Jakub Hrozek 83b8373
From 62041428a32de402e0be6ba45fe12df6a83bedb8 Mon Sep 17 00:00:00 2001
From: Olav Morken <olav.morken@uninett.no>
Date: Tue, 19 Mar 2019 13:42:22 +0100
Subject: [PATCH] Fix redirect URL validation bypass
It turns out that browsers silently convert backslash characters into
forward slashes, while apr_uri_parse() does not.
This mismatch allows an attacker to bypass the redirect URL validation
by using a URL like:
  https://sp.example.org/mellon/logout?ReturnTo=https:%5c%5cmalicious.example.org/
mod_auth_mellon will assume that it is a relative URL and allow the
request to pass through, while the browsers will use it as an absolute
URL and redirect to https://malicious.example.org/.
This patch fixes this issue by rejecting all redirect URLs with
backslashes.
---
 auth_mellon_util.c | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/auth_mellon_util.c b/auth_mellon_util.c
index 0fab309..fd442f9 100644
--- a/auth_mellon_util.c
+++ b/auth_mellon_util.c
@@ -927,6 +927,13 @@ int am_check_url(request_rec *r, const char *url)
                           "Control character detected in URL.");
             return HTTP_BAD_REQUEST;
         }
+        if (*i == '\\') {
+            /* Reject backslash character, as it can be used to bypass
+             * redirect URL validation. */
+            AM_LOG_RERROR(APLOG_MARK, APLOG_ERR, HTTP_BAD_REQUEST, r,
+                          "Backslash character detected in URL.");
+            return HTTP_BAD_REQUEST;
+        }
     }
 
     return OK;
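Review bot: the new branch `if (*i == '\\')` matches only a literal backslash byte, while the bypass quoted in the commit message arrives percent-encoded as `%5c%5c`; the hunk therefore closes the hole only if every caller hands am_check_url() the already percent-decoded ReturnTo value. Please confirm that no caller passes the raw query-string form (or decode inside am_check_url() before this loop), and add a regression test that drives the quoted `https:%5c%5cmalicious.example.org/` value through the full logout path so the decoded string actually reaches this check. Rejecting with HTTP_BAD_REQUEST rather than normalising `\` to `/` is the right call: the server cannot know how a given client will parse the backslash, so refusing is safer than guessing, and the new log line keeps the same wording pattern as the control-character rejection above it.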
-- 
2.19.2
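The mismatch the commit message describes, as an added example that is not part of the patch or of the mod_auth_mellon code base: Node's WHATWG `URL` class stands in for the browser (the WHATWG URL Standard specifies that a backslash after a special scheme such as https is treated like a slash), a small regex-based parser stands in for apr_uri_parse() (assumption: it only recognises an authority after a literal `scheme://`), and `amCheckUrl()` mirrors the loop the patch changes. The allow/deny policy in `prePatchAllowsRedirect()` and the exact control-character condition are simplifications assumed here, not the project's real logic; the sample ReturnTo value and hostnames are the ones from the commit message.

```javascript
// Added example (not part of the patch or of mod_auth_mellon): reproduce the
// backslash mismatch between a WHATWG-compliant browser and a naive parser,
// then show the patched check rejecting the value before it reaches the parser.

// Constructed sample input: the ReturnTo value from the commit message, as it
// arrives in the query string (percent-encoded), plus the SP's logout URL.
const RAW_RETURN_TO = "https:%5c%5cmalicious.example.org/";
const SP_BASE = "https://sp.example.org/mellon/logout";
const SP_HOST = "sp.example.org";

const OK = 200;
const HTTP_BAD_REQUEST = 400;

// The server percent-decodes the query parameter before validating it.
function decodeReturnTo(raw) {
  return decodeURIComponent(raw); // yields "https:\\malicious.example.org/"
}

// Simplified stand-in for apr_uri_parse() (assumption): only a literal
// "scheme://authority" prefix yields a hostname; "https:\\host" does not,
// so such a value looks like it has no authority at all.
function naiveHostname(url) {
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^\/?#]*)/i.exec(url);
  if (m === null) return null;
  return m[2].replace(/^.*@/, "").replace(/:\d+$/, "").toLowerCase();
}

// What the browser will actually navigate to: Node's URL class implements the
// WHATWG URL Standard, which maps "\" to "/" for special schemes like https.
function browserHostname(url, base) {
  return new URL(url, base).hostname;
}

// Pre-patch decision as the commit message describes it (simplified, assumed):
// no recognisable hostname means "relative, allow"; an absolute URL is allowed
// only when its host is the SP itself.
function prePatchAllowsRedirect(url, spHost) {
  const host = naiveHostname(url);
  return host === null || host === spHost;
}

// Mirrors the patched am_check_url() loop: reject control characters (the
// exact range is an assumption here) and, after the patch, any backslash.
function amCheckUrl(url) {
  for (const ch of url) {
    const cp = ch.codePointAt(0);
    if (cp < 0x20 || cp === 0x7f) return HTTP_BAD_REQUEST; // control character
    if (ch === "\\") return HTTP_BAD_REQUEST;               // backslash bypass
  }
  return OK;
}

function postPatchAllowsRedirect(url, spHost) {
  if (amCheckUrl(url) !== OK) return false;
  return prePatchAllowsRedirect(url, spHost);
}

// Walk the attack value through every stage and return what each one decides.
function demo() {
  const decoded = decodeReturnTo(RAW_RETURN_TO);
  return {
    decoded,
    naiveHost: naiveHostname(decoded),               // null: "looks relative"
    browserHost: browserHostname(decoded, SP_BASE),  // "malicious.example.org"
    prePatch: prePatchAllowsRedirect(decoded, SP_HOST),   // true: bypass
    postPatch: postPatchAllowsRedirect(decoded, SP_HOST), // false: rejected
  };
}

console.log(demo());
```

Run it with `node`; `demo()` returns the per-stage decisions, and the two that matter are that the naive parser sees no hostname while the browser resolves the same string to `malicious.example.org`. The regex parser only reproduces the "no authority, so relative" assumption from the commit message; the real apr_uri_parse() behaviour should be checked against APR directly before relying on any detail of it.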