Hello community,

here is the log from the commit of package apache2-mod_auth_openidc for 
openSUSE:Factory checked in at 2019-10-30 14:49:08
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/apache2-mod_auth_openidc (Old)
 and      /work/SRC/openSUSE:Factory/.apache2-mod_auth_openidc.new.2990 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "apache2-mod_auth_openidc"

Wed Oct 30 14:49:08 2019 rev:7 rq:744159 version:2.4.0.3

Changes:
--------
--- 
/work/SRC/openSUSE:Factory/apache2-mod_auth_openidc/apache2-mod_auth_openidc.changes
        2019-08-24 18:45:07.869764682 +0200
+++ 
/work/SRC/openSUSE:Factory/.apache2-mod_auth_openidc.new.2990/apache2-mod_auth_openidc.changes
      2019-10-30 14:49:11.778270170 +0100
@@ -1,0 +2,15 @@
+Wed Oct 30 10:54:48 UTC 2019 - Kristyna Streitova <[email protected]>
+
+- Update to version 2.4.0.3
+
+Security
+  * improve validation of the post-logout URL parameter on logout;
+    thanks AIMOTO Norihito; closes #449
+    [bsc#1153666], [CVE-2019-14857]
+
+Bugfixes
+  * changed storing POST params from localStorage to sessionStorage
+    due to some issue of losing data in localStorage in Firefox
+    (private mode); fixes #447 #441
+
+-------------------------------------------------------------------

Old:
----
  apache2-mod_auth_openidc-2.4.0.tar.gz

New:
----
  apache2-mod_auth_openidc-2.4.0.3.tar.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ apache2-mod_auth_openidc.spec ++++++
--- /var/tmp/diff_new_pack.wKyWGs/_old  2019-10-30 14:49:12.454270888 +0100
+++ /var/tmp/diff_new_pack.wKyWGs/_new  2019-10-30 14:49:12.454270888 +0100
@@ -19,7 +19,7 @@
 %define apxs %{_sbindir}/apxs2
 %define apache_libexecdir %(%{apxs} -q LIBEXECDIR)
 Name:           apache2-mod_auth_openidc
-Version:        2.4.0
+Version:        2.4.0.3
 Release:        0
 Summary:        Apache2.x module for an OpenID Connect enabled Identity 
Provider
 License:        Apache-2.0

++++++ apache2-mod_auth_openidc-2.4.0.tar.gz -> 
apache2-mod_auth_openidc-2.4.0.3.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/mod_auth_openidc-2.4.0/.gitignore 
new/mod_auth_openidc-2.4.0.3/.gitignore
--- old/mod_auth_openidc-2.4.0/.gitignore       2019-08-22 17:00:25.000000000 
+0200
+++ new/mod_auth_openidc-2.4.0.3/.gitignore     2019-10-03 15:53:00.000000000 
+0200
@@ -6,3 +6,16 @@
 /discover
 /metadata
 /build/
+/.libs/
+/m4/
+/compile
+/config.guess
+/install-sh
+/libtool
+/ltmain.sh
+/mod_auth_openidc.la
+/config.sub
+/depcomp
+/missing
+/.settings/
+/.autotools
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/mod_auth_openidc-2.4.0/AUTHORS 
new/mod_auth_openidc-2.4.0.3/AUTHORS
--- old/mod_auth_openidc-2.4.0/AUTHORS  2019-08-22 17:00:25.000000000 +0200
+++ new/mod_auth_openidc-2.4.0.3/AUTHORS        2019-10-03 15:53:00.000000000 
+0200
@@ -54,3 +54,6 @@
        Lance Fannin <[email protected]>
        Ricardo Martin Camarero <https://github.com/rickyepoderi>
        Filip Vujicic <https://github.com/FilipVujicic>
+       Janusz Ulanowski <https://github.com/janul>
+       AIMOTO Norihito
+
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/mod_auth_openidc-2.4.0/ChangeLog 
new/mod_auth_openidc-2.4.0.3/ChangeLog
--- old/mod_auth_openidc-2.4.0/ChangeLog        2019-08-22 17:00:25.000000000 
+0200
+++ new/mod_auth_openidc-2.4.0.3/ChangeLog      2019-10-03 15:53:00.000000000 
+0200
@@ -1,3 +1,12 @@
+10/03/2019
+- improve validation of the post-logout URL parameter on logout; thanks AIMOTO 
Norihito; closes #449
+- release 2.4.0.3
+
+08/28/2019
+- fixes #447 #441 : changed storing POST params from localStorage to
+  sessionStorage due to some issue of losing data in localStorage in Firefox
+  (private mode) 
+
 08/22/2019
 - release 2.4.0
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/mod_auth_openidc-2.4.0/configure.ac 
new/mod_auth_openidc-2.4.0.3/configure.ac
--- old/mod_auth_openidc-2.4.0/configure.ac     2019-08-22 17:00:25.000000000 
+0200
+++ new/mod_auth_openidc-2.4.0.3/configure.ac   2019-10-03 15:53:00.000000000 
+0200
@@ -1,4 +1,4 @@
-AC_INIT([mod_auth_openidc],[2.4.0],[[email protected]])
+AC_INIT([mod_auth_openidc],[2.4.0.3],[[email protected]])
 
 AC_SUBST(NAMEVER, AC_PACKAGE_TARNAME()-AC_PACKAGE_VERSION())
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/mod_auth_openidc-2.4.0/src/.gitignore 
new/mod_auth_openidc-2.4.0.3/src/.gitignore
--- old/mod_auth_openidc-2.4.0/src/.gitignore   2019-08-22 17:00:25.000000000 
+0200
+++ new/mod_auth_openidc-2.4.0.3/src/.gitignore 2019-10-03 15:53:00.000000000 
+0200
@@ -3,3 +3,9 @@
 /*.slo
 /*.la
 /.libs
+/.deps/
+/.dirstamp
+/config.h
+/config.h.in
+/config.h.in~
+/stamp-h1
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/mod_auth_openidc-2.4.0/src/mod_auth_openidc.c 
new/mod_auth_openidc-2.4.0.3/src/mod_auth_openidc.c
--- old/mod_auth_openidc-2.4.0/src/mod_auth_openidc.c   2019-08-22 
17:00:25.000000000 +0200
+++ new/mod_auth_openidc-2.4.0.3/src/mod_auth_openidc.c 2019-10-03 
15:53:00.000000000 +0200
@@ -464,7 +464,7 @@
                        apr_psprintf(r->pool,
                                        "    <script 
type=\"text/javascript\">\n"
                                        "      function %s() {\n"
-                                       "        
localStorage.setItem('mod_auth_openidc_preserve_post_params', 
JSON.stringify(%s));\n"
+                                       "        
sessionStorage.setItem('mod_auth_openidc_preserve_post_params', 
JSON.stringify(%s));\n"
                                        "        %s"
                                        "      }\n"
                                        "    </script>\n", jmethod, json,
@@ -506,8 +506,8 @@
                                        "        return result;\n"
                                        "      }\n"
                                        "      function %s() {\n"
-                                       "        var 
mod_auth_openidc_preserve_post_params = 
JSON.parse(localStorage.getItem('mod_auth_openidc_preserve_post_params'));\n"
-                                       "                
localStorage.removeItem('mod_auth_openidc_preserve_post_params');\n"
+                                       "        var 
mod_auth_openidc_preserve_post_params = 
JSON.parse(sessionStorage.getItem('mod_auth_openidc_preserve_post_params'));\n"
+                                       "                
sessionStorage.removeItem('mod_auth_openidc_preserve_post_params');\n"
                                        "        for (var key in 
mod_auth_openidc_preserve_post_params) {\n"
                                        "          var input = 
document.createElement(\"input\");\n"
                                        "          input.name = 
str_decode(key);\n"
@@ -3024,6 +3024,61 @@
        return rc;
 }
 
+static apr_byte_t oidc_validate_post_logout_url(request_rec *r, const char 
*url,
+               char **err_str, char **err_desc) {
+       apr_uri_t uri;
+       const char *c_host = NULL;
+
+       if (apr_uri_parse(r->pool, url, &uri) != APR_SUCCESS) {
+               *err_str = apr_pstrdup(r->pool, "Malformed URL");
+               *err_desc = apr_psprintf(r->pool, "Logout URL malformed: %s", 
url);
+               oidc_error(r, "%s: %s", *err_str, *err_desc);
+               return FALSE;
+       }
+
+       c_host = oidc_get_current_url_host(r);
+       if ((uri.hostname != NULL)
+                       && ((strstr(c_host, uri.hostname) == NULL)
+                                       || (strstr(uri.hostname, c_host) == 
NULL))) {
+               *err_str = apr_pstrdup(r->pool, "Invalid Request");
+               *err_desc =
+                               apr_psprintf(r->pool,
+                                               "logout value \"%s\" does not 
match the hostname of the current request \"%s\"",
+                                               apr_uri_unparse(r->pool, &uri, 
0), c_host);
+               oidc_error(r, "%s: %s", *err_str, *err_desc);
+               return FALSE;
+       } else if ((uri.hostname == NULL) && (strstr(url, "/") != url)) {
+               *err_str = apr_pstrdup(r->pool, "Malformed URL");
+               *err_desc =
+                               apr_psprintf(r->pool,
+                                               "No hostname was parsed and it 
does not seem to be relative, i.e starting with '/': %s",
+                                               url);
+               oidc_error(r, "%s: %s", *err_str, *err_desc);
+               return FALSE;
+        } else if ((uri.hostname == NULL) && (strstr(url, "//") == url)) {
+                *err_str = apr_pstrdup(r->pool, "Malformed URL");
+                *err_desc =
+                                apr_psprintf(r->pool,
+                                                "No hostname was parsed and 
starting with '//': %s",
+                                                url);
+                oidc_error(r, "%s: %s", *err_str, *err_desc);
+                return FALSE;
+       }
+
+       /* validate the URL to prevent HTTP header splitting */
+       if (((strstr(url, "\n") != NULL) || strstr(url, "\r") != NULL)) {
+               *err_str = apr_pstrdup(r->pool, "Invalid Request");
+               *err_desc =
+                               apr_psprintf(r->pool,
+                                               "logout value \"%s\" contains 
illegal \"\n\" or \"\r\" character(s)",
+                                               url);
+               oidc_error(r, "%s: %s", *err_str, *err_desc);
+               return FALSE;
+       }
+
+       return TRUE;
+}
+
 /*
  * perform (single) logout
  */
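Review bot: The scheme-relative guard in oidc_validate_post_logout_url only rejects a value that begins with `//`, but browsers commonly treat a leading `/\` the same way, so a value of that shape still passes the third `else if` branch (apr_uri_parse leaves hostname NULL for anything starting with '/'); compare the second character explicitly, e.g. `} else if ((uri.hostname == NULL) && (url[0] == '/') && ((url[1] == '/') || (url[1] == '\\'))) {`. The hostname branch passes `c_host` straight to strstr without checking that oidc_get_current_url_host() returned non-NULL; if that helper can return NULL (not visible here) the call is undefined behaviour, so guard it before the comparison. `*err_desc` embeds the raw caller-supplied `url`, and the new call site hands it to oidc_util_html_send_error; confirm that path HTML-escapes the string before rendering it into the error template, or escape it here. As a matter of style, `strstr(url, "/") != url` and `strstr(url, "\n")` read more directly as `url[0] != '/'` and `strchr(url, '\n')`, and the third branch is indented with spaces while the rest of the function uses tabs.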
@@ -3033,6 +3088,9 @@
        oidc_provider_t *provider = NULL;
        /* pickup the command or URL where the user wants to go after logout */
        char *url = NULL;
+       char *error_str = NULL;
+       char *error_description = NULL;
+
        oidc_util_get_request_parameter(r, OIDC_REDIRECT_URI_REQUEST_LOGOUT, 
&url);
 
        oidc_debug(r, "enter (url=%s)", url);
@@ -3050,44 +3108,11 @@
        } else {
 
                /* do input validation on the logout parameter value */
-
-               const char *error_description = NULL;
-               apr_uri_t uri;
-
-               if (apr_uri_parse(r->pool, url, &uri) != APR_SUCCESS) {
-                       const char *error_description = apr_psprintf(r->pool,
-                                       "Logout URL malformed: %s", url);
-                       oidc_error(r, "%s", error_description);
-                       return oidc_util_html_send_error(r, c->error_template,
-                                       "Malformed URL", error_description,
-                                       HTTP_INTERNAL_SERVER_ERROR);
-
-               }
-
-               const char *c_host = oidc_get_current_url_host(r);
-               if ((uri.hostname != NULL)
-                               && ((strstr(c_host, uri.hostname) == NULL)
-                                               || (strstr(uri.hostname, 
c_host) == NULL))) {
-                       error_description =
-                                       apr_psprintf(r->pool,
-                                                       "logout value \"%s\" 
does not match the hostname of the current request \"%s\"",
-                                                       
apr_uri_unparse(r->pool, &uri, 0), c_host);
-                       oidc_error(r, "%s", error_description);
-                       return oidc_util_html_send_error(r, c->error_template,
-                                       "Invalid Request", error_description,
-                                       HTTP_INTERNAL_SERVER_ERROR);
-               }
-
-               /* validate the URL to prevent HTTP header splitting */
-               if (((strstr(url, "\n") != NULL) || strstr(url, "\r") != NULL)) 
{
-                       error_description =
-                                       apr_psprintf(r->pool,
-                                                       "logout value \"%s\" 
contains illegal \"\n\" or \"\r\" character(s)",
-                                                       url);
-                       oidc_error(r, "%s", error_description);
-                       return oidc_util_html_send_error(r, c->error_template,
-                                       "Invalid Request", error_description,
-                                       HTTP_INTERNAL_SERVER_ERROR);
+               if (oidc_validate_post_logout_url(r, url, &error_str,
+                               &error_description) == FALSE) {
+                       return oidc_util_html_send_error(r, c->error_template, 
error_str,
+                                       error_description,
+                                       HTTP_BAD_REQUEST);
                }
        }
 

