You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
48 lines
1.2 KiB
48 lines
1.2 KiB
3 years ago
|
From 42a11261b9dad2e48d70bdff7c53dd57a12db6f5 Mon Sep 17 00:00:00 2001
|
||
|
|
From: AIMOTO Norihito <aimoto@osstech.co.jp>
|
||
|
|
Date: Tue, 6 Jul 2021 22:57:24 +0200
|
||
|
|
Subject: [PATCH] Prevent redirect to URLs that begin with '///'
|
||
|
|
|
||
|
|
Visiting a logout URL like this:
|
||
|
|
https://rp.example.co.jp/mellon/logout?ReturnTo=///fishing-site.example.com/logout.html
|
||
|
|
would have redirected the user to fishing-site.example.com
|
||
|
|
|
||
|
|
With the patch, this URL would be rejected.
|
||
|
|
|
||
|
|
Fixes: CVE-2021-3639
|
||
|
|
---
|
||
|
|
auth_mellon_util.c | 10 ++++++++++
|
||
|
|
1 file changed, 10 insertions(+)
|
||
|
|
|
||
|
|
diff --git a/auth_mellon_util.c b/auth_mellon_util.c
|
||
|
|
index 2f8c9c3..6a686db 100644
|
||
|
|
--- a/auth_mellon_util.c
|
||
|
|
+++ b/auth_mellon_util.c
|
||
|
|
@@ -927,6 +927,10 @@ int am_check_url(request_rec *r, const char *url)
|
||
|
|
{
|
||
|
|
const char *i;
|
||
|
|
|
||
|
|
+ if (url == NULL) {
|
||
|
|
+ return HTTP_BAD_REQUEST;
|
||
|
|
+ }
|
||
|
|
+
|
||
|
|
for (i = url; *i; i++) {
|
||
|
|
if (*i >= 0 && *i < ' ') {
|
||
|
|
/* Deny all control-characters. */
|
||
|
|
@@ -943,6 +947,12 @@ int am_check_url(request_rec *r, const char *url)
|
||
|
|
}
|
||
|
|
}
|
||
|
|
|
||
|
|
+ if (strstr(url, "///") == url) {
|
||
|
|
+ AM_LOG_RERROR(APLOG_MARK, APLOG_ERR, HTTP_BAD_REQUEST, r,
|
||
|
|
+ "URL starts with '///'");
|
||
|
|
+ return HTTP_BAD_REQUEST;
|
||
|
|
+ }
|
||
|
|
+
|
||
|
|
return OK;
|
||
|
|
}
|
||
|
|
|
||
|
|
--
|
||
|
|
2.26.3
|
||
|
|
|