packages/mod_auth_openidc
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!2 fix CVE-2019-20479

Browse Source 
From: @wangxiao65
Reviewed-by: @zhanghua1831,@small_leek,@ruebb,@small_leek,@miao_kaibo
Signed-off-by: @small_leek,@ruebb,@small_leek,@miao_kaibo
This commit is contained in:
openeuler-ci-bot 2021-02-22 09:41:25 +08:00 committed by Gitee
commit 9701468c57
2 changed files with 33 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
CVE-2019-20479.patch Normal file
View File

@ -0,0 +1,28 @@
From 2d20c58597c9f7065e5362e603a5c348141c45ea Mon Sep 17 00:00:00 2001
From: AIMOTO NORIHITO <aimoto@osstech.co.jp>
Date: Tue, 12 Nov 2019 17:09:23 +0900
Subject: [PATCH] Fix open redirect starting with a slash and backslash
---
src/mod_auth_openidc.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/src/mod_auth_openidc.c b/src/mod_auth_openidc.c
index 2467a42..b47a697 100644
--- a/src/mod_auth_openidc.c
+++ b/src/mod_auth_openidc.c
@@ -3063,6 +3063,14 @@ static apr_byte_t oidc_validate_post_logout_url(request_rec *r, const char *url,
url);
oidc_error(r, "%s: %s", *err_str, *err_desc);
return FALSE;
+ } else if ((uri.hostname == NULL) && (strstr(url, "/\\") == url)) {
+ *err_str = apr_pstrdup(r->pool, "Malformed URL");
+ *err_desc =
+ apr_psprintf(r->pool,
+ "No hostname was parsed and starting with '/\\': %s",
+ url);
+ oidc_error(r, "%s: %s", *err_str, *err_desc);
+ return FALSE;
}
/* validate the URL to prevent HTTP header splitting */

6
mod_auth_openidc.spec
View File

@ -7,11 +7,12 @@
Name: mod_auth_openidc Name: mod_auth_openidc
Version: 2.4.0.3 Version: 2.4.0.3
Release: 2 Release: 3
Summary: OpenID Connect Relying Party module for Apache 2.x HTTP Server Summary: OpenID Connect Relying Party module for Apache 2.x HTTP Server
License: ASL 2.0 License: ASL 2.0
URL: https://github.com/zmartzone/mod_auth_openidc URL: https://github.com/zmartzone/mod_auth_openidc
Source0: https://github.com/zmartzone/mod_auth_openidc/archive/v%{version}.tar.gz Source0: https://github.com/zmartzone/mod_auth_openidc/archive/v%{version}.tar.gz
Patch0000: CVE-2019-20479.patch
BuildRequires: gcc httpd-devel openssl-devel curl-devel jansson-devel BuildRequires: gcc httpd-devel openssl-devel curl-devel jansson-devel
BuildRequires: pcre-devel autoconf automake cjose-devel jq-devel BuildRequires: pcre-devel autoconf automake cjose-devel jq-devel
@ -58,5 +59,8 @@ install -m 700 -d $RPM_BUILD_ROOT%{httpd_pkg_cache_dir}/{metadata,cache}
%dir %attr(0700, apache, apache) %{httpd_pkg_cache_dir}/{metadata,cache} %dir %attr(0700, apache, apache) %{httpd_pkg_cache_dir}/{metadata,cache}
%changelog %changelog
* Fri Feb 19 2021 wangxiao <wangxiao65@huawei.com> 2.4.0.3-3
- Fix CVE-2019-20479
* Fri Apr 24 2020 Captain Wei <captain.a.wei@gmail.com> 2.4.0.3-2 * Fri Apr 24 2020 Captain Wei <captain.a.wei@gmail.com> 2.4.0.3-2
- Package init - Package init