc);
++ return FALSE;
+ }
+
+ return TRUE;
+--
+2.21.1
+
diff --git a/SOURCES/0006-Backport-of-Fix-open-redirect-starting-with-a-slash-.patch b/SOURCES/0006-Backport-of-Fix-open-redirect-starting-with-a-slash-.patch
new file mode 100644
index 0000000..0a94ef0
--- /dev/null
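Review bot: `c_host` from `oidc_get_current_url_host(r)` is handed straight to `strstr()` in the new `oidc_validate_post_logout_url`; if that helper can return NULL (the removed code read `r->hostname`, which Apache can leave unset when a request carries no Host header), `strstr(c_host, uri.hostname)` is undefined behaviour on exactly the absolute-URL path this check is meant to protect. The two mutual `strstr()` calls only both succeed when the strings are identical, so the guard can say that directly and cover the missing host: `if ((uri.hostname != NULL) && ((c_host == NULL) || (strcmp(c_host, uri.hostname) != 0))) {`. The function has no header comment; I would add one above the signature stating that it returns FALSE unless `url` is an absolute URL on the current host or a value starting with `/`, that `*err_str` and `*err_desc` are pool-allocated and set only on failure, and that the caller now answers HTTP_BAD_REQUEST where it previously sent HTTP_INTERNAL_SERVER_ERROR. The `else if (strstr(url, "/") != url)` branch is also reached when the hostname matched, which the 0007 patch later in this import corrects.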
+++ b/SOURCES/0006-Backport-of-Fix-open-redirect-starting-with-a-slash-.patch
@@ -0,0 +1,32 @@
+From 68dcb6be79ed694acf0b1729d8688e871b08f40c Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek
+Date: Mon, 16 Mar 2020 21:19:00 +0100
+Subject: [PATCH 6/6] Backport of Fix open redirect starting with a slash and a
+ backslash
+
+---
+ src/mod_auth_openidc.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/src/mod_auth_openidc.c b/src/mod_auth_openidc.c
+index 4b1177050ec34976c954b133c6b1499232c3b0ba..3a11a9839f3d4249d112ab6fd64987ddcab07976 100644
+--- a/src/mod_auth_openidc.c
++++ b/src/mod_auth_openidc.c
+@@ -2132,6 +2132,14 @@ static apr_byte_t oidc_validate_post_logout_url(request_rec *r, const char *url,
+ url);
+ oidc_error(r, "%s: %s", *err_str, *err_desc);
+ return FALSE;
++ } else if ((uri.hostname == NULL) && (strstr(url, "/\\") == url)) {
++ *err_str = apr_pstrdup(r->pool, "Malformed URL");
++ *err_desc =
++ apr_psprintf(r->pool,
++ "No hostname was parsed and starting with '/\\': %s",
++ url);
++ oidc_error(r, "%s: %s", *err_str, *err_desc);
++ return FALSE;
+ }
+
+ return TRUE;
+--
+2.21.1
+
diff --git a/SOURCES/0007-Fix-the-previous-backports.patch b/SOURCES/0007-Fix-the-previous-backports.patch
new file mode 100644
index 0000000..c3d0e2b
--- /dev/null
+++ b/SOURCES/0007-Fix-the-previous-backports.patch
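Review bot: `strstr(url, "//") == url` in the 0005 hunk is a prefix test written as a whole-string search; `strncmp(url, "//", 2) == 0` states the intent and stops after two bytes, and the same applies to the `"/\\"` test added by the 0006 patch and to the `"/"` test in 0004. Nothing in the code records why these two prefixes are rejected, so I would put a comment above the `else if`: `/* no scheme or host was parsed, but "//host" and "/\host" are network-path (absolute) references to browsers and would send the user off-site (CVE-2019-20479) */`. As written these branches are a denylist of specific byte sequences; an allowlist of the post-logout destinations a deployment actually uses is the stronger mitigation and turns further variants into a configuration question rather than a code change. The body of `oidc_validate_post_logout_url` starts and ends outside both hunks.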
@@ -0,0 +1,61 @@
+From a5c9f79516fd4097817ac75a37af3b191a3d1448 Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek
+Date: Mon, 1 Jun 2020 21:47:28 +0200
+Subject: [PATCH] Fix the previous backports
+
+---
+ src/mod_auth_openidc.c | 24 ++++++++++++------------
+ 1 file changed, 12 insertions(+), 12 deletions(-)
+
+diff --git a/src/mod_auth_openidc.c b/src/mod_auth_openidc.c
+index e16d500..74f206b 100644
+--- a/src/mod_auth_openidc.c
++++ b/src/mod_auth_openidc.c
+@@ -2585,7 +2585,7 @@ static apr_byte_t oidc_validate_post_logout_url(request_rec *r, const char *url,
+ apr_uri_unparse(r->pool, &uri, 0), c_host);
+ oidc_error(r, "%s: %s", *err_str, *err_desc);
+ return FALSE;
+- } else if (strstr(url, "/") != url) {
++ } else if ((uri.hostname == NULL) && (strstr(url, "/") != url)) {
+ *err_str = apr_pstrdup(r->pool, "Malformed URL");
+ *err_desc =
+ apr_psprintf(r->pool,
+@@ -2593,17 +2593,6 @@ static apr_byte_t oidc_validate_post_logout_url(request_rec *r, const char *url,
+ url);
+ oidc_error(r, "%s: %s", *err_str, *err_desc);
+ return FALSE;
+- }
+-
+- /* validate the URL to prevent HTTP header splitting */
+- if (((strstr(url, "\n") != NULL) || strstr(url, "\r") != NULL)) {
+- *err_str = apr_pstrdup(r->pool, "Invalid Request");
+- *err_desc =
+- apr_psprintf(r->pool,
+- "logout value \"%s\" contains illegal \"\n\" or \"\r\" character(s)",
+- url);
+- oidc_error(r, "%s: %s", *err_str, *err_desc);
+- return FALSE;
+ } else if ((uri.hostname == NULL) && (strstr(url, "//") == url)) {
+ *err_str = apr_pstrdup(r->pool, "Malformed URL");
+ *err_desc =
+@@ -2622,6 +2611,17 @@ static apr_byte_t oidc_validate_post_logout_url(request_rec *r, const char *url,
+ return FALSE;
+ }
+
++ /* validate the URL to prevent HTTP header splitting */
++ if (((strstr(url, "\n") != NULL) || strstr(url, "\r") != NULL)) {
++ *err_str = apr_pstrdup(r->pool, "Invalid Request");
++ *err_desc =
++ apr_psprintf(r->pool,
++ "logout value \"%s\" contains illegal \"\n\" or \"\r\" character(s)",
++ url);
++ oidc_error(r, "%s: %s", *err_str, *err_desc);
++ return FALSE;
++ }
++
+ return TRUE;
+ }
+
+--
+2.21.3
+
diff --git a/SPECS/mod_auth_openidc.spec b/SPECS/mod_auth_openidc.spec
index 2c83c33..6e1f543 100644
--- a/SPECS/mod_auth_openidc.spec
+++ b/SPECS/mod_auth_openidc.spec
@@ -15,7 +15,7 @@ Name: mod_auth_openidc
 Version: 1.8.8
-Release: 5%{?dist}
+Release: 7%{?dist}
 Summary: OpenID Connect auth module for Apache HTTP Server
 Group: System Environment/Daemons
@@ -27,6 +27,10 @@ Patch0: decrypt_aesgcm.patch
 Patch1: 0001-don-t-echo-query-params-on-invalid-requests-to-redir.patch
 Patch2: 0002-Backport-security-fix-scrub-headers-on-OIDCUnAuthAct.patch
 Patch3: 0003-Backport-security-fix-scrub-headers-for-AuthType-oau.patch
+Patch4: 0004-Backport-of-improve-validation-of-the-post-logout-UR.patch
+Patch5: 0005-Backport-of-Fix-open-redirect-starting-with-a-slash.patch
+Patch6: 0006-Backport-of-Fix-open-redirect-starting-with-a-slash-.patch
+Patch7: 0007-Fix-the-previous-backports.patch
 BuildRequires: httpd-devel
 BuildRequires: openssl-devel
@@ -48,6 +52,10 @@ an OpenID Connect Relying Party and/or OAuth 2.0 Resource Server.
 %patch1 -p1 -b echo_req
 %patch2 -p1 -b scrub_headers
 %patch3 -p1 -b scrub_headers_oauth
+%patch4 -p1 -b improve_logout_validation
+%patch5 -p1 -b logout_slash
+%patch6 -p1 -b logout_backslash
+%patch7 -p1 -b logout_regression
 %build
 # workaround rpm-buildroot-usage
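Review bot: after this patch the verdict of `oidc_validate_post_logout_url` depends on the order of five checks (parse failure, host mismatch, then three `uri.hostname == NULL` prefix tests, then the CRLF test re-added at `@@ -2622`), but no comment ties them together and this import adds no test pinning which values are accepted and which are rejected; I would extend the re-added `/* validate the URL to prevent HTTP header splitting */` comment to say that it deliberately sits after the `else if` chain so it applies to both same-host absolute URLs and relative paths, and spell out in the function's header comment that same-host absolute URLs are accepted again (the regression the subject refers to). The CRLF test itself scans the string twice; `if (strpbrk(url, "\r\n") != NULL) {` is the single-pass form with identical semantics. The `//` and `/\` branches from 0005 and 0006 only become part of the relative-prefix chain through this reordering, so the final shape of the function is visible only after applying all four patches. The function starts outside this hunk.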
@@ -99,6 +107,18 @@ install -m 700 -d $RPM_BUILD_ROOT%{httpd_pkg_cache_dir}/cache
 %dir %attr(0700, apache, apache) %{httpd_pkg_cache_dir}/cache
 %changelog
+* Mon Mar 16 2020 Jakub Hrozek - 1.8.8-7
+- Fix a regression in the previous patches
+- Related: rhbz#1805748 - CVE-2019-20479 mod_auth_openidc: open redirect
+ issue exists in URLs with slash and backslash [rhel-7]
+
+* Mon Mar 16 2020 Jakub Hrozek - 1.8.8-6
+- Resolves: rhbz#1805748 - CVE-2019-20479 mod_auth_openidc: open redirect
+ issue exists in URLs with slash and backslash [rhel-7]
+- Resolves: rhbz#1805067 - CVE-2019-14857 mod_auth_openidc: Open redirect
+ in logout url when using URLs with leading slashes
+ [rhel-7]
+
 * Tue Jan 29 2019 Jakub Hrozek - 1.8.8-5
 - Resolves: rhbz#1626297 - CVE-2017-6413 mod_auth_openidc: OIDC_CLAIM and
 OIDCAuthNHeader not skipped in an "AuthType oauth20"