!9 [sync] PR-7: Upgrade to 2.4.9.4

From: @openeuler-sync-bot Reviewed-by: @zhujianwei001 Signed-off-by: @zhujianwei001
2021-09-16 01:37:06 +00:00 · 2021-09-16 01:37:06 +00:00 · dac42e875b
commit dac42e875b
parent 34e21adad4 2cba26b207
6 changed files with 7 additions and 119 deletions
--- a/CVE-2019-20479.patch
+++ b/CVE-2019-20479.patch
@ -1,28 +0,0 @@
 From 2d20c58597c9f7065e5362e603a5c348141c45ea Mon Sep 17 00:00:00 2001
 From: AIMOTO NORIHITO <aimoto@osstech.co.jp>
 Date: Tue, 12 Nov 2019 17:09:23 +0900
 Subject: [PATCH] Fix open redirect starting with a slash and backslash
 ---
 src/mod_auth_openidc.c | 8 ++++++++
 1 file changed, 8 insertions(+)
 diff --git a/src/mod_auth_openidc.c b/src/mod_auth_openidc.c
 index 2467a42..b47a697 100644
 --- a/src/mod_auth_openidc.c
 +++ b/src/mod_auth_openidc.c
@@ -3063,6 +3063,14 @@ static apr_byte_t oidc_validate_post_logout_url(request_rec *r, const char *url,
                                                 url);
                 oidc_error(r, "%s: %s", *err_str, *err_desc);
                 return FALSE;
 +        } else if ((uri.hostname == NULL) && (strstr(url, "/\\") == url)) {
 +                *err_str = apr_pstrdup(r->pool, "Malformed URL");
 +                *err_desc =
 +                                apr_psprintf(r->pool,
 +                                                "No hostname was parsed and starting with '/\\': %s",
 +                                                url);
 +                oidc_error(r, "%s: %s", *err_str, *err_desc);
 +                return FALSE;
 	}
 	/* validate the URL to prevent HTTP header splitting */
--- a/CVE-2021-20718-pre1.patch
+++ b/CVE-2021-20718-pre1.patch
@ -1,43 +0,0 @@
 From 9793565ade06dcea0626e8c05137725141ef827b Mon Sep 17 00:00:00 2001
 From: Hans Zandbelt <hans.zandbelt@zmartzone.eu>
 Date: Fri, 28 Aug 2020 19:05:52 +0200
 Subject: [PATCH] allow Content-Type check on backchannel logout to have postfixes utf-8 etc. ; bump to 2.4.4rc8
 Signed-off-by: Hans Zandbelt <hans.zandbelt@zmartzone.eu>
 ---
 configure.ac | 2 +-
 src/util.c   | 7 +++++--
 2 files changed, 6 insertions(+), 3 deletions(-)
 diff --git a/configure.ac b/configure.ac
 index c976c5c..7e8353c 100644
 --- a/configure.ac
 +++ b/configure.ac
@@ -1,4 +1,4 @@
 -AC_INIT([mod_auth_openidc],[2.4.0.3],[hans.zandbelt@zmartzone.eu])
 +AC_INIT([mod_auth_openidc],[2.4.4rc8],[hans.zandbelt@zmartzone.eu])
 AC_SUBST(NAMEVER, AC_PACKAGE_TARNAME()-AC_PACKAGE_VERSION())
 diff --git a/src/util.c b/src/util.c
 index 617136e..ca13512 100644
 --- a/src/util.c
 +++ b/src/util.c
@@ -1526,9 +1526,12 @@ apr_byte_t oidc_util_read_post_params(request_rec *r, apr_table_t *table,
 	const char *content_type = NULL;
 	content_type = oidc_util_hdr_in_content_type_get(r);
 -	if ((r->method_number != M_POST) || (apr_strnatcmp(content_type,
 -			OIDC_CONTENT_TYPE_FORM_ENCODED) != 0))
 +	if ((r->method_number != M_POST) || (strstr(content_type,
 +			OIDC_CONTENT_TYPE_FORM_ENCODED) != content_type)) {
 +		oidc_debug(r, "required content-type %s not found",
 +				OIDC_CONTENT_TYPE_FORM_ENCODED);
 		goto end;
 +	}
 	if (oidc_util_read(r, &data) != TRUE)
 		goto end;
 -- 
 2.23.0
--- a/CVE-2021-20718.patch
+++ b/CVE-2021-20718.patch
@ -1,42 +0,0 @@
 From 42a14e1d7a3fff62fc6b20df56f6dc38f086effd Mon Sep 17 00:00:00 2001
 From: Hans Zandbelt <hans.zandbelt@zmartzone.eu>
 Date: Fri, 30 Apr 2021 19:33:38 +0200
 Subject: [PATCH] fix potential crash when Content-Type is not set in
 POST requests thanks JPCERT/CC; release 2.4.8
 Signed-off-by: Hans Zandbelt <hans.zandbelt@zmartzone.eu>
 ---
 configure.ac | 2 +-
 src/util.c   | 5 ++---
 2 files changed, 3 insertions(+), 4 deletions(-)
 diff --git a/configure.ac b/configure.ac
 index 7e8353c..50b555f 100644
 --- a/configure.ac
 +++ b/configure.ac
@@ -1,4 +1,4 @@
 -AC_INIT([mod_auth_openidc],[2.4.4rc8],[hans.zandbelt@zmartzone.eu])
 +AC_INIT([mod_auth_openidc],[2.4.8],[hans.zandbelt@zmartzone.eu])
 AC_SUBST(NAMEVER, AC_PACKAGE_TARNAME()-AC_PACKAGE_VERSION())
 diff --git a/src/util.c b/src/util.c
 index ca13512..2306c3a 100644
 --- a/src/util.c
 +++ b/src/util.c
@@ -1526,10 +1526,9 @@ apr_byte_t oidc_util_read_post_params(request_rec *r, apr_table_t *table,
 	const char *content_type = NULL;
 	content_type = oidc_util_hdr_in_content_type_get(r);
 -	if ((r->method_number != M_POST) || (strstr(content_type,
 +	if ((r->method_number != M_POST) || (content_type == NULL) || (strstr(content_type,
 			OIDC_CONTENT_TYPE_FORM_ENCODED) != content_type)) {
 -		oidc_debug(r, "required content-type %s not found",
 -				OIDC_CONTENT_TYPE_FORM_ENCODED);
 +		oidc_debug(r, "required content-type %s not found", OIDC_CONTENT_TYPE_FORM_ENCODED);
 		goto end;
 	}
 -- 
 2.23.0
--- a/mod_auth_openidc.spec
+++ b/mod_auth_openidc.spec
@ -6,15 +6,12 @@
 %global httpd_pkg_cache_dir /var/cache/httpd/mod_auth_openidc
 Name:           mod_auth_openidc
-Version:        2.4.0.3
+Version:        2.4.9.4
-Release:        4
+Release:        1
 Summary:        OpenID Connect Relying Party module for Apache 2.x HTTP Server
 License:        ASL 2.0
 URL:            https://github.com/zmartzone/mod_auth_openidc
-Source0:        https://github.com/zmartzone/mod_auth_openidc/archive/v%{version}.tar.gz
+Source0:	https://github.com/zmartzone/mod_auth_openidc/archive/refs/tags/v%{version}.tar.gz
 Patch0000:      CVE-2019-20479.patch
 Patch0001:      CVE-2021-20718-pre1.patch
 Patch0002:      CVE-2021-20718.patch
 BuildRequires:  gcc httpd-devel openssl-devel curl-devel jansson-devel
 BuildRequires:  pcre-devel autoconf automake cjose-devel jq-devel
@ -61,6 +58,10 @@ install -m 700 -d $RPM_BUILD_ROOT%{httpd_pkg_cache_dir}/{metadata,cache}
 %dir %attr(0700, apache, apache) %{httpd_pkg_cache_dir}/{metadata,cache}
 %changelog
 * Wed Sep 15 2021 houyingchao <houyingchao@huawei.com> 2.4.9.4-1
 - Upgrade to 2.4.9.4
 - Fix CVE-2021-39191
 * Thu Jun 10 2021 wangyue <wangyue92@huawei.com> 2.4.0.3-4
 - Fix CVE-2021-20718
--- a/v2.4.0.3.tar.gz
+++ b/v2.4.0.3.tar.gz
--- a/v2.4.9.4.tar.gz
+++ b/v2.4.9.4.tar.gz