Fix redirect URL validation bypass
It turns out that browsers silently convert backslash characters into forward slashes, while apr_uri_parse() does not. This mismatch allows an attacker to bypass the redirect URL validation by using a URL like: https://sp.example.org/mellon/logout?ReturnTo=https:%5c%5cmalicious.example.org/ — mod_auth_mellon will assume that the ReturnTo value is a relative URL and allow the request to pass through, while browsers will treat it as an absolute URL and redirect to https://malicious.example.org/. This patch fixes the issue by rejecting all redirect URLs that contain a backslash.
parent
7bc436760d
commit
62041428a3
@ -927,6 +927,13 @@ int am_check_url(request_rec *r, const char *url)
|
||||||
"Control character detected in URL.");
|
"Control character detected in URL.");
|
||||||
return HTTP_BAD_REQUEST;
|
return HTTP_BAD_REQUEST;
|
||||||
}
|
}
|
||||||
|
if (*i == '\\') {
|
||||||
|
/* Reject backslash character, as it can be used to bypass
|
||||||
|
* redirect URL validation. */
|
||||||
|
AM_LOG_RERROR(APLOG_MARK, APLOG_ERR, HTTP_BAD_REQUEST, r,
|
||||||
|
"Backslash character detected in URL.");
|
||||||
|
return HTTP_BAD_REQUEST;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
return OK;
|
return OK;
|
||||||
|
|
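Review bot: The new `if (*i == '\\')` check closes the one mismatch named in the description, but it does not address the underlying class of bug, which is that a URL with a scheme and no authority is treated as relative; browsers generally also normalise `https:/host` (a single slash after a special scheme) to `https://host`, while apr_uri_parse() reports no hostinfo for it, so that form may still pass unless the rest of am_check_url, which starts before this hunk, already rejects a scheme without a hostname. A more robust check after parsing would be to reject any URL whose `scheme` is set while `hostname` is NULL or empty, in addition to this character scan. It is also worth stating in the comment that this scan must run on the percent-decoded value, since the reported payload carries the backslashes as `%5c`: `/* Reject '\\': browsers treat it as '/', apr_uri_parse() does not. Must run on the decoded URL. */`.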