Instead of listing all commands to run in a single line, split it into
multiple steps. This makes it easier to read the build script, and
also makes the output more readable.

This patch updates the Travis CI build configuration to use Ubuntu
18.04 (Bionic).
Since Ubuntu 18.04 no longer has separate packages for the different
Apache Multi-Processing Modules, we no longer need to build with both
apache2-prefork-dev and apache2-threaded-dev. We simply need to build
against apache2-dev.

Travis CI recently changed the default distribution from Ubuntu 14.04
(Trusty) to Ubuntu 18.04 (Xenial):
https://blog.travis-ci.com/2019-04-15-xenial-default-build-environment
This was a slow rollout, and does not appear to have reached this
project until the last couple of weeks.
This patch simply pins the distribution used for tests to Ubuntu 14.04
(Trusty), to ensure that we always use a consistent build environment.
A later patch will update it to a more recent distribution.

Compilation on reports warning:
"auth_mellon_diagnostics.c", line 188: warning: implicit function declaration: rindex
"auth_mellon_diagnostics.c", line 188: warning: improper pointer/integer combination: op "="
And binary dumps core, because rindex() is assumed to be integer type, so
compiler sign extends its return value and then uses the number as pointer:
am_diag_cond_str+0x154: call -0x1e119 <PLT=libc.so.1`rindex>
am_diag_cond_str+0x159: movslq %eax,%rax
am_diag_cond_str+0x15c: testq %rax,%rax
am_diag_cond_str+0x15f: je +0x7 <am_diag_cond_str+0x168>
am_diag_cond_str+0x161: movb $0x5d,(%rax) <- SIGSEGV
Fixes issue #207.
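As an added illustration (not code from mod_auth_mellon) of why the missing prototype crashes: the snippet below models the "movslq %eax,%rax" sign-extension shown in the disassembly above, where the 64-bit pointer returned by rindex() is squeezed through an implicit int, and shows the fix of calling strrchr() from <string.h>, which carries a proper char * prototype. The pointer values are constructed examples; 0x5d, the byte the crashing movb stores, is ']'.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>   /* strrchr(): prototyped replacement for rindex() */

/* Model what the compiler emitted when rindex() had no prototype: only the
 * low 32 bits of the returned pointer (%eax) are kept, then sign-extended
 * back to 64 bits by "movslq %eax,%rax". */
static uint64_t truncate_through_implicit_int(uint64_t ptr)
{
    uint32_t low = (uint32_t)(ptr & 0xffffffffu);   /* what %eax holds */
    int32_t as_int = (int32_t)low;                   /* implicit int return */
    int64_t sign_extended = (int64_t)as_int;         /* movslq */
    return (uint64_t)sign_extended;
}

/* 1 if a pointer value survives the implicit-int round trip, 0 if not.
 * Any heap or stack address above 4 GiB does not survive. */
static int survives_implicit_int_return(uint64_t ptr)
{
    return truncate_through_implicit_int(ptr) == ptr;
}

/* Fixed lookup: with <string.h> included, strrchr() is declared as
 * returning char *, so no truncation happens. Returns the offset of the
 * last occurrence of c in s, or -1 if c is absent. */
static long last_index_of(const char *s, char c)
{
    const char *p = strrchr(s, c);
    return p ? (long)(p - s) : -1;
}

int main(void)
{
    /* Constructed example of a typical 64-bit stack address. */
    uint64_t sample = 0x00007fff12345678ULL;
    printf("0x%016llx -> 0x%016llx (survives: %d)\n",
           (unsigned long long)sample,
           (unsigned long long)truncate_through_implicit_int(sample),
           survives_implicit_int_return(sample));
    printf("last ']' in \"[user]\" at offset %ld\n", last_index_of("[user]", ']'));
    return 0;
}
```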
mellon passes on every attribute received in a SAML assertion as an
Apache variable. By default, the variable is prefixed with "MELLON_".
In some cases, for example when migrating from a different SP to mellon
it might be beneficial to change the prefix. And while using
MellonSetEnvNoPrefix is an option as well, the MellonSetEnvNoPrefix has
to be specified for each variable independently.

It turns out that browsers silently convert backslash characters into
forward slashes, while apr_uri_parse() does not.
This mismatch allows an attacker to bypass the redirect URL validation
by using a URL like:
https://sp.example.org/mellon/logout?ReturnTo=https:%5c%5cmalicious.example.org/
mod_auth_mellon will assume that it is a relative URL and allow the
request to pass through, while the browsers will use it as an absolute
URL and redirect to https://malicious.example.org/.
This patch fixes this issue by rejecting all redirect URLs with
backslashes.
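An added example in C, not mellon's own code, of the check this commit introduces: percent-decode the ReturnTo value and refuse it if a backslash is present in either literal or encoded form. The helpers parser_sees_host() and browser_sees_host() are constructed simplifications that show the mismatch described above; they stand in for apr_uri_parse() and a browser's URL parser respectively and are not those implementations.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Decode %XX escapes into out (size outlen). Returns 1 on success, 0 on a
 * malformed escape or if the result does not fit. */
static int percent_decode(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    for (size_t i = 0; in[i] != '\0'; i++) {
        int c = (unsigned char)in[i];
        if (c == '%') {
            int hi = hexval((unsigned char)in[i + 1]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)in[i + 2]);
            if (hi < 0 || lo < 0) return 0;
            c = (hi << 4) | lo;
            i += 2;
        }
        if (o + 1 >= outlen) return 0;
        out[o++] = (char)c;
    }
    out[o] = '\0';
    return 1;
}

/* Strict reading (simplified stand-in for apr_uri_parse()): a host is
 * present only when "//" follows the scheme or starts the URL. Backslashes
 * do not count, so "https:\\host/" looks like a relative path. */
static int parser_sees_host(const char *url)
{
    const char *p = url;
    if (p[0] == '/' && p[1] == '/') return 1;
    while (*p != '\0' && *p != '/' && *p != '?' && *p != '#' && *p != ':') p++;
    return *p == ':' && p[1] == '/' && p[2] == '/';
}

/* Browser reading: backslashes are silently treated as forward slashes
 * before the same test is applied. */
static int browser_sees_host(const char *url)
{
    char normalized[1024];
    size_t i;
    for (i = 0; url[i] != '\0' && i + 1 < sizeof normalized; i++)
        normalized[i] = (url[i] == '\\') ? '/' : url[i];
    normalized[i] = '\0';
    return parser_sees_host(normalized);
}

/* The rule from the fix: refuse any redirect target that contains a
 * backslash, literal or percent-encoded. Malformed encodings are refused
 * as well rather than guessed at. */
static int redirect_url_is_safe(const char *url)
{
    char decoded[1024];
    if (strchr(url, '\\') != NULL) return 0;
    if (!percent_decode(url, decoded, sizeof decoded)) return 0;
    return strchr(decoded, '\\') == NULL;
}

int main(void)
{
    /* Constructed sample values, including the shape from the commit. */
    const char *samples[] = {
        "https:%5c%5cmalicious.example.org/", "/protected/page", "https://sp.example.org/"
    };
    for (size_t i = 0; i < 3; i++) {
        char decoded[1024];
        percent_decode(samples[i], decoded, sizeof decoded);
        printf("%-40s parser_host=%d browser_host=%d safe=%d\n", samples[i],
               parser_sees_host(decoded), browser_sees_host(decoded),
               redirect_url_is_safe(samples[i]));
    }
    return 0;
}
```

The important property is that the safety decision is made on the decoded form, so encoding the backslash as %5c does not slip past the check.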
The way the ECP flow works is that when a client initiates the flow, the
SP's response is HTTP 200, but not the requested content, but a signed XML
document that contains the "samlp:AuthnRequest" element. The idea is that
the ECP client would then determine the IDP and send the document to the
IDP, get a samlp:Response and convey that to the SP to get access to the
protected resource.
Internally, the auth check which is normally done with am_check_uid() set to
apache's ap_hook_check_user_id() hook, just responds with OK, so it pretends
to authenticate the user. Then in the usual flow, the request reaches the
ap_hook_handler which handles the request. There in the pipeline, mellon
registers functions am_handler() which should run first (APR_HOOK_FIRST),
determine that this request is an ECP one and return the ECP AuthnRequest
document. But in case the proxy module is also in the picture, the proxy
module "races" for who gets to be the first to handle the request in the
pipeline and wins. Therefore, the request reaches the protected resource
via mod_proxy and returns it.
This fix modifies the ap_hook_handler() call to explicitly run before
handlers from mod_proxy.c.
To reproduce the bug:
0) Have an SP with mellon connected to a Keycloak IDP (or any other IDP I
guess). In the example below, my SAML SP is saml.federation.test
1) Set a Location protected by mellon that proxies requests to another
URL. For example:
ProxyPass /sp-proxy http://app.federation.test/example_app/
<Location /sp-proxy>
AuthType Mellon
MellonEnable auth
Require valid-user
</Location>
2) call:
curl -L -H "Accept: application/vnd.paos+xml" \
-H 'PAOS: ver="urn:liberty:paos:2003-08";"urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"' \
http://saml.federation.test/sp-proxy
Before the patch, you would see whatever is served from the proxied
page. With the patch, you should get back an XML document with a
samlp:AuthnRequest.

A trailing semi-colon in the Set-Cookie header confuses the AWS
Elastic Load Balancer. This patch fixes the code that generates the
Set-Cookie header so that it no longer ends with a semi-colon.
Fixes issue #190
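An added example (not mellon's code) of building the header value so that attributes are joined with "; " and nothing is appended after the last one; the cookie name, value and attributes are constructed sample data.

```c
#include <stdio.h>
#include <string.h>

/* Build a Set-Cookie header value from a name/value pair and a list of
 * attributes. Attributes are joined with "; " as separators, so the result
 * never ends with a semi-colon. Returns the number of bytes written
 * (excluding the NUL), or -1 if `out` is too small. */
static int build_set_cookie(char *out, size_t outlen, const char *name,
                            const char *value, const char *const *attrs,
                            size_t nattrs)
{
    int n = snprintf(out, outlen, "%s=%s", name, value);
    if (n < 0 || (size_t)n >= outlen) return -1;
    size_t used = (size_t)n;
    for (size_t i = 0; i < nattrs; i++) {
        int m = snprintf(out + used, outlen - used, "; %s", attrs[i]);
        if (m < 0 || (size_t)m >= outlen - used) return -1;
        used += (size_t)m;
    }
    return (int)used;
}

/* 1 if a header value ends with ';', the form the load balancer rejected. */
static int ends_with_semicolon(const char *hdr)
{
    size_t len = strlen(hdr);
    return len > 0 && hdr[len - 1] == ';';
}

/* Constructed sample resembling a session cookie; returns the built value. */
static const char *example_cookie(void)
{
    static char buf[256];
    const char *attrs[] = { "Path=/", "Secure", "HttpOnly" };
    if (build_set_cookie(buf, sizeof buf, "mellon-cookie", "abc123", attrs, 3) < 0)
        buf[0] = '\0';
    return buf;
}

int main(void)
{
    printf("Set-Cookie: %s\n", example_cookie());
    printf("trailing semi-colon: %d\n", ends_with_semicolon(example_cookie()));
    return 0;
}
```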
The code was looking for "X-Request-With", but the header is actually
"X-Requested-With". As far as I can tell, it has always been the
latter, at least in the jQuery source code.
Fixes issue #174.

Using Apache environment variables in MellonCond expressions didn't
work for various reasons:
* The substitution was never executed if no backrefs were present.
* Only the OS environment was queried without checking the Apache
internal variable stores.
* The output string after substitution was set to an empty string.
Fixing these issues makes %{ENV:...} work properly.
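An added, self-contained C example (not mellon's implementation) of %{ENV:...} expansion that avoids the three defects listed above: it always produces an output string, it consults a per-request variable store before falling back to the process environment, and it writes the substituted result rather than an empty string. The request_vars table is a constructed stand-in for Apache's per-request tables (mellon itself would read them with the APR table API); its contents are sample data.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for Apache's per-request variable store. */
struct var { const char *name; const char *value; };
static const struct var request_vars[] = {
    { "MELLON_NAME_ID", "alice@example.org" },   /* sample data */
    { "REQUEST_SCHEME", "https" },               /* sample data */
    { NULL, NULL }
};

/* Apache-style lookup: request variables first, then the OS environment.
 * Unknown names expand to the empty string. */
static const char *lookup_var(const char *name)
{
    for (const struct var *v = request_vars; v->name != NULL; v++)
        if (strcmp(v->name, name) == 0) return v->value;
    const char *env = getenv(name);
    return env ? env : "";
}

/* Expand every %{ENV:NAME} in `in` into `out` (size outlen). Returns 1 on
 * success, 0 if a reference is unterminated, a name is too long, or the
 * result does not fit. Input without any reference is copied through
 * unchanged, so the caller always gets a usable string. */
static int expand_env_refs(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    const char *p = in;
    while (*p != '\0') {
        if (strncmp(p, "%{ENV:", 6) == 0) {
            const char *start = p + 6;
            const char *end = strchr(start, '}');
            char name[64];
            if (end == NULL) return 0;
            size_t n = (size_t)(end - start);
            if (n >= sizeof name) return 0;
            memcpy(name, start, n);
            name[n] = '\0';
            const char *val = lookup_var(name);
            size_t vl = strlen(val);
            if (o + vl >= outlen) return 0;
            memcpy(out + o, val, vl);
            o += vl;
            p = end + 1;
        } else {
            if (o + 1 >= outlen) return 0;
            out[o++] = *p++;
        }
    }
    out[o] = '\0';
    return 1;
}

/* Convenience for checking results: 1 if `in` expands exactly to `expected`. */
static int expands_to(const char *in, const char *expected)
{
    char buf[512];
    return expand_env_refs(in, buf, sizeof buf) && strcmp(buf, expected) == 0;
}

int main(void)
{
    char buf[512];
    const char *cond = "%{ENV:REQUEST_SCHEME}://sp.example.org/%{ENV:MELLON_NAME_ID}";
    if (expand_env_refs(cond, buf, sizeof buf))
        printf("%s\n  -> %s\n", cond, buf);
    return 0;
}
```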