Fix open redirect CVE-2019-13038
Hi,

first of all, sorry for taking so long before looking at this pull request.

I had a look at this pull request now. Overall, I am positive to the change, but I don't really trust the `apr_uri_parse()`-function anymore, since it has had so many problems. I think we at least need to add more checks for what it returns.

My suggestion would be to allow two types of URLs: Absolute and relative to the root of the site.

For absolute URLs, we should require that `scheme`, `hostname` and `path` are set. We can allow `port_str`, `query` and `fragment` to be set. We should forbid `user` and `password`.

For relative URLs, we should require `path` to be set, and allow `query` and `fragment` to be set. `scheme`, `user`, `password`, `hostname` and `port_str` should be forbidden.

In addition, for both absolute URLs and relative URLs, we should verify that `path` starts with a single `/`. I.e. `"/"` and `"/example"` are allowed, but `//` is forbidden.
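The acceptance rules proposed in the comment above, written out as an added example that is not part of the pull request or of mod_auth_mellon. To stay self-contained it uses a hypothetical `split_uri()` stand-in that fills apr_uri_t-like fields (`scheme`, `user`, `password`, `hostname`, `port_str`, `path`, `query`, `fragment`) instead of calling `apr_uri_parse()`; `is_allowed_redirect_target()` then applies exactly the rules from the comment: absolute URLs need scheme, hostname and path, relative URLs need only a path, credentials are never accepted, and the path must start with a single `/`.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical stand-in for the apr_uri_t fields discussed in the review.
 * This is NOT apr_uri_parse(); it is a small splitter written for this
 * example so the rules can be exercised without libapr. A component that
 * is missing from the input stays NULL; an empty hostname is also NULL.
 */
typedef struct {
    const char *scheme, *user, *password, *hostname, *port_str;
    const char *path, *query, *fragment;
    char buf[512];   /* backing store for scheme, path, query, fragment */
    char auth[256];  /* backing store for user, password, hostname, port */
} uri_parts;

static bool split_uri(const char *url, uri_parts *u)
{
    memset(u, 0, sizeof *u);
    if (strlen(url) >= sizeof u->buf)
        return false;
    strcpy(u->buf, url);
    char *p = u->buf;

    /* Peel the fragment, then the query, off the end first. */
    char *hash = strchr(p, '#');
    if (hash) { *hash = '\0'; u->fragment = hash + 1; }
    char *qm = strchr(p, '?');
    if (qm) { *qm = '\0'; u->query = qm + 1; }

    char *sep = strstr(p, "://");
    if (!sep) {               /* no scheme: the whole remainder is the path */
        u->path = *p ? p : NULL;
        return true;
    }
    *sep = '\0';
    u->scheme = p;
    p = sep + 3;

    /* The authority runs up to the first '/', which starts the path. */
    char *slash = strchr(p, '/');
    size_t alen = slash ? (size_t)(slash - p) : strlen(p);
    if (alen >= sizeof u->auth)
        return false;
    memcpy(u->auth, p, alen);
    u->auth[alen] = '\0';
    u->path = slash;          /* NULL when the URL has no path at all */

    /* authority = [user[:password]@]hostname[:port] */
    char *host = u->auth;
    char *at = strchr(host, '@');
    if (at) {
        *at = '\0';
        u->user = host;
        char *colon = strchr(host, ':');
        if (colon) { *colon = '\0'; u->password = colon + 1; }
        host = at + 1;
    }
    char *pcolon = strchr(host, ':');
    if (pcolon) { *pcolon = '\0'; u->port_str = pcolon + 1; }
    if (*host)
        u->hostname = host;
    return true;
}

/* The acceptance rules from the review comment, applied to the parts. */
bool is_allowed_redirect_target(const char *url)
{
    uri_parts u;
    if (!split_uri(url, &u))
        return false;

    /* Both forms: path must be present and start with exactly one '/'. */
    if (!u.path || u.path[0] != '/' || u.path[1] == '/')
        return false;
    /* Both forms: credentials embedded in the URL are never accepted. */
    if (u.user || u.password)
        return false;

    if (u.scheme)             /* absolute: hostname required, port optional */
        return u.hostname != NULL;
    /* relative: nothing but path, query and fragment may be set */
    return u.hostname == NULL && u.port_str == NULL;
}

int main(void)
{
    const char *samples[] = {          /* constructed inputs for the demo */
        "https://example.com/", "https://example.com",
        "https://user:pw@example.com/", "/", "/example?x=1#top",
        "//evil.example/", "example", "https://example.com//x",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-32s %s\n", samples[i],
               is_allowed_redirect_target(samples[i]) ? "allowed" : "rejected");
    return 0;
}
```

Note that a scheme-relative target such as `//evil.example/` never reaches the hostname check: it has no `://`, so it is parsed as a relative URL whose path begins with two slashes, and the single-slash rule rejects it. An absolute URL without any path (`https://example.com`) is also rejected, because `path` stays NULL rather than defaulting to `/`.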
auth_mellon_util.c

```c
/* http and https schemes without hostname are invalid. */
if (!uri.hostname) {
    return HTTP_BAD_REQUEST;
}
```
Could you fix the indentation of the comment and closing curly bracket?
Hi @olavmrk. Sure, it should be fixed now.
I used this code to check

Yes, that is why the fix I imagined for the latest problem was to replace As I said in my comment, this is the third time that using If we are not going to replace

Closing this pull request as part of archiving this project. See the announcement for details: https://github.com/Uninett/mod_auth_mellon/blob/info/README.md
#35 (comment)