--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: lemonldap...@packages.debian.org, y...@debian.org
Control: affects -1 + src:lemonldap-ng
[ Reason ]
Two new vulnerabilities have been dicovered and fixed in lemonldap-ng:
- an open redirection due to incorrect escape handling
- an open redirection only when configuration is edited by hand and
doesn't follow OIDC specifications
- a server-side-request-forgery (CVE-2023-44469) in OIDC protocol:
A little-know feature of OIDC allows the OpenID Provider to fetch the
Authorization request parameters itself by indicating a request_uri
parameter. This feature is now restricted to a white list using this
patch
[ Impact ]
Two low and one medium security issue.
[ Tests ]
Patches includes test updates
[ Risks ]
Outside of test changes, patches are not so big and the test coverage
provided by upstream is good, so risk is moderate.
[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable
[ Changes ]
- open redirection patch: use `URI->new($url)->as_string` in each
redirections
- OIDC open redirection patch: just rejects requests with `redirect_uri` if
relying party configuration has no declared redirect URIs.
- SSRF patch:
* add new configuration parameter to list authorized "request_uris"
* change the algorithm that manage request_uri parameter
Cheers,
Yadd
diff --git a/debian/NEWS b/debian/NEWS
index c4d7ee951..ba4a14a12 100644
--- a/debian/NEWS
+++ b/debian/NEWS
@@ -1,3 +1,13 @@
+lemonldap-ng (2.0.11+ds-4+deb11u5) bullseye; urgency=medium
+
+ A little-know feature of OIDC allows the OpenID Provider to fetch the
+ Authorization request parameters itself by indicating a request_uri
+ parameter.
+ By default, this feature is now restricted to a white list. See
+ Relying-Party security option to fill this field.
+
+ -- Yadd <y...@debian.org> Fri, 29 Sep 2023 17:38:51 +0400
+
lemonldap-ng (2.0.11+ds-4+deb11u4) bullseye; urgency=medium
AuthBasic now enforces 2FA activation (CVE-2023-28862):
diff --git a/debian/changelog b/debian/changelog
index 5d2c62ac0..35d5599a4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+lemonldap-ng (2.0.11+ds-4+deb11u5) bullseye; urgency=medium
+
+ * Fix open redirection when OIDC RP has no redirect uris
+ * Fix open redirection due to incorrect escape handling
+ * Fix Server-Side-Request-Forgery issue in OIDC (CVE-2023-44469)
+
+ -- Yadd <y...@debian.org> Fri, 29 Sep 2023 16:35:14 +0400
+
lemonldap-ng (2.0.11+ds-4+deb11u4) bullseye; urgency=medium
* Fix 2FA issue when using AuthBasic handler (CVE-2023-28862)
@@ -19,7 +27,7 @@ lemonldap-ng (2.0.11+ds-4+deb11u2) bullseye; urgency=medium
lemonldap-ng (2.0.11+ds-4+deb11u1) bullseye; urgency=medium
- * Fix auth process in password-testing plugins (Closes: CVE-2021-20874)
+ * Fix auth process in password-testing plugins (Closes: #1005302,
CVE-2021-40874)
-- Yadd <y...@debian.org> Thu, 24 Feb 2022 15:16:09 +0100
diff --git a/debian/clean b/debian/clean
index 73f167814..cdb4a5ae4 100644
--- a/debian/clean
+++ b/debian/clean
@@ -1,3 +1,4 @@
+doc/pages/documentation/current/.buildinfo
lemonldap-ng-manager/site/htdocs/static/js/conftree.js
lemonldap-ng-manager/site/htdocs/static/struct.json
lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Attributes.pm
diff --git a/debian/patches/SSRF-issue.patch b/debian/patches/SSRF-issue.patch
new file mode 100644
index 000000000..dce756430
--- /dev/null
+++ b/debian/patches/SSRF-issue.patch
@@ -0,0 +1,627 @@
+Description: fix SSRF vulnerability
+ Issue described here:
https://security.lauritz-holtmann.de/post/sso-security-ssrf/
+Author: Maxime Besson <maxime.bes...@worteks.com>
+Origin: upstream,
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/383/diffs
+Bug: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2998
+Forwarded: not-needed
+Applied-Upstream: 2.17.1,
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/383/diffs
+Reviewed-By: Yadd <y...@debian.org>
+Last-Update: 2023-09-23
+
+--- a/doc/sources/admin/idpopenidconnect.rst
++++ b/doc/sources/admin/idpopenidconnect.rst
+@@ -278,6 +278,11 @@
+ the Session Browser.
+ - **Allow OAuth2.0 Password Grant** (since version ``2.0.8``): Allow the
use of the :ref:`Resource Owner Password Credentials Grant
<resource-owner-password-grant>` by this client. This feature only works if you
have configured a form-based authentication module.
+ - **Allow OAuth2.0 Client Credentials Grant** (since version ``2.0.11``):
Allow the use of the :ref:`Resource Owner Password Credentials Grant
<client-credentials-grant>` by this client.
++ - **Allowed URLs for fetching Request Object**: (since version ``2.17.1``):
++ which URLs may be called by the portal to fetch the request object (see
++ `request_uri
++
<https://openid.net/specs/openid-connect-core-1_0.html#RequestUriParameter>`__
++ in OIDC specifications). These URLs may use wildcards
(``https://app.example.com/*``).
+ - **Authentication Level**: required authentication level to access this
application
+ - **Access Rule**: lets you specify a :doc:`Perl rule<rules_examples>` to
restrict access to this client
+
+--- a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Attributes.pm
++++ b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Attributes.pm
+@@ -4202,6 +4202,7 @@
+ oidcRPMetaDataOptionsAuthorizationCodeExpiration => { type => 'int' },
+ oidcRPMetaDataOptionsOfflineSessionExpiration => { type => 'int' },
+ oidcRPMetaDataOptionsRedirectUris => { type => 'text',
},
++ oidcRPMetaDataOptionsRequestUris => { type => 'text',
},
+ oidcRPMetaDataOptionsExtraClaims => {
+ type => 'keyTextContainer',
+ keyTest => qr/^[\x21\x23-\x5B\x5D-\x7E]+$/,
+--- a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/CTrees.pm
++++ b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/CTrees.pm
+@@ -225,6 +225,7 @@
+ 'oidcRPMetaDataOptionsAllowOffline',
+ 'oidcRPMetaDataOptionsAllowPasswordGrant',
+
'oidcRPMetaDataOptionsAllowClientCredentialsGrant',
++ 'oidcRPMetaDataOptionsRequestUris',
+ 'oidcRPMetaDataOptionsAuthnLevel',
+ 'oidcRPMetaDataOptionsRule',
+ ]
+--- a/lemonldap-ng-manager/site/htdocs/static/languages/ar.json
++++ b/lemonldap-ng-manager/site/htdocs/static/languages/ar.json
+@@ -626,6 +626,7 @@
+ "oidcRPMetaDataOptionsLogoutUrl":"يو آر إل",
+ "oidcOPMetaDataOptionsProtocol":"بروتوكول",
+ "oidcRPMetaDataOptionsPublic":"Public client",
++"oidcRPMetaDataOptionsRequestUris":"Allowed URLs for fetching Request Object",
+ "oidcRPMetaDataOptionsRequirePKCE":"Require PKCE",
+ "oidcRPMetaDataOptionsAuthnLevel":"مستوى إثبات الهوية",
+ "oidcRPMetaDataOptionsRule":"قاعدة الدخول",
+@@ -1194,4 +1195,4 @@
+ "samlRelayStateTimeout":"تناوب حالة مهلة الجلسة ",
+ "samlUseQueryStringSpecific":"استخدام أسلوب query_string المعين",
+ "samlOverrideIDPEntityID":"Override Entity ID when acting as IDP"
+-}
+\ No newline at end of file
++}
+--- a/lemonldap-ng-manager/site/htdocs/static/languages/de.json
++++ b/lemonldap-ng-manager/site/htdocs/static/languages/de.json
+@@ -626,6 +626,7 @@
+ "oidcRPMetaDataOptionsLogoutUrl":"URL",
+ "oidcOPMetaDataOptionsProtocol":"Protocol",
+ "oidcRPMetaDataOptionsPublic":"Public client",
++"oidcRPMetaDataOptionsRequestUris":"Allowed URLs for fetching Request Object",
+ "oidcRPMetaDataOptionsRequirePKCE":"Require PKCE",
+ "oidcRPMetaDataOptionsAuthnLevel":"Authentication level",
+ "oidcRPMetaDataOptionsRule":"Access rule",
+@@ -1194,4 +1195,4 @@
+ "samlRelayStateTimeout":"RelayState session timeout",
+ "samlUseQueryStringSpecific":"Use specific query_string method",
+ "samlOverrideIDPEntityID":"Override Entity ID when acting as IDP"
+-}
+\ No newline at end of file
++}
+--- a/lemonldap-ng-manager/site/htdocs/static/languages/en.json
++++ b/lemonldap-ng-manager/site/htdocs/static/languages/en.json
+@@ -626,6 +626,7 @@
+ "oidcRPMetaDataOptionsLogoutUrl":"URL",
+ "oidcOPMetaDataOptionsProtocol":"Protocol",
+ "oidcRPMetaDataOptionsPublic":"Public client",
++"oidcRPMetaDataOptionsRequestUris":"Allowed URLs for fetching Request Object",
+ "oidcRPMetaDataOptionsRequirePKCE":"Require PKCE",
+ "oidcRPMetaDataOptionsAuthnLevel":"Authentication level",
+ "oidcRPMetaDataOptionsRule":"Access rule",
+--- a/lemonldap-ng-manager/site/htdocs/static/languages/es.json
++++ b/lemonldap-ng-manager/site/htdocs/static/languages/es.json
+@@ -626,6 +626,7 @@
+ "oidcRPMetaDataOptionsLogoutUrl":"URL",
+ "oidcOPMetaDataOptionsProtocol":"Protocolo",
+ "oidcRPMetaDataOptionsPublic":"Cliente público",
++"oidcRPMetaDataOptionsRequestUris":"Allowed URLs for fetching Request Object",
+ "oidcRPMetaDataOptionsRequirePKCE":"Se requiere PKCE",
+ "oidcRPMetaDataOptionsAuthnLevel":"Authentication level",
+ "oidcRPMetaDataOptionsRule":"Regla de acceso",
+@@ -1194,4 +1195,4 @@
+ "samlRelayStateTimeout":"RelayState session timeout",
+ "samlUseQueryStringSpecific":"Use specific query_string method",
+ "samlOverrideIDPEntityID":"Override Entity ID when acting as IDP"
+-}
+\ No newline at end of file
++}
+--- a/lemonldap-ng-manager/site/htdocs/static/languages/fr.json
++++ b/lemonldap-ng-manager/site/htdocs/static/languages/fr.json
+@@ -627,6 +627,7 @@
+ "oidcRPMetaDataOptionsLogoutUrl":"URL",
+ "oidcOPMetaDataOptionsProtocol":"Protocole",
+ "oidcRPMetaDataOptionsPublic":"Client public",
++"oidcRPMetaDataOptionsRequestUris":"URLs autorisées pour récupérer les
paramètres de la requête",
+ "oidcRPMetaDataOptionsRequirePKCE":"PKCE requis",
+ "oidcRPMetaDataOptionsAuthnLevel":"Niveau d'authentification",
+ "oidcRPMetaDataOptionsRule":"Règle d'accès",
+--- a/lemonldap-ng-manager/site/htdocs/static/languages/it.json
++++ b/lemonldap-ng-manager/site/htdocs/static/languages/it.json
+@@ -626,6 +626,7 @@
+ "oidcRPMetaDataOptionsLogoutUrl":"URL",
+ "oidcOPMetaDataOptionsProtocol":"Protocollo",
+ "oidcRPMetaDataOptionsPublic":"Cliente pubblico",
++"oidcRPMetaDataOptionsRequestUris":"Allowed URLs for fetching Request Object",
+ "oidcRPMetaDataOptionsRequirePKCE":"Richiedi PKCE",
+ "oidcRPMetaDataOptionsAuthnLevel":"Livello di autenticazione",
+ "oidcRPMetaDataOptionsRule":"Regola di accesso",
+@@ -1194,4 +1195,4 @@
+ "samlRelayStateTimeout":"Timeout di sessione di RelayState",
+ "samlUseQueryStringSpecific":"Utilizza il metodo specifico query_string",
+ "samlOverrideIDPEntityID":"Sostituisci l'ID entità quando agisce come IDP"
+-}
+\ No newline at end of file
++}
+--- a/lemonldap-ng-manager/site/htdocs/static/languages/pl.json
++++ b/lemonldap-ng-manager/site/htdocs/static/languages/pl.json
+@@ -626,6 +626,7 @@
+ "oidcRPMetaDataOptionsLogoutUrl":"URL",
+ "oidcOPMetaDataOptionsProtocol":"Protokół",
+ "oidcRPMetaDataOptionsPublic":"Klient publiczny",
++"oidcRPMetaDataOptionsRequestUris":"Allowed URLs for fetching Request Object",
+ "oidcRPMetaDataOptionsRequirePKCE":"Wymagaj PKCE",
+ "oidcRPMetaDataOptionsAuthnLevel":"Poziom uwierzytelnienia",
+ "oidcRPMetaDataOptionsRule":"Reguła dostępu",
+@@ -1194,4 +1195,4 @@
+ "samlRelayStateTimeout":"Limit czasu sesji RelayState",
+ "samlUseQueryStringSpecific":"Użyj określonej metody query_string",
+ "samlOverrideIDPEntityID":"Zastąp identyfikator jednostki podczas działania
jako IDP"
+-}
+\ No newline at end of file
++}
+--- a/lemonldap-ng-manager/site/htdocs/static/languages/tr.json
++++ b/lemonldap-ng-manager/site/htdocs/static/languages/tr.json
+@@ -626,6 +626,7 @@
+ "oidcRPMetaDataOptionsLogoutUrl":"URL",
+ "oidcOPMetaDataOptionsProtocol":"Protokol",
+ "oidcRPMetaDataOptionsPublic":"Açık istemci",
++"oidcRPMetaDataOptionsRequestUris":"Allowed URLs for fetching Request Object",
+ "oidcRPMetaDataOptionsRequirePKCE":"PKCE gerektir",
+ "oidcRPMetaDataOptionsAuthnLevel":"Doğrulama seviyesi",
+ "oidcRPMetaDataOptionsRule":"Erişim kuralı",
+@@ -1194,4 +1195,4 @@
+ "samlRelayStateTimeout":"RelayState oturum zaman aşımı",
+ "samlUseQueryStringSpecific":"Spesifik query_string metodu kullan",
+ "samlOverrideIDPEntityID":"IDP olarak davrandığında Varlık ID'yi geçersiz kıl"
+-}
+\ No newline at end of file
++}
+--- a/lemonldap-ng-manager/site/htdocs/static/languages/vi.json
++++ b/lemonldap-ng-manager/site/htdocs/static/languages/vi.json
+@@ -626,6 +626,7 @@
+ "oidcRPMetaDataOptionsLogoutUrl":"URL",
+ "oidcOPMetaDataOptionsProtocol":"Giao thức",
+ "oidcRPMetaDataOptionsPublic":"Public client",
++"oidcRPMetaDataOptionsRequestUris":"Allowed URLs for fetching Request Object",
+ "oidcRPMetaDataOptionsRequirePKCE":"Require PKCE",
+ "oidcRPMetaDataOptionsAuthnLevel":"Mức xác thực",
+ "oidcRPMetaDataOptionsRule":"Quy tắc truy cập",
+@@ -1194,4 +1195,4 @@
+ "samlRelayStateTimeout":"Thời gian hết hạn phiên RelayState ",
+ "samlUseQueryStringSpecific":"Sử dụng phương pháp query_string cụ thể",
+ "samlOverrideIDPEntityID":"Override Entity ID when acting as IDP"
+-}
+\ No newline at end of file
++}
+--- a/lemonldap-ng-manager/site/htdocs/static/languages/zh.json
++++ b/lemonldap-ng-manager/site/htdocs/static/languages/zh.json
+@@ -626,6 +626,7 @@
+ "oidcRPMetaDataOptionsLogoutUrl":"URL",
+ "oidcOPMetaDataOptionsProtocol":"Protocol",
+ "oidcRPMetaDataOptionsPublic":"Public client",
++"oidcRPMetaDataOptionsRequestUris":"Allowed URLs for fetching Request Object",
+ "oidcRPMetaDataOptionsRequirePKCE":"Require PKCE",
+ "oidcRPMetaDataOptionsAuthnLevel":"认证级别",
+ "oidcRPMetaDataOptionsRule":"Access rule",
+@@ -1194,4 +1195,4 @@
+ "samlRelayStateTimeout":"RelayState session timeout",
+ "samlUseQueryStringSpecific":"Use specific query_string method",
+ "samlOverrideIDPEntityID":"Override Entity ID when acting as IDP"
+-}
+\ No newline at end of file
++}
+--- a/lemonldap-ng-manager/site/htdocs/static/languages/zh_TW.json
++++ b/lemonldap-ng-manager/site/htdocs/static/languages/zh_TW.json
+@@ -626,6 +626,7 @@
+ "oidcRPMetaDataOptionsLogoutUrl":"URL",
+ "oidcOPMetaDataOptionsProtocol":"協定",
+ "oidcRPMetaDataOptionsPublic":"公開客戶端",
++"oidcRPMetaDataOptionsRequestUris":"Allowed URLs for fetching Request Object",
+ "oidcRPMetaDataOptionsRequirePKCE":"需要 PKCE",
+ "oidcRPMetaDataOptionsAuthnLevel":"驗證等級",
+ "oidcRPMetaDataOptionsRule":"存取規則",
+@@ -1194,4 +1195,4 @@
+ "samlRelayStateTimeout":"RelayState 工作階段逾時",
+ "samlUseQueryStringSpecific":"使用特定的 query_string 方法",
+ "samlOverrideIDPEntityID":"充當 IDP 覆寫實體 ID"
+-}
+\ No newline at end of file
++}
+--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm
++++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm
+@@ -195,32 +195,97 @@
+ $self->logger->debug(
+ "OIDC $flow flow requested (response type: $response_type)");
+
+- # Extract request_uri/request parameter
+- if ( $oidc_request->{'request_uri'} ) {
+- my $request =
+- $self->getRequestJWT( $oidc_request->{'request_uri'} );
++ # Client ID must be provided and cannot come from
++ # request or request_uri
++ unless ( $oidc_request->{'client_id'} ) {
++ $self->logger->error("Client ID is required");
++ return PE_ERROR;
++ }
++
++ # Check client_id
++ my $client_id = $oidc_request->{'client_id'};
++ $self->logger->debug("Request from client id $client_id");
++
++ # Verify that client_id is registered in configuration
++ my $rp = $self->getRP($client_id);
++
++ unless ($rp) {
++ $self->logger->error(
++ "No registered Relying Party found with"
++ . " client_id $client_id" );
++ return PE_UNAUTHORIZEDPARTNER;
++ }
++ else {
++ $self->logger->debug("Client id $client_id matches RP $rp");
++ }
+
+- if ($request) {
+- $oidc_request->{'request'} = $request;
++ # Scope must be provided and cannot come from request or
request_uri
++ unless ( $oidc_request->{'scope'} ) {
++ $self->logger->error("Scope is required");
++ return PE_ERROR;
++ }
++
++ # Extract request_uri/request parameter
++ if ( my $request_uri = $oidc_request->{'request_uri'} ) {
++ if (
++ $self->isUriAllowedForRP(
++ $request_uri, $rp,
++ "oidcRPMetaDataOptionsRequestUris", 1
++ )
++ )
++ {
++ my $request = $self->getRequestJWT($request_uri);
++ if ($request) {
++ $oidc_request->{'request'} = $request;
++ }
++ else {
++ $self->logger->error(
++ "Error with Request URI resolution");
++ return PE_ERROR;
++ }
+ }
+ else {
+- $self->logger->error("Error with Request URI resolution");
++ $self->logger->error(
++ "Request URI $request_uri is not allowed for $rp");
+ return PE_ERROR;
+ }
+ }
+
+ if ( $oidc_request->{'request'} ) {
+- my $request =
+- $self->getJWTJSONData( $oidc_request->{'request'} );
++ if (
++ $self->verifyJWTSignature(
++ $oidc_request->{'request'},
++ undef, $rp
++ )
++ )
++ {
++ $self->logger->debug("JWT signature request verified");
++ my $request = getJWTPayload( $oidc_request->{'request'} );
+
+- # Override OIDC parameters by request content
+- foreach ( keys %$request ) {
+- $self->logger->debug(
+-"Override $_ OIDC param by value present in request parameter"
+- );
+- $oidc_request->{$_} = $request->{$_};
+- $self->p->setHiddenFormValue( $req, $_, $request->{$_},
'',
+- 0 );
++ # Override OIDC parameters by request content
++ foreach ( keys %$request ) {
++ $self->logger->debug( "Override $_ OIDC param"
++ . " by value present in request parameter" );
++
++ if ( $_ eq "client_id" or $_ eq "response_type" ) {
++ if ( $oidc_request->{$_} ne $request->{$_} ) {
++ $self->logger->error( "$_ from request JWT ("
++ . $oidc_request->{$_}
++ . ") does not match $_ from request URI
("
++ . $request->{$_}
++ . ")" );
++ return PE_ERROR;
++ }
++ }
++ $oidc_request->{$_} = $request->{$_};
++ $self->p->setHiddenFormValue( $req, $_,
$request->{$_},
++ '', 0 );
++ }
++ }
++ else {
++ $self->logger->error(
++ "JWT signature request can not be verified");
++ return PE_ERROR;
+ }
+ }
+
+@@ -229,37 +294,12 @@
+ $self->logger->error("Redirect URI is required");
+ return PE_ERROR;
+ }
+- unless ( $oidc_request->{'scope'} ) {
+- $self->logger->error("Scope is required");
+- return PE_ERROR;
+- }
+- unless ( $oidc_request->{'client_id'} ) {
+- $self->logger->error("Client ID is required");
+- return PE_ERROR;
+- }
+ if ( $flow eq "implicit" and not defined $oidc_request->{'nonce'}
)
+ {
+ $self->logger->error("Nonce is required for implicit flow");
+ return PE_ERROR;
+ }
+
+- # Check client_id
+- my $client_id = $oidc_request->{'client_id'};
+- $self->logger->debug("Request from client id $client_id");
+-
+- # Verify that client_id is registered in configuration
+- my $rp = $self->getRP($client_id);
+-
+- unless ($rp) {
+- $self->logger->error(
+-"No registered Relying Party found with client_id $client_id"
+- );
+- return PE_UNAUTHORIZEDPARTNER;
+- }
+- else {
+- $self->logger->debug("Client id $client_id matches RP $rp");
+- }
+-
+ # Check if this RP is authorized
+ if ( my $rule = $self->spRules->{$rp} ) {
+ unless ( $rule->( $req, $req->sessionInfo ) ) {
+@@ -276,24 +316,14 @@
+
+ # Check redirect_uri
+ my $redirect_uri = $oidc_request->{'redirect_uri'};
+- my $redirect_uris = $self->conf->{oidcRPMetaDataOptions}->{$rp}
+- ->{oidcRPMetaDataOptionsRedirectUris};
+-
+- if ($redirect_uris) {
+- my $redirect_uri_allowed = 0;
+- foreach ( split( /\s+/, $redirect_uris ) ) {
+- $redirect_uri_allowed = 1 if $redirect_uri eq $_;
+- }
+- unless ($redirect_uri_allowed) {
+- $self->userLogger->error(
+- "Redirect URI $redirect_uri not allowed");
+- return PE_BADURL;
+- }
+- }
+- elsif ($redirect_uri) {
+- $self->logger->error(
+-"RP $rp has no RedirectUris, unable to handle accept
redirect_uri=$redirect_uri"
+- );
++ if (
++ !$self->isUriAllowedForRP(
++ $redirect_uri, $rp, 'oidcRPMetaDataOptionsRedirectUris'
++ )
++ )
++ {
++ $self->userLogger->error(
++ "Redirect URI $redirect_uri not allowed");
+ return 37; # PE_BADURL value
+ }
+
+@@ -397,24 +427,6 @@
+ return PE_OK;
+ }
+
+- # Check Request JWT signature
+- if ( $oidc_request->{'request'} ) {
+- unless (
+- $self->verifyJWTSignature(
+- $oidc_request->{'request'},
+- undef, $rp
+- )
+- )
+- {
+- $self->logger->error(
+- "JWT signature request can not be verified");
+- return PE_ERROR;
+- }
+- else {
+- $self->logger->debug("JWT signature request verified");
+- }
+- }
+-
+ # Check id_token_hint
+ my $id_token_hint = $oidc_request->{'id_token_hint'};
+ if ($id_token_hint) {
+@@ -957,27 +969,13 @@
+
+ if ($post_logout_redirect_uri) {
+
+- # Check redirect URI is allowed
+- my $redirect_uri_allowed = 0;
+- foreach ( keys %{ $self->conf->{oidcRPMetaDataOptions} }
) {
+- my $logout_rp = $_;
+- if ( my $redirect_uris =
+- $self->conf->{oidcRPMetaDataOptions}->{$logout_rp}
+- ->{oidcRPMetaDataOptionsPostLogoutRedirectUris} )
+- {
+-
+- foreach ( split( /\s+/, $redirect_uris ) ) {
+- if ( $post_logout_redirect_uri eq $_ ) {
+- $self->logger->debug(
+-"$post_logout_redirect_uri is an allowed logout redirect URI for RP
$logout_rp"
+- );
+- $redirect_uri_allowed = 1;
+- }
+- }
+- }
+- }
+-
+- unless ($redirect_uri_allowed) {
++ unless (
++ $self->findRPFromUri(
++ $post_logout_redirect_uri,
++ 'oidcRPMetaDataOptionsPostLogoutRedirectUris'
++ )
++ )
++ {
+ $self->logger->error(
+ "$post_logout_redirect_uri is not allowed");
+ return PE_BADURL;
+@@ -1009,6 +1007,43 @@
+ return PE_ERROR;
+ }
+
++sub findRPFromUri {
++ my ( $self, $uri, $option ) = @_;
++
++ my $found_rp;
++ foreach my $rp ( keys %{ $self->conf->{oidcRPMetaDataOptions} } ) {
++ $found_rp = $rp if $self->isUriAllowedForRP( $uri, $rp, $option );
++ }
++ return $found_rp;
++}
++
++sub isUriAllowedForRP {
++ my ( $self, $uri, $rp, $option, $wildcard_allowed ) = @_;
++ my $allowed_uris = $self->conf->{oidcRPMetaDataOptions}->{$rp}->{$option}
// "";
++
++ my $is_uri_allowed;
++ if ($wildcard_allowed) {
++ $is_uri_allowed =
++ grep { _wildcard_match( $_, $uri ) } split( /\s+/, $allowed_uris );
++ }
++ else {
++ $is_uri_allowed = grep { $_ eq $uri } split( /\s+/, $allowed_uris );
++ }
++ return $is_uri_allowed;
++}
++
++sub _wildcard_match {
++ my ( $config_url, $candidate ) = @_;
++
++ # Quote everything
++ my $config_re = $config_url =~ s/(.)/\Q$1/gr;
++
++ # Replace \* by .*
++ $config_re =~ s/\\\*/.*/g;
++
++ return ( $candidate =~ qr/^$config_re$/ ? 1 : 0 );
++}
++
+ # Handle token endpoint
+ sub token {
+ my ( $self, $req ) = @_;
+@@ -1917,6 +1952,7 @@
+ my $userinfo_signed_response_alg =
+ $client_metadata->{userinfo_signed_response_alg};
+ my $redirect_uris = $client_metadata->{redirect_uris};
++ my $request_uris = $client_metadata->{request_uris};
+
+ # Register RP in global configuration
+ my $conf = $self->confAcc->getConf( { raw => 1, noCache => 1 } );
+@@ -1938,6 +1974,9 @@
+ = $id_token_signed_response_alg;
+ $conf->{oidcRPMetaDataOptions}->{$rp}->{oidcRPMetaDataOptionsRedirectUris}
+ = join( ' ', @$redirect_uris );
++ $conf->{oidcRPMetaDataOptions}->{$rp}->{oidcRPMetaDataOptionsRequestUris}
=
++ join( ' ', @$request_uris )
++ if $request_uris and @$request_uris;
+ $conf->{oidcRPMetaDataOptions}->{$rp}
+ ->{oidcRPMetaDataOptionsUserInfoSignAlg} = $userinfo_signed_response_alg
+ if defined $userinfo_signed_response_alg;
+@@ -1975,6 +2014,8 @@
+ $registration_response->{'id_token_signed_response_alg'} =
+ $id_token_signed_response_alg;
+ $registration_response->{'redirect_uris'} = $redirect_uris;
++ $registration_response->{'request_uris'} = $request_uris
++ if $request_uris and @$request_uris;
+ $registration_response->{'userinfo_signed_response_alg'} =
+ $userinfo_signed_response_alg
+ if defined $userinfo_signed_response_alg;
+@@ -2001,25 +2042,13 @@
+
+ if ($post_logout_redirect_uri) {
+
+- # Check redirect URI is allowed
+- my $redirect_uri_allowed = 0;
+- foreach ( keys %{ $self->conf->{oidcRPMetaDataOptions} } ) {
+- my $logout_rp = $_;
+- my $redirect_uris =
+- $self->conf->{oidcRPMetaDataOptions}->{$logout_rp}
+- ->{oidcRPMetaDataOptionsPostLogoutRedirectUris};
+-
+- foreach ( split( /\s+/, $redirect_uris ) ) {
+- if ( $post_logout_redirect_uri eq $_ ) {
+- $self->logger->debug(
+-"$post_logout_redirect_uri is an allowed logout redirect URI for RP
$logout_rp"
+- );
+- $redirect_uri_allowed = 1;
+- }
+- }
+- }
+-
+- unless ($redirect_uri_allowed) {
++ unless (
++ $self->findRPFromUri(
++ $post_logout_redirect_uri,
++ 'oidcRPMetaDataOptionsPostLogoutRedirectUris'
++ )
++ )
++ {
+ $self->logger->error("$post_logout_redirect_uri is not allowed");
+ return $self->p->login($req);
+ }
+@@ -2202,7 +2231,7 @@
+ claims_supported => [qw/sub iss auth_time acr/],
+ request_parameter_supported => JSON::true,
+ request_uri_parameter_supported => JSON::true,
+- require_request_uri_registration => JSON::false,
++ require_request_uri_registration => JSON::true,
+
+ # Algorithms
+ id_token_signing_alg_values_supported =>
+@@ -2254,19 +2283,7 @@
+ }
+ }
+
+- # Extract request_uri/request parameter
+- my $request = $req->param('request');
+- if ( $req->param('request_uri') ) {
+- $request = $self->getRequestJWT( $req->param('request_uri') );
+- }
+-
+- if ($request) {
+- my $request_data = $self->getJWTJSONData($request);
+- foreach ( keys %$request_data ) {
+- $req->env->{ "llng_oidc_" . $_ } = $request_data->{$_};
+- }
+- }
+-
++ my $rp;
+ if ( $req->param('client_id') ) {
+ my $rp = $self->getRP( $req->param('client_id') );
+ $req->env->{"llng_oidc_rp"} = $rp if $rp;
+@@ -2278,6 +2295,27 @@
+ if $targetAuthnLevel;
+ }
+
++ # Extract request_uri/request parameter
++ my $request = $req->param('request');
++ if ( my $request_uri = $req->param('request_uri') ) {
++ if (
++ $rp
++ and $self->isUriAllowedForRP(
++ $request_uri, $rp, 'oidcRPMetaDataOptionsRequestUris', 1
++ )
++ )
++ {
++ $request = $self->getRequestJWT($request_uri);
++ }
++ }
++
++ if ($request) {
++ my $request_data = getJWTPayload($request);
++ foreach ( keys %$request_data ) {
++ $req->env->{ "llng_oidc_" . $_ } = $request_data->{$_};
++ }
++ }
++
+ return PE_OK;
+ }
+
diff --git
a/debian/patches/fix-open-redirection-without-OIDC-redirect-uris.patch
b/debian/patches/fix-open-redirection-without-OIDC-redirect-uris.patch
new file mode 100644
index 000000000..d65366fd1
--- /dev/null
+++ b/debian/patches/fix-open-redirection-without-OIDC-redirect-uris.patch
@@ -0,0 +1,365 @@
+Description: Fix open redirection when OIDC RP has no
oidcRPMetaDataOptionsRedirectUris
+ This issue concerns only people that modify config by hand. The manager
+ refuses already a relying party without redirect URIs.
+Author: Yadd <y...@debian.org>
+Origin: upstream, commit:c1de35ad
+Bug: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3003
+Forwarded: not-needed
+Applied-Upstream: v2.17.1, commit:c1de35ad
+Reviewed-By: <name and email of someone who approved/reviewed the patch>
+Last-Update: 2023-09-20
+
+--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm
++++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm
+@@ -290,6 +290,12 @@
+ return PE_BADURL;
+ }
+ }
++ elsif ($redirect_uri) {
++ $self->logger->error(
++"RP $rp has no RedirectUris, unable to handle accept
redirect_uri=$redirect_uri"
++ );
++ return 37; # PE_BADURL value
++ }
+
+ # Check if flow is allowed
+ if ( $flow eq "authorizationcode"
+---
a/lemonldap-ng-portal/t/32-Auth-and-issuer-OIDC-authorization_code-OP-logout.t
++++
b/lemonldap-ng-portal/t/32-Auth-and-issuer-OIDC-authorization_code-OP-logout.t
+@@ -228,6 +228,8 @@
+ 'http://auth.rp.com/oidc/logout',
+ oidcRPMetaDataOptionsLogoutType => 'front',
+ oidcRPMetaDataOptionsLogoutSessionRequired => 0,
++ oidcRPMetaDataOptionsRedirectUris =>
++ 'http://auth.rp.com?openidconnectcallback=1',
+ }
+ },
+ oidcOPMetaDataOptions => {},
+---
a/lemonldap-ng-portal/t/32-Auth-and-issuer-OIDC-authorization_code-public_client.t
++++
b/lemonldap-ng-portal/t/32-Auth-and-issuer-OIDC-authorization_code-public_client.t
+@@ -338,7 +338,9 @@
+ oidcRPMetaDataOptionsUserIDAttr => "",
+ oidcRPMetaDataOptionsAccessTokenExpiration => 3600,
+ oidcRPMetaDataOptionsPostLogoutRedirectUris =>
+- "http://auth.rp.com/?logout=1";
++ "http://auth.rp.com/?logout=1";,
++ oidcRPMetaDataOptionsRedirectUris =>
++ 'http://auth.rp.com/?openidconnectcallback=1',
+ }
+ },
+ oidcOPMetaDataOptions => {},
+---
a/lemonldap-ng-portal/t/32-Auth-and-issuer-OIDC-authorization_code-with-authchoice.t
++++
b/lemonldap-ng-portal/t/32-Auth-and-issuer-OIDC-authorization_code-with-authchoice.t
+@@ -292,7 +292,9 @@
+ oidcRPMetaDataOptionsUserIDAttr => "",
+ oidcRPMetaDataOptionsAccessTokenExpiration => 3600,
+ oidcRPMetaDataOptionsPostLogoutRedirectUris =>
+- "http://auth.rp.com/?logout=1";
++ "http://auth.rp.com/?logout=1";,
++ oidcRPMetaDataOptionsRedirectUris =>
++ 'http://auth.rp.com/?openidconnectcallback=1',
+ }
+ },
+ oidcOPMetaDataOptions => {},
+---
a/lemonldap-ng-portal/t/32-Auth-and-issuer-OIDC-authorization_code-with-info.t
++++
b/lemonldap-ng-portal/t/32-Auth-and-issuer-OIDC-authorization_code-with-info.t
+@@ -342,7 +342,9 @@
+ oidcRPMetaDataOptionsUserIDAttr => "",
+ oidcRPMetaDataOptionsAccessTokenExpiration => 3600,
+ oidcRPMetaDataOptionsPostLogoutRedirectUris =>
+- "http://auth.rp.com/?logout=1";
++ "http://auth.rp.com/?logout=1";,
++ oidcRPMetaDataOptionsRedirectUris =>
++ 'http://auth.rp.com/?openidconnectcallback=1',
+ }
+ },
+ oidcOPMetaDataOptions => {},
+---
a/lemonldap-ng-portal/t/32-Auth-and-issuer-OIDC-authorization_code-with-none-alg.t
++++
b/lemonldap-ng-portal/t/32-Auth-and-issuer-OIDC-authorization_code-with-none-alg.t
+@@ -334,7 +334,9 @@
+ oidcRPMetaDataOptionsUserIDAttr => "",
+ oidcRPMetaDataOptionsAccessTokenExpiration => 3600,
+ oidcRPMetaDataOptionsPostLogoutRedirectUris =>
+- "http://auth.rp.com/?logout=1";
++ "http://auth.rp.com/?logout=1";,
++ oidcRPMetaDataOptionsRedirectUris =>
++ 'http://auth.rp.com/?openidconnectcallback=1',
+ }
+ },
+ oidcOPMetaDataOptions => {},
+--- a/lemonldap-ng-portal/t/32-Auth-and-issuer-OIDC-authorization_code.t
++++ b/lemonldap-ng-portal/t/32-Auth-and-issuer-OIDC-authorization_code.t
+@@ -337,6 +337,8 @@
+ oidcRPMetaDataOptionsClientSecret => "rpsecret",
+ oidcRPMetaDataOptionsUserIDAttr => "",
+ oidcRPMetaDataOptionsAccessTokenExpiration => 3600,
++ oidcRPMetaDataOptionsRedirectUris =>
++ 'http://auth.rp.com/?openidconnectcallback=1',
+ oidcRPMetaDataOptionsPostLogoutRedirectUris =>
+ "http://auth.rp.com/?logout=1";
+ }
+--- a/lemonldap-ng-portal/t/32-Auth-and-issuer-OIDC-hybrid.t
++++ b/lemonldap-ng-portal/t/32-Auth-and-issuer-OIDC-hybrid.t
+@@ -255,7 +255,9 @@
+ oidcRPMetaDataOptionsBypassConsent => 1,
+ oidcRPMetaDataOptionsClientSecret => "rpsecret",
+ oidcRPMetaDataOptionsUserIDAttr => "",
+- oidcRPMetaDataOptionsAccessTokenExpiration => 3600
++ oidcRPMetaDataOptionsAccessTokenExpiration => 3600,
++ oidcRPMetaDataOptionsRedirectUris =>
++ 'http://auth.rp.com?openidconnectcallback=1',
+ }
+ },
+ oidcOPMetaDataOptions => {},
+--- a/lemonldap-ng-portal/t/32-Auth-and-issuer-OIDC-implicit-no-token.t
++++ b/lemonldap-ng-portal/t/32-Auth-and-issuer-OIDC-implicit-no-token.t
+@@ -237,7 +237,9 @@
+ oidcRPMetaDataOptionsBypassConsent => 0,
+ oidcRPMetaDataOptionsClientSecret => "rpsecret",
+ oidcRPMetaDataOptionsUserIDAttr => "",
+- oidcRPMetaDataOptionsAccessTokenExpiration => 3600
++ oidcRPMetaDataOptionsAccessTokenExpiration => 3600,
++ oidcRPMetaDataOptionsRedirectUris =>
++ 'http://auth.rp.com?openidconnectcallback=1',
+ }
+ },
+ oidcOPMetaDataOptions => {},
+--- a/lemonldap-ng-portal/t/32-Auth-and-issuer-OIDC-implicit.t
++++ b/lemonldap-ng-portal/t/32-Auth-and-issuer-OIDC-implicit.t
+@@ -253,7 +253,9 @@
+ oidcRPMetaDataOptionsBypassConsent => 0,
+ oidcRPMetaDataOptionsClientSecret => "rpsecret",
+ oidcRPMetaDataOptionsUserIDAttr => "",
+- oidcRPMetaDataOptionsAccessTokenExpiration => 3600
++ oidcRPMetaDataOptionsAccessTokenExpiration => 3600,
++ oidcRPMetaDataOptionsRedirectUris =>
++ 'http://auth.rp.com?openidconnectcallback=1',
+ }
+ },
+ oidcOPMetaDataOptions => {},
+--- a/lemonldap-ng-portal/t/32-OIDC-Code-Flow-with-2F-UpgradeOnly.t
++++ b/lemonldap-ng-portal/t/32-OIDC-Code-Flow-with-2F-UpgradeOnly.t
+@@ -362,7 +362,9 @@
+ oidcRPMetaDataOptionsAccessTokenExpiration => 3600,
+ oidcRPMetaDataOptionsAuthnLevel => 5,
+ oidcRPMetaDataOptionsPostLogoutRedirectUris =>
+- "http://auth.rp.com/?logout=1";
++ "http://auth.rp.com/?logout=1";,
++ oidcRPMetaDataOptionsRedirectUris =>
++ 'http://auth.rp.com/?openidconnectcallback=1',
+ }
+ },
+ oidcOPMetaDataOptions => {},
+--- a/lemonldap-ng-portal/t/32-OIDC-Code-Flow-with-2F.t
++++ b/lemonldap-ng-portal/t/32-OIDC-Code-Flow-with-2F.t
+@@ -362,7 +362,9 @@
+ oidcRPMetaDataOptionsUserIDAttr => "",
+ oidcRPMetaDataOptionsAccessTokenExpiration => 3600,
+ oidcRPMetaDataOptionsPostLogoutRedirectUris =>
+- "http://auth.rp.com/?logout=1";
++ "http://auth.rp.com/?logout=1";,
++ oidcRPMetaDataOptionsRedirectUris =>
++ 'http://auth.rp.com/?openidconnectcallback=1',
+ }
+ },
+ oidcOPMetaDataOptions => {},
+--- a/lemonldap-ng-portal/t/32-OIDC-Hooks.t
++++ b/lemonldap-ng-portal/t/32-OIDC-Hooks.t
+@@ -57,6 +57,7 @@
+ oidcRPMetaDataOptionsUserIDAttr => "",
+ oidcRPMetaDataOptionsAccessTokenExpiration => 3600,
+ oidcRPMetaDataOptionsBypassConsent => 1,
++ oidcRPMetaDataOptionsRedirectUris => 'http://rp2.com/',
+ },
+ oauth => {
+ oidcRPMetaDataOptionsDisplayName => "oauth",
+--- a/lemonldap-ng-portal/t/32-OIDC-Macro.t
++++ b/lemonldap-ng-portal/t/32-OIDC-Macro.t
+@@ -136,6 +136,7 @@
+ oidcRPMetaDataOptionsClientSecret => "rpsecret",
+ oidcRPMetaDataOptionsUserIDAttr =>
"custom_sub",
+ oidcRPMetaDataOptionsAccessTokenExpiration => 3600,
++ oidcRPMetaDataOptionsRedirectUris => 'http://rp.com/',
+ }
+ },
+ oidcOPMetaDataOptions => {},
+--- a/lemonldap-ng-portal/t/32-OIDC-Offline-Session.t
++++ b/lemonldap-ng-portal/t/32-OIDC-Offline-Session.t
+@@ -60,7 +60,7 @@
+ oidcRPMetaDataOptionsIDTokenForceClaims => 1,
+ oidcRPMetaDataOptionsAdditionalAudiences =>
+ "http://my.extra.audience/test urn:extra2",
+-
++ oidcRPMetaDataOptionsRedirectUris => 'http://test/',
+ }
+ },
+ oidcOPMetaDataOptions => {},
+--- a/lemonldap-ng-portal/t/32-OIDC-Refresh-Token.t
++++ b/lemonldap-ng-portal/t/32-OIDC-Refresh-Token.t
+@@ -56,6 +56,7 @@
+ oidcRPMetaDataOptionsIDTokenForceClaims => 1,
+ oidcRPMetaDataOptionsAdditionalAudiences =>
+ "http://my.extra.audience/test urn:extra2",
++ oidcRPMetaDataOptionsRedirectUris => 'http://test/',
+ }
+ },
+ oidcOPMetaDataOptions => {},
+--- a/lemonldap-ng-portal/t/32-OIDC-Token-Introspection.t
++++ b/lemonldap-ng-portal/t/32-OIDC-Token-Introspection.t
+@@ -57,6 +57,7 @@
+ oidcRPMetaDataOptionsUserIDAttr => "",
+ oidcRPMetaDataOptionsAccessTokenExpiration => 3600,
+ oidcRPMetaDataOptionsBypassConsent => 1,
++ oidcRPMetaDataOptionsRedirectUris => 'http://rp2.com/',
+ },
+ oauth => {
+ oidcRPMetaDataOptionsDisplayName => "oauth",
+--- a/lemonldap-ng-portal/t/32-OIDC-Token-Security.t
++++ b/lemonldap-ng-portal/t/32-OIDC-Token-Security.t
+@@ -57,6 +57,7 @@
+ oidcRPMetaDataOptionsUserIDAttr => "",
+ oidcRPMetaDataOptionsAccessTokenExpiration => 3600,
+ oidcRPMetaDataOptionsBypassConsent => 1,
++ oidcRPMetaDataOptionsRedirectUris => 'http://rp.com/',
+ },
+ rp2 => {
+ oidcRPMetaDataOptionsDisplayName => "RP2",
+@@ -67,7 +68,8 @@
+ oidcRPMetaDataOptionsUserIDAttr => "",
+ oidcRPMetaDataOptionsAccessTokenExpiration => 3600,
+ oidcRPMetaDataOptionsBypassConsent => 1,
+- oidcRPMetaDataOptionsRule => '$uid eq "dwho"',
++ oidcRPMetaDataOptionsRule => '$uid eq "dwho"',
++ oidcRPMetaDataOptionsRedirectUris => 'http://rp2.com/',
+ }
+ },
+ oidcOPMetaDataOptions => {},
+@@ -104,7 +106,7 @@
+
+ # Try to get code for RP1 with invalide scope name
+ $query =
+-"response_type=code&scope=openid%20profile%20email%22&client_id=rpid&state=af0ifjsldkj&redirect_uri=http%3A%2F%2Frp2.com%2F";
++"response_type=code&scope=openid%20profile%20email%22&client_id=rpid&state=af0ifjsldkj&redirect_uri=http%3A%2F%2Frp.com%2F";
+ ok(
+ $res = $op->_get(
+ "/oauth2/authorize",
+@@ -119,7 +121,7 @@
+ #
+ # Get code for RP1
+ $query =
+-"response_type=code&scope=openid%20profile%20email&client_id=rpid&state=af0ifjsldkj&redirect_uri=http%3A%2F%2Frp2.com%2F";
++"response_type=code&scope=openid%20profile%20email&client_id=rpid&state=af0ifjsldkj&redirect_uri=http%3A%2F%2Frp.com%2F";
+ ok(
+ $res = $op->_get(
+ "/oauth2/authorize",
+@@ -131,7 +133,7 @@
+ );
+ count(1);
+
+-my ($code) = expectRedirection( $res, qr#http://rp2\.com/.*code=([^\&]*)# );
++my ($code) = expectRedirection( $res, qr#http://rp\.com/.*code=([^\&]*)# );
+
+ # Play code on RP2
+ $query =
+--- a/lemonldap-ng-portal/t/37-Issuer-Timeout.t
++++ b/lemonldap-ng-portal/t/37-Issuer-Timeout.t
+@@ -182,7 +182,9 @@
+ oidcRPMetaDataOptionsAccessTokenExpiration => 3600,
+ oidcRPMetaDataOptionsBypassConsent => 1,
+ oidcRPMetaDataOptionsPostLogoutRedirectUris =>
+- "http://auth.rp.com/?logout=1";
++ "http://auth.rp.com/?logout=1";,
++ oidcRPMetaDataOptionsRedirectUris =>
++ 'http://rp.example.com/',
+ },
+ rp2 => {
+ oidcRPMetaDataOptionsDisplayName => "RP",
+@@ -195,7 +197,9 @@
+ oidcRPMetaDataOptionsAccessTokenExpiration => 3600,
+ oidcRPMetaDataOptionsBypassConsent => 1,
+ oidcRPMetaDataOptionsPostLogoutRedirectUris =>
+- "http://auth.rp2.com/?logout=1";
++ "http://auth.rp2.com/?logout=1";,
++ oidcRPMetaDataOptionsRedirectUris =>
++ 'http://rp2.example.com/',
+ }
+ },
+ oidcOPMetaDataOptions => {},
+--- a/lemonldap-ng-portal/t/37-Logout-from-OIDC-RP-to-SAML-SP.t
++++ b/lemonldap-ng-portal/t/37-Logout-from-OIDC-RP-to-SAML-SP.t
+@@ -356,7 +356,9 @@
+ oidcRPMetaDataOptionsBypassConsent => 0,
+ oidcRPMetaDataOptionsClientSecret => "rpsecret",
+ oidcRPMetaDataOptionsUserIDAttr => "",
+- oidcRPMetaDataOptionsAccessTokenExpiration => 3600
++ oidcRPMetaDataOptionsAccessTokenExpiration => 3600,
++ oidcRPMetaDataOptionsRedirectUris =>
++ 'http://auth.rp.com?openidconnectcallback=1',
+ }
+ },
+ oidcOPMetaDataOptions => {},
+--- a/lemonldap-ng-portal/t/37-OIDC-RP-to-SAML-IdP-GET-with-WAYF.t
++++ b/lemonldap-ng-portal/t/37-OIDC-RP-to-SAML-IdP-GET-with-WAYF.t
+@@ -377,7 +377,9 @@
+ oidcRPMetaDataOptionsBypassConsent => 0,
+ oidcRPMetaDataOptionsClientSecret => "rpsecret",
+ oidcRPMetaDataOptionsUserIDAttr => "",
+- oidcRPMetaDataOptionsAccessTokenExpiration => 3600
++ oidcRPMetaDataOptionsAccessTokenExpiration => 3600,
++ oidcRPMetaDataOptionsRedirectUris =>
++ 'http://auth.rp.com?openidconnectcallback=1',
+ }
+ },
+ oidcOPMetaDataOptions => {},
+--- a/lemonldap-ng-portal/t/37-OIDC-RP-to-SAML-IdP-GET.t
++++ b/lemonldap-ng-portal/t/37-OIDC-RP-to-SAML-IdP-GET.t
+@@ -357,7 +357,9 @@
+ oidcRPMetaDataOptionsBypassConsent => 0,
+ oidcRPMetaDataOptionsClientSecret => "rpsecret",
+ oidcRPMetaDataOptionsUserIDAttr => "",
+- oidcRPMetaDataOptionsAccessTokenExpiration => 3600
++ oidcRPMetaDataOptionsAccessTokenExpiration => 3600,
++ oidcRPMetaDataOptionsRedirectUris =>
++ 'http://auth.rp.com?openidconnectcallback=1',
+ }
+ },
+ oidcOPMetaDataOptions => {},
+--- a/lemonldap-ng-portal/t/37-OIDC-RP-to-SAML-IdP-POST.t
++++ b/lemonldap-ng-portal/t/37-OIDC-RP-to-SAML-IdP-POST.t
+@@ -359,7 +359,9 @@
+ oidcRPMetaDataOptionsBypassConsent => 0,
+ oidcRPMetaDataOptionsClientSecret => "rpsecret",
+ oidcRPMetaDataOptionsUserIDAttr => "",
+- oidcRPMetaDataOptionsAccessTokenExpiration => 3600
++ oidcRPMetaDataOptionsAccessTokenExpiration => 3600,
++ oidcRPMetaDataOptionsRedirectUris =>
++ 'http://auth.rp.com?openidconnectcallback=1',
+ }
+ },
+ oidcOPMetaDataOptions => {},
+--- a/lemonldap-ng-portal/t/37-SAML-SP-GET-to-OIDC-OP.t
++++ b/lemonldap-ng-portal/t/37-SAML-SP-GET-to-OIDC-OP.t
+@@ -295,7 +295,9 @@
+ oidcRPMetaDataOptionsBypassConsent => 0,
+ oidcRPMetaDataOptionsClientSecret => "rpsecret",
+ oidcRPMetaDataOptionsUserIDAttr => "",
+- oidcRPMetaDataOptionsAccessTokenExpiration => 3600
++ oidcRPMetaDataOptionsAccessTokenExpiration => 3600,
++ oidcRPMetaDataOptionsRedirectUris =>
++ 'http://auth.proxy.com?openidconnectcallback=1',
+ }
+ },
+ oidcOPMetaDataOptions => {},
+--- a/lemonldap-ng-portal/t/37-SAML-SP-POST-to-OIDC-OP.t
++++ b/lemonldap-ng-portal/t/37-SAML-SP-POST-to-OIDC-OP.t
+@@ -294,7 +294,9 @@
+ oidcRPMetaDataOptionsBypassConsent => 0,
+ oidcRPMetaDataOptionsClientSecret => "rpsecret",
+ oidcRPMetaDataOptionsUserIDAttr => "",
+- oidcRPMetaDataOptionsAccessTokenExpiration => 3600
++ oidcRPMetaDataOptionsAccessTokenExpiration => 3600,
++ oidcRPMetaDataOptionsRedirectUris =>
++ 'http://auth.proxy.com?openidconnectcallback=1',
+ }
+ },
+ oidcOPMetaDataOptions => {},
diff --git a/debian/patches/fix-open-redirection.patch
b/debian/patches/fix-open-redirection.patch
new file mode 100644
index 000000000..db9db737a
--- /dev/null
+++ b/debian/patches/fix-open-redirection.patch
@@ -0,0 +1,262 @@
+Description: fix open redirection
+Author: Yadd <y...@debian.org>
+ Maxime Besson <maxime.bes...@worteks.com>
+Origin: upstream,
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/342/diffs
+Bug: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2931
+Forwarded: not-needed
+Applied-Upstream: 2.17.0,
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/342
+Last-Update: 2023-09-20
+
+--- a/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/ApacheMP2/Main.pm
++++ b/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/ApacheMP2/Main.pm
+@@ -16,6 +16,7 @@
+ use APR::Table;
+ use Apache2::Const -compile =>
+ qw(FORBIDDEN HTTP_UNAUTHORIZED REDIRECT OK DECLINED DONE SERVER_ERROR
AUTH_REQUIRED HTTP_SERVICE_UNAVAILABLE);
++use URI;
+ use base 'Lemonldap::NG::Handler::Main';
+
+ use constant FORBIDDEN => Apache2::Const::FORBIDDEN;
+@@ -166,7 +167,7 @@
+ $f->r->status( $class->REDIRECT );
+ $f->r->status_line("303 See Other");
+ $f->r->headers_out->unset('Location');
+- $f->r->err_headers_out->set( 'Location' => $url );
++ $f->r->err_headers_out->set( 'Location' => URI->new($url)->as_string
);
+ $f->ctx(1);
+ }
+ while ( $f->read( my $buffer, 1024 ) ) {
+--- a/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Main/Run.pm
++++ b/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Main/Run.pm
+@@ -9,6 +9,7 @@
+
+ #use AutoLoader 'AUTOLOAD';
+ use MIME::Base64;
++use URI;
+ use URI::Escape;
+ use Lemonldap::NG::Common::Session;
+
+@@ -697,7 +698,7 @@
+ ) ? '' : ":$portString";
+ my $url = "http" . ( $_https ? "s" : "" ) . "://$realvhost$portString$s";
+ $class->logger->debug("Build URL $url");
+- return $url;
++ return URI->new($url)->as_string;
+ }
+
+ ## @rmethod protected int isUnprotected()
+--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/CDC.pm
++++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/CDC.pm
+@@ -9,6 +9,7 @@
+ use Mouse;
+ use MIME::Base64;
+ use Lemonldap::NG::Common::FormEncode;
++use URI;
+
+ our $VERSION = '2.0.6';
+
+@@ -163,7 +164,10 @@
+ );
+
+ # Redirect
+- return [ 302, [ Location => $urldc, $req->spliceHdrs ], [] ];
++ return [
++ 302, [ Location => URI->new($urldc)->as_string, $req->spliceHdrs
],
++ []
++ ];
+
+ }
+
+--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/CAS.pm
++++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/CAS.pm
+@@ -13,6 +13,7 @@
+ PE_BADURL
+ PE_SENDRESPONSE
+ );
++use URI;
+
+ our $VERSION = '2.0.9';
+
+@@ -84,7 +85,8 @@
+ if ( $gateway and $gateway eq "true" ) {
+ $self->logger->debug(
+ "Gateway mode requested, redirect without authentication");
+- $req->response( [ 302, [ Location => $service ], [] ] );
++ $req->response(
++ [ 302, [ Location => URI->new($service)->as_string ], [] ] );
+ for my $s ( $self->ipath, $self->ipath . 'Path' ) {
+ $self->logger->debug("Removing $s from pdata")
+ if delete $req->pdata->{$s};
+--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/OpenIDConnect.pm
++++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/OpenIDConnect.pm
+@@ -16,6 +16,7 @@
+ use Lemonldap::NG::Common::UserAgent;
+ use MIME::Base64 qw/encode_base64 decode_base64/;
+ use Mouse;
++use URI;
+
+ use Lemonldap::NG::Portal::Main::Constants qw(PE_OK PE_REDIRECT);
+
+@@ -1684,7 +1685,7 @@
+ $response_url .= build_urlencoded( state => $state );
+ }
+
+- return $response_url;
++ return URI->new($response_url)->as_string;
+ }
+
+ # Create session_state parameter
+--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/SAML.pm
++++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/SAML.pm
+@@ -2493,7 +2493,7 @@
+
+ # Redirect user to response URL
+ my $slo_url = $logout->msg_url;
+- return [ 302, [ Location => $slo_url ], [] ];
++ return [ 302, [ Location => URI->new($slo_url)->as_string ], [] ];
+ }
+
+ # HTTP-POST
+--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Process.pm
++++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Process.pm
+@@ -132,6 +132,7 @@
+ $req->{urldc} =~ s/[\r\n]//sg;
+ }
+ }
++ $req->{urldc} = URI->new( $req->{urldc} )->as_string;
+
+ # For logout request, test if Referer comes from an authorized site
+ my $tmp = (
+--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Run.pm
++++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Run.pm
+@@ -402,7 +402,13 @@
+ $self->logger->info("Force cleaning pdata");
+ delete $req->{pdata}->{_url};
+ }
+- return [ 302, [ Location => $req->{urldc}, $req->spliceHdrs ], []
];
++ return [
++ 302,
++ [
++ Location => URI->new( $req->{urldc} )->as_string,
++ ],
++ []
++ ];
+ }
+ }
+ my ( $tpl, $prms ) = $self->display($req);
+--- a/lemonldap-ng-portal/t/03-XSS-protection.t
++++ b/lemonldap-ng-portal/t/03-XSS-protection.t
+@@ -19,21 +19,25 @@
+ '' => 0, 'Empty',
+
+ # 2 http://test1.example.com/
+- 'aHR0cDovL3Rlc3QxLmV4YW1wbGUuY29tLw==' => 1, 'Protected virtual host',
++ 'aHR0cDovL3Rlc3QxLmV4YW1wbGUuY29tLw==' => 'http://test1.example.com/',
++ 'Protected virtual host',
+
+ # 3 http://test1.example.com
+- 'aHR0cDovL3Rlc3QxLmV4YW1wbGUuY29t' => 1, 'Missing / in URL',
++ 'aHR0cDovL3Rlc3QxLmV4YW1wbGUuY29t' => 'http://test1.example.com',
++ 'Missing / in URL',
+
+ # 4 http://test1.example.com:8000/test
+- 'aHR0cDovL3Rlc3QxLmV4YW1wbGUuY29tOjgwMDAvdGVzdA==' => 1,
++ 'aHR0cDovL3Rlc3QxLmV4YW1wbGUuY29tOjgwMDAvdGVzdA==' =>
++ 'http://test1.example.com:8000/test',
+ 'Non default port',
+
+ # 5 http://test1.example.com:8000/
+- 'aHR0cDovL3Rlc3QxLmV4YW1wbGUuY29tOjgwMDAv' => 1,
++ 'aHR0cDovL3Rlc3QxLmV4YW1wbGUuY29tOjgwMDAv' =>
++ 'http://test1.example.com:8000/',
+ 'Non default port with missing /',
+
+ # 6 http://t.example2.com/test
+- 'aHR0cDovL3QuZXhhbXBsZTIuY29tL3Rlc3Q=' => 1,
++ 'aHR0cDovL3QuZXhhbXBsZTIuY29tL3Rlc3Q=' => 'http://t.example2.com/test',
+ 'Undeclared virtual host in trusted domain',
+
+ # 7 http://testexample2.com/
+@@ -47,7 +51,7 @@
+ . ' "example3.com" is trusted, but domain "*.example3.com" not)',
+
+ # 9 http://example3.com/
+- 'aHR0cDovL2V4YW1wbGUzLmNvbS8K' => 1,
++ 'aHR0cDovL2V4YW1wbGUzLmNvbS8K' => 'http://example3.com/',
+ 'Undeclared virtual host with trusted domain name',
+
+ # 10 http://t.example.com/test
+@@ -85,6 +89,21 @@
+ 'aHR0cHM6Ly90ZXN0MS5leGFtcGxlLmNvbTp0ZXN0QGhhY2tlci5jb20=' => 0,
+ 'userinfo trick',
+
++ # 22 url=https://hacker.com\@@test1.example.com/
++ 'aHR0cHM6Ly9oYWNrZXIuY29tXEBAdGVzdDEuZXhhbXBsZS5jb20v' =>
++ 'https://hacker.com%5C@@test1.example.com/',
++ 'Good reencoding (2931)',
++
++ # 23 url=https://hacker.com:\@@test1.example.com/
++ 'aHR0cHM6Ly9oYWNrZXIuY29tOlxAQHRlc3QxLmV4YW1wbGUuY29tLw==' =>
++ 'https://hacker.com:%5C@@test1.example.com/',
++ 'Good reencoding (2931)',
++
++ # 24 url='https://hacker.com\anyth...@test1.example.com/'
++ 'aHR0cHM6Ly9oYWNrZXIuY29tXGFueXRoaW5nQHRlc3QxLmV4YW1wbGUuY29tLw==' =>
++ 'https://hacker.com%5canyth...@test1.example.com/',
++ 'Good reencoding (2931)',
++
+ # LOGOUT TESTS
+ 'LOGOUT',
+
+@@ -95,7 +114,7 @@
+
+ # 19 url=http://www.toto.com/, good referer
+ 'aHR0cDovL3d3dy50b3RvLmNvbS8=',
+- 'http://test1.example.com/' => 1,
++ 'http://test1.example.com/' => 'http://www.toto.com/',
+ 'Logout required by good site',
+
+ # 20 url=http://www?<script>, good referer
+@@ -130,10 +149,13 @@
+ ),
+ $detail
+ );
+- ok( ( $res->[0] == ( $redir ? 302 : 200 ) ),
+- ( $redir ? 'Get redirection' : 'Redirection dropped' ) )
+- or explain( $res->[0], ( $redir ? 302 : 200 ) );
+- count(2);
++ if ($redir) {
++ expectRedirection( $res, $redir );
++ }
++ else {
++ expectOK($res);
++ }
++ count(1);
+ }
+
+ while ( defined( my $url = shift(@tests) ) ) {
+@@ -151,9 +173,12 @@
+ ),
+ $detail
+ );
+- ok( ( $res->[0] == ( $redir ? 302 : 200 ) ),
+- ( $redir ? 'Get redirection' : 'Redirection dropped' ) )
+- or explain( $res->[0], ( $redir ? 302 : 200 ) );
++ if ($redir) {
++ expectRedirection( $res, $redir );
++ }
++ else {
++ expectOK($res);
++ }
+ ok(
+ $res = $client->_post(
+ '/',
+@@ -164,7 +189,7 @@
+ );
+ expectOK($res);
+ $id = expectCookie($res);
+- count(3);
++ count(2);
+ }
+
+ clean_sessions();
diff --git a/debian/patches/series b/debian/patches/series
index 8cd6b510b..a7803dae5 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -12,3 +12,6 @@ CVE-2021-40874.patch
CVE-2022-37186.patch
fix-url-validation-bypass.patch
CVE-2023-28862.patch
+fix-open-redirection-without-OIDC-redirect-uris.patch
+fix-open-redirection.patch
+SSRF-issue.patch
--- End Message ---
