diff -Nru libapache2-mod-auth-mellon-0.14.2/auth_mellon_cache.c libapache2-mod-auth-mellon-0.16.0/auth_mellon_cache.c --- libapache2-mod-auth-mellon-0.14.2/auth_mellon_cache.c 2017-10-02 09:44:08.000000000 +0000 +++ libapache2-mod-auth-mellon-0.16.0/auth_mellon_cache.c 2020-01-14 13:01:03.000000000 +0000 @@ -235,7 +235,8 @@ if (am_cache_entry_pool_left(entry) < str_len) { ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, - "apr_cache_entry_store_string() asked %zd available: %zd. " + "apr_cache_entry_store_string() asked %" APR_SIZE_T_FMT + " available: %" APR_SIZE_T_FMT ". " "It may be a good idea to increase MellonCacheEntrySize.", str_len, am_cache_entry_pool_left(entry)); return HTTP_INTERNAL_SERVER_ERROR; @@ -589,7 +590,7 @@ */ for(i = 0; i < t->size; ++i) { varname = am_cache_entry_get_string(t, &t->env[i].varname); - varname_prefix = "MELLON_"; + varname_prefix = d->env_prefix; /* Check if we should map this name into another name. */ env_varname_conf = (am_envattr_conf_t *)apr_hash_get( diff -Nru libapache2-mod-auth-mellon-0.14.2/auth_mellon_config.c libapache2-mod-auth-mellon-0.16.0/auth_mellon_config.c --- libapache2-mod-auth-mellon-0.14.2/auth_mellon_config.c 2018-03-16 07:14:54.000000000 +0000 +++ libapache2-mod-auth-mellon-0.16.0/auth_mellon_config.c 2020-01-14 13:02:57.000000000 +0000 @@ -1,7 +1,7 @@ /* * * auth_mellon_config.c: an authentication apache module - * Copyright © 2003-2007 UNINETT (http://www.uninett.no/) + * Copyright © 2003-2007 UNINETT (http://www.uninett.no/) * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by 
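Review bot: In the second auth_mellon_cache.c hunk `varname_prefix = d->env_prefix;` replaces the former literal "MELLON_" with a configured string, and nothing on this side checks what that string contains; the directive is registered with plain `ap_set_string_slot` in the auth_mellon_config.c directive-table hunk, so an empty MellonEnvPrefix exports every attribute name received from the server into subprocess_env with no namespace, where it can shadow variables set by other modules. Either validate the value in a dedicated setter (non-empty, `[A-Za-z0-9_]` only) or state the risk in the directive description, e.g. `"The prefix to use for attributes received from the server. An empty prefix lets attribute names collide with other environment variables."`. The loop using the prefix starts and ends outside the hunk, and where `d` comes from is not visible here. The APR_SIZE_T_FMT change in the first hunk is a correct portability fix.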
@@ -36,6 +36,11 @@ */ static const char *default_user_attribute = "NAME_ID"; +/* This is the default prefix to use for attributes received from the + * server. Customizable using the MellonEnvPrefix option + */ +static const char *default_env_prefix = "MELLON_"; + /* This is the default name of the cookie which mod_auth_mellon will set. * If you change this, then you should also update the description of the * MellonVar configuration directive. @@ -105,6 +110,9 @@ /* The default list of trusted redirect domains. */ static const char * const default_redirect_domains[] = { "[self]", NULL }; +/* The default setting to enabled the invalidation session endpoint + */ +static const int default_enabled_invalidation_session = 0; /* This function handles configuration directives which set a * multivalued string slot in the module configuration (the destination @@ -575,6 +583,8 @@ d->cookie_samesite = am_samesite_lax; } else if(!strcasecmp(arg, "strict")) { d->cookie_samesite = am_samesite_strict; + } else if(!strcasecmp(arg, "none")) { + d->cookie_samesite = am_samesite_none; } else { return "The MellonCookieSameSite parameter must be 'lax' or 'strict'"; } 
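Review bot: The MellonCookieSameSite setter's error string is now stale: the third hunk adds a `"none"` branch but the fallback still returns `"The MellonCookieSameSite parameter must be 'lax' or 'strict'"`, so an admin who mistypes the new value is told it does not exist. Change it to `return "The MellonCookieSameSite parameter must be 'lax', 'strict' or 'none'";`. The enclosing setter starts outside the hunk. In the second hunk the comment `/* The default setting to enabled the invalidation session endpoint */` should read `/* Default for MellonEnabledInvalidateSessionEndpoint: the session invalidation endpoint is off. */`.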
@@ -754,6 +764,42 @@ return NULL; } +/* This function handles the MellonAuthnContextComparisonType option. + * It could be set to "exact", "minimum", "maximum" or "better" + * + * Parameters: + * cmd_parms *cmd The command structure for this configuration + * directive. + * void *struct_ptr Pointer to the current directory configuration. + * const char *arg The string argument following this configuration + * directive in the configuraion file. + * + * Returns: + * NULL on success or an error string if the argument is wrong. + */ +static const char *am_set_authn_context_comparison_type_slot(cmd_parms *cmd, + void *struct_ptr, + const char *arg) +{ + am_dir_cfg_rec *d = (am_dir_cfg_rec *)struct_ptr; + + if (!strcasecmp(arg, LASSO_LIB_AUTHN_CONTEXT_COMPARISON_EXACT)) { + d->authn_context_comparison_type = + LASSO_LIB_AUTHN_CONTEXT_COMPARISON_EXACT; + } else if (!strcasecmp(arg, LASSO_LIB_AUTHN_CONTEXT_COMPARISON_MINIMUM)) { + d->authn_context_comparison_type = + LASSO_LIB_AUTHN_CONTEXT_COMPARISON_MINIMUM; + } else if (!strcasecmp(arg, LASSO_LIB_AUTHN_CONTEXT_COMPARISON_MAXIMUM)) { + d->authn_context_comparison_type = + LASSO_LIB_AUTHN_CONTEXT_COMPARISON_MAXIMUM; + } else if (!strcasecmp(arg, LASSO_LIB_AUTHN_CONTEXT_COMPARISON_BETTER)) { + d->authn_context_comparison_type = + LASSO_LIB_AUTHN_CONTEXT_COMPARISON_BETTER; + } else { + return "parameter must be 'exact', 'minimum', 'maximum' or 'better'"; + } + return NULL; +} /* This function decodes MellonCond flags, such as [NOT,REG] * 
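Review bot: am_set_authn_context_comparison_type_slot reports a bad value with the bare string `"parameter must be 'exact', 'minimum', 'maximum' or 'better'"`, which never names the directive, whereas the sibling am_set_invalidate_session_slots added in the same patch prefixes its message with `cmd->cmd->name` via apr_psprintf. For a readable startup error and consistency, use `return apr_psprintf(cmd->pool, "%s: must be one of: 'exact', 'minimum', 'maximum', 'better'", cmd->cmd->name);`. The header comment also carries the typo "configuraion". The function is complete inside the hunk.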
@@ -1197,6 +1243,39 @@ return NULL; } +/* This function handles the MellonEnabledInvalidateSessionEndpoint configuration directive. + * This directive can be set to "on" or "off" (default). + * + * Parameters: + * cmd_parms *cmd The command structure for this configuration + * directive. + * void *struct_ptr Pointer to the current directory configuration. + * const char *arg The string argument following this configuration + * directive in the configuraion file. + * + * Returns: + * NULL on success or an error string if the argument is wrong. + */ +static const char *am_set_invalidate_session_slots(cmd_parms *cmd, + void *struct_ptr, + const char *arg) +{ + am_dir_cfg_rec *d = (am_dir_cfg_rec *)struct_ptr; + + if (strcasecmp(arg, "on") == 0) { + d->enabled_invalidation_session = 1; + } + else if (strcasecmp(arg, "off") == 0) { + d->enabled_invalidation_session = 0; + } else { + return apr_psprintf(cmd->pool, "%s: must be one of: 'on', 'off'", + cmd->cmd->name); + } + + return NULL; +} + + /* This array contains all the configuration directive which are handled * by auth_mellon. */ @@ -1372,8 +1451,10 @@ am_set_setenv_slot, NULL, OR_AUTHCFG, - "Renames attributes received from the server while retaining prefix MELLON_. The format is" - " MellonSetEnv ." + "Renames attributes received from the server while retaining the" + " prefix. The prefix defaults to MELLON_ but can be changed with" + " MellonEnvPrefix." + " The format is MellonSetEnv ." ), AP_INIT_TAKE2( "MellonSetEnvNoPrefix", @@ -1383,6 +1464,13 @@ "Renames attributes received from the server without adding prefix. The format is" " MellonSetEnvNoPrefix ." ), + AP_INIT_TAKE1( + "MellonEnvPrefix", + ap_set_string_slot, + (void *)APR_OFFSETOF(am_dir_cfg_rec, env_prefix), + OR_AUTHCFG, + "The prefix to use for attributes received from the server." + ), AP_INIT_FLAG( "MellonSessionDump", ap_set_flag_slot, 
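Review bot: In am_set_invalidate_session_slots the closing brace and `else if` are split across two lines, breaking the `} else if (` layout every other setter in this file uses (the SameSite setter, am_set_authn_context_comparison_type_slot); write `} else if (strcasecmp(arg, "off") == 0) {` on one line. The header comment repeats the "configuraion" typo from the other new setter. The MellonEnvPrefix table entry in the later hunk is fine syntactically; its description should mention that the value is used verbatim as an environment-variable prefix so admins pick something that is a valid identifier fragment.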
@@ -1579,6 +1667,13 @@ "A list of AuthnContextClassRef to request in the AuthnRequest and " "to validate upon reception of an Assertion" ), + AP_INIT_TAKE1( + "MellonAuthnContextComparisonType", + am_set_authn_context_comparison_type_slot, + NULL, + OR_AUTHCFG, + "An AuthnContextComparisonType attribute as part of the AuthnRequest." + ), AP_INIT_FLAG( "MellonSubjectConfirmationDataAddressCheck", ap_set_flag_slot, @@ -1652,6 +1747,14 @@ OR_AUTHCFG, "Signature method used to sign SAML messages sent by Mellon" ), + AP_INIT_TAKE1( + "MellonEnabledInvalidateSessionEndpoint", + am_set_invalidate_session_slots, + NULL, + OR_AUTHCFG, + "Enabled the session invalidation endpoint. Default is 'off'." + ), + {NULL} }; @@ -1714,6 +1817,7 @@ dir->cookie_path = NULL; dir->cookie_samesite = am_samesite_default; dir->envattr = apr_hash_make(p); + dir->env_prefix = default_env_prefix; dir->userattr = default_user_attribute; dir->idpattr = NULL; dir->signature_method = inherit_signature_method; @@ -1748,6 +1852,7 @@ dir->inherit_server_from = dir; dir->server = NULL; dir->authn_context_class_ref = apr_array_make(p, 0, sizeof(char *)); + dir->authn_context_comparison_type = NULL; dir->subject_confirmation_data_address_check = inherit_subject_confirmation_data_address_check; dir->send_cache_control_header = inherit_send_cache_control_header; dir->do_not_verify_logout_signature = apr_hash_make(p); @@ -1756,6 +1861,8 @@ dir->ecp_send_idplist = inherit_ecp_send_idplist; + dir->enabled_invalidation_session = default_enabled_invalidation_session; + return dir; } @@ -1868,6 +1975,10 @@ add_cfg->envattr : base_cfg->envattr); + new_cfg->env_prefix = (add_cfg->env_prefix != default_env_prefix ? + add_cfg->env_prefix : + base_cfg->env_prefix); + new_cfg->userattr = (add_cfg->userattr != default_user_attribute ? add_cfg->userattr : base_cfg->userattr); 
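Review bot: The MellonEnabledInvalidateSessionEndpoint description reads `"Enabled the session invalidation endpoint. Default is 'off'."`, which describes a state rather than what the directive does; use `"Enables the session invalidation endpoint. Default is 'off'."`. In the create-dir hunk, `dir->authn_context_comparison_type = NULL;` makes NULL the "not configured" marker, so every consumer that formats this field must guard for NULL; a one-line comment there, `/* NULL: no comparison type requested, leave it out of the AuthnRequest. */`, would make that contract explicit. The create function starts and ends outside the hunks.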
@@ -1985,6 +2096,10 @@ add_cfg->authn_context_class_ref : base_cfg->authn_context_class_ref); + new_cfg->authn_context_comparison_type = (add_cfg->authn_context_comparison_type != NULL ? + add_cfg->authn_context_comparison_type : + base_cfg->authn_context_comparison_type); + new_cfg->do_not_verify_logout_signature = apr_hash_copy(p, (apr_hash_count(add_cfg->do_not_verify_logout_signature) > 0) ? add_cfg->do_not_verify_logout_signature : @@ -2005,6 +2120,11 @@ add_cfg->redirect_domains : base_cfg->redirect_domains); + new_cfg->enabled_invalidation_session = + (add_cfg->enabled_invalidation_session != default_enabled_invalidation_session ? + add_cfg->enabled_invalidation_session : + base_cfg->enabled_invalidation_session); + return new_cfg; } diff -Nru libapache2-mod-auth-mellon-0.14.2/auth_mellon_cookie.c libapache2-mod-auth-mellon-0.16.0/auth_mellon_cookie.c --- libapache2-mod-auth-mellon-0.14.2/auth_mellon_cookie.c 2019-03-19 12:37:02.000000000 +0000 +++ libapache2-mod-auth-mellon-0.16.0/auth_mellon_cookie.c 2020-01-28 14:59:44.000000000 +0000 @@ -1,7 +1,7 @@ /* * * auth_mellon_cookie.c: an authentication apache module - * Copyright © 2003-2007 UNINETT (http://www.uninett.no/) + * Copyright © 2003-2007 UNINETT (http://www.uninett.no/) * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -59,6 +59,7 @@ const char *cookie_domain = ap_get_server_name(r); const char *cookie_path = "/"; const char *cookie_samesite = ""; + const char *env_var_value = NULL; am_dir_cfg_rec *cfg = am_get_dir_cfg(r); if (cfg->cookie_domain) { 
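Review bot: The merge for enabled_invalidation_session in the last hunk cannot express "explicitly off": the default is `0` and `add_cfg`'s value is taken only when it differs from that default, so a child directory that sets `MellonEnabledInvalidateSessionEndpoint off` under a parent that set it `on` still inherits `on`, and the endpoint stays reachable where the admin turned it off. The file already handles this for other flags with inherit sentinels (the neighbouring `inherit_ecp_send_idplist` and `inherit_send_cache_control_header`): initialise the field to an inherit sentinel (for example `-1`, a constructed value) in the create function, merge on `!= inherit_enabled_invalidation_session`, and have the handler treat anything other than `1` as off. The authn_context_comparison_type merge has the same shape with NULL doubling as "unset" and "inherit", but there is no off state to lose there. Both merge functions start outside the hunks.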
@@ -69,10 +70,21 @@ cookie_path = cfg->cookie_path; } - if (cfg->cookie_samesite == am_samesite_lax) { - cookie_samesite = "; SameSite=Lax"; - } else if (cfg->cookie_samesite == am_samesite_strict) { - cookie_samesite = "; SameSite=Strict"; + if (r->subprocess_env != NULL){ + env_var_value = apr_table_get(r->subprocess_env, + AM_DISABLE_SAMESITE_ENV_VAR); + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server, + "%s : %s", AM_DISABLE_SAMESITE_ENV_VAR, env_var_value); + } + + if (env_var_value == NULL){ + if (cfg->cookie_samesite == am_samesite_lax) { + cookie_samesite = "; SameSite=Lax"; + } else if (cfg->cookie_samesite == am_samesite_strict) { + cookie_samesite = "; SameSite=Strict"; + } else if (cfg->cookie_samesite == am_samesite_none) { + cookie_samesite = "; SameSite=None"; + } } secure_cookie = cfg->secure; diff -Nru libapache2-mod-auth-mellon-0.14.2/auth_mellon_diagnostics.c libapache2-mod-auth-mellon-0.16.0/auth_mellon_diagnostics.c --- libapache2-mod-auth-mellon-0.14.2/auth_mellon_diagnostics.c 2018-03-16 07:14:54.000000000 +0000 +++ libapache2-mod-auth-mellon-0.16.0/auth_mellon_diagnostics.c 2020-01-14 13:02:57.000000000 +0000 @@ -214,6 +214,7 @@ case am_samesite_default: return "default"; case am_samesite_lax: return "lax"; case am_samesite_strict: return "strict"; + case am_samesite_none: return "none"; default: return apr_psprintf(r->pool, "unknown (%d)", samesite); } @@ -442,6 +443,9 @@ "%sMellonCookieSameSite (cookie_samesite): %s\n", indent(level+1), am_diag_samesite_str(r, cfg->cookie_samesite)); + apr_file_printf(diag_cfg->fd, + "%sMellonEnvPrefix (env_prefix): %s\n", + indent(level+1), cfg->env_prefix); apr_file_printf(diag_cfg->fd, "%sMellonCond (cond): %d items\n", @@ -466,7 +470,7 @@ apr_hash_this(hash_item, (void *)&key, NULL, (void *)&envattr_conf); if (envattr_conf->prefixed) { - name = apr_pstrcat(r->pool, "MELLON_", + name = apr_pstrcat(r->pool, cfg->env_prefix, envattr_conf->name, NULL); } else { name = envattr_conf->name; 
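Review bot: The new `am_samesite_none` branch emits `; SameSite=None` while the secure flag (`secure_cookie = cfg->secure;`) is read independently just below; browsers that implement the SameSite=None rules drop such a cookie unless it also carries `Secure`, so `MellonCookieSameSite none` with the secure-cookie setting off silently loses the session cookie. Either reject that combination in the config setter or warn here, e.g. `if (cfg->cookie_samesite == am_samesite_none && !cfg->secure) ap_log_error(APLOG_MARK, APLOG_WARNING, 0, r->server, "SameSite=None without Secure; browsers may reject the cookie");`. Two smaller points: the debug log passes `env_var_value` to `%s` when it is NULL (APR's formatter prints "(null)", but it reads as a mistake), and the override triggers on the mere presence of AM_DISABLE_SAMESITE_ENV_VAR, so `SetEnv MELLON_DISABLE_SAMESITE off` also disables SameSite — a comment on the `if (env_var_value == NULL)` line should say so. The enclosing function starts outside the hunk.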
@@ -617,7 +621,9 @@ "%s[%2d]: %s\n", indent(level+2), i, context_class); } - + apr_file_printf(diag_cfg->fd, + "%sMellonAuthnContextComparisonType (authn_context_comparison_type): %s\n", + indent(level+1), cfg->authn_context_comparison_type); apr_file_printf(diag_cfg->fd, "%sMellonSubjectConfirmationDataAddressCheck" " (subject_confirmation_data_address_check): %s\n", diff -Nru libapache2-mod-auth-mellon-0.14.2/auth_mellon.h libapache2-mod-auth-mellon-0.16.0/auth_mellon.h --- libapache2-mod-auth-mellon-0.14.2/auth_mellon.h 2018-03-16 07:14:54.000000000 +0000 +++ libapache2-mod-auth-mellon-0.16.0/auth_mellon.h 2020-01-28 14:59:44.000000000 +0000 @@ -1,7 +1,7 @@ /* * * auth_mellon.h: an authentication apache module - * Copyright © 2003-2007 UNINETT (http://www.uninett.no/) + * Copyright © 2003-2007 UNINETT (http://www.uninett.no/) * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -25,6 +25,7 @@ #include "config.h" #include +#include #include #include @@ -95,6 +96,11 @@ } am_diag_flags_t; #endif + +/* Disable SameSite Environment Value */ +#define AM_DISABLE_SAMESITE_ENV_VAR "MELLON_DISABLE_SAMESITE" + + /* This is the length of the id we use (for session IDs and * replaying POST data). */ @@ -163,7 +169,8 @@ typedef enum { am_samesite_default, am_samesite_lax, - am_samesite_strict + am_samesite_strict, + am_samesite_none, } am_samesite_t; typedef enum { @@ -237,6 +244,7 @@ am_samesite_t cookie_samesite; apr_array_header_t *cond; apr_hash_t *envattr; + const char *env_prefix; const char *userattr; const char *idpattr; LassoSignatureMethod signature_method; @@ -290,6 +298,9 @@ /* AuthnContextClassRef list */ apr_array_header_t *authn_context_class_ref; + /* AuthnContextComparisonType */ + const char *authn_context_comparison_type; + /* Controls the checking of SubjectConfirmationData.Address attribute */ int subject_confirmation_data_address_check; 
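Review bot: The diagnostics hunk prints `cfg->authn_context_comparison_type` with `%s`, but the create-dir hunk in auth_mellon_config.c initialises that field to NULL and the merge keeps NULL when no directory sets it, so the common case passes a NULL pointer to a `%s` conversion; apr_file_printf goes through APR's formatter, which renders "(null)", but that is an APR courtesy rather than a C guarantee and is not a useful value in a dump. Print a stable placeholder instead: `cfg->authn_context_comparison_type ? cfg->authn_context_comparison_type : "(not set)"`. The am_diag_samesite_str addition is fine; the `#include` line in the auth_mellon.h hunk has lost its header name in this rendering and cannot be checked here. The diagnostics function starts and ends outside the hunk.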
@@ -310,6 +321,9 @@ /* List of domains we can redirect to. */ const char * const *redirect_domains; + + /* Enabled the session invalidate endpoint. */ + int enabled_invalidation_session; } am_dir_cfg_rec; /* Bitmask for PAOS service options */ diff -Nru libapache2-mod-auth-mellon-0.14.2/auth_mellon_handler.c libapache2-mod-auth-mellon-0.16.0/auth_mellon_handler.c --- libapache2-mod-auth-mellon-0.14.2/auth_mellon_handler.c 2019-03-19 12:37:02.000000000 +0000 +++ libapache2-mod-auth-mellon-0.16.0/auth_mellon_handler.c 2020-01-14 13:01:06.000000000 +0000 @@ -1,7 +1,7 @@ /* * * auth_mellon_handler.c: an authentication apache module - * Copyright © 2003-2007 UNINETT (http://www.uninett.no/) + * Copyright © 2003-2007 UNINETT (http://www.uninett.no/) * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by 
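Review bot: The new struct field comment `/* Enabled the session invalidate endpoint. */` does not say what the values mean; since the setter stores 1 for "on" and 0 for "off", write `/* Session invalidation endpoint: 1 = enabled, 0 = disabled (default). */`. The struct declaration starts outside the hunk.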
@@ -807,6 +807,72 @@ return rc; } +/* This function handles an invalidate request. + * + * Parameters: + * request_rec *r The logout request. + * + * Returns: + * OK on success, or an error if any of the steps fail. + */ +static int am_handle_invalidate_request(request_rec *r) +{ + int rc; + char *return_to; + am_cache_entry_t *session = am_get_request_session(r); + am_dir_cfg_rec *cfg = am_get_dir_cfg(r); + + /* Check if the session invalidation endpoint is enabled. */ + if (cfg->enabled_invalidation_session == 0) { + AM_LOG_RERROR(APLOG_MARK, APLOG_ERR, 0, r, + "Session Invalidation Endpoint is not enabled."); + return HTTP_BAD_REQUEST; + } + + am_diag_printf(r, "enter function %s\n", __func__); + am_diag_log_cache_entry(r, 0, session, "%s\n", __func__); + + return_to = am_extract_query_parameter(r->pool, r->args, "ReturnTo"); + + if (return_to == NULL) { + AM_LOG_RERROR(APLOG_MARK, APLOG_ERR, 0, r, + "No ReturnTo parameter provided for invalidate handler."); + return HTTP_BAD_REQUEST; + } + + /* Check for bad characters in ReturnTo. */ + rc = am_check_url(r, return_to); + if (rc != OK) { + return rc; + } + + rc = am_urldecode(return_to); + if (rc != OK) { + AM_LOG_RERROR(APLOG_MARK, APLOG_ERR, rc, r, + "Could not urldecode ReturnTo value in invalidate" + " response."); + return HTTP_BAD_REQUEST; + } + + /* Make sure that it is a valid redirect URL. */ + rc = am_validate_redirect_url(r, return_to); + if (rc != OK) { + AM_LOG_RERROR(APLOG_MARK, APLOG_ERR, 0, r, + "Invalid target domain in invalidate response ReturnTo parameter."); + return rc; + } + + if (session == NULL) { + AM_LOG_RERROR(APLOG_MARK, APLOG_ERR, 0, r, + "Error processing invalidate request message." + " No session found."); + } else { + am_delete_request_session(r, session); + } + + apr_table_setn(r->headers_out, "Location", return_to); + return HTTP_SEE_OTHER; +} /* This function handles a logout response message from the IdP. We get * this message after we have sent a logout request to the IdP. 
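Review bot: am_handle_invalidate_request terminates the caller's session on a plain GET whose only input is the `ReturnTo` query parameter, with nothing tying the request to the user's intent (no POST requirement, no per-session token), so it is a logout-equivalent action with the same cross-site exposure the existing logout endpoint has; the directive documentation should say so and recommend leaving it disabled unless needed. Two smaller things: the log messages say "invalidate response" (`"Could not urldecode ReturnTo value in invalidate response."`, `"Invalid target domain in invalidate response ReturnTo parameter."`) although this path handles a request, so `response` should read `request`; and `am_get_request_session(r)` runs before the `enabled_invalidation_session` check, so the session lookup is paid even when the endpoint is disabled — move it below the check. The function is complete inside the hunk.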
@@ -1139,6 +1205,25 @@ } } +/* This function handles requests to the invalidate handler. + * + * Parameters: + * request_rec *r The request. + * + * Returns: + * OK on success, or an error if any of the steps fail. + */ +static int am_handle_invalidate(request_rec *r) +{ + LassoServer *server; + + server = am_get_lasso_server(r); + if (server == NULL) { + return HTTP_INTERNAL_SERVER_ERROR; + } + + return am_handle_invalidate_request(r); +} /* This function parses a timestamp for a SAML 2.0 condition. * @@ -2895,6 +2980,11 @@ "adding AuthnContextClassRef %s to the " "AuthnRequest", ref); } + + if (dir_cfg->authn_context_comparison_type != NULL) { + lasso_assign_string(request->RequestedAuthnContext->Comparison, + dir_cfg->authn_context_comparison_type); + } } LASSO_PROFILE(login)->msg_relayState = g_strdup(return_to_url); @@ -3536,6 +3626,8 @@ * with version 0.0.6 and older. */ return am_handle_logout(r); + } else if(!strcmp(endpoint, "invalidate")) { + return am_handle_invalidate(r); } else if(!strcmp(endpoint, "login")) { return am_handle_login(r); } else if(!strcmp(endpoint, "probeDisco")) { diff -Nru libapache2-mod-auth-mellon-0.14.2/auth_mellon_util.c libapache2-mod-auth-mellon-0.16.0/auth_mellon_util.c --- libapache2-mod-auth-mellon-0.14.2/auth_mellon_util.c 2019-03-20 07:29:16.000000000 +0000 +++ libapache2-mod-auth-mellon-0.16.0/auth_mellon_util.c 2020-01-14 13:01:03.000000000 +0000 
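Review bot: In am_handle_invalidate the `server` returned by am_get_lasso_server is only compared with NULL and never used, so a reader cannot tell whether the lookup is a deliberate "Lasso must be initialised before touching sessions" precondition or a copy from the logout handler; add `/* Require a configured Lasso server before handling the request. */` above the call, or drop the lookup. Checking `cfg->enabled_invalidation_session` here, before the lookup, would also make a disabled endpoint fail fast. The `lasso_assign_string` hunk and the endpoint dispatch hunk look fine; both of their enclosing functions start outside the hunks.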
@@ -116,6 +116,13 @@ /* Sanity check of the scheme of the domain. We only allow http and https. */ if (uri.scheme) { + /* http and https schemes without hostname are invalid. */ + if (!uri.hostname) { + AM_LOG_RERROR(APLOG_MARK, APLOG_ERR, 0, r, + "Preventing redirect with scheme but no hostname: %s", + url); + return HTTP_BAD_REQUEST; + } if (strcasecmp(uri.scheme, "http") && strcasecmp(uri.scheme, "https")) { AM_LOG_RERROR(APLOG_MARK, APLOG_ERR, 0, r, diff -Nru libapache2-mod-auth-mellon-0.14.2/configure libapache2-mod-auth-mellon-0.16.0/configure --- libapache2-mod-auth-mellon-0.14.2/configure 2019-03-21 13:58:52.000000000 +0000 +++ libapache2-mod-auth-mellon-0.16.0/configure 2020-01-28 15:06:03.000000000 +0000 @@ -1,8 +1,8 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for mod_auth_mellon 0.14.2. +# Generated by GNU Autoconf 2.69 for mod_auth_mellon 0.16.0. # -# Report bugs to . +# Report bugs to . # # # Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc. @@ -267,10 +267,11 @@ $as_echo "$0: be upgraded to zsh 4.3.4 or later." else $as_echo "$0: Please tell bug-autoconf@gnu.org and -$0: olav.morken@uninett.no about your system, including any -$0: error possibly output before this message. Then install -$0: a modern shell, or manually run the script under such a -$0: shell if you do have one." +$0: https://github.com/latchset/mod_auth_mellon/issues +$0: about your system, including any error possibly output +$0: before this message. Then install a modern shell, or +$0: manually run the script under such a shell if you do +$0: have one." fi exit 1 fi 
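Review bot: The new guard in am_validate_redirect_url rejects `!uri.hostname`, but if apr_uri_parse yields an empty-string hostname for an authority-less form (I have not confirmed this from the hunk), the guard passes and the URL reaches the later domain check; `if (!uri.hostname || !*uri.hostname)` costs nothing and closes that reading. The logged message is useful for detection — keep it. The function continues outside the hunk, and the configure hunks on the same line are generated.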
@@ -580,9 +581,9 @@ # Identity of this package. PACKAGE_NAME='mod_auth_mellon' PACKAGE_TARNAME='mod_auth_mellon' -PACKAGE_VERSION='0.14.2' -PACKAGE_STRING='mod_auth_mellon 0.14.2' -PACKAGE_BUGREPORT='olav.morken@uninett.no' +PACKAGE_VERSION='0.16.0' +PACKAGE_STRING='mod_auth_mellon 0.16.0' +PACKAGE_BUGREPORT='https://github.com/latchset/mod_auth_mellon/issues' PACKAGE_URL='' # Factoring default headers for most tests. @@ -666,7 +667,6 @@ docdir oldincludedir includedir -runstatedir localstatedir sharedstatedir sysconfdir @@ -750,7 +750,6 @@ sysconfdir='${prefix}/etc' sharedstatedir='${prefix}/com' localstatedir='${prefix}/var' -runstatedir='${localstatedir}/run' includedir='${prefix}/include' oldincludedir='/usr/include' docdir='${datarootdir}/doc/${PACKAGE_TARNAME}' @@ -1003,15 +1002,6 @@ | -silent | --silent | --silen | --sile | --sil) silent=yes ;; - -runstatedir | --runstatedir | --runstatedi | --runstated \ - | --runstate | --runstat | --runsta | --runst | --runs \ - | --run | --ru | --r) - ac_prev=runstatedir ;; - -runstatedir=* | --runstatedir=* | --runstatedi=* | --runstated=* \ - | --runstate=* | --runstat=* | --runsta=* | --runst=* | --runs=* \ - | --run=* | --ru=* | --r=*) - runstatedir=$ac_optarg ;; - -sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb) ac_prev=sbindir ;; -sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \ @@ -1149,7 +1139,7 @@ for ac_var in exec_prefix prefix bindir sbindir libexecdir datarootdir \ datadir sysconfdir sharedstatedir localstatedir includedir \ oldincludedir docdir infodir htmldir dvidir pdfdir psdir \ - libdir localedir mandir runstatedir + libdir localedir mandir do eval ac_val=\$$ac_var # Remove trailing slashes. 
@@ -1262,7 +1252,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures mod_auth_mellon 0.14.2 to adapt to many kinds of systems. +\`configure' configures mod_auth_mellon 0.16.0 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1302,7 +1292,6 @@ --sysconfdir=DIR read-only single-machine data [PREFIX/etc] --sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com] --localstatedir=DIR modifiable single-machine data [PREFIX/var] - --runstatedir=DIR modifiable per-process data [LOCALSTATEDIR/run] --libdir=DIR object code libraries [EPREFIX/lib] --includedir=DIR C header files [PREFIX/include] --oldincludedir=DIR C header files for non-gcc [/usr/include] @@ -1324,7 +1313,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of mod_auth_mellon 0.14.2:";; + short | recursive ) echo "Configuration of mod_auth_mellon 0.16.0:";; esac cat <<\_ACEOF @@ -1368,7 +1357,7 @@ Use these variables to override the choices made by `configure' or to help it to find libraries and programs with nonstandard names/locations. -Report bugs to . +Report bugs to . _ACEOF ac_status=$? fi @@ -1431,7 +1420,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -mod_auth_mellon configure 0.14.2 +mod_auth_mellon configure 0.16.0 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. 
@@ -1636,9 +1625,9 @@ $as_echo "$as_me: WARNING: $2: section \"Present But Cannot Be Compiled\"" >&2;} { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: proceeding with the compiler's result" >&5 $as_echo "$as_me: WARNING: $2: proceeding with the compiler's result" >&2;} -( $as_echo "## ------------------------------------- ## -## Report this to olav.morken@uninett.no ## -## ------------------------------------- ##" +( $as_echo "## ----------------------------------------------------------------- ## +## Report this to https://github.com/latchset/mod_auth_mellon/issues ## +## ----------------------------------------------------------------- ##" ) | sed "s/^/$as_me: WARNING: /" >&2 ;; esac @@ -1779,7 +1768,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by mod_auth_mellon $as_me 0.14.2, which was +It was created by mod_auth_mellon $as_me 0.16.0, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -3098,7 +3087,7 @@ -NAMEVER=mod_auth_mellon-0.14.2 +NAMEVER=mod_auth_mellon-0.16.0 @@ -4879,7 +4868,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by mod_auth_mellon $as_me 0.14.2, which was +This file was extended by mod_auth_mellon $as_me 0.16.0, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES 
@@ -4935,13 +4924,13 @@ Configuration headers: $config_headers -Report bugs to ." +Report bugs to ." _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -mod_auth_mellon config.status 0.14.2 +mod_auth_mellon config.status 0.16.0 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff -Nru libapache2-mod-auth-mellon-0.14.2/configure.ac libapache2-mod-auth-mellon-0.16.0/configure.ac --- libapache2-mod-auth-mellon-0.14.2/configure.ac 2019-03-21 13:58:35.000000000 +0000 +++ libapache2-mod-auth-mellon-0.16.0/configure.ac 2020-01-28 14:59:44.000000000 +0000 @@ -1,4 +1,4 @@ -AC_INIT([mod_auth_mellon],[0.14.2],[olav.morken@uninett.no]) +AC_INIT([mod_auth_mellon],[0.16.0],[https://github.com/latchset/mod_auth_mellon/issues]) AC_CONFIG_HEADERS([config.h]) # We require support for C99. diff -Nru libapache2-mod-auth-mellon-0.14.2/debian/changelog libapache2-mod-auth-mellon-0.16.0/debian/changelog --- libapache2-mod-auth-mellon-0.14.2/debian/changelog 2019-11-22 17:39:03.000000000 +0000 +++ libapache2-mod-auth-mellon-0.16.0/debian/changelog 2020-01-28 15:25:41.000000000 +0000 
@@ -1,19 +1,21 @@ -libapache2-mod-auth-mellon (0.14.2-1ubuntu2) focal; urgency=medium +libapache2-mod-auth-mellon (0.16.0-1) unstable; urgency=high - * SECURITY UPDATE: open redirect issue - - debian/patches/CVE-2019-13038-1.patch: prevent schemes without - hostname in auth_mellon_util.c. - - debian/patches/CVE-2019-13038-2.patch: add error message in - auth_mellon_util.c. - - CVE-2019-13038 + * New upstream release. - -- Marc Deslauriers Fri, 22 Nov 2019 12:39:03 -0500 + -- Thijs Kinkhorst Tue, 28 Jan 2020 15:25:41 +0000 -libapache2-mod-auth-mellon (0.14.2-1ubuntu1) disco; urgency=medium +libapache2-mod-auth-mellon (0.15.0-1) unstable; urgency=medium - * Build the module with --enable-diagnostics (LP: #1820279) + * New upstream release. + - Fixes security issue CVE-2019-13038 (closes: #931265). + * Build with diagnostics enabled; this can be switched on at + runtime with the Apache directives MellonDiagnosticsEnable and + MellonDiagnosticsFile (closes: #931562). + * Relocated upstream, updated URLs and copyrights. + * Packaging cleanups: change section to HTTPD, bump debhelper + level to 12, standards-version to 4.5.0. - -- Dmitrii Shcherbakov Fri, 22 Mar 2019 22:27:25 +0300 + -- Thijs Kinkhorst Mon, 27 Jan 2020 10:41:36 +0000 libapache2-mod-auth-mellon (0.14.2-1) unstable; urgency=high diff -Nru libapache2-mod-auth-mellon-0.14.2/debian/compat libapache2-mod-auth-mellon-0.16.0/debian/compat --- libapache2-mod-auth-mellon-0.14.2/debian/compat 2019-02-11 08:50:04.000000000 +0000 +++ libapache2-mod-auth-mellon-0.16.0/debian/compat 2020-01-27 10:54:52.000000000 +0000 @@ -1 +1 @@ -11 +12 diff -Nru libapache2-mod-auth-mellon-0.14.2/debian/control libapache2-mod-auth-mellon-0.16.0/debian/control --- libapache2-mod-auth-mellon-0.14.2/debian/control 2019-11-22 17:39:03.000000000 +0000 +++ libapache2-mod-auth-mellon-0.16.0/debian/control 2020-01-27 12:14:05.000000000 +0000 
@@ -1,15 +1,14 @@ Source: libapache2-mod-auth-mellon -Section: web +Section: httpd Priority: optional -Maintainer: Ubuntu Developers -XSBC-Original-Maintainer: Thijs Kinkhorst -Build-Depends: debhelper (>= 11), dh-exec, +Maintainer: Thijs Kinkhorst +Build-Depends: debhelper (>= 12), dh-exec, dh-apache2, apache2-dev, - libcurl3-dev, liblasso3-dev (>= 2.1.0) -Standards-Version: 4.3.0 + libcurl3-dev, liblasso3-dev +Standards-Version: 4.5.0 Vcs-Git: https://salsa.debian.org/debian/modmellon.git Vcs-Browser: https://salsa.debian.org/debian/modmellon -Homepage: https://github.com/UNINETT/mod_auth_mellon +Homepage: https://github.com/latchset/mod_auth_mellon/ Rules-Requires-Root: binary-targets Package: libapache2-mod-auth-mellon diff -Nru libapache2-mod-auth-mellon-0.14.2/debian/copyright libapache2-mod-auth-mellon-0.16.0/debian/copyright --- libapache2-mod-auth-mellon-0.14.2/debian/copyright 2019-02-11 08:41:13.000000000 +0000 +++ libapache2-mod-auth-mellon-0.16.0/debian/copyright 2020-01-27 11:51:41.000000000 +0000 @@ -1,7 +1,6 @@ Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ Upstream-Name: mod_auth_mellon -Upstream-Contact: Olav Morken -Source: https://github.com/UNINETT/mod_auth_mellon +Source: https://github.com/latchset/mod_auth_mellon/ Files: * Copyright: 2003-2007 UNINETT @@ -9,7 +8,7 @@ Files: debian/* Copyright: 2013 Tilburg University - 2014-2017 SURFnet b.v. + 2014-2020 SURFnet b.v. License: GPL-2+ with OpenSSL exception License: GPL-2+ with OpenSSL exception diff -Nru libapache2-mod-auth-mellon-0.14.2/debian/manpages libapache2-mod-auth-mellon-0.16.0/debian/manpages --- libapache2-mod-auth-mellon-0.14.2/debian/manpages 1970-01-01 00:00:00.000000000 +0000 +++ libapache2-mod-auth-mellon-0.16.0/debian/manpages 2020-01-28 15:25:41.000000000 +0000 
@@ -0,0 +1 @@ +doc/mellon_create_metadata.8 diff -Nru libapache2-mod-auth-mellon-0.14.2/debian/patches/CVE-2019-13038-1.patch libapache2-mod-auth-mellon-0.16.0/debian/patches/CVE-2019-13038-1.patch --- libapache2-mod-auth-mellon-0.14.2/debian/patches/CVE-2019-13038-1.patch 2019-11-22 17:38:11.000000000 +0000 +++ libapache2-mod-auth-mellon-0.16.0/debian/patches/CVE-2019-13038-1.patch 1970-01-01 00:00:00.000000000 +0000 @@ -1,30 +0,0 @@ -From a52645391d08739a6a96df21e2506d3e57b888dc Mon Sep 17 00:00:00 2001 -From: Valentin -Date: Fri, 6 Sep 2019 13:30:36 +0300 -Subject: [PATCH 1/2] Fix open redirect CVE-2019-13038 - -Resolves: - https://github.com/latchset/mod_auth_mellon/issues/2 - -The original reported redirect attack was: - https://application.com/mellon/login?ReturnTo=http:www.malicious.com ---- - auth_mellon_util.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/auth_mellon_util.c b/auth_mellon_util.c -index fd442f9..e53a98f 100644 ---- a/auth_mellon_util.c -+++ b/auth_mellon_util.c -@@ -116,6 +116,10 @@ int am_validate_redirect_url(request_rec *r, const char *url) - - /* Sanity check of the scheme of the domain. We only allow http and https. */ - if (uri.scheme) { -+ /* http and https schemes without hostname are invalid. */ -+ if (!uri.hostname) { -+ return HTTP_BAD_REQUEST; -+ } - if (strcasecmp(uri.scheme, "http") - && strcasecmp(uri.scheme, "https")) { - AM_LOG_RERROR(APLOG_MARK, APLOG_ERR, 0, r, - diff -Nru libapache2-mod-auth-mellon-0.14.2/debian/patches/CVE-2019-13038-2.patch libapache2-mod-auth-mellon-0.16.0/debian/patches/CVE-2019-13038-2.patch --- libapache2-mod-auth-mellon-0.14.2/debian/patches/CVE-2019-13038-2.patch 2019-11-22 17:38:15.000000000 +0000 +++ libapache2-mod-auth-mellon-0.16.0/debian/patches/CVE-2019-13038-2.patch 1970-01-01 00:00:00.000000000 +0000 
@@ -1,27 +0,0 @@ -From 07bf06b89ba53d5553e5a7f5e54a796045dbeceb Mon Sep 17 00:00:00 2001 -From: Jakub Hrozek -Date: Tue, 29 Oct 2019 14:14:25 +0100 -Subject: [PATCH 2/2] Add an error message when preventing redirect to a bad - uri - -This is a follow up patch related to: - https://github.com/latchset/mod_auth_mellon/issues/2 -aka CVE-2019-13038 that just adds a message that is logged. ---- - auth_mellon_util.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/auth_mellon_util.c b/auth_mellon_util.c -index e53a98f..b4bb471 100644 ---- a/auth_mellon_util.c -+++ b/auth_mellon_util.c -@@ -118,6 +118,9 @@ int am_validate_redirect_url(request_rec *r, const char *url) - if (uri.scheme) { - /* http and https schemes without hostname are invalid. */ - if (!uri.hostname) { -+ AM_LOG_RERROR(APLOG_MARK, APLOG_ERR, 0, r, -+ "Preventing redirect with scheme but no hostname: %s", -+ url); - return HTTP_BAD_REQUEST; - } - if (strcasecmp(uri.scheme, "http") diff -Nru libapache2-mod-auth-mellon-0.14.2/debian/patches/series libapache2-mod-auth-mellon-0.16.0/debian/patches/series --- libapache2-mod-auth-mellon-0.14.2/debian/patches/series 2019-11-22 17:38:15.000000000 +0000 +++ libapache2-mod-auth-mellon-0.16.0/debian/patches/series 2020-01-27 13:32:39.000000000 +0000 @@ -1,2 +0,0 @@ -CVE-2019-13038-1.patch -CVE-2019-13038-2.patch diff -Nru libapache2-mod-auth-mellon-0.14.2/debian/watch libapache2-mod-auth-mellon-0.16.0/debian/watch --- libapache2-mod-auth-mellon-0.14.2/debian/watch 2018-03-16 10:41:03.000000000 +0000 +++ libapache2-mod-auth-mellon-0.16.0/debian/watch 2020-01-27 11:52:23.000000000 +0000 
@@ -1,2 +1,2 @@
 version=3
-https://github.com//UNINETT/mod_auth_mellon/releases .*/mod_auth_mellon-(\d[\d\.]*)\.tar\.gz
+https://github.com/latchset/mod_auth_mellon/releases .*/mod_auth_mellon-(\d[\d\.]*)\.tar\.gz
diff -Nru libapache2-mod-auth-mellon-0.14.2/doc/mellon_create_metadata.8 libapache2-mod-auth-mellon-0.16.0/doc/mellon_create_metadata.8
--- libapache2-mod-auth-mellon-0.14.2/doc/mellon_create_metadata.8 1970-01-01 00:00:00.000000000 +0000
+++ libapache2-mod-auth-mellon-0.16.0/doc/mellon_create_metadata.8 2020-01-28 14:59:44.000000000 +0000
@@ -0,0 +1,25 @@
+.TH man 8 "25 January 2020" "1.0" "mellon_create_metadata manual page"
+.SH NAME
+mellon_create_metadata \- Populate inital SP metadata for mod_auth_mellon
+.SH SYNOPSIS
+mellon_create_metadata ENTITY-ID ENDPOINT-URL
+.SH DESCRIPTION
+The Apache module mod_auth_mellon provides a SAML 2.0 service provider (SP).
+This service provider needs metadata to function. You can create the initial
+configuration for this with mellon_create_metadata. Three files will be
+created in the current directory. A public and private key pair, and a
+boilerplate metadata xml file with the public key and the URLs of this
+installation, that can be further edited at will.
+
+You can reference these files in the configuration options
+MellonSPPrivateKeyFile, MellonSPCertFile and MellonSPMetadataFile,
+respectively.
+.SH OPTIONS
+Specify the desired entity ID of the SP. This needs to be globally unique
+and is therefore an URL or URN, probably with your own domain in it.
+The endpoint URL is the full URL to your mellon installation. This normally
+ends with "/mellon" unless configured otherwise.
+.SH EXAMPLE
+mellon_create_metadata urn:someservice https://sp.example.org/mellon
+.SH AUTHOR
+Thijs Kinkhorst
diff -Nru libapache2-mod-auth-mellon-0.14.2/doc/user_guide/mellon_user_guide.adoc libapache2-mod-auth-mellon-0.16.0/doc/user_guide/mellon_user_guide.adoc
--- libapache2-mod-auth-mellon-0.14.2/doc/user_guide/mellon_user_guide.adoc 2019-03-19 12:37:02.000000000 +0000
+++ libapache2-mod-auth-mellon-0.16.0/doc/user_guide/mellon_user_guide.adoc 2020-01-28 14:59:44.000000000 +0000
@@ -1634,7 +1634,7 @@
 === How is Mellon metadata created? [[metadata_creation]]
-The purpose of SAML metadata is describe in <>. An annotated
+The purpose of SAML metadata is described in <>. An annotated
 example of Mellon metadata is presented in <>. There are multiple ways one can create Mellon metadata:
@@ -2007,11 +2007,13 @@
 assertion to a name of your choosing when it is placed in the Apache environment. This is controlled by `MellonSetEnv` and `MellonSetEnvNoPrefix` directives. The distinction
- is `MellonSetEnv` always prepends the `MELLON_` prefix to the
+ is `MellonSetEnv` always prepends a prefix to the
 environment variable name to help to prevent name collisions. The
+ prefix defaults to `MELLON_` and can be configured using the
+ `MellonEnvPrefix` configuration option. The
 `MellonSetEnvNoPrefix` directive also remaps the assertion name to a name of your choosing but it omits prepending the environment
- variable name with `MELLON_`. See <>
+ variable name with the prefix. See <>
 Using the <> Mellon places these environment variables in the Apache environment. See
@@ -2117,6 +2121,20 @@
 Also see <> for an example of setting the `REMOTE_USER` environment variable using `MellonSetEnvNoPrefix`.
+The `MellonEnvPrefix` variable might be useful e.g. if you
+are migrating from a different SP which used its own prefix
+for the variables passed by the IdP. For example, to prefix
+all variables with `NOLLEM_` you would use:
+
+----
+MellonEnvPrefix NOLLEM_
+----
+
+If you recieved an attribute-map.xml from your IDP that uses the
+`urn:mace:shibboleth:2.0:attribute-map` namespace, it can be converted
+to `MellonSetEnvNoPrefix` entries with `docs/mellon-attribute-map.xsl`
+and loaded into your webserver configuration.
+
 === Using Mellon to apply constraints [[assertion_constraints]]
 SAML attributes can be used for more than exporting those values to a
@@ -2942,7 +2960,7 @@
 directives. These directives are module level and as such should be declared outside of any location blocks in your Apache configuration.
-MellonDiagnosticFile::
+MellonDiagnosticsFile::
 If Mellon was built with diagnostic capability then diagnostic is written here, it may be either a filename or a pipe. If it's a filename then the resulting path is relative to the ServerRoot. If
@@ -2950,7 +2968,7 @@
 by a path to a program to receive the log information on its standard input. Default: `logs/mellon_diagnostics`
-MellonDiagnosticEnable::
+MellonDiagnosticsEnable::
 If Mellon was built with diagnostic capability then this is a list of words controlling diagnostic output. Currently only `On` and `Off` are supported. Default: `Off`
@@ -2959,12 +2977,12 @@
 configuration file where you keep your Mellon configuration.
 ----
-MellonDiagnosticEnable On
+MellonDiagnosticsEnable On
 ----
 Restart Apache and perform some operation that involves Mellon. In your Apache log directory will be a file called `mellon_diagnostics`
-(or whatever `MellonDiagnosticFile` was set to).
+(or whatever `MellonDiagnosticsFile` was set to).
 IMPORTANT: Diagnostic logging may potentially contain security sensitive information. Diagnostic logging is verbose and will generate
@@ -3580,6 +3598,7 @@
 MellonProbeDiscoveryTimeout (probe_discovery_timeout): -1
 MellonProbeDiscoveryIdP (probe_discovery_idp): 0 items
 MellonAuthnContextClassRef (authn_context_class_ref): 0 items
+ MellonAuthnContextComparisonType (authn_context_comparison_type): (null)
 MellonSubjectConfirmationDataAddressCheck (subject_confirmation_data_address_check): On
 MellonDoNotVerifyLogoutSignature (do_not_verify_logout_signature): 0 items
 MellonPostReplay (post_replay): On
diff -Nru libapache2-mod-auth-mellon-0.14.2/Makefile.in libapache2-mod-auth-mellon-0.16.0/Makefile.in
--- libapache2-mod-auth-mellon-0.14.2/Makefile.in 2019-03-19 12:37:02.000000000 +0000
+++ libapache2-mod-auth-mellon-0.16.0/Makefile.in 2020-01-28 08:39:29.000000000 +0000
@@ -36,6 +36,7 @@
 COPYING \
 NEWS \
 mellon_create_metadata.sh \
+ doc/mellon_create_metadata.8 \
 $(USER_GUIDE_FILES)
 all: mod_auth_mellon.la
diff -Nru libapache2-mod-auth-mellon-0.14.2/mellon_create_metadata.sh libapache2-mod-auth-mellon-0.16.0/mellon_create_metadata.sh
--- libapache2-mod-auth-mellon-0.14.2/mellon_create_metadata.sh 2019-03-19 12:37:02.000000000 +0000
+++ libapache2-mod-auth-mellon-0.16.0/mellon_create_metadata.sh 2020-01-28 14:59:44.000000000 +0000
@@ -41,6 +41,7 @@
 echo "Private key: $OUTFILE.key"
 echo "Certificate: $OUTFILE.cert"
 echo "Metadata: $OUTFILE.xml"
+echo
 echo "Host: $HOST"
 echo
 echo "Endpoints:"
diff -Nru libapache2-mod-auth-mellon-0.14.2/NEWS libapache2-mod-auth-mellon-0.16.0/NEWS
--- libapache2-mod-auth-mellon-0.14.2/NEWS 2019-03-21 13:58:27.000000000 +0000
+++ libapache2-mod-auth-mellon-0.16.0/NEWS 2020-01-28 14:59:44.000000000 +0000
@@ -1,3 +1,53 @@
+Version 0.16.0
+---------------------------------------------------------------------------
+
+Enhancements:
+
+ * The MellonCookieSameSite option accepts a new valid "None". This is intended
+ to be used together with "MellonSecureCookie On". With some newer browsers,
+ only cookies with "SameSite=None; Secure" would be available for cross-site
+ access.
+
+ * A new option MellonEnabledInvalidateSessionEndpoint was added. When this
+ option is enabled, then a user can invalidate their session locally by
+ calling the "/invalidate" endpoint.
+
+Version 0.15.0
+---------------------------------------------------------------------------
+
+Security fixes:
+
+* [CVE-2019-13038] Redirect URL validation bypass
+
+ Version 0.14.1 and older of mod_auth_mellon allows the redirect URL
+ validation to be bypassed by specifying an URL formatted as
+ "http:www.hostname.com". In this case, the APR parsing utility
+ would parse the scheme as http, host as NULL and path as www.hostname.com.
+ Browsers, however, interpret the URL differently and redirect to
+ www.hostname.com. This could be reproduced with:
+ https://application.com/mellon/login?ReturnTo=http:www.hostname.com
+
+ This version fixes that issue by rejecting all URLs with
+ scheme, but no host name.
+
+Enhancements:
+
+ * A XSLT script that allows converting attribute maps from Shibboleth
+ to a set of MellonSetEnvNoPrefix entries was added. The script can
+ be found at doc/mellon-attribute-map.xsl
+
+ * A new configuration option MellonEnvPrefix was added. This option allows
+ you to configure the variable prefix, which normally defaults to MELLON_
+
+ * A new configuration option MellonAuthnContextComparisonType was added.
+ This option allows you to set the "Comparison" attribute within
+ the AuthnRequest
+
+Notable bug fixes:
+
+ * Compilation issues on Solaris were fixed
+
+
 Version 0.14.2
 ---------------------------------------------------------------------------
diff -Nru libapache2-mod-auth-mellon-0.14.2/README.md libapache2-mod-auth-mellon-0.16.0/README.md
--- libapache2-mod-auth-mellon-0.14.2/README.md 2019-03-19 12:37:02.000000000 +0000
+++ libapache2-mod-auth-mellon-0.16.0/README.md 2020-01-28 14:59:44.000000000 +0000
@@ -218,11 +218,26 @@
 # MellonCookieSameSite allows control over the SameSite value used
 # for the authentication cookie.
- # The setting accepts values of "Strict" or "Lax"
- # If not set, the SameSite attribute is not set on the cookie.
+ # The setting accepts values of "Strict", "Lax", or "None".
+ # When using none, you should set "MellonSecureCookie On" to prevent
+ # compatibility issues with newer browsers.
+ # If not set, the SameSite attribute is not set on the cookie. In newer
+ # browsers, this may cause SameSite to default to "Lax"
 # Default: not set
 # MellonCookieSameSite lax
+ # Some browsers will reject cookies if SameSite is specified.
+ # MELLON_DISABLE_SAMESITE environment variable suppresses
+ # unnecessary setting of SameSite cookies
+ # SetEnvIf User-Agent ^.*Chrome\/(5[1-9]|6[0-6]).*$ MELLON_DISABLE_SAMESITE
+ # SetEnvIf User-Agent ^.*Android.*UCBrowser\/([0-9]|1[0-1]).*$ MELLON_DISABLE_SAMESITE
+ # SetEnvIf User-Agent ^.*Android.*UCBrowser\/12\.([0-9]|1[0-2]).*$ MELLON_DISABLE_SAMESITE
+ # SetEnvIf User-Agent ^.*Android.*UCBrowser\/12\.13\.[0-1].*$ MELLON_DISABLE_SAMESITE
+ # SetEnvIf User-Agent ^.*iPhone; CPU iPhone OS 1[0-2].*$ MELLON_DISABLE_SAMESITE
+ # SetEnvIf User-Agent ^.*iPad; CPU OS 1[0-2].*$ MELLON_DISABLE_SAMESITE
+ # SetEnvIf User-Agent ^.*iPod touch; CPU iPhone OS 1[0-2].*$ MELLON_DISABLE_SAMESITE
+ # SetEnvIf User-Agent ^.*Macintosh; Intel Mac OS X.*Version\/1[0-2].*Safari.*$ MELLON_DISABLE_SAMESITE
+
 # MellonUser selects which attribute we should use for the username.
 # The username is passed on to other apache modules and to the web
 # page the user visits. NAME_ID is an attribute which we set to
@@ -253,6 +268,11 @@
 # Default. None set.
 MellonSetEnvNoPrefix "DISPLAY_NAME" "displayName"
+ # MellonEnvPrefix changes the string the variables passed from the
+ # IdP are prefixed with.
+ # Default: MELLON_
+ MellonEnvPrefix "NOLLEM_"
+
 # MellonMergeEnvVars merges multiple values of environment variables
 # set using MellonSetEnv into single variable:
 # ie: MYENV_VAR => val1;val2;val3 instead of default behaviour of:
@@ -527,6 +547,10 @@
 # MellonAuthnContextClassRef "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
 # MellonAuthnContextClassRef "urn:oasis:names:tc:SAML:2.0:ac:classes:SoftwarePKI"
+ # This option will set the "Comparsion" attribute within the AuthnRequest
+ # It could be set to "exact", "minimum", "maximum" or "better"
+ # MellonAuthnContextComparisonType "minimum"
+
 # MellonSubjectConfirmationDataAddressCheck is used to control
 # the checking of client IP address against the address returned by the
 # IdP in Address attribute of the SubjectConfirmationData node. Can be useful if your SP is
@@ -735,6 +759,20 @@
 after the logout operation has completed.
+## Invalidating session
+It is possible to invalidate the current mod_auth_mellon session,
+without calling SLO. The mod_auth_mellon cookie session will be
+invalidated and the session will be removed from the mod_auth_mellon cache.
+SLO will not be possible after the mod_auth_mellon session is invalidated.
+If this functionality is enabled, invalidate the session by calling
+the endpoint "/invalidate".
+Here is a sample configuration to enabled this feature:
+```ApacheConf
+MellonEnabledInvalidateSessionEndpoint On
+```
+Default value is Off
+
+
 ## Probe IdP discovery
 mod_auth_mellon has an IdP probe discovery service that sends HTTP GET
@@ -884,9 +922,10 @@
 ## Reporting security vulnerabilities
 For reporting security vulnerabilities in mod_auth_mellon, please contact
-the maintainer directly at the following email address:
+the maintainers directly at the following email address:
- olav.morken@uninett.no
+ jhrozek@redhat.com
+ simo@redhat.com
 This allows us to coordinate the disclosure of the vulnerability with the fixes for the vulnerability.