Package: release.debian.org Severity: important User: release.debian....@packages.debian.org Usertags: unblock
Please unblock package libapache2-mod-auth-openidc. The new upstream releases 2.1.4 and 2.1.5 are bugfix releases that mainly fix the two security issues CVE-2017-6059 and CVE-2017-6062. See the attached debdiff. Christoph -- ============================================================================ Christoph Martin, Leiter Unix-Systeme Zentrum für Datenverarbeitung, Uni-Mainz, Germany Anselm Franz von Bentzel-Weg 12, 55128 Mainz Telefon: +49(6131)3926337 Instant-Messaging: Jabber: mar...@jabber.uni-mainz.de (Siehe http://www.zdv.uni-mainz.de/4010.php)
diff -Nru libapache2-mod-auth-openidc-2.1.3/AUTHORS libapache2-mod-auth-openidc-2.1.5/AUTHORS
--- libapache2-mod-auth-openidc-2.1.3/AUTHORS 2016-10-27 16:23:12.000000000 +0200
+++ libapache2-mod-auth-openidc-2.1.5/AUTHORS 2017-01-30 20:26:39.000000000 +0100
@@ -31,3 +31,5 @@
 Andy Curtis <https://github.com/asc1>
 solsson <https://github.com/solsson>
 drdivano <https://github.com/drdivano>
+ AliceWonderMiscreations <https://github.com/AliceWonderMiscreations>
+ Wouter Hund <https://github.com/wouterhund>
diff -Nru libapache2-mod-auth-openidc-2.1.3/ChangeLog libapache2-mod-auth-openidc-2.1.5/ChangeLog
--- libapache2-mod-auth-openidc-2.1.3/ChangeLog 2016-12-13 18:25:06.000000000 +0100
+++ libapache2-mod-auth-openidc-2.1.5/ChangeLog 2017-01-30 20:06:45.000000000 +0100
@@ -1,3 +1,33 @@ +01/30/2017 +- security fix: scrub headers when `OIDCUnAuthAction pass` is used for an unauthenticated user +- release 2.1.5 + +01/29/2017 +- fix error message about passing id_token with session type client-cookie; mentioned in #220 +- bump to 2.1.5rc0 + +01/25/2017 +- release 2.1.4 + +01/18/2017 +- don't echo the query parameters on the error page when an invalid request is made to the Redirect URI; closes #212; thanks @LukasReschke + +01/14/2017 +- use dynamic memory buffer for writing HTTP call responses; solves curl/mpm-event interference; see #207 +- bump to 2.1.4rc1 + +01/10/2017 +- don't crash when data is POST-ed to the redirect URL, it has just 1 POST parameter and it is not "response_mode" + +01/2/2017 +- remove trailing linebreaks from input in test-cmd tool +- bump copyright year to 2017 + +12/14/2016 +- support Libre SSL, see #205, thanks @AliceWonderMiscreations +- update OIDC logout support to Front-Channel Logout 1.0 draft 01: http://openid.net/specs/openid-connect-frontchannel-1_0.html +- bump to 2.1.4rc0 + 12/13/2016 - release 2.1.3 diff -Nru libapache2-mod-auth-openidc-2.1.3/configure libapache2-mod-auth-openidc-2.1.5/configure --- libapache2-mod-auth-openidc-2.1.3/configure 2016-12-13 18:25:23.000000000 +0100 +++ libapache2-mod-auth-openidc-2.1.5/configure 2017-01-30 20:28:17.000000000 +0100 @@ -1,8 +1,8 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for mod_auth_openidc 2.1.3. +# Generated by GNU Autoconf 2.69 for mod_auth_openidc 2.1.5. # -# Report bugs to <hzandb...@pingidentity.com>. +# Report bugs to <hans.zandb...@zmartzone.eu>. # # # Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc. 
@@ -266,7 +266,7 @@ $as_echo "$0: be upgraded to zsh 4.3.4 or later." else $as_echo "$0: Please tell bug-autoc...@gnu.org and -$0: hzandb...@pingidentity.com about your system, including +$0: hans.zandb...@zmartzone.eu about your system, including $0: any error possibly output before this message. Then $0: install a modern shell, or manually run the script $0: under such a shell if you do have one." @@ -579,9 +579,9 @@ # Identity of this package. PACKAGE_NAME='mod_auth_openidc' PACKAGE_TARNAME='mod_auth_openidc' -PACKAGE_VERSION='2.1.3' -PACKAGE_STRING='mod_auth_openidc 2.1.3' -PACKAGE_BUGREPORT='hzandb...@pingidentity.com' +PACKAGE_VERSION='2.1.5' +PACKAGE_STRING='mod_auth_openidc 2.1.5' +PACKAGE_BUGREPORT='hans.zandb...@zmartzone.eu' PACKAGE_URL='' ac_subst_vars='LTLIBOBJS @@ -626,7 +626,6 @@ docdir oldincludedir includedir -runstatedir localstatedir sharedstatedir sysconfdir @@ -711,7 +710,6 @@ sysconfdir='${prefix}/etc' sharedstatedir='${prefix}/com' localstatedir='${prefix}/var' -runstatedir='${localstatedir}/run' includedir='${prefix}/include' oldincludedir='/usr/include' docdir='${datarootdir}/doc/${PACKAGE_TARNAME}' @@ -964,15 +962,6 @@ | -silent | --silent | --silen | --sile | --sil) silent=yes ;; - -runstatedir | --runstatedir | --runstatedi | --runstated \ - | --runstate | --runstat | --runsta | --runst | --runs \ - | --run | --ru | --r) - ac_prev=runstatedir ;; - -runstatedir=* | --runstatedir=* | --runstatedi=* | --runstated=* \ - | --runstate=* | --runstat=* | --runsta=* | --runst=* | --runs=* \ - | --run=* | --ru=* | --r=*) - runstatedir=$ac_optarg ;; - -sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb) ac_prev=sbindir ;; -sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \ 
@@ -1110,7 +1099,7 @@ for ac_var in exec_prefix prefix bindir sbindir libexecdir datarootdir \ datadir sysconfdir sharedstatedir localstatedir includedir \ oldincludedir docdir infodir htmldir dvidir pdfdir psdir \ - libdir localedir mandir runstatedir + libdir localedir mandir do eval ac_val=\$$ac_var # Remove trailing slashes. @@ -1223,7 +1212,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures mod_auth_openidc 2.1.3 to adapt to many kinds of systems. +\`configure' configures mod_auth_openidc 2.1.5 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1263,7 +1252,6 @@ --sysconfdir=DIR read-only single-machine data [PREFIX/etc] --sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com] --localstatedir=DIR modifiable single-machine data [PREFIX/var] - --runstatedir=DIR modifiable per-process data [LOCALSTATEDIR/run] --libdir=DIR object code libraries [EPREFIX/lib] --includedir=DIR C header files [PREFIX/include] --oldincludedir=DIR C header files for non-gcc [/usr/include] @@ -1286,7 +1274,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of mod_auth_openidc 2.1.3:";; + short | recursive ) echo "Configuration of mod_auth_openidc 2.1.5:";; esac cat <<\_ACEOF @@ -1328,7 +1316,7 @@ Use these variables to override the choices made by `configure' or to help it to find libraries and programs with nonstandard names/locations. -Report bugs to <hzandb...@pingidentity.com>. +Report bugs to <hans.zandb...@zmartzone.eu>. _ACEOF ac_status=$? fi @@ -1391,7 +1379,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -mod_auth_openidc configure 2.1.3 +mod_auth_openidc configure 2.1.5 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. 
@@ -1408,7 +1396,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by mod_auth_openidc $as_me 2.1.3, which was +It was created by mod_auth_openidc $as_me 2.1.5, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -1757,7 +1745,7 @@ -NAMEVER=mod_auth_openidc-2.1.3 +NAMEVER=mod_auth_openidc-2.1.5 # This section defines the --with-apxs2 option. @@ -3276,7 +3264,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by mod_auth_openidc $as_me 2.1.3, which was +This file was extended by mod_auth_openidc $as_me 2.1.5, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -3323,13 +3311,13 @@ Configuration files: $config_files -Report bugs to <hzandb...@pingidentity.com>." +Report bugs to <hans.zandb...@zmartzone.eu>." _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -mod_auth_openidc config.status 2.1.3 +mod_auth_openidc config.status 2.1.5 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff -Nru libapache2-mod-auth-openidc-2.1.3/configure.ac libapache2-mod-auth-openidc-2.1.5/configure.ac --- libapache2-mod-auth-openidc-2.1.3/configure.ac 2016-12-13 18:25:06.000000000 +0100 +++ libapache2-mod-auth-openidc-2.1.5/configure.ac 2017-01-30 20:05:16.000000000 +0100 
@@ -1,4 +1,4 @@ -AC_INIT([mod_auth_openidc],[2.1.3],[hzandb...@pingidentity.com]) +AC_INIT([mod_auth_openidc],[2.1.5],[hans.zandb...@zmartzone.eu]) AC_SUBST(NAMEVER, AC_PACKAGE_TARNAME()-AC_PACKAGE_VERSION()) diff -Nru libapache2-mod-auth-openidc-2.1.3/debian/changelog libapache2-mod-auth-openidc-2.1.5/debian/changelog --- libapache2-mod-auth-openidc-2.1.3/debian/changelog 2017-01-13 15:52:26.000000000 +0100 +++ libapache2-mod-auth-openidc-2.1.5/debian/changelog 2017-02-06 10:56:03.000000000 +0100 @@ -1,3 +1,12 @@ +libapache2-mod-auth-openidc (2.1.5-1) unstable; urgency=high + + * Imported Upstream version 2.1.5 + fixes two security issues: + https://github.com/pingidentity/mod_auth_openidc/issues/212 + https://github.com/pingidentity/mod_auth_openidc/issues/222 + + -- Christoph Martin <mar...@uni-mainz.de> Mon, 06 Feb 2017 10:56:03 +0100 + libapache2-mod-auth-openidc (2.1.3-1) unstable; urgency=medium * Fix watch file diff -Nru libapache2-mod-auth-openidc-2.1.3/DISCLAIMER libapache2-mod-auth-openidc-2.1.5/DISCLAIMER --- libapache2-mod-auth-openidc-2.1.3/DISCLAIMER 2016-01-08 21:50:18.000000000 +0100 +++ libapache2-mod-auth-openidc-2.1.5/DISCLAIMER 2017-01-28 14:28:49.000000000 +0100 @@ -1,5 +1,5 @@ /*************************************************************************** - * Copyright (C) 2014-2016 Ping Identity Corporation + * Copyright (C) 2014-2017 Ping Identity Corporation * All rights reserved. * * Ping Identity Corporation diff -Nru libapache2-mod-auth-openidc-2.1.3/README.md libapache2-mod-auth-openidc-2.1.5/README.md --- libapache2-mod-auth-openidc-2.1.3/README.md 2016-11-19 13:46:48.000000000 +0100 +++ libapache2-mod-auth-openidc-2.1.5/README.md 2017-01-28 14:28:49.000000000 +0100 
@@ -271,13 +271,16 @@ There is a Google Group/mailing list at: [mod_auth_open...@googlegroups.com](mailto:mod_auth_open...@googlegroups.com) The corresponding forum/archive is at: - https://groups.google.com/forum/#!forum/mod_auth_openidc + https://groups.google.com/forum/#!forum/mod_auth_openidc +For commercial support and consultancy you can contact: + [i...@zmartzone.eu](mailto:i...@zmartzone.eu) + +Any questions/issues should go to the mailing list, the Github issues tracker or the +primary author [hans.zandb...@zmartzone.eu](mailto:hans.zandb...@zmartzone.eu) Disclaimer ---------- *This software is open sourced by Ping Identity but not supported commercially -as such. Any questions/issues should go to the mailing list, the Github issues -tracker or the author [hzandb...@pingidentity.com](mailto:hzandb...@pingidentity.com) -directly See also the DISCLAIMER file in this directory.* - +by Ping Identity, see also the DISCLAIMER file in this directory. For commercial support +you can contact [ZmartZone IAM](https://www.zmartzone.eu) as described above.* diff -Nru libapache2-mod-auth-openidc-2.1.3/src/authz.c libapache2-mod-auth-openidc-2.1.5/src/authz.c --- libapache2-mod-auth-openidc-2.1.3/src/authz.c 2016-09-05 22:16:39.000000000 +0200 +++ libapache2-mod-auth-openidc-2.1.5/src/authz.c 2017-01-28 14:28:49.000000000 +0100 @@ -18,7 +18,7 @@ */ /*************************************************************************** - * Copyright (C) 2013-2016 Ping Identity Corporation + * Copyright (C) 2013-2017 Ping Identity Corporation * All rights reserved. * * For further information please contact: 
@@ -47,7 +47,7 @@ * * mostly copied from mod_auth_cas * - * @Author: Hans Zandbelt - hzandb...@pingidentity.com + * @Author: Hans Zandbelt - hans.zandb...@zmartzone.eu */ #include <http_core.h> diff -Nru libapache2-mod-auth-openidc-2.1.3/src/cache/cache.h libapache2-mod-auth-openidc-2.1.5/src/cache/cache.h --- libapache2-mod-auth-openidc-2.1.3/src/cache/cache.h 2016-09-09 16:18:11.000000000 +0200 +++ libapache2-mod-auth-openidc-2.1.5/src/cache/cache.h 2017-01-28 14:28:49.000000000 +0100 @@ -18,7 +18,7 @@ */ /*************************************************************************** - * Copyright (C) 2013-2016 Ping Identity Corporation + * Copyright (C) 2013-2017 Ping Identity Corporation * All rights reserved. * * For further information please contact: @@ -47,7 +47,7 @@ * * mem_cache-like interface and semantics (string keys/values) using a storage backend * - * @Author: Hans Zandbelt - hzandb...@pingidentity.com + * @Author: Hans Zandbelt - hans.zandb...@zmartzone.eu */ #ifndef _MOD_AUTH_OPENIDC_CACHE_H_ diff -Nru libapache2-mod-auth-openidc-2.1.3/src/cache/file.c libapache2-mod-auth-openidc-2.1.5/src/cache/file.c --- libapache2-mod-auth-openidc-2.1.3/src/cache/file.c 2016-10-27 16:23:12.000000000 +0200 +++ libapache2-mod-auth-openidc-2.1.5/src/cache/file.c 2017-01-28 14:28:49.000000000 +0100 @@ -18,7 +18,7 @@ */ /*************************************************************************** - * Copyright (C) 2013-2016 Ping Identity Corporation + * Copyright (C) 2013-2017 Ping Identity Corporation * All rights reserved. * * For further information please contact: 
@@ -47,7 +47,7 @@ * * caching using a file storage backend * - * @Author: Hans Zandbelt - hzandb...@pingidentity.com + * @Author: Hans Zandbelt - hans.zandb...@zmartzone.eu */ #include <apr_hash.h> diff -Nru libapache2-mod-auth-openidc-2.1.3/src/cache/lock.c libapache2-mod-auth-openidc-2.1.5/src/cache/lock.c --- libapache2-mod-auth-openidc-2.1.3/src/cache/lock.c 2016-01-08 21:50:18.000000000 +0100 +++ libapache2-mod-auth-openidc-2.1.5/src/cache/lock.c 2017-01-28 14:28:49.000000000 +0100 @@ -18,7 +18,7 @@ */ /*************************************************************************** - * Copyright (C) 2013-2016 Ping Identity Corporation + * Copyright (C) 2013-2017 Ping Identity Corporation * All rights reserved. * * For further information please contact: @@ -47,7 +47,7 @@ * * global lock implementation * - * @Author: Hans Zandbelt - hzandb...@pingidentity.com + * @Author: Hans Zandbelt - hans.zandb...@zmartzone.eu */ #ifndef WIN32 diff -Nru libapache2-mod-auth-openidc-2.1.3/src/cache/memcache.c libapache2-mod-auth-openidc-2.1.5/src/cache/memcache.c --- libapache2-mod-auth-openidc-2.1.3/src/cache/memcache.c 2016-11-09 19:14:02.000000000 +0100 +++ libapache2-mod-auth-openidc-2.1.5/src/cache/memcache.c 2017-01-28 14:28:49.000000000 +0100 @@ -18,7 +18,7 @@ */ /*************************************************************************** - * Copyright (C) 2013-2016 Ping Identity Corporation + * Copyright (C) 2013-2017 Ping Identity Corporation * All rights reserved. * * For further information please contact: 
@@ -47,7 +47,7 @@ * * caching using a memcache backend * - * @Author: Hans Zandbelt - hzandb...@pingidentity.com + * @Author: Hans Zandbelt - hans.zandb...@zmartzone.eu */ #include "apr_general.h" diff -Nru libapache2-mod-auth-openidc-2.1.3/src/cache/redis.c libapache2-mod-auth-openidc-2.1.5/src/cache/redis.c --- libapache2-mod-auth-openidc-2.1.3/src/cache/redis.c 2016-09-09 16:18:11.000000000 +0200 +++ libapache2-mod-auth-openidc-2.1.5/src/cache/redis.c 2017-01-28 14:28:49.000000000 +0100 @@ -18,7 +18,7 @@ */ /*************************************************************************** - * Copyright (C) 2013-2016 Ping Identity Corporation + * Copyright (C) 2013-2017 Ping Identity Corporation * All rights reserved. * * For further information please contact: @@ -47,7 +47,7 @@ * * caching using a Redis backend * - * @Author: Hans Zandbelt - hzandb...@pingidentity.com + * @Author: Hans Zandbelt - hans.zandb...@zmartzone.eu */ #include "apr_general.h" diff -Nru libapache2-mod-auth-openidc-2.1.3/src/cache/shm.c libapache2-mod-auth-openidc-2.1.5/src/cache/shm.c --- libapache2-mod-auth-openidc-2.1.3/src/cache/shm.c 2016-09-09 16:18:11.000000000 +0200 +++ libapache2-mod-auth-openidc-2.1.5/src/cache/shm.c 2017-01-28 14:28:49.000000000 +0100 @@ -18,7 +18,7 @@ */ /*************************************************************************** - * Copyright (C) 2013-2016 Ping Identity Corporation + * Copyright (C) 2013-2017 Ping Identity Corporation * All rights reserved. * * For further information please contact: 
@@ -48,7 +48,7 @@ * caching using a shared memory backend, FIFO-style * based on mod_auth_mellon code * - * @Author: Hans Zandbelt - hzandb...@pingidentity.com + * @Author: Hans Zandbelt - hans.zandb...@zmartzone.eu */ #include <httpd.h> diff -Nru libapache2-mod-auth-openidc-2.1.3/src/config.c libapache2-mod-auth-openidc-2.1.5/src/config.c --- libapache2-mod-auth-openidc-2.1.3/src/config.c 2016-10-27 16:23:12.000000000 +0200 +++ libapache2-mod-auth-openidc-2.1.5/src/config.c 2017-01-28 14:28:49.000000000 +0100 @@ -18,7 +18,7 @@ */ /*************************************************************************** - * Copyright (C) 2013-2016 Ping Identity Corporation + * Copyright (C) 2013-2017 Ping Identity Corporation * All rights reserved. * * For further information please contact: @@ -45,7 +45,7 @@ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. * - * @Author: Hans Zandbelt - hzandb...@pingidentity.com + * @Author: Hans Zandbelt - hans.zandb...@zmartzone.eu */ #include <apr.h> diff -Nru libapache2-mod-auth-openidc-2.1.3/src/jose.c libapache2-mod-auth-openidc-2.1.5/src/jose.c --- libapache2-mod-auth-openidc-2.1.3/src/jose.c 2016-10-27 16:23:12.000000000 +0200 +++ libapache2-mod-auth-openidc-2.1.5/src/jose.c 2017-01-28 14:28:49.000000000 +0100 @@ -18,7 +18,7 @@ */ /*************************************************************************** - * Copyright (C) 2013-2016 Ping Identity Corporation + * Copyright (C) 2013-2017 Ping Identity Corporation * All rights reserved. * * For further information please contact: @@ -47,7 +47,7 @@ * * JSON Web Token handling * - * @Author: Hans Zandbelt - hzandb...@pingidentity.com + * @Author: Hans Zandbelt - hans.zandb...@zmartzone.eu */ #include <apr_base64.h> 
@@ -1061,7 +1061,7 @@ } const BIGNUM *rsa_n, *rsa_e, *rsa_d; -#if OPENSSL_VERSION_NUMBER >= 0x10100005L +#if OPENSSL_VERSION_NUMBER >= 0x10100005L && !defined (LIBRESSL_VERSION_NUMBER) RSA_get0_key(rsa, &rsa_n, &rsa_e, &rsa_d); #else rsa_n = rsa->n; diff -Nru libapache2-mod-auth-openidc-2.1.3/src/jose.h libapache2-mod-auth-openidc-2.1.5/src/jose.h --- libapache2-mod-auth-openidc-2.1.3/src/jose.h 2016-10-27 16:23:12.000000000 +0200 +++ libapache2-mod-auth-openidc-2.1.5/src/jose.h 2017-01-28 14:28:49.000000000 +0100 @@ -18,7 +18,7 @@ */ /*************************************************************************** - * Copyright (C) 2013-2016 Ping Identity Corporation + * Copyright (C) 2013-2017 Ping Identity Corporation * All rights reserved. * * For further information please contact: @@ -47,7 +47,7 @@ * * JSON Object Signing and Encryption * - * @Author: Hans Zandbelt - hzandb...@pingidentity.com + * @Author: Hans Zandbelt - hans.zandb...@zmartzone.eu */ #ifndef MOD_AUTH_OPENIDC_JOSE_H_ diff -Nru libapache2-mod-auth-openidc-2.1.3/src/metadata.c libapache2-mod-auth-openidc-2.1.5/src/metadata.c --- libapache2-mod-auth-openidc-2.1.3/src/metadata.c 2016-10-27 16:23:12.000000000 +0200 +++ libapache2-mod-auth-openidc-2.1.5/src/metadata.c 2017-01-28 14:28:49.000000000 +0100 @@ -18,7 +18,7 @@ */ /*************************************************************************** - * Copyright (C) 2013-2016 Ping Identity Corporation + * Copyright (C) 2013-2017 Ping Identity Corporation * All rights reserved. * * For further information please contact: @@ -47,7 +47,7 @@ * * OpenID Connect metadata handling routines, for both OP discovery and client registration * - * @Author: Hans Zandbelt - hzandb...@pingidentity.com + * @Author: Hans Zandbelt - hans.zandb...@zmartzone.eu */ #include <apr_hash.h> 
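Review bot: The added `!defined (LIBRESSL_VERSION_NUMBER)` needs a comment, because a reader otherwise has to know that LibreSSL advertises an OPENSSL_VERSION_NUMBER above the 1.1.0 threshold while still exposing the RSA struct members and (in the releases this guard was written against) not providing RSA_get0_key(), which is why it must fall into the `rsa->n` branch below. Suggested: `/* LibreSSL reports a 2.x OPENSSL_VERSION_NUMBER but lacks RSA_get0_key(); keep direct struct access for it */`. The enclosing function starts and ends outside the hunk.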
@@ -535,7 +535,7 @@ json_object_set_new(data, "initiate_login_uri", json_string(cfg->redirect_uri)); - json_object_set_new(data, "logout_uri", + json_object_set_new(data, "frontchannel_logout_uri", json_string(apr_psprintf(r->pool, "%s?logout=%s", cfg->redirect_uri, OIDC_GET_STYLE_LOGOUT_PARAM_VALUE))); diff -Nru libapache2-mod-auth-openidc-2.1.3/src/mod_auth_openidc.c libapache2-mod-auth-openidc-2.1.5/src/mod_auth_openidc.c --- libapache2-mod-auth-openidc-2.1.3/src/mod_auth_openidc.c 2016-11-09 19:14:02.000000000 +0100 +++ libapache2-mod-auth-openidc-2.1.5/src/mod_auth_openidc.c 2017-01-30 20:01:47.000000000 +0100 @@ -18,7 +18,7 @@ */ /*************************************************************************** - * Copyright (C) 2013-2016 Ping Identity Corporation + * Copyright (C) 2013-2017 Ping Identity Corporation * All rights reserved. * * For further information please contact: @@ -51,7 +51,7 @@ * Other code copied/borrowed/adapted: * shared memory caching: mod_auth_mellon * - * @Author: Hans Zandbelt - hzandb...@pingidentity.com + * @Author: Hans Zandbelt - hans.zandb...@zmartzone.eu * **************************************************************************/ 
@@ -130,6 +130,30 @@
 }
 
 /*
+ * scrub all mod_auth_openidc related headers
+ */
+static void oidc_scrub_headers(request_rec *r) {
+ oidc_cfg *cfg = ap_get_module_config(r->server->module_config,
+ &auth_openidc_module);
+
+ if (cfg->scrub_request_headers != 0) {
+
+ /* scrub all headers starting with OIDC_ first */
+ oidc_scrub_request_headers(r, OIDC_DEFAULT_HEADER_PREFIX,
+ oidc_cfg_dir_authn_header(r));
+
+ /*
+ * then see if the claim headers need to be removed on top of that
+ * (i.e. the prefix does not start with the default OIDC_)
+ */
+ if ((strstr(cfg->claim_prefix, OIDC_DEFAULT_HEADER_PREFIX)
+ != cfg->claim_prefix)) {
+ oidc_scrub_request_headers(r, cfg->claim_prefix, NULL);
+ }
+ }
+}
+
+/*
  * strip the session cookie from the headers sent to the application/backend
  */
 static void oidc_strip_cookies(request_rec *r) {
@@ -1260,21 +1284,7 @@
  * we're going to pass the information that we have to the application,
  * but first we need to scrub the headers that we're going to use for security reasons
  */
- if (cfg->scrub_request_headers != 0) {
-
- /* scrub all headers starting with OIDC_ first */
- oidc_scrub_request_headers(r, OIDC_DEFAULT_HEADER_PREFIX,
- oidc_cfg_dir_authn_header(r));
-
- /*
- * then see if the claim headers need to be removed on top of that
- * (i.e. the prefix does not start with the default OIDC_)
- */
- if ((strstr(cfg->claim_prefix, OIDC_DEFAULT_HEADER_PREFIX)
- != cfg->claim_prefix)) {
- oidc_scrub_request_headers(r, cfg->claim_prefix, NULL);
- }
- }
+ oidc_scrub_headers(r);
 
 /* set the user authentication HTTP header if set and required */
 if ((r->user != NULL) && (authn_header != NULL))
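Review bot: The new helper's header comment should state that the whole scrub is gated on `cfg->scrub_request_headers`, because the helper is now the single place both the authenticated and (per the later hunk) the unauthenticated pass-through path rely on, and an administrator who turns scrubbing off via `OIDCScrubRequestHeaders` silently loses that protection on both; suggested wording: `/* scrub all mod_auth_openidc related headers; no-op when OIDCScrubRequestHeaders is off, in which case client-supplied OIDC_* headers reach the application */`. The prefix test `strstr(cfg->claim_prefix, OIDC_DEFAULT_HEADER_PREFIX) != cfg->claim_prefix` is an indirect way to ask whether claim_prefix starts with the default prefix; `strncmp(cfg->claim_prefix, OIDC_DEFAULT_HEADER_PREFIX, strlen(OIDC_DEFAULT_HEADER_PREFIX)) != 0` says that directly, and if claim_prefix can be unset at this point (not visible here) both forms need a NULL guard first. The code is moved rather than new, but since it is now a named unit this is the moment to tidy it.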
@@ -1302,18 +1312,18 @@ OIDC_DEFAULT_HEADER_PREFIX, pass_headers, pass_envvars); } - if (cfg->session_type != OIDC_SESSION_TYPE_CLIENT_COOKIE) { - if ((cfg->pass_idtoken_as & OIDC_PASS_IDTOKEN_AS_SERIALIZED)) { + if ((cfg->pass_idtoken_as & OIDC_PASS_IDTOKEN_AS_SERIALIZED)) { + if (cfg->session_type != OIDC_SESSION_TYPE_CLIENT_COOKIE) { const char *s_id_token = NULL; /* get the compact serialized JWT from the session */ oidc_session_get(r, session, OIDC_IDTOKEN_SESSION_KEY, &s_id_token); /* pass the compact serialized JWT to the app in a header or environment variable */ oidc_util_set_app_info(r, "id_token", s_id_token, OIDC_DEFAULT_HEADER_PREFIX, pass_headers, pass_envvars); + } else { + oidc_error(r, + "session type \"client-cookie\" does not allow storing/passing the id_token; use \"OIDCSessionType server-cache\" for that"); } - } else { - oidc_error(r, - "session type \"client-cookie\" does not allow storing/passing the id_token; use \"OIDCSessionType server-cache\" for that"); } /* set the refresh_token in the app headers/variables, if enabled for this location/directory */ @@ -1846,6 +1856,7 @@ /* see if we've got any POST-ed data at all */ if ((apr_table_elts(params)->nelts < 1) || ((apr_table_elts(params)->nelts == 1) + && apr_table_get(params, "response_mode") && (apr_strnatcmp(apr_table_get(params, "response_mode"), "fragment") == 0))) { return oidc_util_html_send_error(r, c->error_template, @@ -2841,11 +2852,15 @@ oidc_handle_redirect_authorization_response(r, c, session); } + oidc_error(r, + "The OpenID Connect callback URL received an invalid request: %s; returning HTTP_INTERNAL_SERVER_ERROR", + r->args); + /* something went wrong */ return oidc_util_html_send_error(r, c->error_template, "Invalid Request", apr_psprintf(r->pool, - "The OpenID Connect callback URL received an invalid request: %s", - r->args), HTTP_INTERNAL_SERVER_ERROR); + "The OpenID Connect callback URL received an invalid request"), + HTTP_INTERNAL_SERVER_ERROR); } /* 
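Review bot: In the `@@ -2841,11 +2852,15 @@` hunk the raw `r->args` no longer goes into the HTML error page but is now passed to `oidc_error()` through `%s`, so request-controlled text moves from the response into the error log; whether httpd's error logger escapes control characters in that text depends on the httpd version (I cannot confirm from the hunk), so consider bounding or escaping the logged value if older servers are targeted. The replacement message is built with `apr_psprintf(r->pool, "The OpenID Connect callback URL received an invalid request")`, which has no format arguments; the literal can be passed directly, as the `"Invalid Request"` argument on the same call already is. The enclosing function starts outside the hunk.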
@@ -2955,6 +2970,13 @@ return HTTP_UNAUTHORIZED; case OIDC_UNAUTH_PASS: r->user = ""; + + /* + * we're not going to pass information about an authenticated user to the application, + * but we do need to scrub the headers that mod_auth_openidc would set for security reasons + */ + oidc_scrub_headers(r); + return OK; case OIDC_UNAUTH_AUTHENTICATE: /* if this is a Javascript path we won't redirect the user and create a state cookie */ diff -Nru libapache2-mod-auth-openidc-2.1.3/src/mod_auth_openidc.h libapache2-mod-auth-openidc-2.1.5/src/mod_auth_openidc.h --- libapache2-mod-auth-openidc-2.1.3/src/mod_auth_openidc.h 2016-12-13 18:25:06.000000000 +0100 +++ libapache2-mod-auth-openidc-2.1.5/src/mod_auth_openidc.h 2017-01-29 15:05:57.000000000 +0100 @@ -18,7 +18,7 @@ */ /*************************************************************************** - * Copyright (C) 2013-2016 Ping Identity Corporation + * Copyright (C) 2013-2017 Ping Identity Corporation * All rights reserved. * * For further information please contact: @@ -45,7 +45,7 @@ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. * - * @Author: Hans Zandbelt - hzandb...@pingidentity.com + * @Author: Hans Zandbelt - hans.zandb...@zmartzone.eu */ #ifndef MOD_AUTH_OPENIDC_H_ diff -Nru libapache2-mod-auth-openidc-2.1.3/src/oauth.c libapache2-mod-auth-openidc-2.1.5/src/oauth.c --- libapache2-mod-auth-openidc-2.1.3/src/oauth.c 2016-10-20 14:09:24.000000000 +0200 +++ libapache2-mod-auth-openidc-2.1.5/src/oauth.c 2017-01-28 14:28:49.000000000 +0100 @@ -18,7 +18,7 @@ */ /*************************************************************************** - * Copyright (C) 2013-2016 Ping Identity Corporation + * Copyright (C) 2013-2017 Ping Identity Corporation * All rights reserved. * * For further information please contact: 
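Review bot: The `oidc_scrub_headers(r)` call before `return OK` in the `OIDC_UNAUTH_PASS` case only scrubs when the configuration consulted inside the helper has scrubbing enabled, so the comment above it should not read as an unconditional guarantee; suggested: `/* scrub the headers mod_auth_openidc would otherwise set, so a client cannot spoof them on the pass-through path; this relies on OIDCScrubRequestHeaders being on */`. The hunk at `@@ -130,6 +130,30 @@` shows a separate `oidc_strip_cookies()` step for the session cookie; if that step is not reached on this path either (the surrounding switch starts outside the hunk, so I cannot tell), the same pass-through request would still forward the module's cookie to the backend. A regression test that sends a request carrying a forged authn/claim header with `OIDCUnAuthAction pass` and asserts it is absent at the backend would pin this fix.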
@@ -45,7 +45,7 @@ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. * - * @Author: Hans Zandbelt - hzandb...@pingidentity.com + * @Author: Hans Zandbelt - hans.zandb...@zmartzone.eu */ #include <apr_lib.h> diff -Nru libapache2-mod-auth-openidc-2.1.3/src/parse.c libapache2-mod-auth-openidc-2.1.5/src/parse.c --- libapache2-mod-auth-openidc-2.1.3/src/parse.c 2016-10-27 16:23:12.000000000 +0200 +++ libapache2-mod-auth-openidc-2.1.5/src/parse.c 2017-01-28 14:28:49.000000000 +0100 @@ -18,7 +18,7 @@ */ /*************************************************************************** - * Copyright (C) 2013-2016 Ping Identity Corporation + * Copyright (C) 2013-2017 Ping Identity Corporation * All rights reserved. * * For further information please contact: @@ -47,7 +47,7 @@ * * Validation and parsing of configuration values. * - * @Author: Hans Zandbelt - hzandb...@pingidentity.com + * @Author: Hans Zandbelt - hans.zandb...@zmartzone.eu */ #include <apr_base64.h> diff -Nru libapache2-mod-auth-openidc-2.1.3/src/parse.h libapache2-mod-auth-openidc-2.1.5/src/parse.h --- libapache2-mod-auth-openidc-2.1.3/src/parse.h 2016-10-27 16:23:12.000000000 +0200 +++ libapache2-mod-auth-openidc-2.1.5/src/parse.h 2017-01-28 14:28:49.000000000 +0100 @@ -18,7 +18,7 @@ */ /*************************************************************************** - * Copyright (C) 2013-2016 Ping Identity Corporation + * Copyright (C) 2013-2017 Ping Identity Corporation * All rights reserved. * * For further information please contact: 
@@ -47,7 +47,7 @@ * * Validation and parsing of configuration values. * - * @Author: Hans Zandbelt - hzandb...@pingidentity.com + * @Author: Hans Zandbelt - hans.zandb...@zmartzone.eu */ #ifndef MOD_AUTH_OPENIDC_PARSE_H_ diff -Nru libapache2-mod-auth-openidc-2.1.3/src/proto.c libapache2-mod-auth-openidc-2.1.5/src/proto.c --- libapache2-mod-auth-openidc-2.1.3/src/proto.c 2016-11-19 13:46:48.000000000 +0100 +++ libapache2-mod-auth-openidc-2.1.5/src/proto.c 2017-01-28 14:28:49.000000000 +0100 @@ -18,7 +18,7 @@ */ /*************************************************************************** - * Copyright (C) 2013-2016 Ping Identity Corporation + * Copyright (C) 2013-2017 Ping Identity Corporation * All rights reserved. * * For further information please contact: @@ -45,7 +45,7 @@ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. * - * @Author: Hans Zandbelt - hzandb...@pingidentity.com + * @Author: Hans Zandbelt - hans.zandb...@zmartzone.eu */ #include <httpd.h> diff -Nru libapache2-mod-auth-openidc-2.1.3/src/session.c libapache2-mod-auth-openidc-2.1.5/src/session.c --- libapache2-mod-auth-openidc-2.1.3/src/session.c 2016-12-13 18:25:06.000000000 +0100 +++ libapache2-mod-auth-openidc-2.1.5/src/session.c 2017-01-28 14:28:49.000000000 +0100 @@ -18,7 +18,7 @@ */ /*************************************************************************** - * Copyright (C) 2013-2016 Ping Identity Corporation + * Copyright (C) 2013-2017 Ping Identity Corporation * All rights reserved. * * For further information please contact: 
@@ -45,7 +45,7 @@ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. * - * @Author: Hans Zandbelt - hzandb...@pingidentity.com + * @Author: Hans Zandbelt - hans.zandb...@zmartzone.eu */ #include <apr_base64.h> diff -Nru libapache2-mod-auth-openidc-2.1.3/src/util.c libapache2-mod-auth-openidc-2.1.5/src/util.c --- libapache2-mod-auth-openidc-2.1.3/src/util.c 2016-10-20 14:09:24.000000000 +0200 +++ libapache2-mod-auth-openidc-2.1.5/src/util.c 2017-01-28 14:28:49.000000000 +0100 @@ -18,7 +18,7 @@ */ /*************************************************************************** - * Copyright (C) 2013-2016 Ping Identity Corporation + * Copyright (C) 2013-2017 Ping Identity Corporation * All rights reserved. * * For further information please contact: @@ -45,7 +45,7 @@ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. * - * @Author: Hans Zandbelt - hzandb...@pingidentity.com + * @Author: Hans Zandbelt - hans.zandb...@zmartzone.eu */ #include <apr_strings.h> 
@@ -449,28 +449,48 @@
 return url;
 }
 
-/* maximum size of any response returned in HTTP calls */
-#define OIDC_CURL_MAX_RESPONSE_SIZE 65536
-
 /* buffer to hold HTTP call responses */
 typedef struct oidc_curl_buffer {
- char buf[OIDC_CURL_MAX_RESPONSE_SIZE];
- size_t written;
+ request_rec *r;
+ char *memory;
+ size_t size;
 } oidc_curl_buffer;
 
+/* maximum acceptable size of HTTP responses: 1 Mb */
+#define OIDC_CURL_MAX_RESPONSE_SIZE 1024 * 1024
+
 /*
  * callback for CURL to write bytes that come back from an HTTP call
  */
-size_t oidc_curl_write(const void *ptr, size_t size, size_t nmemb, void *stream) {
- oidc_curl_buffer *curlBuffer = (oidc_curl_buffer *) stream;
+size_t oidc_curl_write(void *contents, size_t size, size_t nmemb, void *userp) {
+ size_t realsize = size * nmemb;
+ oidc_curl_buffer *mem = (oidc_curl_buffer *) userp;
+
+ /* check if we don't run over the maximum buffer/memory size for HTTP responses */
+ if (mem->size + realsize > OIDC_CURL_MAX_RESPONSE_SIZE) {
+ oidc_error(mem->r,
+ "HTTP response larger than maximum allowed size: current size=%ld, additional size=%ld, max=%d",
+ mem->size, realsize, OIDC_CURL_MAX_RESPONSE_SIZE);
+ return 0;
+ }
 
- if ((nmemb * size) + curlBuffer->written >= OIDC_CURL_MAX_RESPONSE_SIZE)
+ /* allocate the new buffer for the current + new response bytes */
+ char *newptr = apr_palloc(mem->r->pool, mem->size + realsize + 1);
+ if (newptr == NULL) {
+ oidc_error(mem->r,
+ "memory allocation for new buffer of %ld bytes failed",
+ mem->size + realsize + 1);
 return 0;
+ }
 
- memcpy((curlBuffer->buf + curlBuffer->written), ptr, (nmemb * size));
- curlBuffer->written += (nmemb * size);
+ /* copy over the data from current memory plus the cURL buffer */
+ memcpy(newptr, mem->memory, mem->size);
+ memcpy(&(newptr[mem->size]), contents, realsize);
+ mem->size += realsize;
+ mem->memory = newptr;
+ mem->memory[mem->size] = 0;
 
- return (nmemb * size);
+ return realsize;
 }
 
 /* context structure for encoding parameters */
@@ -519,6 +539,9 @@
  return FALSE;
 }
 
+ /* set the error buffer as empty before performing a request */
+ curlError[0] = 0;
+
  /* some of these are not really required */
  curl_easy_setopt(curl, CURLOPT_HEADER, 0L);
  curl_easy_setopt(curl, CURLOPT_NOPROGRESS, 1L);
@@ -531,10 +554,11 @@
  curl_easy_setopt(curl, CURLOPT_TIMEOUT, timeout);
 
  /* setup the buffer where the response will be written to */
- curlBuffer.written = 0;
- memset(curlBuffer.buf, '\0', sizeof(curlBuffer.buf));
- curl_easy_setopt(curl, CURLOPT_WRITEDATA, &curlBuffer);
+ curlBuffer.r = r;
+ curlBuffer.memory = NULL;
+ curlBuffer.size = 0;
  curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, oidc_curl_write);
+ curl_easy_setopt(curl, CURLOPT_WRITEDATA, (void * )&curlBuffer);
 
 #ifndef LIBCURL_NO_CURLPROTO
  curl_easy_setopt(curl, CURLOPT_REDIR_PROTOCOLS,
@@ -635,7 +659,8 @@
  /* call it and record the result */
  int rv = TRUE;
  if (curl_easy_perform(curl) != CURLE_OK) {
- oidc_error(r, "curl_easy_perform() failed on: %s (%s)", url, curlError);
+ oidc_error(r, "curl_easy_perform() failed on: %s (%s)", url,
+ curlError[0] ? curlError : "");
  rv = FALSE;
  goto out;
  }
@@ -644,10 +669,10 @@
  curl_easy_getinfo(curl, CURLINFO_RESPONSE_CODE, &response_code);
  oidc_debug(r, "HTTP response code=%ld", response_code);
 
- *response = apr_pstrndup(r->pool, curlBuffer.buf, curlBuffer.written);
+ *response = apr_pstrndup(r->pool, curlBuffer.memory, curlBuffer.size);
 
  /* set and log the response */
- oidc_debug(r, "response=%s", *response);
+ oidc_debug(r, "response=%s", *response ? *response : "");
 
 out:
 
diff -Nru libapache2-mod-auth-openidc-2.1.3/test/test.c libapache2-mod-auth-openidc-2.1.5/test/test.c
--- libapache2-mod-auth-openidc-2.1.3/test/test.c	2016-10-20 14:09:24.000000000 +0200
+++ libapache2-mod-auth-openidc-2.1.5/test/test.c	2017-01-28 14:28:49.000000000 +0100
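Review bot: The new `CURLOPT_WRITEDATA` line in the `@@ -531` hunk casts with `(void * )&curlBuffer`, which is both oddly spaced and unnecessary, since a `oidc_curl_buffer *` converts to `void *` implicitly and the removed line passed `&curlBuffer` directly. Prefer `curl_easy_setopt(curl, CURLOPT_WRITEDATA, &curlBuffer);` to match the other `curl_easy_setopt` calls in this function, whose start lies outside the hunk.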
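Review bot: In the `@@ -644` hunk, `*response = apr_pstrndup(r->pool, curlBuffer.memory, curlBuffer.size);` yields a NULL `*response` whenever the upstream reply had an empty body, because `curlBuffer.memory` is only allocated inside the write callback and `apr_pstrndup` returns NULL for a NULL input; the old fixed, zero-filled buffer always produced an empty string here. The new debug line's `*response ? *response : ""` shows the author noticed this, but any caller that passes `*response` straight to a parser would presumably now dereference NULL on a `200` with no body, so normalise once at the source: `*response = apr_pstrndup(r->pool, curlBuffer.memory ? curlBuffer.memory : "", curlBuffer.size);`. The copy itself is also redundant, since the callback already NUL-terminates a pool-allocated buffer, so assigning `curlBuffer.memory` (with the same empty-string fallback) would do. The enclosing function starts and ends outside this hunk.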
@@ -18,7 +18,7 @@
  */
 
 /***************************************************************************
- * Copyright (C) 2013-2016 Ping Identity Corporation
+ * Copyright (C) 2013-2017 Ping Identity Corporation
  * All rights reserved.
  *
  * For further information please contact:
@@ -45,7 +45,7 @@
  * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
  * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  *
- * @Author: Hans Zandbelt - hzandb...@pingidentity.com
+ * @Author: Hans Zandbelt - hans.zandb...@zmartzone.eu
  *
  **************************************************************************/
 
diff -Nru libapache2-mod-auth-openidc-2.1.3/test/test-cmd.c libapache2-mod-auth-openidc-2.1.5/test/test-cmd.c
--- libapache2-mod-auth-openidc-2.1.3/test/test-cmd.c	2016-11-09 19:14:02.000000000 +0100
+++ libapache2-mod-auth-openidc-2.1.5/test/test-cmd.c	2017-01-28 14:28:49.000000000 +0100
@@ -1,3 +1,54 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+/***************************************************************************
+ * Copyright (C) 2013-2017 Ping Identity Corporation
+ * All rights reserved.
+ *
+ * For further information please contact:
+ *
+ * Ping Identity Corporation
+ * 1099 18th St Suite 2950
+ * Denver, CO 80202
+ * 303.468.2900
+ * http://www.pingidentity.com
+ *
+ * DISCLAIMER OF WARRANTIES:
+ *
+ * THE SOFTWARE PROVIDED HEREUNDER IS PROVIDED ON AN "AS IS" BASIS, WITHOUT
+ * ANY WARRANTIES OR REPRESENTATIONS EXPRESS, IMPLIED OR STATUTORY; INCLUDING,
+ * WITHOUT LIMITATION, WARRANTIES OF QUALITY, PERFORMANCE, NONINFRINGEMENT,
+ * MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. NOR ARE THERE ANY
+ * WARRANTIES CREATED BY A COURSE OR DEALING, COURSE OF PERFORMANCE OR TRADE
+ * USAGE. FURTHERMORE, THERE ARE NO WARRANTIES THAT THE SOFTWARE WILL MEET
+ * YOUR NEEDS OR BE FREE FROM ERRORS, OR THAT THE OPERATION OF THE SOFTWARE
+ * WILL BE UNINTERRUPTED. IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES HOWEVER CAUSED AND ON ANY THEORY OF
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ * @Author: Hans Zandbelt - hans.zandb...@zmartzone.eu
+ *
+ **************************************************************************/
+
 #include <stdio.h>
 #include <string.h>
 
@@ -47,6 +98,12 @@
  (*rbuf)[bytes_read] = '\0';
 
+ bytes_read--;
+ while ((*rbuf)[bytes_read] == '\n') {
+ (*rbuf)[bytes_read] = '\0';
+ bytes_read --;
+ }
+
  apr_file_close(fd);
 
  return 0;
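Review bot: The newline-stripping loop added before `apr_file_close(fd)` in the `@@ -47,6 +98,12 @@` hunk has no lower bound on the index: for an empty input `bytes_read--` moves it before the buffer (or wraps to a huge value if `bytes_read` is an unsigned `apr_size_t`, which its declaration outside the hunk would show), and an input consisting only of newlines walks past index 0 and writes `'\0'` outside `*rbuf`. Check the bound before each access, e.g. `while (bytes_read > 0 && (*rbuf)[bytes_read - 1] == '\n') { (*rbuf)[--bytes_read] = '\0'; }`, which also leaves `bytes_read` equal to the final string length instead of one less. This is test tooling that reads local files, so the exposure is a crash rather than anything remote, but a fuzzed or empty fixture will trip it. The enclosing function starts outside the hunk and its closing brace is not visible in this view.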