File fix-CVE-2022-23527-3.patch of Package apache2-mod_auth_openidc.28532
From 87119f44b9a88312dbc1f752d720bcd2371b94a8 Mon Sep 17 00:00:00 2001
From: Hans Zandbelt <hans.zandbelt@zmartzone.eu>
Date: Tue, 13 Dec 2022 20:57:32 +0100
Subject: [PATCH] release 2.4.12.2: CVE-2022-23527 prevent open redirect in
default setup
i.e. when OIDCRedirectURLsAllowed is not configured, see:
https://github.com/zmartzone/mod_auth_openidc/security/advisories/GHSA-q6f2-285m-gr53
Signed-off-by: Hans Zandbelt <hans.zandbelt@zmartzone.eu>
---
ChangeLog | 5 +++++
configure.ac | 2 +-
src/mod_auth_openidc.c | 12 ++++++------
src/mod_auth_openidc.h | 1 +
src/util.c | 2 +-
test/open-redirect-payload-list.txt | 1 +
6 files changed, 15 insertions(+), 8 deletions(-)
Index: mod_auth_openidc-2.4.0/src/mod_auth_openidc.c
===================================================================
--- mod_auth_openidc-2.4.0.orig/src/mod_auth_openidc.c
+++ mod_auth_openidc-2.4.0/src/mod_auth_openidc.c
@@ -2630,15 +2630,15 @@ apr_byte_t oidc_validate_redirect_url(re
oidc_error(r, "%s: %s", *err_str, *err_desc);
return FALSE;
}
-
- if ((strstr(url, "/%09") != NULL) || (strstr(url, "/%2f") != NULL)
- || (strstr(url, "/%68") != NULL) || (strstr(url, "/http:") != NULL)
- || (strstr(url, "/https:") != NULL) || (strstr(url, "/javascript:") != NULL)
+ if ( (strstr(url, "/%09") != NULL) || (oidc_util_strcasestr(url, "/%2f") != NULL)
+ || (strstr(url, "/\t") != NULL)
+ || (strstr(url, "/%68") != NULL) || (oidc_util_strcasestr(url, "/http:") != NULL)
+ || (oidc_util_strcasestr(url, "/https:") != NULL) || (oidc_util_strcasestr(url, "/javascript:") != NULL)
|| (strstr(url, "/〱") != NULL) || (strstr(url, "/〵") != NULL)
|| (strstr(url, "/ゝ") != NULL) || (strstr(url, "/ー") != NULL)
|| (strstr(url, "/〱") != NULL) || (strstr(url, "/ー") != NULL)
- || (strstr(url, "/<") != NULL) || (strstr(url, "%01javascript:") != NULL)
- || (strstr(url, "/%5c") != NULL)) {
+ || (strstr(url, "/<") != NULL) || (oidc_util_strcasestr(url, "%01javascript:") != NULL)
+ || (strstr(url, "/%5c") != NULL) || (strstr(url, "/\\") != NULL)) {
*err_str = apr_pstrdup(r->pool, "Invalid URL");
*err_desc = apr_psprintf(r->pool, "URL value \"%s\" contains illegal character(s)", url);
oidc_error(r, "%s: %s", *err_str, *err_desc);
Index: mod_auth_openidc-2.4.0/src/mod_auth_openidc.h
===================================================================
--- mod_auth_openidc-2.4.0.orig/src/mod_auth_openidc.h
+++ mod_auth_openidc-2.4.0/src/mod_auth_openidc.h
@@ -780,6 +780,7 @@ char *oidc_util_http_query_encoded_url(r
const char *oidc_util_get_provided_token_binding_id(const request_rec *r);
char *oidc_util_http_query_encoded_url(request_rec *r, const char *url, const apr_table_t *params);
char *oidc_util_get_full_path(apr_pool_t *pool, const char *abs_or_rel_filename);
+char* oidc_util_strcasestr(const char *s1, const char *s2);
/* HTTP header constants */
#define OIDC_HTTP_HDR_COOKIE "Cookie"
diff --git a/src/util.c b/src/util.c
index 708762f4..9548b94e 100644
--- a/src/util.c
+++ b/src/util.c
@@ -434,7 +434,7 @@ char* oidc_util_javascript_escape(apr_pool_t *pool, const char *s) {
return output;
}
-static char* oidc_util_strcasestr(const char *s1, const char *s2) {
+char* oidc_util_strcasestr(const char *s1, const char *s2) {
const char *s = s1;
const char *p = s2;
do {
Index: mod_auth_openidc-2.4.0/test/open-redirect-payload-list.txt
===================================================================
--- mod_auth_openidc-2.4.0.orig/test/open-redirect-payload-list.txt
+++ mod_auth_openidc-2.4.0/test/open-redirect-payload-list.txt
@@ -1,4 +1,5 @@
/%09/example.com
+/ /example.com
/%2f%2fexample.com
/%2f%2f%2fbing.com%2f%3fwww.omise.co
/%2f%5c%2f%67%6f%6f%67%6c%65%2e%63%6f%6d/