File fix-CVE-2022-23527-0.patch of Package apache2-mod_auth_openidc.28532
From 1a394a86be6d5b49b197aa62f0d96c06a0e5e515 Mon Sep 17 00:00:00 2001
From: Hans Zandbelt <hans.zandbelt@zmartzone.eu>
Date: Thu, 6 Jan 2022 16:38:53 +0100
Subject: [PATCH] improve detection of suspicious redirect URLs; add test list
bump to 2.4.11rc1
Signed-off-by: Hans Zandbelt <hans.zandbelt@zmartzone.eu>
---
ChangeLog | 4 +
Makefile.am | 3 +-
configure.ac | 2 +-
src/mod_auth_openidc.c | 15 +-
src/mod_auth_openidc.h | 1 +
test/open-redirect-payload-list.txt | 837 ++++++++++++++++++++++++++++
test/test.c | 45 ++
7 files changed, 904 insertions(+), 3 deletions(-)
create mode 100644 test/open-redirect-payload-list.txt
Index: mod_auth_openidc-2.3.8/src/mod_auth_openidc.c
===================================================================
--- mod_auth_openidc-2.3.8.orig/src/mod_auth_openidc.c
+++ mod_auth_openidc-2.3.8/src/mod_auth_openidc.c
@@ -2413,7 +2413,7 @@ static int oidc_target_link_uri_matches_
#define OIDC_MAX_URL_LENGTH 8192 * 2
-static apr_byte_t oidc_validate_redirect_url(request_rec *r, oidc_cfg *c,
+apr_byte_t oidc_validate_redirect_url(request_rec *r, oidc_cfg *c,
const char *redirect_to_url, apr_byte_t restrict_to_host, char **err_str,
char **err_desc) {
apr_uri_t uri;
@@ -2481,6 +2481,19 @@ static apr_byte_t oidc_validate_redirect
return FALSE;
}
+ if ((strstr(url, "/%09") != NULL) || (strstr(url, "/%2f") != NULL)
+ || (strstr(url, "/%68") != NULL) || (strstr(url, "/.") != NULL)
+ || (strstr(url, "/http:") != NULL) || (strstr(url, "/https:") != NULL)
+ || (strstr(url, "/javascript:") != NULL) || (strstr(url, "/〱") != NULL)
+ || (strstr(url, "/〵") != NULL) || (strstr(url, "/ゝ") != NULL)
+ || (strstr(url, "/ー") != NULL) || (strstr(url, "/〱") != NULL)
+ || (strstr(url, "/ー") != NULL) || (strstr(url, "/<") != NULL)
+ || (strstr(url, "%01javascript:") != NULL) || (strstr(url, "/%5c") != NULL)) {
+ *err_str = apr_pstrdup(r->pool, "Invalid URL");
+ *err_desc = apr_psprintf(r->pool, "URL value \"%s\" contains illegal character(s)", url);
+ oidc_error(r, "%s: %s", *err_str, *err_desc);
+ return FALSE;
+ }
return TRUE;
}
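Review bot: The sixteen `strstr` tests added here are case-sensitive, so they reject `/%2f` and `/%5c` but not `/%2F` or `/%5C`, even though the hex digits of a percent-encoding are case-insensitive (RFC 3986 §2.1) and scheme names are too; the accompanying payload list uses lowercase hex throughout, so the new test does not exercise that gap. Swapping each `strstr(url, ...)` for `ap_strcasestr(url, ...)` from httpd.h closes it without touching the list. The literals `"/〱"` and `"/ー"` each occur twice in the condition — if they are meant to be distinct code points that render alike, spell them as `\x` byte escapes or add a comment saying so, otherwise drop the repeats. `"/."` also rejects every path segment that starts with a dot, which covers legitimate targets under `/.well-known/`; if that is deliberate a comment should say so. oidc_validate_redirect_url starts before this hunk, so the derivation of `url` from redirect_to_url is not visible here.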
Index: mod_auth_openidc-2.3.8/src/mod_auth_openidc.h
===================================================================
--- mod_auth_openidc-2.3.8.orig/src/mod_auth_openidc.h
+++ mod_auth_openidc-2.3.8/src/mod_auth_openidc.h
@@ -631,6 +631,7 @@ apr_byte_t oidc_proto_handle_authorizati
apr_byte_t oidc_proto_validate_access_token(request_rec *r, oidc_provider_t *provider, oidc_jwt_t *jwt, const char *response_type, const char *access_token);
apr_byte_t oidc_proto_validate_code(request_rec *r, oidc_provider_t *provider, oidc_jwt_t *jwt, const char *response_type, const char *code);
apr_byte_t oidc_proto_validate_nonce(request_rec *r, oidc_cfg *cfg, oidc_provider_t *provider, const char *nonce, oidc_jwt_t *jwt);
+apr_byte_t oidc_validate_redirect_url(request_rec *r, oidc_cfg *c, const char *redirect_to_url, apr_byte_t restrict_to_host, char **err_str, char **err_desc);
// oidc_authz.c
typedef apr_byte_t (*oidc_authz_match_claim_fn_type)(request_rec *, const char * const, const json_t * const);
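Review bot: The new prototype is placed among the `oidc_proto_validate_*` declarations, directly ahead of the `// oidc_authz.c` marker, although the definition lives in src/mod_auth_openidc.c per the first file section of this patch; if the header groups prototypes by defining source file, as that marker suggests, it belongs in that file's group instead. Since the function is now external, a short contract comment on the prototype would help the test and any future caller, e.g. `/* Validates a redirect target; returns FALSE and fills *err_str/*err_desc (allocated from r->pool) when it is rejected. */` — the fill behaviour is what the rejection branch added in this commit does, so confirm the earlier rejection branches set both before documenting it unconditionally. The rest of the declaration list continues outside the hunk.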
Index: mod_auth_openidc-2.3.8/test/open-redirect-payload-list.txt
===================================================================
--- /dev/null
+++ mod_auth_openidc-2.3.8/test/open-redirect-payload-list.txt
@@ -0,0 +1,837 @@
+/%09/example.com
+/%2f%2fexample.com
+/%2f%2f%2fbing.com%2f%3fwww.omise.co
+/%2f%5c%2f%67%6f%6f%67%6c%65%2e%63%6f%6d/
+/%5cexample.com
+/%68%74%74%70%3a%2f%2f%67%6f%6f%67%6c%65%2e%63%6f%6d
+/.example.com
+//%09/example.com
+//%5cexample.com
+///%09/example.com
+///%5cexample.com
+////%09/example.com
+////%5cexample.com
+/////example.com
+/////example.com/
+////\;@example.com
+////example.com/
+////example.com/%2e%2e
+////example.com/%2e%2e%2f
+////example.com/%2f%2e%2e
+////example.com/%2f..
+////example.com//
+///\;@example.com
+///example.com
+///example.com/
+//google.com/%2f..
+//www.whitelisteddomain.tld@google.com/%2f..
+///google.com/%2f..
+///www.whitelisteddomain.tld@google.com/%2f..
+////google.com/%2f..
+////www.whitelisteddomain.tld@google.com/%2f..
+https://google.com/%2f..
+https://www.whitelisteddomain.tld@google.com/%2f..
+/https://google.com/%2f..
+/https://www.whitelisteddomain.tld@google.com/%2f..
+//www.google.com/%2f%2e%2e
+//www.whitelisteddomain.tld@www.google.com/%2f%2e%2e
+///www.google.com/%2f%2e%2e
+///www.whitelisteddomain.tld@www.google.com/%2f%2e%2e
+////www.google.com/%2f%2e%2e
+////www.whitelisteddomain.tld@www.google.com/%2f%2e%2e
+https://www.google.com/%2f%2e%2e
+https://www.whitelisteddomain.tld@www.google.com/%2f%2e%2e
+/https://www.google.com/%2f%2e%2e
+/https://www.whitelisteddomain.tld@www.google.com/%2f%2e%2e
+//google.com/
+//www.whitelisteddomain.tld@google.com/
+///google.com/
+///www.whitelisteddomain.tld@google.com/
+////google.com/
+////www.whitelisteddomain.tld@google.com/
+https://google.com/
+https://www.whitelisteddomain.tld@google.com/
+/https://google.com/
+/https://www.whitelisteddomain.tld@google.com/
+//google.com//
+//www.whitelisteddomain.tld@google.com//
+///google.com//
+///www.whitelisteddomain.tld@google.com//
+////google.com//
+////www.whitelisteddomain.tld@google.com//
+https://google.com//
+https://www.whitelisteddomain.tld@google.com//
+//https://google.com//
+//https://www.whitelisteddomain.tld@google.com//
+//www.google.com/%2e%2e%2f
+//www.whitelisteddomain.tld@www.google.com/%2e%2e%2f
+///www.google.com/%2e%2e%2f
+///www.whitelisteddomain.tld@www.google.com/%2e%2e%2f
+////www.google.com/%2e%2e%2f
+////www.whitelisteddomain.tld@www.google.com/%2e%2e%2f
+https://www.google.com/%2e%2e%2f
+https://www.whitelisteddomain.tld@www.google.com/%2e%2e%2f
+//https://www.google.com/%2e%2e%2f
+//https://www.whitelisteddomain.tld@www.google.com/%2e%2e%2f
+///www.google.com/%2e%2e
+///www.whitelisteddomain.tld@www.google.com/%2e%2e
+////www.google.com/%2e%2e
+////www.whitelisteddomain.tld@www.google.com/%2e%2e
+https:///www.google.com/%2e%2e
+https:///www.whitelisteddomain.tld@www.google.com/%2e%2e
+//https:///www.google.com/%2e%2e
+//www.whitelisteddomain.tld@https:///www.google.com/%2e%2e
+/https://www.google.com/%2e%2e
+/https://www.whitelisteddomain.tld@www.google.com/%2e%2e
+///www.google.com/%2f%2e%2e
+///www.whitelisteddomain.tld@www.google.com/%2f%2e%2e
+////www.google.com/%2f%2e%2e
+////www.whitelisteddomain.tld@www.google.com/%2f%2e%2e
+https:///www.google.com/%2f%2e%2e
+https:///www.whitelisteddomain.tld@www.google.com/%2f%2e%2e
+/https://www.google.com/%2f%2e%2e
+/https://www.whitelisteddomain.tld@www.google.com/%2f%2e%2e
+/https:///www.google.com/%2f%2e%2e
+/https:///www.whitelisteddomain.tld@www.google.com/%2f%2e%2e
+/%09/google.com
+/%09/www.whitelisteddomain.tld@google.com
+//%09/google.com
+//%09/www.whitelisteddomain.tld@google.com
+///%09/google.com
+///%09/www.whitelisteddomain.tld@google.com
+////%09/google.com
+////%09/www.whitelisteddomain.tld@google.com
+https://%09/google.com
+https://%09/www.whitelisteddomain.tld@google.com
+/%5cgoogle.com
+/%5cwww.whitelisteddomain.tld@google.com
+//%5cgoogle.com
+//%5cwww.whitelisteddomain.tld@google.com
+///%5cgoogle.com
+///%5cwww.whitelisteddomain.tld@google.com
+////%5cgoogle.com
+////%5cwww.whitelisteddomain.tld@google.com
+https://%5cgoogle.com
+https://%5cwww.whitelisteddomain.tld@google.com
+/https://%5cgoogle.com
+/https://%5cwww.whitelisteddomain.tld@google.com
+https://google.com
+https://www.whitelisteddomain.tld@google.com
+javascript:alert(1);
+javascript:alert(1)
+//javascript:alert(1);
+/javascript:alert(1);
+//javascript:alert(1)
+/javascript:alert(1)
+/%5cjavascript:alert(1);
+/%5cjavascript:alert(1)
+//%5cjavascript:alert(1);
+//%5cjavascript:alert(1)
+/%09/javascript:alert(1);
+/%09/javascript:alert(1)
+java%0d%0ascript%0d%0a:alert(0)
+//google.com
+https:google.com
+//google%E3%80%82com
+\/\/google.com/
+/\/google.com/
+//google%00.com
+https://www.whitelisteddomain.tld/https://www.google.com/
+";alert(0);//
+javascript://www.whitelisteddomain.tld?%a0alert%281%29
+http://0xd8.0x3a.0xd6.0xce
+http://www.whitelisteddomain.tld@0xd8.0x3a.0xd6.0xce
+http://3H6k7lIAiqjfNeN@0xd8.0x3a.0xd6.0xce
+http://XY>.7d8T\205pZM@0xd8.0x3a.0xd6.0xce
+http://0xd83ad6ce
+http://www.whitelisteddomain.tld@0xd83ad6ce
+http://3H6k7lIAiqjfNeN@0xd83ad6ce
+http://XY>.7d8T\205pZM@0xd83ad6ce
+http://3627734734
+http://www.whitelisteddomain.tld@3627734734
+http://3H6k7lIAiqjfNeN@3627734734
+http://XY>.7d8T\205pZM@3627734734
+http://472.314.470.462
+http://www.whitelisteddomain.tld@472.314.470.462
+http://3H6k7lIAiqjfNeN@472.314.470.462
+http://XY>.7d8T\205pZM@472.314.470.462
+http://0330.072.0326.0316
+http://www.whitelisteddomain.tld@0330.072.0326.0316
+http://3H6k7lIAiqjfNeN@0330.072.0326.0316
+http://XY>.7d8T\205pZM@0330.072.0326.0316
+http://00330.00072.0000326.00000316
+http://www.whitelisteddomain.tld@00330.00072.0000326.00000316
+http://3H6k7lIAiqjfNeN@00330.00072.0000326.00000316
+http://XY>.7d8T\205pZM@00330.00072.0000326.00000316
+http://[::216.58.214.206]
+http://www.whitelisteddomain.tld@[::216.58.214.206]
+http://3H6k7lIAiqjfNeN@[::216.58.214.206]
+http://XY>.7d8T\205pZM@[::216.58.214.206]
+http://[::ffff:216.58.214.206]
+http://www.whitelisteddomain.tld@[::ffff:216.58.214.206]
+http://3H6k7lIAiqjfNeN@[::ffff:216.58.214.206]
+http://XY>.7d8T\205pZM@[::ffff:216.58.214.206]
+http://0xd8.072.54990
+http://www.whitelisteddomain.tld@0xd8.072.54990
+http://3H6k7lIAiqjfNeN@0xd8.072.54990
+http://XY>.7d8T\205pZM@0xd8.072.54990
+http://0xd8.3856078
+http://www.whitelisteddomain.tld@0xd8.3856078
+http://3H6k7lIAiqjfNeN@0xd8.3856078
+http://XY>.7d8T\205pZM@0xd8.3856078
+http://00330.3856078
+http://www.whitelisteddomain.tld@00330.3856078
+http://3H6k7lIAiqjfNeN@00330.3856078
+http://XY>.7d8T\205pZM@00330.3856078
+http://00330.0x3a.54990
+http://www.whitelisteddomain.tld@00330.0x3a.54990
+http://3H6k7lIAiqjfNeN@00330.0x3a.54990
+http://XY>.7d8T\205pZM@00330.0x3a.54990
+http:0xd8.0x3a.0xd6.0xce
+http:www.whitelisteddomain.tld@0xd8.0x3a.0xd6.0xce
+http:3H6k7lIAiqjfNeN@0xd8.0x3a.0xd6.0xce
+http:XY>.7d8T\205pZM@0xd8.0x3a.0xd6.0xce
+http:0xd83ad6ce
+http:www.whitelisteddomain.tld@0xd83ad6ce
+http:3H6k7lIAiqjfNeN@0xd83ad6ce
+http:XY>.7d8T\205pZM@0xd83ad6ce
+http:3627734734
+http:www.whitelisteddomain.tld@3627734734
+http:3H6k7lIAiqjfNeN@3627734734
+http:XY>.7d8T\205pZM@3627734734
+http:472.314.470.462
+http:www.whitelisteddomain.tld@472.314.470.462
+http:3H6k7lIAiqjfNeN@472.314.470.462
+http:XY>.7d8T\205pZM@472.314.470.462
+http:0330.072.0326.0316
+http:www.whitelisteddomain.tld@0330.072.0326.0316
+http:3H6k7lIAiqjfNeN@0330.072.0326.0316
+http:XY>.7d8T\205pZM@0330.072.0326.0316
+http:00330.00072.0000326.00000316
+http:www.whitelisteddomain.tld@00330.00072.0000326.00000316
+http:3H6k7lIAiqjfNeN@00330.00072.0000326.00000316
+http:XY>.7d8T\205pZM@00330.00072.0000326.00000316
+http:[::216.58.214.206]
+http:www.whitelisteddomain.tld@[::216.58.214.206]
+http:3H6k7lIAiqjfNeN@[::216.58.214.206]
+http:XY>.7d8T\205pZM@[::216.58.214.206]
+http:[::ffff:216.58.214.206]
+http:www.whitelisteddomain.tld@[::ffff:216.58.214.206]
+http:3H6k7lIAiqjfNeN@[::ffff:216.58.214.206]
+http:XY>.7d8T\205pZM@[::ffff:216.58.214.206]
+http:0xd8.072.54990
+http:www.whitelisteddomain.tld@0xd8.072.54990
+http:3H6k7lIAiqjfNeN@0xd8.072.54990
+http:XY>.7d8T\205pZM@0xd8.072.54990
+http:0xd8.3856078
+http:www.whitelisteddomain.tld@0xd8.3856078
+http:3H6k7lIAiqjfNeN@0xd8.3856078
+http:XY>.7d8T\205pZM@0xd8.3856078
+http:00330.3856078
+http:www.whitelisteddomain.tld@00330.3856078
+http:3H6k7lIAiqjfNeN@00330.3856078
+http:XY>.7d8T\205pZM@00330.3856078
+http:00330.0x3a.54990
+http:www.whitelisteddomain.tld@00330.0x3a.54990
+http:3H6k7lIAiqjfNeN@00330.0x3a.54990
+http:XY>.7d8T\205pZM@00330.0x3a.54990
+〱google.com
+〵google.com
+ゝgoogle.com
+ーgoogle.com
+ーgoogle.com
+/〱google.com
+/〵google.com
+/ゝgoogle.com
+/ーgoogle.com
+/ーgoogle.com
+%68%74%74%70%3a%2f%2f%67%6f%6f%67%6c%65%2e%63%6f%6d
+http://%67%6f%6f%67%6c%65%2e%63%6f%6d
+<>javascript:alert(1);
+<>//google.com
+//google.com\@www.whitelisteddomain.tld
+https://:@google.com\@www.whitelisteddomain.tld
+http://google.com:80#@www.whitelisteddomain.tld/
+http://google.com:80?@www.whitelisteddomain.tld/
+///example.com/%2e%2e
+///example.com/%2e%2e%2f
+///example.com/%2f%2e%2e
+///example.com/%2f..
+///example.com//
+//example.com
+//example.com/
+//example.com/%2e%2e
+//example.com/%2e%2e%2f
+//example.com/%2f%2e%2e
+//example.com/%2f..
+//example.com//
+//google%00.com
+//google%E3%80%82com
+//https:///example.com/%2e%2e
+//https://example.com/%2e%2e%2f
+//https://example.com//
+/<>//example.com
+/\/\/example.com/
+/\/example.com/
+/example.com/%2f%2e%2e
+/http://%67%6f%6f%67%6c%65%2e%63%6f%6d
+/http://example.com
+/http:/example.com
+/https:/%5cexample.com/
+/https://%09/example.com
+/https://%5cexample.com
+/https:///example.com/%2e%2e
+/https:///example.com/%2f%2e%2e
+/https://example.com
+/https://example.com/
+/https://example.com/%2e%2e
+/https://example.com/%2e%2e%2f
+/https://example.com/%2f%2e%2e
+/https://example.com/%2f..
+/https://example.com//
+/https:example.com
+//%2fxgoogle.com
+//localdomain.pw/%2f..
+//www.whitelisteddomain.tld@localdomain.pw/%2f..
+///localdomain.pw/%2f..
+///www.whitelisteddomain.tld@localdomain.pw/%2f..
+////localdomain.pw/%2f..
+////www.whitelisteddomain.tld@localdomain.pw/%2f..
+https://localdomain.pw/%2f..
+https://www.whitelisteddomain.tld@localdomain.pw/%2f..
+/https://localdomain.pw/%2f..
+/https://www.whitelisteddomain.tld@localdomain.pw/%2f..
+//localdomain.pw/%2f%2e%2e
+//www.whitelisteddomain.tld@localdomain.pw/%2f%2e%2e
+///localdomain.pw/%2f%2e%2e
+///www.whitelisteddomain.tld@localdomain.pw/%2f%2e%2e
+////localdomain.pw/%2f%2e%2e
+////www.whitelisteddomain.tld@localdomain.pw/%2f%2e%2e
+https://localdomain.pw/%2f%2e%2e
+https://www.whitelisteddomain.tld@localdomain.pw/%2f%2e%2e
+/https://localdomain.pw/%2f%2e%2e
+/https://www.whitelisteddomain.tld@localdomain.pw/%2f%2e%2e
+//localdomain.pw/
+//www.whitelisteddomain.tld@localdomain.pw/
+///localdomain.pw/
+///www.whitelisteddomain.tld@localdomain.pw/
+////localdomain.pw/
+////www.whitelisteddomain.tld@localdomain.pw/
+https://localdomain.pw/
+https://www.whitelisteddomain.tld@localdomain.pw/
+/https://localdomain.pw/
+/https://www.whitelisteddomain.tld@localdomain.pw/
+//localdomain.pw//
+//www.whitelisteddomain.tld@localdomain.pw//
+///localdomain.pw//
+///www.whitelisteddomain.tld@localdomain.pw//
+////localdomain.pw//
+////www.whitelisteddomain.tld@localdomain.pw//
+https://localdomain.pw//
+https://www.whitelisteddomain.tld@localdomain.pw//
+//https://localdomain.pw//
+//https://www.whitelisteddomain.tld@localdomain.pw//
+//localdomain.pw/%2e%2e%2f
+//www.whitelisteddomain.tld@localdomain.pw/%2e%2e%2f
+///localdomain.pw/%2e%2e%2f
+///www.whitelisteddomain.tld@localdomain.pw/%2e%2e%2f
+////localdomain.pw/%2e%2e%2f
+////www.whitelisteddomain.tld@localdomain.pw/%2e%2e%2f
+https://localdomain.pw/%2e%2e%2f
+https://www.whitelisteddomain.tld@localdomain.pw/%2e%2e%2f
+//https://localdomain.pw/%2e%2e%2f
+//https://www.whitelisteddomain.tld@localdomain.pw/%2e%2e%2f
+///localdomain.pw/%2e%2e
+///www.whitelisteddomain.tld@localdomain.pw/%2e%2e
+////localdomain.pw/%2e%2e
+////www.whitelisteddomain.tld@localdomain.pw/%2e%2e
+https:///localdomain.pw/%2e%2e
+https:///www.whitelisteddomain.tld@localdomain.pw/%2e%2e
+//https:///localdomain.pw/%2e%2e
+//www.whitelisteddomain.tld@https:///localdomain.pw/%2e%2e
+/https://localdomain.pw/%2e%2e
+/https://www.whitelisteddomain.tld@localdomain.pw/%2e%2e
+///localdomain.pw/%2f%2e%2e
+///www.whitelisteddomain.tld@localdomain.pw/%2f%2e%2e
+////localdomain.pw/%2f%2e%2e
+////www.whitelisteddomain.tld@localdomain.pw/%2f%2e%2e
+https:///localdomain.pw/%2f%2e%2e
+https:///www.whitelisteddomain.tld@localdomain.pw/%2f%2e%2e
+/https://localdomain.pw/%2f%2e%2e
+/https://www.whitelisteddomain.tld@localdomain.pw/%2f%2e%2e
+/https:///localdomain.pw/%2f%2e%2e
+/https:///www.whitelisteddomain.tld@localdomain.pw/%2f%2e%2e
+/%09/localdomain.pw
+/%09/www.whitelisteddomain.tld@localdomain.pw
+//%09/localdomain.pw
+//%09/www.whitelisteddomain.tld@localdomain.pw
+///%09/localdomain.pw
+///%09/www.whitelisteddomain.tld@localdomain.pw
+////%09/localdomain.pw
+////%09/www.whitelisteddomain.tld@localdomain.pw
+https://%09/localdomain.pw
+https://%09/www.whitelisteddomain.tld@localdomain.pw
+/%5clocaldomain.pw
+/%5cwww.whitelisteddomain.tld@localdomain.pw
+//%5clocaldomain.pw
+//%5cwww.whitelisteddomain.tld@localdomain.pw
+///%5clocaldomain.pw
+///%5cwww.whitelisteddomain.tld@localdomain.pw
+////%5clocaldomain.pw
+////%5cwww.whitelisteddomain.tld@localdomain.pw
+https://%5clocaldomain.pw
+https://%5cwww.whitelisteddomain.tld@localdomain.pw
+/https://%5clocaldomain.pw
+/https://%5cwww.whitelisteddomain.tld@localdomain.pw
+https://localdomain.pw
+https://www.whitelisteddomain.tld@localdomain.pw
+javascript:alert(1);
+javascript:alert(1)
+//javascript:alert(1);
+/javascript:alert(1);
+//javascript:alert(1)
+/javascript:alert(1)
+/%5cjavascript:alert(1);
+/%5cjavascript:alert(1)
+//%5cjavascript:alert(1);
+//%5cjavascript:alert(1)
+/%09/javascript:alert(1);
+/%09/javascript:alert(1)
+java%0d%0ascript%0d%0a:alert(0)
+//localdomain.pw
+https:localdomain.pw
+//localdomain%E3%80%82pw
+\/\/localdomain.pw/
+/\/localdomain.pw/
+/%2f%5c%2f%67%6f%6f%67%6c%65%2e%63%6f%6d/
+//localdomain%00.pw
+https://www.whitelisteddomain.tld/https://localdomain.pw/
+";alert(0);//
+javascript://www.whitelisteddomain.tld?%a0alert%281%29
+http://0xd8.0x3a.0xd6.0xce
+http://www.whitelisteddomain.tld@0xd8.0x3a.0xd6.0xce
+http://3H6k7lIAiqjfNeN@0xd8.0x3a.0xd6.0xce
+http://XY>.7d8T\205pZM@0xd8.0x3a.0xd6.0xce
+http://0xd83ad6ce
+http://www.whitelisteddomain.tld@0xd83ad6ce
+http://3H6k7lIAiqjfNeN@0xd83ad6ce
+http://XY>.7d8T\205pZM@0xd83ad6ce
+http://3627734734
+http://www.whitelisteddomain.tld@3627734734
+http://3H6k7lIAiqjfNeN@3627734734
+http://XY>.7d8T\205pZM@3627734734
+http://472.314.470.462
+http://www.whitelisteddomain.tld@472.314.470.462
+http://3H6k7lIAiqjfNeN@472.314.470.462
+http://XY>.7d8T\205pZM@472.314.470.462
+http://0330.072.0326.0316
+http://www.whitelisteddomain.tld@0330.072.0326.0316
+http://3H6k7lIAiqjfNeN@0330.072.0326.0316
+http://XY>.7d8T\205pZM@0330.072.0326.0316
+http://00330.00072.0000326.00000316
+http://www.whitelisteddomain.tld@00330.00072.0000326.00000316
+http://3H6k7lIAiqjfNeN@00330.00072.0000326.00000316
+http://XY>.7d8T\205pZM@00330.00072.0000326.00000316
+http://[::216.58.214.206]
+http://www.whitelisteddomain.tld@[::216.58.214.206]
+http://3H6k7lIAiqjfNeN@[::216.58.214.206]
+http://XY>.7d8T\205pZM@[::216.58.214.206]
+http://[::ffff:216.58.214.206]
+http://www.whitelisteddomain.tld@[::ffff:216.58.214.206]
+http://3H6k7lIAiqjfNeN@[::ffff:216.58.214.206]
+http://XY>.7d8T\205pZM@[::ffff:216.58.214.206]
+http://0xd8.072.54990
+http://www.whitelisteddomain.tld@0xd8.072.54990
+http://3H6k7lIAiqjfNeN@0xd8.072.54990
+http://XY>.7d8T\205pZM@0xd8.072.54990
+http://0xd8.3856078
+http://www.whitelisteddomain.tld@0xd8.3856078
+http://3H6k7lIAiqjfNeN@0xd8.3856078
+http://XY>.7d8T\205pZM@0xd8.3856078
+http://00330.3856078
+http://www.whitelisteddomain.tld@00330.3856078
+http://3H6k7lIAiqjfNeN@00330.3856078
+http://XY>.7d8T\205pZM@00330.3856078
+http://00330.0x3a.54990
+http://www.whitelisteddomain.tld@00330.0x3a.54990
+http://3H6k7lIAiqjfNeN@00330.0x3a.54990
+http://XY>.7d8T\205pZM@00330.0x3a.54990
+http:0xd8.0x3a.0xd6.0xce
+http:www.whitelisteddomain.tld@0xd8.0x3a.0xd6.0xce
+http:3H6k7lIAiqjfNeN@0xd8.0x3a.0xd6.0xce
+http:XY>.7d8T\205pZM@0xd8.0x3a.0xd6.0xce
+http:0xd83ad6ce
+http:www.whitelisteddomain.tld@0xd83ad6ce
+http:3H6k7lIAiqjfNeN@0xd83ad6ce
+http:XY>.7d8T\205pZM@0xd83ad6ce
+http:3627734734
+http:www.whitelisteddomain.tld@3627734734
+http:3H6k7lIAiqjfNeN@3627734734
+http:XY>.7d8T\205pZM@3627734734
+http:472.314.470.462
+http:www.whitelisteddomain.tld@472.314.470.462
+http:3H6k7lIAiqjfNeN@472.314.470.462
+http:XY>.7d8T\205pZM@472.314.470.462
+http:0330.072.0326.0316
+http:www.whitelisteddomain.tld@0330.072.0326.0316
+http:3H6k7lIAiqjfNeN@0330.072.0326.0316
+http:XY>.7d8T\205pZM@0330.072.0326.0316
+http:00330.00072.0000326.00000316
+http:www.whitelisteddomain.tld@00330.00072.0000326.00000316
+http:3H6k7lIAiqjfNeN@00330.00072.0000326.00000316
+http:XY>.7d8T\205pZM@00330.00072.0000326.00000316
+http:[::216.58.214.206]
+http:www.whitelisteddomain.tld@[::216.58.214.206]
+http:3H6k7lIAiqjfNeN@[::216.58.214.206]
+http:XY>.7d8T\205pZM@[::216.58.214.206]
+http:[::ffff:216.58.214.206]
+http:www.whitelisteddomain.tld@[::ffff:216.58.214.206]
+http:3H6k7lIAiqjfNeN@[::ffff:216.58.214.206]
+http:XY>.7d8T\205pZM@[::ffff:216.58.214.206]
+http:0xd8.072.54990
+http:www.whitelisteddomain.tld@0xd8.072.54990
+http:3H6k7lIAiqjfNeN@0xd8.072.54990
+http:XY>.7d8T\205pZM@0xd8.072.54990
+http:0xd8.3856078
+http:www.whitelisteddomain.tld@0xd8.3856078
+http:3H6k7lIAiqjfNeN@0xd8.3856078
+http:XY>.7d8T\205pZM@0xd8.3856078
+http:00330.3856078
+http:www.whitelisteddomain.tld@00330.3856078
+http:3H6k7lIAiqjfNeN@00330.3856078
+http:XY>.7d8T\205pZM@00330.3856078
+http:00330.0x3a.54990
+http:www.whitelisteddomain.tld@00330.0x3a.54990
+http:3H6k7lIAiqjfNeN@00330.0x3a.54990
+http:XY>.7d8T\205pZM@00330.0x3a.54990
+〱localdomain.pw
+〵localdomain.pw
+ゝlocaldomain.pw
+ーlocaldomain.pw
+ーlocaldomain.pw
+/〱localdomain.pw
+/〵localdomain.pw
+/ゝlocaldomain.pw
+/ーlocaldomain.pw
+/ーlocaldomain.pw
+%68%74%74%70%3a%2f%2f%67%6f%6f%67%6c%65%2e%63%6f%6d
+http://%67%6f%6f%67%6c%65%2e%63%6f%6d
+<>javascript:alert(1);
+<>//localdomain.pw
+//localdomain.pw\@www.whitelisteddomain.tld
+https://:@localdomain.pw\@www.whitelisteddomain.tld
+http://localdomain.pw:80#@www.whitelisteddomain.tld/
+http://localdomain.pw:80?@www.whitelisteddomain.tld/
+http://3H6k7lIAiqjfNeN@www.whitelisteddomain.tld+@localdomain.pw/
+http://XY>.7d8T\205pZM@www.whitelisteddomain.tld+@localdomain.pw/
+http://3H6k7lIAiqjfNeN@www.whitelisteddomain.tld@localdomain.pw/
+http://XY>.7d8T\205pZM@www.whitelisteddomain.tld@localdomain.pw/
+http://www.whitelisteddomain.tld+&@localdomain.pw#+@www.whitelisteddomain.tld/
+http://localdomain.pw\twww.whitelisteddomain.tld/
+//localdomain.pw:80#@www.whitelisteddomain.tld/
+//localdomain.pw:80?@www.whitelisteddomain.tld/
+//3H6k7lIAiqjfNeN@www.whitelisteddomain.tld+@localdomain.pw/
+//XY>.7d8T\205pZM@www.whitelisteddomain.tld+@localdomain.pw/
+//3H6k7lIAiqjfNeN@www.whitelisteddomain.tld@localdomain.pw/
+//XY>.7d8T\205pZM@www.whitelisteddomain.tld@localdomain.pw/
+//www.whitelisteddomain.tld+&@localdomain.pw#+@www.whitelisteddomain.tld/
+//localdomain.pw\twww.whitelisteddomain.tld/
+//;@localdomain.pw
+http://;@localdomain.pw
+@localdomain.pw
+javascript://https://www.whitelisteddomain.tld/?z=%0Aalert(1)
+data:text/html;base64,PHNjcmlwdD5hbGVydCgiWFNTIik8L3NjcmlwdD4=
+http://localdomain.pw%2f%2f.www.whitelisteddomain.tld/
+http://localdomain.pw%5c%5c.www.whitelisteddomain.tld/
+http://localdomain.pw%3F.www.whitelisteddomain.tld/
+http://localdomain.pw%23.www.whitelisteddomain.tld/
+http://www.whitelisteddomain.tld:80%40localdomain.pw/
+http://www.whitelisteddomain.tld%2elocaldomain.pw/
+/x:1/:///%01javascript:alert(document.cookie)/
+/https:/%5clocaldomain.pw/
+javascripT://anything%0D%0A%0D%0Awindow.alert(document.cookie)
+/http://localdomain.pw
+/%2f%2flocaldomain.pw
+/localdomain.pw/%2f%2e%2e
+/http:/localdomain.pw
+/.localdomain.pw
+http://.localdomain.pw
+.localdomain.pw
+///\;@localdomain.pw
+///localdomain.pw
+/////localdomain.pw/
+/////localdomain.pw
+java%0ascript:alert(1)
+java%09script:alert(1)
+java%0dscript:alert(1)
+javascript://%0aalert(1)
+Javas%26%2399;ript:alert(1)
+data:www.whitelisteddomain.tld;text/html;charset=UTF-8,<html><script>document.write(document.domain);</script><iframe/src=xxxxx>aaaa</iframe></html>
+jaVAscript://www.whitelisteddomain.tld//%0d%0aalert(1);//
+http://www.localdomain.pw\.www.whitelisteddomain.tld
+%19Jav%09asc%09ript:https%20://www.whitelisteddomain.tld/%250Aconfirm%25281%2529
+//example.com@google.com/%2f..
+///google.com/%2f..
+///example.com@google.com/%2f..
+////google.com/%2f..
+////example.com@google.com/%2f..
+https://google.com/%2f..
+https://example.com@google.com/%2f..
+/https://google.com/%2f..
+/https://example.com@google.com/%2f..
+//google.com/%2f%2e%2e
+//example.com@google.com/%2f%2e%2e
+///google.com/%2f%2e%2e
+///example.com@google.com/%2f%2e%2e
+////google.com/%2f%2e%2e
+////example.com@google.com/%2f%2e%2e
+https://google.com/%2f%2e%2e
+https://example.com@google.com/%2f%2e%2e
+/https://google.com/%2f%2e%2e
+/https://example.com@google.com/%2f%2e%2e
+//google.com/
+//example.com@google.com/
+///google.com/
+///example.com@google.com/
+////google.com/
+////example.com@google.com/
+https://google.com/
+https://example.com@google.com/
+/https://google.com/
+/https://example.com@google.com/
+//google.com//
+//example.com@google.com//
+///google.com//
+///example.com@google.com//
+////google.com//
+////example.com@google.com//
+https://google.com//
+https://example.com@google.com//
+//https://google.com//
+//https://example.com@google.com//
+//google.com/%2e%2e%2f
+//example.com@google.com/%2e%2e%2f
+///google.com/%2e%2e%2f
+///example.com@google.com/%2e%2e%2f
+////google.com/%2e%2e%2f
+////example.com@google.com/%2e%2e%2f
+https://google.com/%2e%2e%2f
+https://example.com@google.com/%2e%2e%2f
+//https://google.com/%2e%2e%2f
+//https://example.com@google.com/%2e%2e%2f
+///google.com/%2e%2e
+///example.com@google.com/%2e%2e
+////google.com/%2e%2e
+////example.com@google.com/%2e%2e
+https:///google.com/%2e%2e
+https:///example.com@google.com/%2e%2e
+//https:///google.com/%2e%2e
+//example.com@https:///google.com/%2e%2e
+/https://google.com/%2e%2e
+/https://example.com@google.com/%2e%2e
+///google.com/%2f%2e%2e
+///example.com@google.com/%2f%2e%2e
+////google.com/%2f%2e%2e
+////example.com@google.com/%2f%2e%2e
+https:///google.com/%2f%2e%2e
+https:///example.com@google.com/%2f%2e%2e
+/https://google.com/%2f%2e%2e
+/https://example.com@google.com/%2f%2e%2e
+/https:///google.com/%2f%2e%2e
+/https:///example.com@google.com/%2f%2e%2e
+/%09/google.com
+/%09/example.com@google.com
+//%09/google.com
+//%09/example.com@google.com
+///%09/google.com
+///%09/example.com@google.com
+////%09/google.com
+////%09/example.com@google.com
+https://%09/google.com
+https://%09/example.com@google.com
+/%5cgoogle.com
+/%5cexample.com@google.com
+//%5cgoogle.com
+//%5cexample.com@google.com
+///%5cgoogle.com
+///%5cexample.com@google.com
+////%5cgoogle.com
+////%5cexample.com@google.com
+https://%5cgoogle.com
+https://%5cexample.com@google.com
+/https://%5cgoogle.com
+/https://%5cexample.com@google.com
+https://google.com
+https://example.com@google.com
+javascript:alert(1);
+javascript:alert(1)
+//javascript:alert(1);
+/javascript:alert(1);
+//javascript:alert(1)
+/javascript:alert(1)
+/%5cjavascript:alert(1);
+/%5cjavascript:alert(1)
+//%5cjavascript:alert(1);
+//%5cjavascript:alert(1)
+/%09/javascript:alert(1);
+/%09/javascript:alert(1)
+java%0d%0ascript%0d%0a:alert(0)
+//google.com
+https:google.com
+//google%E3%80%82com
+\/\/google.com/
+/\/google.com/
+//google%00.com
+https://example.com/https://google.com/
+";alert(0);//
+javascript://example.com?%a0alert%281%29
+http://0xd8.0x3a.0xd6.0xce
+http://example.com@0xd8.0x3a.0xd6.0xce
+http://3H6k7lIAiqjfNeN@0xd8.0x3a.0xd6.0xce
+http://XY>.7d8T\205pZM@0xd8.0x3a.0xd6.0xce
+http://0xd83ad6ce
+http://example.com@0xd83ad6ce
+http://3H6k7lIAiqjfNeN@0xd83ad6ce
+http://XY>.7d8T\205pZM@0xd83ad6ce
+http://3627734734
+http://example.com@3627734734
+http://3H6k7lIAiqjfNeN@3627734734
+http://XY>.7d8T\205pZM@3627734734
+http://472.314.470.462
+http://example.com@472.314.470.462
+http://3H6k7lIAiqjfNeN@472.314.470.462
+http://XY>.7d8T\205pZM@472.314.470.462
+http://0330.072.0326.0316
+http://example.com@0330.072.0326.0316
+http://3H6k7lIAiqjfNeN@0330.072.0326.0316
+http://XY>.7d8T\205pZM@0330.072.0326.0316
+http://00330.00072.0000326.00000316
+http://example.com@00330.00072.0000326.00000316
+http://3H6k7lIAiqjfNeN@00330.00072.0000326.00000316
+http://XY>.7d8T\205pZM@00330.00072.0000326.00000316
+http://[::216.58.214.206]
+http://example.com@[::216.58.214.206]
+http://3H6k7lIAiqjfNeN@[::216.58.214.206]
+http://XY>.7d8T\205pZM@[::216.58.214.206]
+http://[::ffff:216.58.214.206]
+http://example.com@[::ffff:216.58.214.206]
+http://3H6k7lIAiqjfNeN@[::ffff:216.58.214.206]
+http://XY>.7d8T\205pZM@[::ffff:216.58.214.206]
+http://0xd8.072.54990
+http://example.com@0xd8.072.54990
+http://3H6k7lIAiqjfNeN@0xd8.072.54990
+http://XY>.7d8T\205pZM@0xd8.072.54990
+http://0xd8.3856078
+http://example.com@0xd8.3856078
+http://3H6k7lIAiqjfNeN@0xd8.3856078
+http://XY>.7d8T\205pZM@0xd8.3856078
+http://00330.3856078
+http://example.com@00330.3856078
+http://3H6k7lIAiqjfNeN@00330.3856078
+http://XY>.7d8T\205pZM@00330.3856078
+http://00330.0x3a.54990
+http://example.com@00330.0x3a.54990
+http://3H6k7lIAiqjfNeN@00330.0x3a.54990
+http://XY>.7d8T\205pZM@00330.0x3a.54990
+http:0xd8.0x3a.0xd6.0xce
+http:example.com@0xd8.0x3a.0xd6.0xce
+http:3H6k7lIAiqjfNeN@0xd8.0x3a.0xd6.0xce
+http:XY>.7d8T\205pZM@0xd8.0x3a.0xd6.0xce
+http:0xd83ad6ce
+http:example.com@0xd83ad6ce
+http:3H6k7lIAiqjfNeN@0xd83ad6ce
+http:XY>.7d8T\205pZM@0xd83ad6ce
+http:3627734734
+http:example.com@3627734734
+http:3H6k7lIAiqjfNeN@3627734734
+http:XY>.7d8T\205pZM@3627734734
+http:472.314.470.462
+http:example.com@472.314.470.462
+http:3H6k7lIAiqjfNeN@472.314.470.462
+http:XY>.7d8T\205pZM@472.314.470.462
+http:0330.072.0326.0316
+http:example.com@0330.072.0326.0316
+http:3H6k7lIAiqjfNeN@0330.072.0326.0316
+http:XY>.7d8T\205pZM@0330.072.0326.0316
+http:00330.00072.0000326.00000316
+http:example.com@00330.00072.0000326.00000316
+http:3H6k7lIAiqjfNeN@00330.00072.0000326.00000316
+http:XY>.7d8T\205pZM@00330.00072.0000326.00000316
+http:[::216.58.214.206]
+http:example.com@[::216.58.214.206]
+http:3H6k7lIAiqjfNeN@[::216.58.214.206]
+http:XY>.7d8T\205pZM@[::216.58.214.206]
+http:[::ffff:216.58.214.206]
+http:example.com@[::ffff:216.58.214.206]
+http:3H6k7lIAiqjfNeN@[::ffff:216.58.214.206]
+http:XY>.7d8T\205pZM@[::ffff:216.58.214.206]
+http:0xd8.072.54990
+http:example.com@0xd8.072.54990
+http:3H6k7lIAiqjfNeN@0xd8.072.54990
+http:XY>.7d8T\205pZM@0xd8.072.54990
+http:0xd8.3856078
+http:example.com@0xd8.3856078
+http:3H6k7lIAiqjfNeN@0xd8.3856078
+http:XY>.7d8T\205pZM@0xd8.3856078
+http:00330.3856078
+http:example.com@00330.3856078
+http:3H6k7lIAiqjfNeN@00330.3856078
+http:XY>.7d8T\205pZM@00330.3856078
+http:00330.0x3a.54990
+http:example.com@00330.0x3a.54990
+http:3H6k7lIAiqjfNeN@00330.0x3a.54990
+http:XY>.7d8T\205pZM@00330.0x3a.54990
+〱google.com
+〵google.com
+ゝgoogle.com
+ーgoogle.com
+ーgoogle.com
+/〱google.com
+/〵google.com
+/ゝgoogle.com
+/ーgoogle.com
+/ーgoogle.com
+%68%74%74%70%3a%2f%2f%67%6f%6f%67%6c%65%2e%63%6f%6d
+http://%67%6f%6f%67%6c%65%2e%63%6f%6d
+<>javascript:alert(1);
+<>//google.com
+//google.com\@example.com
+https://:@google.com\@example.com
+http://google.com:80#@example.com/
+http://google.com:80?@example.com/
+http://3H6k7lIAiqjfNeN@example.com+@google.com/
+http://XY>.7d8T\205pZM@example.com+@google.com/
+http://3H6k7lIAiqjfNeN@example.com@google.com/
+http://XY>.7d8T\205pZM@example.com@google.com/
+http://example.com+&@google.com#+@example.com/
+http://google.com\texample.com/
+//google.com:80#@example.com/
+//google.com:80?@example.com/
+//3H6k7lIAiqjfNeN@example.com+@google.com/
+//XY>.7d8T\205pZM@example.com+@google.com/
+//3H6k7lIAiqjfNeN@example.com@google.com/
+//XY>.7d8T\205pZM@example.com@google.com/
+//example.com+&@google.com#+@example.com/
+//google.com\texample.com/
+//;@google.com
+http://;@google.com
+@google.com
+javascript://https://example.com/?z=%0Aalert(1)
+data:text/html;base64,PHNjcmlwdD5hbGVydCgiWFNTIik8L3NjcmlwdD4=
+http://google.com%2f%2f.example.com/
+http://google.com%5c%5c.example.com/
+http://google.com%3F.example.com/
+http://google.com%23.example.com/
+http://example.com:80%40google.com/
+http://example.com%2egoogle.com/
+/x:1/:///%01javascript:alert(document.cookie)/
+/https:/%5cgoogle.com/
+javascripT://anything%0D%0A%0D%0Awindow.alert(document.cookie)
+/http://google.com
+/%2f%2fgoogle.com
+/google.com/%2f%2e%2e
+/http:/google.com
+/.google.com
+///\;@google.com
+///google.com
+/////google.com/
\ No newline at end of file
Index: mod_auth_openidc-2.3.8/test/test.c
===================================================================
--- mod_auth_openidc-2.3.8.orig/test/test.c
+++ mod_auth_openidc-2.3.8/test/test.c
@@ -114,6 +114,12 @@ static int TST_RC;
return TST_ERR_MSG; \
}
+#define TST_ASSERT_BYTE(message, result, expected) \
+ if (result != expected) { \
+ sprintf(TST_ERR_MSG, TST_FORMAT("%s"), __FUNCTION__, message, result ? "TRUE" : "FALSE", expected ? "TRUE" : "FALSE"); \
+ return TST_ERR_MSG; \
+ }
+
#define TST_RUN(test, pool) message = test(pool); test_nr_run++; if (message) return message;
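Review bot: `TST_ASSERT_BYTE` formats `message` into `TST_ERR_MSG` with an unbounded `sprintf`, and the caller added later in this patch builds `message` from the full URL under test plus err_desc, which embeds that URL a second time, so one long payload line can produce a message larger than whatever fixed size `TST_ERR_MSG` has (its definition is outside this hunk). If the existing `TST_ASSERT` uses the same pattern this is not new, but the new macro is the one fed file-driven input; `snprintf(TST_ERR_MSG, sizeof(TST_ERR_MSG), TST_FORMAT("%s"), __FUNCTION__, message, result ? "TRUE" : "FALSE", expected ? "TRUE" : "FALSE");` bounds it, provided `TST_ERR_MSG` is an array rather than a pointer. The macro also expands to a bare `if` with `result` and `expected` unparenthesized; matching the file's existing macros is defensible, but a `do { ... } while (0)` wrapper and `(result) != (expected)` would make it safe after an unbraced `if`/`else` and for compound arguments.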
static char *_jwk_parse(apr_pool_t *pool, const char *s, oidc_jwk_t **jwk,
@@ -1290,8 +1296,46 @@ static char * test_accept(request_rec *r
TST_ASSERT("Accept: application/json (opera)",
oidc_util_hdr_in_accept_contains(r, "application/json") != 0);
+ apr_table_set(r->headers_in, "Host", "www.example.com");
+
return 0;
}
+#define TST_OPEN_REDIRECT(url, result) \
+ err_str = NULL; \
+ err_desc = NULL; \
+ rc = oidc_validate_redirect_url(r, c, url, TRUE, &err_str, &err_desc); \
+ msg = apr_psprintf(r->pool, "test validate_redirect_url (%s): %s: %s", url, err_str, err_desc); \
+ TST_ASSERT_BYTE(msg, rc, result);
+
+static char* test_open_redirect(request_rec *r) {
+ apr_byte_t rc = FALSE;
+ char *err_str = NULL, *err_desc = NULL, *url = NULL, *msg = NULL;
+ char filename[512];
+ char line_buf[8096];
+ apr_file_t *f;
+ size_t line_s;
+ char *dir = getenv("srcdir") ? getenv("srcdir") : ".";
+ // https://github.com/payloadbox/open-redirect-payload-list
+ sprintf((char* )filename, "%s/%s", dir, "/test/open-redirect-payload-list.txt");
+
+ oidc_cfg *c = ap_get_module_config(r->server->module_config, &auth_openidc_module);
+
+ TST_OPEN_REDIRECT("https://www.example.com/somewhere", TRUE);
+ TST_OPEN_REDIRECT("https://evil.example.com/somewhere", FALSE);
+
+ apr_file_open(&f, filename, APR_READ, APR_OS_DEFAULT, r->pool);
+ while (1) {
+ if (apr_file_gets(line_buf, sizeof(line_buf), f) != APR_SUCCESS)
+ break;
+ line_s = strlen(line_buf);
+ line_buf[--line_s] = '\0';
+ TST_OPEN_REDIRECT(line_buf, FALSE);
+ }
+ apr_file_close(f);
+
+ return 0;
+}
+
static char * all_tests(apr_pool_t *pool, request_rec *r) {
char *message;
TST_RUN(test_jwt_parse, pool);
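Review bot: `apr_file_open` in `test_open_redirect` is unchecked, so a missing or misnamed payload file leaves `f` — declared without an initializer, and not assigned on the failure path — indeterminate, and the first `apr_file_gets` dereferences it instead of reporting a test failure; the path is also built with an unbounded `sprintf` into `filename[512]` from the `srcdir` environment variable and yields `<dir>//test/...` because both the format and the literal supply a slash. The loop then strips one character unconditionally with `line_buf[--line_s] = '\0'`, but the payload list has no newline after its last line (the `\ No newline at end of file` marker in this patch), so the final entry is tested with its last character chopped off, and a zero-length read would underflow `line_s`. The rewrite below checks the open result, builds the path with `apr_psprintf`, and strips only an actual `\n`/`\r` terminator, skipping blank lines.
```c
static char* test_open_redirect(request_rec *r) {
	/* … unchanged: rc, err_str, err_desc, msg, c declarations and the two inline TST_OPEN_REDIRECT cases … */
	char line_buf[8096];
	apr_file_t *f = NULL;
	const char *dir = getenv("srcdir") ? getenv("srcdir") : ".";
	// https://github.com/payloadbox/open-redirect-payload-list
	char *filename = apr_psprintf(r->pool, "%s/test/open-redirect-payload-list.txt", dir);

	if (apr_file_open(&f, filename, APR_READ, APR_OS_DEFAULT, r->pool) != APR_SUCCESS)
		return apr_psprintf(r->pool, "test_open_redirect: cannot open payload list %s", filename);

	while (apr_file_gets(line_buf, sizeof(line_buf), f) == APR_SUCCESS) {
		size_t line_s = strlen(line_buf);
		/* strip a real terminator only: the last line of the list has none */
		while (line_s > 0 && (line_buf[line_s - 1] == '\n' || line_buf[line_s - 1] == '\r'))
			line_buf[--line_s] = '\0';
		if (line_s == 0)
			continue; /* blank line, not a payload */
		TST_OPEN_REDIRECT(line_buf, FALSE);
	}
	apr_file_close(f);
	/* … unchanged: return 0 … */
```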
@@ -1323,6 +1367,7 @@ static char * all_tests(apr_pool_t *pool
TST_RUN(test_current_url, r);
TST_RUN(test_accept, r);
+ TST_RUN(test_open_redirect, r);
return 0;
}